DeepSec 2016 Talk: Social Engineering The Most Underestimated
APT – Hacking the Human Operating System – Dominique C. Brack
Posted on October 05, 2016 by sanna
Social Engineering is an accepted Advanced Persistent Threat (APT) and is here to stay, according to
Dominique C. Brack of Reputelligence, Social Engineering Engagement Framework (SEEF). Most
high-value hacking attacks include components of social engineering. Understanding the behind-the-scenes
methods and approaches of social engineering will help you make the world a safer place. Or make your attack
plans more successful! Social Engineering is a topic that does not really fit into technical hacking and is also
underestimated by security professionals. There are no tools or hardware you can buy to prevent Social
Engineering attacks.
But Social Engineering is an APT to be taken seriously, because most attacks consist partly of it, and both
executing and preventing it require training and skills. Social Engineering has progressed and professionalized
more than you think. It is disastrously effective. Prior to his talk we asked Dominique C. Brack some questions
about the threats of SE.
Please tell us the top 5 facts about your talk.
My talk will provide the skills to detect, defend and assess Social Engineering attacks and describe the
associated risks that go along with it. You will learn about the motivations and methods used by social
engineers, to enable you to better protect yourself and your organization.
Especially you will learn about:
Assessing Social Engineering threats
Thinking like a social engineer
Considering attack frameworks (SEEF)
Reviewing the methods of manipulation
Identifying the countermeasures against Social Engineering
How did you come up with it? Was there something like an initial spark that set your
mind on creating this talk?
As a senior security professional I am working with many clients. International, local, governmental, defence
clients in highly sensitive settings (political or regulatory). For my clients I am always going the extra mile or
two. Some of them experienced highly sophisticated spear phishing attacks and attempts of industrial espionage.
In order to address these types of attacks I started to collect best practices and methods for dealing with Social
Engineering in its many facets, and eventually I wrote a book about it. I realized I couldn't address all my clients
at the same time and I also felt that the problem of Social Engineering is systemic and grossly underrated even
by security professionals. Out of this I decided, with my partner in Germany, to write the Social Engineering
Engagement Framework (SEEF) – FIRST CUT book, which is available as paperback and ebook. With this
book we want to raise awareness among all stakeholders who have to deal with it, for Social Engineering is one
of the most dangerous APTs. We will give away free ebooks to the participants of DeepSec 2016.
Why do you think this is an important topic?
Let me try to explain the importance of the threat of Social Engineering with an analogy. Think about this
asymmetry for a second:
Machines like personal computers, devices and mobile technology have their established defense mechanisms,
ranging from the standard mechanisms like user ID and Password to role based access and highly sophisticated
security technology like intrusion detection systems, malware detection, data leakage prevention, etc. Of course,
as we all know, these mechanisms are not perfect by far. At conferences like DeepSec we continually get
reminded of their failings and possibilities to circumvent those security mechanisms. But, people like you and
me have no sophisticated security technology whatsoever readily available to help to protect themselves from
being hacked.
If you think about this analogy, how important do you think this topic is? For me this is the reason why I
believe Social Engineering is one of the top subjects to work on. Of course working on the technical side to
improve your security posture is unquestionably important. But when it comes to Social Engineering there's a
vast security gap yawning all through the corporate world and it's high time to deal with it.
Is there something you want everybody to know - Some good advice for our readers
maybe? Except for "Come to my talk."
Of course "Come to my talk". I mean not just "Come to my talk" - If you just come to my talk and treat it as a
filler then you better go out and have a coffee, talk to your partner, or write some e-mails. If you are not
convinced you will learn something, then have a piece of Sacher cake at the Hotel Sacher. It's delicious. But join
my talk if you want to learn, cause even as a pro you might learn something, in the worst case just about the
crowd joining social engineering talks ;-).
From my side I will give everything. I love information security and Social Engineering. Come and join me if:
You are a Social Engineering nerd and want to get insights on some of the latest concepts and
developments in Social Engineering.
You have to integrate SE into your risk framework.
You are seeking advice from Social Engineering consultants and you want a more robust risk framework
for scoping.
You are curious about Social Engineering.
You want to become a professional social engineer.
Don't join me if:
You are looking for one-to-one instructions.
You expect a totally finished and polished, politically correct speech. I am rough, it will be incomplete
and probably biased.
You are a superstar social engineer and resistant to learning or advice.
You are a know-it-all.
A prediction for the future - What do you think will be the next innovations or future
downfalls when it comes to particularly your field of expertise / the topic of your talk?
Unlike in the past, Social Engineering has become an engineering discipline with precise tools, selected
dynamic approaches and execution plans. This makes it also so damn hard to define counter-measures against
SE attacks on the receiving end. You really never know where you could get hit next.
Based on this my prediction for the future (I am already working on this) is the combination of the Internet of
Things (IoT) and Social Engineering.
I'm thinking of IoT and the whole advancements in technology. Wearables and insideables combined with
Social Engineering offer endless potential for very serious, even life-threatening scenarios.
In the hyper-connected future, we already have seen a proof of concept for this type of attack. I am referring to
the attacks based on the augmented reality app Pokémon GO. Pokémon GO is not only about searching for
Pokemon, it includes also PokeStops and is basically one big hunting game.
PokeStops are places of interest or other hotspots located in your actual community. They can be buildings,
monuments, public art, etc. You must walk about your town or city, find these PokeStops, and pick up the
special items they spit out in order to advance in the game.
As you can imagine, the game, respectively the hunt based on your mobile phone, has already been linked to injuries,
bad driving and opportunistic robberies. People don't watch where they go, they drive into other cars, overlook
traffic lights or fall down stairs.
And there have been reported cases where these so-called PokeStops have been hacked and misused in order to
steal Pokemons or change rankings of players. With fake or hijacked PokeStops you can practically 'lure' your
victims into traps and direct them wherever you want them to go. It appears the safeguards of the players are
completely off when playing Pokémon GO.
This is a current example.
If you now extrapolate this to the world of IoT, where millions of actors, sensors and devices are
communicating over low security networks then you can imagine what could happen in the future.
For example:
Just imagine your insulin is low and your wearable will detect this. It will also inform you about the nearest
location of a pharmacy, hospital or doctor where you could get some insulin. As a diabetic, for a while you
might just endanger yourself a little and reset the respective alarm, but at some point you have to go and fetch it.
Just imagine that Insulin has become rare and expensive. The organ transplant mafia has gone cyber. They
create a business model for selling original medication to rich people. Hackers installed malware on IoT
endpoints and collect the communication of health wearables. Within minutes your location is determined and a
capture team will rob you of your insulin. Far-fetched, I know…
What will be connected to IoT?
Check on the baby
Remembering taking the medicine
Activity tracking
Smart home (heating, cooling, electricity, treating your water)
Intelligent traffic management systems
Waste management systems
Smart parking-space management
Internet-managed assembly lines
Snow Level Monitoring
Forest Fire Detection
Chemical leakage detection
Are these all topics where you don't mind low-level security?
Dominique C.
Brack is a recognized expert in information security, including identity theft, social media exposure, data
breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-
performing professional with outstanding experience and achievements within key IT security, risk and project
management roles, confirming expertise in delivering innovative, customer-responsive projects and services in
highly sensitive environments on an international scale. Mr. Brack is accessible, real, professional, and
provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be
counted on to capture attention, and – most importantly - inspire and empower action.
Posted in:Conference,Security | Tagged:APT,DeepSec,IoT,PokemonGo,Social Engineering,Talk | With 2
comments

  • 3. SE attacks on the receiving end. You really never know where you could get hit next. Based on this my prediction for the future (I am already working on this) is the combination of the Internet of Things (IoT) and Social Engineering. I'm thinking of IoT and the whole advancements in technology. Wearables and insideables combined with Social Engineering offer endless potential for very serious even life threatening scenarios. In the hyper connected future, we already have seen a proof of concept for this type of attacks. I am referring to the attacks based on the augmented reality app Pokémon GO. Pokémon GO is not only about searching for Pokemon, it includes also PokeStops and is basically one big hunting game. PokeStops are places of interest or other hotspots located in your actual community. They can be buildings, monuments, public art, etc. You must walk about your town or city, find these PokeStops, and pick up the special items they spit out in order to advance in the game. As you can imagine the Game, respectively the hunt based on your mobile phone has already linked to injuries, bad driving and opportunistic robberies. People don't watch where they go, the drive into other cars, overlook traffic lights or fall down stairs. And there have been reported cases where this so called PokeStops have been hacked and misused in order to steal Pokemons or change rankings of players. With fake or hijacked PokeStops you can practically 'lure' your victims into traps and direct them wherever you want them to go. It appears the safeguards of the players are completely off when playing Pokémon GO. This is a current example. If you now extrapolate this to the world of IoT, where millions of actors, sensors and devices are communicating over low security networks then you can imagine what could happen in the future. For example: Just imagine your insulin is low and your wearable will detect this. 
It will also inform you about the nearest location of a pharmacy, hospital or doctor where you could get some insulin. As a diabetic, for a while you might just endanger yourself a little and reset the respective alarm, but at some point you have to go and fetch it. Just imagine that Insulin has become rare and expensive. The organ transplant mafia has gone cyber. They create a business model for selling original medication to rich people. Hackers installed malware on IoT endpoints and collect the communication of health wearables. Within minutes your location is determined and a capture team will rob you of your insulin. Far fetched I know… What will be connected to IoT? Check on the baby Remembering taking the medicine Activity tracking Smart home (heating, cooling, electricity, treating your water) Intelligent traffic management systems Waste management systems Smart parking-space management Internet-managed assembly lines Snow Level Monitoring Forest Fire Detection
  • 4. Chemical leakage detection Are this all topics where you don't mind low-level security? dominique-c-brack Image not found http://blog.deepsec.net/wp-content/uploads/2016/10/Dominique-C.-BRACK.jpg Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top- performing professional with outstanding experience and achievements within key IT security, risk and project management roles, confirming expertise in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. Mr. Brack is accessible, real, professional, and provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and – most importantly - inspire and empower action.Dominique C. Brack on LinkedinDominique C. Brack on Xing.com Dominique C. Brack on Slideshare Posted in:Conference,Security | Tagged:APT,DeepSec,IoT,PokemonGo,Social Engineering,Talk | With 2 comments