Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own Blog and Podcast called Advanced Persistent Security. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone.
Phishing: It’s Not Just for Pentesters - Using Phishing to Build a Successful Awareness Program
1. Phishing: It’s Not Just for Pentesters
Using Phishing to Build a Successful Awareness Program
2. Intro
www.hackerhalted.com 2
• Enterprise Security Consultant at Sword & Shield Enterprise Security
• 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
• Served in the US Navy, Navigating Submarines
• Holds the CISSP-ISSMP, GSNA, and GCIH certifications
• Frequent Guest Blogger
  • AlienVault
  • Tripwire
  • ITSP Magazine
  • Sword & Shield’s Blog
• Maintains blog and podcast at https://advancedpersistentsecurity.net
• Trains (spoken taps out a lot) in Brazilian Jiu Jitsu
4. Goals
• Open Source Intelligence (OSINT)
• Social Engineering
• Pretexting
• *ishing (Spear phishing, Vishing, and Smishing)
• Whaling
• Baiting
• Dumpster Diving
• Applied Social Engineering
  • OSINT in enabling more effective social engineering
  • Tools and Techniques for collecting OSINT
  • OSINT and Social Engineering integration
  • Mitigations of Social Engineering
  • Training of Teams
5. What is Social Engineering?
• Human Hacking
• Exploits the human factor and often bypasses technology and expensive equipment
9. Psychology of Social Engineering
• Everything goes back to Dr. Cialdini’s 6 Principles of Persuasion
1. Reciprocity
2. Commitment and Consistency
3. Social Proof
4. Liking (Likability)
5. Authority
6. Scarcity (Urgency)
10. Application of Social Engineering
• Social Engineering aims to influence the users to:
  • Provide some sort of data (ideally, sensitive data)
  • Tell us something that is not online and readily available
  • Tell us who could do something or tell us more (give us better targets)
  • Tell us about the operating environment and issues within
  • Perform an action
    • Clicking a link
    • Making a change to the firewall rules
    • Open an email
11. What is OSINT?
OSINT is drawn from publicly available material, including:
• The Internet
• Traditional mass media (e.g. television, radio, newspapers, magazines)
• Specialized journals, conference proceedings, and think tank studies
• Photos
• Geospatial information (e.g. maps and commercial imagery products)
21. SE and OSINT Relationship
• They share similar properties in terms of human psychology
• OSINT can be used to build a dossier or profile about a SE target
  • This can provide context for the contact
  • Better pretexting
  • Better (spear) phishing
  • Better “other” technical stuff like password guessing (or even passwords)
27. Is this one and done?
• Several rounds may be required.
• You may find something interesting towards the end that causes you to look at everything again from a different angle.
28. Collection Considerations
• What is the Endgame?
• Is what you’re doing ethical?
  • Do you have an ethical obligation to do this a certain way?
• Is this legal?
  • Does the state that I am doing this in require Private Investigator Licensure?
• I have collected all this data, how do I protect it?
  • How long do I retain it?
  • How do I dispose of it?
  • What value could be assigned to it?
29. Weaponizing OSINT
• We can’t be like the South Park underpants gnomes…
31. Contact Me
Social Media
• Twitter: @C_3PJoe / @advpersistsec
• LinkedIn: linkedin.com/in/billyjgrayjr
• Facebook: facebook.com/joegrayinfosec
Email
• jgray@advancedpersistentsecurity.net
• bjg@swordshield.com
Blog and Podcast
• advancedpersistentsecurity.net
Podcast is also on iTunes, Stitcher, Google Play, and other fine platforms
32. Future Speaking Engagements
October 17-18: EDGE Security Conference, Knoxville, TN
October 20-22: SkyDogCon, Nashville, TN
October 26-27: Lone Star Application Security Conference (LASCON), Austin, TX
November 11: Bsides Charleston, Charleston, SC
November 15: Metro Atlanta ISSA Conference, Atlanta, GA