
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
DC30 Vishing Competition Black Badge winners Team Spilt Beans
Vishing is happening constantly. Understanding what vishing is and being able to spot these tactics will help protect your information. The Audit presents three guests who won the DEF CON 30 Vishing Competition black badge. These guests are here to discuss their experience at DEF CON, as well as their knowledge on vishing. Join us to learn more. #itauditlabs #vishing #scam #security
Special Thank you to the DC30 Vishing Competition Black Badge Winners
Team Spilt Beans @_jacoff, @bngrsec, @_seahop
Shout outs to the entire Defcon community with special mentions
@SEC_Defcon, @JC_SoCal, @_snoww, @_corge
You're listening to the Audit presented by IT Audit Labs.
Mandi Rae: Hello and welcome back to the Audit by IT Audit Labs. Nick and I are very excited today to welcome guests from Team Spilt Beans who won the DEF CON 30 Vishing Competition Black Badge. Please help us in welcoming to the show Jennifer, Matt and Sean. Hi guys.
Jennifer Isacoff: Hi, thank you so much for having us.
Mandi Rae: Thanks for being here. Jennifer, do you want to kick off introductions?
Jennifer Isacoff: Yeah, that sounds good. So, hey, I'm Jennifer, otherwise known as Jacoff, and I was the team captain of Spilt Beans from DEF CON 30. I've been practicing social engineering for about 10 years now, and you can follow me on Twitter at underscore Jacoff, J-A-C-O-F-F. And with that, I'm going to pass it over to Matt.
Matt Probst: Hey, yeah, hey, I'm Matt Benkert. I've been pen testing for about three years and I've been in security, defensive side, for probably five years before that. Relatively new to social engineering. Kind of, Jennifer forced me into the competition. I'm just kidding, but yeah, that's about it. My Twitter handle is at BNGRSEC, bangersec. Sean.
Sean Hopkins: Hey, I'm Sean Hopkins. I've been in security for about 10-ish years now. I'm a red team lead over at a Fortune 50 company and I like to social engineer. I did break-ins and stuff like that in the past, and you can find me at underscore Seahop, S-E-A-H-O-P.
Mandi Rae: Great. Thank you so much. We're very excited to have you here. So let's dig in and let's talk about DEF CON 30. It was this past August in Las Vegas. Was this your first DEF CON?
Jennifer Isacoff: Yeah, so for me this was the first DEF CON I've ever been to, which was pretty exciting to walk away with a black badge. I'm going to say it was definitely unexpected. I know, Sean, I think you'd been there before, right?
Sean Hopkins: Yeah, I've been to one previously, I think 2018.
Matt Probst: Yeah, it was my third DEF CON.
Mandi Rae: So this one, did it blow your mind? I was very impressed by the production. The previous year, with the pandemic, it felt a little bit smaller and intimate, being in a hybrid, both virtual and on site. So this year I was so impressed with the graphics, the music, the parties and all the different tracks you could take.
Jennifer Isacoff: Yeah, I had an amazing time. I know I don't have anything else to compare it to, but I do want to give a shout out to the Social Engineering Community's founders, JC and Snow, and the Twitter is at SEC underscore DEF CON, but I mean their whole community was executed flawlessly, as if they'd been doing it for years and years.
Mandi Rae: It was amazing. I'd agree with that. The experience and being in the social engineering area was so exciting. Just to set the stage for people listening, you walked into a large meeting conference room, it was dark and you actually got to watch the competition live. Tell me more about the competition. How did you guys decide to enter, what did that look like? And then, what was the actual experience of vishing people live in front of a huge audience?
Jennifer Isacoff: Yeah. So I'll say it was not a last minute decision to apply, but I did definitely strong arm these other two guys, Matt and Sean, into joining me because I was a little intimidated to do it by myself initially. But we made a YouTube video as per the requirements of the admission and were selected to be one of the competitors, which was really exciting. From there, we had a few different requirements and different sections of the competition. The first stage was that the judges slash contest organizers would give you a company, so every single team received a target company, and that was basically all they would give you, just the name of the company and that's it.
Jennifer Isacoff: And from there you had to put together a report that included a series of objectives that the contest organizers identified ahead of time, and this could be things like what operating system does the company use? What's the name of their shredding company? It's a large variety of objectives, but you put those together in a report, you submit it to the judges and you also create a list of phone numbers and targets that you would like to call for the live calling section of the competition, which happened actually at DEF CON. So, aside from that preparation work, then it brings us live to the DEF CON portion, where we had a soundproof booth, which was so incredibly helpful given the amount of people that were there in the room, in which you'd place live calls to the people you had previously identified and hope they answered so that you could give them your pretext and get even more objectives. Does that make sense?
Mandi Rae: It does, and it sounds incredible.
Jennifer Isacoff: Oh my gosh, it was so much fun.
Nick Mellem: Yeah, that's a question for Matt or Sean. I'm also curious what your prep work looks like as far as tools go. What kind of OSINT are you using? Do you have any goals? Are you trying to get something specific for that report, or what does that look like?
Sean Hopkins: To some degree. Actually, Matt had a novel find, I think, for the entire engagement, like amongst all the teams. Actually, Matt, you want to go ahead with your DNS thing you found?
Matt Probst: Yeah, I found, one of the requirements was to determine what antivirus the target company was using via OSINT, which is kind of hard to do. I believe it comes standard in Kali Linux that you can actually recursively search a company's DNS servers for specific AV vendor strings, and then it kind of put together an assumption that, oh hey, there's lots of hits on McAfee-owned domains, they probably use McAfee. That was one of the more fun ones to get.
Jennifer Isacoff: Yeah, and I do want to say I forgot to emphasize the fact that in this entire competition, we were only allowed to use open source intelligence, otherwise known as OSINT gathering, in order to obtain all this information about our target company. We were forbidden from having any direct contact with the target company, which includes things like calling them, emailing or physically visiting or otherwise communicating with them in any manner aside from the passive OSINT, ahead of the live calling competition that happened at DEF CON.
Sean Hopkins: So, and Matt's technique was probably my favorite and definitely the coolest from my perspective. Sean, yeah, so the rest of the stuff that would go into a normal pen test, like looking up subdomains and things like that, didn't really apply to this competition, which was unique for me, because that was always part of it, like hunting for bad certs or subdomain takeover type of things. But this was purely a phone call, which, you know, the normal pen testy type of searches don't, you know, always equate to this type of competition.
Mandi Rae: And this is why I'm fangirling so hard over having the opportunity to have you guys on this podcast. This is epic to hear what you were able to accomplish and the methodologies you used.
Jennifer Isacoff: Yeah, thank you so much. About the methodologies, actually, one of the judges, Chris Kirst, wrote a really cool article about, I guess, every single OSINT technique that was used by the various competitors in this competition, and I'll send you that link. But it's definitely a really cool read.
Mandi Rae: Great, thanks for sharing that. We'll also include that for our audience so they can check it out.
Nick Mellem: So you guys created the YouTube video, you created this report. You haven't had any contact yet with your company. And then the next step, you show up to DEF CON and then you start making phone calls. Can you jump into that a little bit, what that looks like? Or do you just go up on stage? I wasn't there, so I'm really curious about how this is looking.
Jennifer Isacoff: So this is a good time to say that the judges this year gave us a huge twist, which ended up being super fun. We didn't know it at the time, until we arrived to DEF CON, but actually, so I think there's a total of 16 teams. Matt and Sean, do I have that right?
Jennifer Isacoff: Yeah, that's right, and there were only a total of eight target companies, which means that two teams had the same target company, and we didn't know until we arrived at DEF CON. And so what they ended up doing is a live coin toss, kind of akin to football, with the two team captains or team members, to flip a coin to see who had their section first, so who could make their live calls first. And this was really important for two reasons, one being the time of day. So the time that we were making our call just happened to be around 5 pm on the East Coast on Friday afternoon, and so it was either going to be like 4:30 pm or it was going to be like 5:30 pm, and so we didn't know when our time zone was going to be based on this coin toss. And another reason why this is super important is because we don't know if our opponent has the exact same numbers that we found, because, you know, the DEF CON organizers didn't give you any people to call directly.
Jennifer Isacoff: This was all in your lane to figure out who you wanted to call and identify them ahead of time. So there was a potential that, you know, the other team also found the same list of people that they were going to call, and if they call them first and might spook them, then it kind of messes up. It would mess up the potential for us. So that was a really fun twist to find, and I know I didn't want to go up and do the coin toss.
Mandi Rae: I was trembling and honestly, I have goosebumps for you, even though we know how this ended. Just the way you're setting the stage, like this is already a big enough beat. But then to be sharing, and then have the time zones to contend with. Holy buckets.
Jennifer Isacoff: Yeah, Sean, do you want to walk through what that was like?
Sean Hopkins: Yeah, yeah. So I fell on the sword for the coin toss and lost it for our team. And then the guy who won the coin toss, he went first, of course, because end of day, you definitely want to kind of get a better time. And thankfully he went through his sales pitch type of campaign, and luckily none of his phone numbers lined up to ours, but he didn't have many people pick up. So in our minds I'm like, oh man, what if no one picks up? I mean, they're already not picking up for him. That could possibly be what happens to us the entire time. Luckily it didn't turn out that way.
Mandi Rae: And how does that not shake your confidence? I think that's one of the ways I'd say you guys are incredibly resilient and masters of your craft. You had all these other things outside of the competition to contend with and you still nailed it.
Sean Hopkins: The trick is to go with zero confidence.
Mandi Rae: Great approach. I like that.
Matt Probst: One of the things that definitely helped us while he was on his call and we were waiting kind of off to the side is we had our list of, oh, I don't know, 20, 25 phone numbers, and one, we were checking every phone number he called. You know, we were trying to highlight on our little clipboard if he called it. But also Jennifer and I were sitting there and calling our numbers, and if they were to answer we would immediately hang up and then highlight it or circle them and say, hey, these people answered. We'll call these people first because we know they might answer again. That way we didn't want to waste time kind of going down the list top to bottom, if that makes sense.
Mandi Rae: That makes a lot of sense. Good strategy and amazing teamwork to be doing that. Really, you said you fell on the sword with the coin toss, but I think you made that opportunity work to your advantage where most people would have felt pretty defeated.
Sean Hopkins: It did work out with how it worked out. But also, you know, having to watch someone, you know you watch that time click down, you know, and it feels like it takes forever on the outside, especially when you're next and all you can see is it getting closer to five o'clock on a Friday. And, you know, just kind of had to get over that part of it, but that hurt a little bit.
Mandi Rae: I can only imagine. Did you want to give us more about that?
Jennifer Isacoff: I mean I will say, as Matt and I are standing off to the side, kind of behind a panel waiting, he was like walking me through breathing exercises. I mean I cannot emphasize how nervous we all were going into this, but once you walked into the soundproof booth it was honestly like your own little oasis. It truly was soundproof, and JC and Snow are absolute geniuses for having that component in there, because one second you had a room with over 100 people in it and then the next you really could get into the zone pretty easily, and that was awesome.
Nick Mellem: Well, what, that's... I did not know you were in a soundproof room. So you go into this room. Are you able to see out? Or are you kind of segregated from the world and then people are just listening to the call, or how is that working?
Jennifer Isacoff: Yeah, so it was, if you picture it, it was off to the front left of the room and it was facing the back of the room, but it was off to the side, so you didn't see the crowd through the window. What you're looking at is a person they have for actually placing the phone calls, part of the Social Engineering Community staff. And so, from our perspective, when Sean and I first walked in, really we could see Matt and the staff member that was helping us place our calls, and you can't hear anything aside from the headset that they give you, and they could speak directly to the staff member, but outside of that, it's nothing.
Nick Mellem: Yeah, that's really cool.
Sean Hopkins: You can hear some of the crowd, though, when you get a flag and it goes and the room will erupt, and you can hear just the faintest little, like you know, in the background, like through the doors, but it's not much.
Nick Mellem: OK, so you go into the booth with your objectives that you're going to be judged on, or what? Can you speak on that a little bit? I'm just curious on how this is actually judged and, like, what objectives you're actually looking for to get points.
Jennifer Isacoff: Yeah, so I had a list of the objectives all out in front of me.
Jennifer Isacoff: So there is an overlap between the objectives that they required for the report ahead of time and the objectives that you were going to obtain during the live calls, but there were slight differences.
Jennifer Isacoff: A fun part, I think I would say they introduced new this year, is the ability to have wardrobe changes, and you can also use background noises, and things like that would get you extra points from the judges. But so in addition to the objectives, it was, you know, the number of pretexts you used per phone call, any background sounds, wardrobe changes. For example, Sean and I went in first, into our booth first, and I was pretending to be an IT intern. So, you know, I wore jeans, a funny IT catch shirt I think I had, and I actually made a fake badge for our target company based on our OSINT, knowing what their badges look like, with my name on it and my photo, and let's see what else. I think I had a fidget spinner as well, so things like that. And then I could speak to also just the general objectives that you get from on the call if you'd like.
Nick Mellem: Yeah, absolutely. Please.
Jennifer Isacoff: Yeah, so there's a list of, I think, 29. But there are things like, do they work from home or the office? Do they take social engineering training or security awareness training? Do they have security guards? If they do, what are their hours? What's the Wi-Fi SSID name? What VPN do they use? What operating system do they use? I mean, there is a large variety to these questions, which is particularly difficult, because you have to find a pretext that can fit the most amount of information possible in there.
Nick Mellem: Yeah, that's, talk about stressful in front of the crowd and then going through that. Man, I would have been with you. I'd need those breathing exercises.
Mandi Rae: I was going to say you guys, straight up, sound like Superman. You've got wardrobe changes, you've got your OSINT badge stuff put together. So how did those things come into play? When you get someone on the phone, what types of methodologies did you use to get them talking?
Sean Hopkins: So what I found that worked was, so there's a couple parts to leading up to this. So we did a lot of work leading up to, you know, DEF CON. There's like homework assignments, more or less, along the way and reports that were due, so you had to come up with pretexts, which Jennifer covered. There's also a whole nother report that we do, with some information in it, that kind of shows that we're not just slacking off, and it's worth some points as well.
Sean Hopkins: The thing that worked out best was the amount of work put up front. Instead of asking someone what their antivirus is, getting them to confirm their antivirus is a better way to get a response from them. So, for example, like, hey, you know your computer has McAfee on it, right? Blah, blah, blah, and they're going to say yes. Versus, like, oh, you know, if you had to approach it as, hey, what antivirus do you use, that's suspect. You're not an insider, right? You're someone that doesn't know. If you confirm to them that they should have this installed, a yes from them will get you points quicker than trying to pull a thread from them that they might not feel comfortable giving you.
Matt Probst: Yeah, I think definitely to that point. I mean, pretty much, just to reiterate, pretty much every single flag that we got was just confirming what we had already found during our OSINT report. So, like, you know, first off you ask them, like, hey, your email address is this, right? And then they would say, like, yeah, this is my email address, and that's one of the flags. And then, like, okay, are you currently in the office, are you currently at home right now? Like, oh, I'm at home right now. Like, okay, that's another flag, and kind of go from there, walk through each step, you know, kind of confirming what we already found previously.
Jennifer Isacoff: Yeah, and I think one thing that really helped us, also new this year, is JC and Snow introduced a component of having coaches that were available to contestants, and so we met with Corge, and I'll give you guys her Twitter handle for after the show, and she offered to help us walk through our pretext.
Jennifer Isacoff: So we ran through our ideas for what our pretext might be, and she helped us pick which ones would be best, and emphasized the fact that you want to pick a pretext that will get you the most amount of information as possible, because what kills you in this competition is not getting people to answer the phone. Once you have someone on the phone, you need to make use of every single second you have them for. And when we were practicing actually my pretext, she gave an objection that I necessarily wasn't anticipating, but it helped me practice on the fly, and during the actual DEF CON live calling, I received that exact same objection from one of the callers, and so I was able to seamlessly just go through it because, you know, Corge and I had already practiced it. So that was also a really helpful component this year.
Nick Mellem: Yeah, I'm glad you actually brought that up, because that was actually part of my next question. You know, you're getting these people on the phone. Do you have any, how are you, what was your strategy to keep people on the phone? I know we've all made these phone calls, or a lot of us have made these phone calls before. You know, you get people that are super talkative, that maybe are willing to give up this information, and it's very natural, but then you get people that want to get off the phone and jump off. How did that work? Were you able to utilize any strategies to keep them on the phone, or what was your goal there?
Sean Hopkins: So with my phone call, I was the only one that got a little bit of pushback because of time of day. So my phone call was the last one, and it was definitely like someone just sub C level, right? So you can tell he's in a suit and ready to go home. So when I pick up the phone I said, hey, I need to ask you some questions about, you know, your computer or whatever. And then he's like, really man, like it's end of day, like he was not wanting to do this. And I said, perfect, it'll take just a few minutes. And then that was just kind of what led it on from that point, was just like, I swear this will only take like two minutes of your time and I'm out of here. You're the last person on my list.
Mandi Rae: I'm curious, when you guys are employing, like, overcoming objections and working with someone, like the mental game, are you playing a character? Like, how do you get yourself ready mentally to look calm and composed, to be within this role? Like, tell me more about that.
Jennifer Isacoff: Yeah, that's a good question. That's a very good question. I know a lot of people in the social engineering community, not specific to DEF CON, but just in general people that practice social engineering, really recommend doing things like improv. I've heard very great things about it. I personally never have, and so for me, instead of being in a character, I kind of, I go in by over preparing for everything.
Jennifer Isacoff: So the people who I called, I knew absolutely everything I could find out about them. I knew what their family life was like. I knew, I mean, all of it. I knew what their job life was like, based on their social media. And so I called people who are particularly wide open so that, you know, I could pivot to something like something we have in common or something that I know that they enjoy, to build more rapport, should I face some kind of hesitancy from their end. And that helps me feel more secure in the fact that, you know, I'm not going to bomb, because I have a lot of different backup avenues to go.
Nick Mellem: Yeah, research, rapport, building that relationship, establishing that trust. Congratulations on the black badge, guys, it's pretty amazing.
Jennifer Isacoff: Yeah, thank you so much.
Nick Mellem: How many phone calls did you guys make during the competition?
Matt Probst: Um, I think, Jennifer, you made two or three phone calls, that you took up most of the time with two people, and Sean, I think you made one or two as well.
Sean Hopkins: Yeah, I think I had one successful. Yeah, when it came down for me, I was going top to bottom on mine and I just was not getting hits. And then I was surprised when the person who picked up the phone picked up the phone. I was like, oh crap, like, um, I thought we were just going to wear out the time at that point.
Matt Probst: Yeah, I think we had, how much time was on the clock to begin with? Was it 25 minutes, I think, or 30 minutes? 25, yeah, yeah. And then by the time Jennifer's turn was done, we had all but like seven minutes left on the clock, I think. Sounds about right.
Jennifer Isacoff: Yeah, well, I mean, you guys are making it sound like I hogged the time. So what happened was...
Mandi Rae: I was going to say, it's because your girl killed it, yeah.
Jennifer Isacoff: Thanks, yeah.
Sean Hopkins: Well, what's funny is her second call was an accident to some degree. We were going to actually go round-robin, and her first phone call just killed, and then all of a sudden I realized it's my phone call. But to get the maximum points I had to do a costume change real quick, and it wasn't one, we didn't want to have downtime. So I said, hey, make one more call, I'm going to go change real quick outside, come back in. Except her next phone call, she killed it. So I mean, I'm like, I'm not going to tell her to stop, you know. So I hopped back in the booth and we kind of have our little back and forth, and then, you know, then it was leftover time, and that was then the last call I made after that.
Mandi Rae: That's incredible, and honestly, after being there, and seriously, when we say standing room only, this was one of the most popular events this year. I personally had gone in, watched in the morning, used the restroom and sat in line for an hour and a half to get back in the room. So even you trying to navigate a costume change, getting out of that room, out of your booth and back in such a short amount of time is just a testament to how prepared you guys were and just completely badass.
Jennifer Isacoff: Thank you so much. Yeah, it was so much fun.
Mandi Rae: Nick, should we transition from DEF CON and maybe just talk about social engineering in general?
Nick Mellem: I think that's a good idea. I had mentioned before that this is kind of something I'm really passionate about too, so I'm looking to pick your guys' brains on a few things. For example, when you're making these phone calls outside of the DEF CON competition, if you get somebody that's agnostic to the call, what kind of information can you still get from that person? Is that something you could just maybe ditch and hang up on, or are you staying with that phone call and trying to still get more information to maybe continue down the rabbit hole? What does that look like for you guys?
Jennifer Isacoff: Yeah.
Jennifer Isacoff: So I would say, specific to the DEF CON competition, if you get someone on the call, you need to use every single minute, and, you know, you never just hang up because it's a lost cause, unless it's truly a lost cause and they start to question you or they hang up themselves, because the odds of you getting another person aren't necessarily in your favor.
Jennifer Isacoff: Outside of DEF CON, and just in general for social engineering practices, I would say it's not always a lost cause for somebody who might seem as though they're disinterested. In fact, a lot of the times you can use that in your favor, saying things like, you know, it's only going to take a few minutes of your time, and then emphasizing whatever benefit it will be to them, because a lot of the times somebody doesn't want to be on the phone with you because they have other things to do. You know, they don't want to spend their time talking to somebody about something when they have 50 other things they have to do before they leave for the day. So if you can emphasize how it's going to benefit them to talk to you for five minutes, you can get them to give you more information than you probably would have gotten otherwise.
Sean Hopkins: And the biggest benefit to help you help them is to let them think they're helping you. So, like, don't make it seem like you want to bark an order. Pretend that you are some, you know, like they can help you with your task for the day. That was proving useful for Jennifer's pretext.
Jennifer Isacoff: Yeah, I was just a lowly IT intern and I needed to check a box, otherwise I'd get in trouble.
Nick Mellem: Yeah, so you're trying to create that relatability to them?
Mandi Rae: Yeah, and a sense of urgency for yourself and your own livelihood, especially as you guys were talking, and depending on what level of people you're engaging with. I think sometimes those who are in the most position of power are most empathetic to the lowly IT person and honestly just want to check this off their list to move on, and that's where we find our opportunity, right?
Matt Probst: Yeah, I think that's a good point. Jennifer, one of your pushbacks you got initially was, like, the guy said, hey, I just got a new computer, I don't know if I'm the right person. And you said, well, hey, you're on my list, do you mind if I ask you these questions anyways? That way, you know, you don't keep getting these phone calls, because you're just going to keep getting the phone calls. So that, you know, kind of helps him out so he doesn't get annoyed in the future, going forward.
Nick Mellem: Absolutely. Yeah, man, that's a great point. You know, I guess for the audience, you know, how should, how could we better train somebody at a company to, you know, spot somebody actually vishing them? Do you have any advice for a company? How would you train somebody? Is there anything that comes to the top of your mind?
Jennifer Isacoff: Yes, definitely. Sean, go ahead.
Sean Hopkins:We saw a few of the good practices happen during some of the other fishing engagements or fishing engagements. For example, someone called this person from a non-void phone right inside of their company, right? So they're getting a call from a stranger. And this person said, hey, let me look you up inside of our gal or our internal person lookup. And that was one thing that stopped that call completely was because the validation that that number and that person did not exist would have been just a complete standstill, right? So that would be a slight technical implementation plus a user's awareness type of implementation as well.
Jennifer Isacoff:Yeah, for sure. And so you know. I typically say, first and foremost, avoid answering calls from numbers that you can't identify. When in doubt, just let it go to voicemail and then you can't identify, when in doubt, just let it go to voicemail and then you can listen to the message carefully. But a lot of times it's not necessarily practical. Maybe it's part of your job to answer unknown numbers, for example someone in sales. So what I would recommend is pretending to be immediately busy and basically asking them for their callback number, asking them for their name and any other department or other information about them, and then hang up, say you're busy, you can't talk now and independently verify, so never call back the number that they actually give you.
Jennifer Isacoff:Go and research another, what it should be. So, for example, if you get a call from somebody claiming to be from your bank, what it should be. So, for example, if you get a call from somebody claiming to be from your bank indicating that there's a fraudulent charge on your credit card, you need to do X, y and Z to make sure it's remedied. You say, okay, what department you're calling from, what's your name, and then you have to go and you hang up and then you go to your credit card and you look at the number on the back of the credit card that's meant for fraud and you call that number on the back of their credit card. That's meant for fraud and you call that number. So never trust somebody who's calling you immediately you have to verify who they are and search independently for that information and, sorry, go ahead, sean.
Sean Hopkins:And to kind of tie into that, if there's a sense of urgency, it's probably fake.
Jennifer Isacoff:Yeah, I mean, you know, it can come in so many different forms. So scammers use things like deadlines, intimidation and, like Sean said, the sense of urgency. But they can also be very polite and confident in their way to trick you. And so if you think you're divulging too much information, you probably are, and just hang up. You can be polite to the person and say you have to go. But hanging up is your best option.
Jennifer Isacoff:And from a training perspective, I recommend you train users to recognize all different types of information that is potentially sought after by bad actors. And most people know not to give their username and password to their personal accounts to somebody over the phone. But they may not know that it's also bad to give away things like physical building access details, you know, your supervisor's name, the department. All of that can be useful information for a bad actor. But it's not necessarily innately evil. When somebody calls you and asks you that, it can seem very benign. So educating users on the potential use of that kind of information can be very beneficial to help them recognize if it's a phishing attempt.
Mandi Rae:This is all such valuable and good information. Those threat actors are trying to evoke an emotion, right? Oh yes, always. Well, your strategies are impressive. The award you won is definitely something to be recognized. Before we wrap up today, we are curious: what is the craziest story you can share on the record? Is it something in your professional life, social engineering, or doing it as a sport? Is it something from DEF CON? Does anything come to mind?
Sean Hopkins:Yeah, I guess I got some war stories, I guess.
Sean Hopkins:So I was on a red team that hacked, how can I say this, that hacked non-commercial entities, and so they would send us out into the field and we'd be playing war games with military, and one time I was a human relay to perform this hack over like a radio frequency.
Sean Hopkins:So I'm crawling through some grass and then all of a sudden I see like the camp of military, their lights light up, and I'm like, oh, I should probably get back to the car. I crawl my way back to the car and we're sitting in an SUV and all of a sudden a Hummer comes up right behind us, or, just not a Hummer, it's a, anyways, big military vehicle, bigger gun on the back, and all of a sudden just starts lighting up the place. We didn't know it was fake rounds. So we're sitting in the car with this giant gun behind us shooting and we thought we were just in the biggest world of trouble. Turns out we weren't, but we had to sit there for like 10 minutes while they had their war games go on and just be lit up by gunfire all around us. That's terrifying. It didn't take too long to figure out if they were fake rounds or blank rounds. The first few you're like, oh, that'll get this car.
Nick Mellem:Yeah, that's awesome.
Mandi Rae:That's a great story. I want to thank our guests: Jennifer, @_jacoff, J-A-C-O-F-F, Twitter handle; Sean, @_seahop, S-E-A-H-O-P; and Matt, @bngrsec, that's B-N-G-R-S-E-C, if you want to get a hold of them. You've been listening to the Audit and we thank you for joining us. If you want more information, please visit our website at itauditlabs.com, and we can't wait to chat with you guys again on the next podcast. Thanks, Team Spilt Beans. Great job this year. Thank you so much for having me.
Mandi Rae:Take care, guys. Take care.
Eric Brown:Want security leadership without the headcount? As an extension of the team, IT Audit Labs will provide the experts to guide and counsel your company. We will start by creating a custom security program that caters to your industry while providing transparency and remediation to improve cyber posture while reducing risk. Contact IT Audit Labs to find out more.