Speaker 1: 0:04

Welcome to the Audit presented by IT Audit Labs. I'm Joshua Schmidt, your co-host and producer. We have Eric Brown and Nick Mellon from IT Audit Labs, and we're joined today by Alith Dennis from Bishop Fox. Alith is quite prolific with her social engineering skills and pen testing, so that's what we're going to focus on today with her. Welcome to the show, alith. Thanks for joining us.

Speaker 2: 0:22

Yeah, thanks so much for having me. It's a pleasure.

Speaker 1: 0:25

Yeah, let's jump right into it here with an icebreaker question. I'll have Eric start, so you can think about it for a second. But who is your favorite action character or spy movie hero?

Speaker 3: 0:37

I got to go with James Bond yeah, and the original James Bond, sean Connery.

Speaker 4: 0:42

Like Thunderball and those from the 70s, I had a tough choice a little bit for this one, and I like how Eric brought up James Bond with Sean Connery because he's just classic in Indiana Jones, so that was a close one, but I have to go with John Wick, john Wick.

Speaker 1: 1:00

Yeah, I still haven't seen John Wick 4, but one of my favorite spy movies is Burn After Reading, which is a comedy by the Coen brothers who are out of Minnesota here, the Minnesota guys, but Brad Pitt, George Clooney pretty funny movie. How about you, alith? Do you have a favorite spy?

Speaker 2: 1:17

Man, that is a tough one. You guys came way more prepared than I did for this question.

Speaker 4: 1:22

He's feverishly Googling for this question.

Speaker 2: 1:27

It's feverishly googling. I am feverishly looking up options because I've drawn the biggest blank and I'm trying to figure out like, where, where do I go with this? I I love james bond, so I love that. But I always go back to like roger moore as the original James Bond. He is by far my favorite. But if I had to say like spy movies and going back to like spies that have influenced me, I would say like Mr and Mrs Smith. And Angelina Jolie in that role was just phenomenal and so very entertaining, just so enthusiastic in her portrayal of that character. It was just a lot of fun to watch.

Speaker 1: 2:09

I saw that at a drive-in movie theater fun fact. So we still have one of those here in Minnesota. Yeah Well, we'll jump right into talking about. You won the DEF CON Black Badge Social Engineering Capture the Flag competition in 2019. Can you share how that experience shaped your career or inspired you to pursue pen testing? And maybe you were doing it before then, but maybe you could give us a little overview of how you became a social engineer?

Speaker 2: 2:33

Yeah, absolutely. So. I was doing social engineering without knowing what it was or using those skills outside of the information security universe. And I found DEF CON, kind of later on in life, and I discovered the social engineering village and the competition, the social engineering capture the flag where, to put it briefly, they throw you into a soundproof booth and you are tasked with finding information ahead of the competition on a target company that you're assigned, and you have to find the phone numbers and come up with a compelling pretext in order to elicit specific items of information from the people that you are calling. And you have 20 minutes and it's timed and you're in front of an audience on a stage. It's like the most insane scenario, but that looked to me like the most terrifying thing. But I also felt like it would be a really great challenge for me to overcome a lot of social anxiety, and so I thought, why not? I'll apply, they'll never pick me. They picked me. And then I was like, oh no. So I went to compete in that competition twice. The first year I ended up in sixth place out of 14 contestants and I thought, oh, I might actually be okay at this. And so the second year, when I came back to compete, I won the contest and DEF CON bestowed upon me a seat in their Black Badge Hall of Fame.

Speaker 2: 4:08

After that, I gained a little notoriety for my efforts in social engineering and I decided that I may have a career in information security, doing social engineering, and at the time I thought social engineering was a job. It's not really's not really a job Like. You can't find a job title called social engineering anywhere. It's actually a really incredible skill that you can use in a variety of different industries doing a ton of different jobs, and prior to that I'd been using it in competitive intelligence and doing research and other non-information security type roles. So I was able to transition a lot of those skills and my experience in consulting into information security and I made that leap in 2020. And I've been operating in the consulting side of information security since then, doing assessments focusing on social engineering, but now in the assistance of the red team and furthering their activities during red team engagements.

Speaker 3: 5:18

What is competitive intelligence?

Speaker 2: 5:37

Essentially, gaining information on competing companies in your industry, or learn from them and do something different so that we can compete and have something more appealing to our target demographic, or go after a different target demographic, different sector of the market, so to speak, when we're positioning our products.

Speaker 3: 5:58

And when you started to go down the DEF CON path, even before you competed on stage at DEF CON did you have to enter regional competitions to kind of be able to even compete at DEF CON? So funny story.

Speaker 2: 6:15

There aren't really any qualifiers when it comes to the social engineering capture the flag.

Speaker 2: 6:21

It was something that I had watched at DEF CON a few years in a row and just been fascinated, thought there was no way that that was something I could ever do myself. And then one year I just figured, hey, why not? I'll apply. And I honestly did not think that they would select me. There were a lot of really wonderful talented competitors, contestants that I'd seen in previous years, and I thought, with only 14 seats it was highly unlikely that I would be selected. But I submitted an application. They asked me to submit a video essentially selling my personality, and, if we're being honest, this competition is sort of like the circus act that gets folks into that village at DEF CON so that we can all talk about social engineering and raise awareness for that attack vector in general. So I was able to compete at DEF CON doing social engineering and I made my very first social engineering voice phishing call live in front of hundreds of hackers on a stage in a soundproof booth in that village. Wow.

Speaker 4: 7:33

Talk about throwing yourself into the deep end.

Speaker 2: 7:35

Yeah, it was a little intimidating.

Speaker 4: 7:37

So you're OG.

Speaker 2: 7:38

I'm OG yeah, I'm also very old and crusty. I'm also very old and crusty. I'm very thrilled to see new energy injected into that space, and I've also met in attacks that are being perpetrated not just by the most basic spray and pray type scammy campaigns, but in the more advanced ones that are going after things like the large casinos and giant corporations.

Speaker 4: 8:29

I'm always curious when I talk to other people that are deep into social engineering. Like how do you prepare, you know, for an engagement? Is there a list of things that you're checking off before you get to that engagement? Is there a backpack of items you bring, maybe something that helps you with your social anxiety? Like, is there a couple different tools? It's like I can't, I can't go to this engagement without that.

Speaker 2: 8:51

So it is true I have like a ton of social anxiety just in general. I have ADHD and just am a. My baseline is filled with a lot of anxiety.

Speaker 2: 9:04

My baseline is filled with a lot of anxiety, so I tend to over-prepare and I tend to spend a lot of time coming up with pretexts. I typically base those pretexts on the research that I do when I do open source intelligence gathering against the target company and their employees target company and their employees. I try to find information about the specific job functions that I'm going to be targeting, what their processes are like, who their people are. I agonize over the smallest details and just try to have a lot of backstory.

Speaker 2: 9:38

In the event that I am challenged or the people that I'm speaking to have objections, I want to be as casual and make my answers seem as organic as possible. So just being overprepared is the first and most important thing Having answers for those challenges that seem like me recalling things from memory versus making things up on the spot. I want to look like a good liar, but as far as physical engagements, which are by far my favorite, I do not like to have like fidgety items or like pens click pens in my hand or anything like that, because it's going to make me look suspicious. So I try not to do that. But I will do things like hold clipboards or something to keep my hands busy, so I can add an extra layer of authenticity to the pretext in the prop, but also so I can add some stability to my presentation of myself to the person.

Speaker 4: 10:44

You wouldn't believe how far you could get with just a clipboard. We did an engagement this is a little while back but we our whole thing was at this organization big building. But we went in with fire department, uh polos on and, uh, a clipboard and we just acted like we were checking the fire extinguishers and not a single person questioned us. No, no problems, got everything we needed, got a shark jack in and we did all our fun stuff and we got out. So yeah, just your nod to a clipboard, it's.

Speaker 2: 11:16

It's amazing how easy it can be with that I have a van van yeah, I have a white, uh white, nondescript, like it, technician type, looking van uh, it's full of ladders and dewalt tools and all kinds of things that I can use for props yeah, it's a little ridiculous, but a ladder just in general. Nobody just carries a ladder into a building.

Speaker 3: 11:43

Have you ever gotten? Just totally busted. Oh yeah, then what did you do?

Speaker 2: 11:50

Oh man. So there is a very fine line to walk with clients, and sometimes you know you have to be collaborative, you have to be communicative. They need to know when you're going to be on site, they need to issue you letters to authorize the test, and sometimes information is leaked in organizations and you can't control that. Very unfortunately, sometimes this information that is leaked can invalidate the test, and what does that mean? That means the clients can cheat, and so this information can be disseminated to the very people that you are attempting to test, and usually I can tell if they're expecting me in big quotes, and in some situations it's a little harder to tell, so I never know if, when I am quote busted, if they knew I was coming or not.

Speaker 2: 12:44

And there was one situation where I had attempted to get a an individual who worked for my target company, my client, to scan their badge in order to let me go through a revolving badge door, because we were not allowed to use any badge cloning or any you know hacker stuff.

Speaker 2: 13:10

I'm redacting bad words in order to get into the building, and so we had to rely solely on social engineering in order to convince the employees to take pity on us and help us and get into the building. And so I was trying to convince the employees to take pity on us and help us and get into the building. And so I was trying to convince an employee to scan their badge let me go through and then they would be able to scan their badge for themselves to get into the building. And this employee was so close inches from you know their empathy, enabling them to be influenced to help me. They looked through the building glass of the doors and saw a security guard, thought better of it, backed out and kind of told me you know, I think you should go talk to security. And I was like, ah, and so I was like, yeah, no problem, I'll just walk around the front of the building and go talk to reception. I had no intention of doing that. I was going to run away.

Speaker 2: 14:04

So I casually started to walk. Doing that, I was going to run away. So I casually started to walk away. I was going to go walk the quarter of a mile around this giant building to the front and the security guard comes out of the building and motions for me to come back to where they're standing. And I was like this person is literally open, carrying a firearm. You don't say no.

Speaker 1: 14:22

Maybe we could take a little round robin and talk about some social engineering and pen testing experience stories. But just to back it up for our listeners that are a little more average like myself, what is social engineering or pen testing and how is it relevant to security in an organization? Kind of just the big picture. How does that fit into the the infosec world?

Speaker 3: 14:43

well, I do have a good story and does it involve umbral? Shorts uh this one does not, but it involves you, nick, and I hope you don't mind. Oh, not at all. Not at all, please. It also involves wild west hack and fest.

Speaker 4: 15:01

Oh yes, I know exactly where this is going.

Speaker 3: 15:05

I know you were there last summer. Were you there for a couple of days, Alif.

Speaker 2: 15:09

Yeah, I was just there for the conference itself. I arrived after the training.

Speaker 3: 15:14

Okay, so you're familiar with the steak dinner night here we go here we go yes.

Speaker 4: 15:22

It's just a setup. This isn't even.

Speaker 3: 15:25

For those who haven't been there, the steak dinner night. It comes as part of your ticket. You get access to have a steak dinner and essentially you're standing in a really long line, defcon-esque line, to get your steak dinner, which some of us on the team Alethe are vegetarian, myself, nick is not and so Nick and a couple other folks from the team are in line and apparently maybe not real happy with the size of the piece of meat that was offered to them.

Speaker 3: 16:03

So, what Wild West, hackenfest and Black Hills was doing was if you're a vegetarian, then they give you vouchers to go to the restaurant downstairs. So you know, I've got my voucher, I'm going down to the restaurant there. Um and so then Nick was like well, you know, maybe I'll pretend I'm vegetarian too and get the voucher.

Speaker 4: 16:28

I'm going to have to redact this story.

Speaker 1: 16:29

I'm cutting this story out of post-production.

Speaker 3: 16:33

After this we had to promote Nick to management because he had failed this M-Test. He couldn't even get a voucher for the restaurant downstairs.

Speaker 4: 16:47

They didn't believe he was a vegetarian I think I'll have to leave this one alone but it was a total setup, total sabotage.

Speaker 4: 16:55

We'll leave it alone client cheated thank you for having my back, elise, but actually staying on the note of Wild West is where I first saw you. We were all gathered around listening to your stories and the good ones and the ones that you failed being very transparent, and I think that's something I really appreciated hearing that sometimes it doesn't go the way you planned, even though you could have spent weeks or however much time planning it out, because I feel like I would do do the same thing. You know, you make that laundry list of what could go right, what could go wrong, what if he's sitting at the desk, what if he's not sitting at the desk? Or what you know, so you think about these scenarios. Uh, sometimes maybe being over prepared is bad, because then you're not on your feet.

Speaker 2: 17:40

If you over script it or you're over dependent on your script of the situation, it will always lead to a tough, tough, tough situation for you, because then you can't really pivot. You can't predict who you're going to run into or how they're going to react, what escalation pathway they're going to take if they challenge you right, um, it can lead to freezing up just the deer and headlights, which is just the worst.

Speaker 4: 18:06

Absolutely. And I guess, do you ever work with multiple people? Do you go or do you like to do these by yourself? Well, there you go.

Speaker 2: 18:15

Usually it's me and one other person on these engagements to make sure that the pretexts fit and suit our own natural personalities and particular set of skills, so to speak. Because if you are comfortable and confident in the pretext then you'll be a lot more capable when it comes to pivoting in the moment. So, for example, if you have a very robust IT background, then going in as a IT person that's potentially part of their vendor IT, it, msp may make sense. It, uh, itmsp, um may make sense. Um, if you used to work for a company that did HVAC, then hey, maybe you can draw on that skill from back when you were in your you know earlier parts of your career to position yourself as maybe somebody that's out there to work on the HVAC system or something like that.

Speaker 2: 19:25

And so we try to take that stuff into consideration also when we're developing pretexts and it's sort of like acting, you know you want somebody who's got experience in that type of role and that's why you see the same actors over and over and over as FBI agents in like every movie show, tv show or other type of thing, and it's because they've got that experience and they carry that type of persona really well. For me, I usually have to take into consideration unconscious bias, which I think is also a really fun angle when we're talking about social engineering, and it's also something that was brought up quite a bit in the comments section of a recent article that was written about some of the stories that I shared at Wild West Hackenfest, and it's like well, she's only successful because she doesn't look like a pen tester, and I'm like what?

Speaker 1: 20:18

What does a pen tester look like?

Speaker 2: 20:19

Can you paint me a picture? Go for it. I'd love to see you walk into this one, but it's tough for me to try to create pretexts for everyone on the team that makes sense for them. So I tried to focus on enhancing pretexts for myself and using that unconscious bias to my advantage.

Speaker 4: 20:48

I learned that same thing very early on in my social engineering career of play to your strengths right, the easy ones that you're saying.

Speaker 4: 20:56

right, you might not look like a fire marshal, Well we had an engagement at a hospital and we were cloning badges and first off we went to the cafeteria but, and after we completed that, we did clone roughly 12 badges, so fast forwarding past that. The next day we went back to try to do more infiltration, see where we could get with the badges. And my female co-part she dressed up as a nurse, whereas I probably wouldn't have looked like a nurse. So you know she did that and we were able to get so much further because nobody questioned her. So we played off each other's strengths and I did other things like a delivery guy right, get that UPS outfit or a maintenance guy or something like that where she would not have. You know, you see a smaller woman come in. Not that they can't do this, but they're probably not going to be doing heavy mechanic maintenance on an AC unit up on top of the roof or something. So absolutely, totally agree, that's something I learned early on.

Speaker 4: 21:56

Again, I want to go back to Wild West real quick and the only reason is because you know you mentioned before that you do a lot of training. Also, I think you worked with the Department of Defense a lot. Obviously, we heard you speak at Wild West and then also this breaches into after these engagements are done. Do you, you know, are you doing a lot of follow up, training, follow on for organizations? If you, if you are successful, you know what does that look like.

Speaker 2: 22:22

We are very specialized in the types of social engineering that we're doing. You know what does that look like of attacks using social engineering in the context of that red team style attack rather than in the support of a social engineering security awareness type exercise.

Speaker 4: 22:55

Well, especially with social engineering, it's widely overlooked, right. A lot of organizations. They don't even know they need to do it until a breach happens, right? We don't want to get to that point. So the outreach, teaching people beforehand right, is how we would love to see it happen. It doesn't always work that way. So, and funny enough, this happened to me at an organization yesterday where we had a real world phishing attempt where they they got an email and all of us on the call. You look at this email and want, don't even read a single letter or anything on this page and you know it's fake. Yeah, exactly, this person did click. They called the number from the PayPal receipt. After clicking, got connected to the machine. Luckily, crowdstrike knocked it out right away and we were able to isolate the machine. But I just bring it up because you know we're we love social engineering and it's not talking about enough. So, again, kudos to you for speaking at like Wild West and things like that, because all these people know about it, but we want to continue.

Speaker 2: 23:59

I find that, like in our industry, we're all sick of hearing about it.

Speaker 2: 24:02

We're like, oh please, social engineering, please stop, I don't want to hear about it anymore. Like there's so many talks about social engineering, there's so many social engineers, like it's enough, like let's hear about, like the real hacking. And so I hear that a lot. But I still walk into rooms and you know I'm a member of the InfraGard and I will walk into their symposium every year and I go who's heard the term social engineering? And still not many hands go up in the room and we're talking about people who are in charge of critical infrastructure in our local, of critical infrastructure in our local.

Speaker 2: 24:43

You know cities, counties and government, as well as private companies that do agriculture. They're in charge of our food, they're in charge of things like you know, our water and every other thing that's very important to keeping our society going. So I think that it is important that we continue to talk about it to keeping our society going. So I think that it is important that we continue to talk about it and that others continue to talk about it in places within our community and outside of information security, at other conferences and in the media.

Speaker 3: 25:15

You know what you say there about just the general awareness is interesting and I equate it to still being able to walk into a room and talk about the pineapple and even though pineapple has been around I don't know 15 plus years, but show people how it works and it's still like mind blown of something that's been around for so long and probably isn't even a viable attack path anymore. It's still interesting, where you kind of just step outside of security a little bit and you're not involved in it from the day-to-day perspective, that there's all this stuff going on in the real world that people really aren't aware of all of the things that could happen to them.

Speaker 2: 26:03

Right, I mean well, and you mentioned the pineapple. But this last week I had a client employee tell me that they had just recently gotten in trouble for plugging USBs into computers. But of course I could plug my USB into their printer and print something, no problem. And you know what this is.

Speaker 4: 26:30

Funny, how that works.

Speaker 2: 26:32

This is very much a rubber ducky.

Speaker 4: 26:36

I'm glad you brought up the rubber ducky, just because one of the questions I did want to ask is there tools that you prefer over others, or do you do you bring many tools so you know different events, um, or if you're able to speak to one tool that's kind of your favorite, that'd be fine. But I'm just curious what you use.

Speaker 2: 26:53

I typically love the rubber ducky because they're very small and I can carry a bunch of them and then just opportunistically put those places if I'm especially in a big office. I also love the OMG cables because they look so close to the real thing that we can swap out the actual charging cables for employees, especially in office buildings where there's like bazillions of cubicles and things. We can like take their cables and leave ours, um, and see if they'll, uh, allow us to compromise their things. Anyway, I know we're horrible people, so, uh. And then, on and above that, there's like some other devices that we can use in more, uh, niche types of situations, and sometimes we create these situations just so that we can use the fun stuff.

Speaker 2: 27:47

But there was an engagement where we were, I'm able to propose the use of the screen crab recently, and I just love the screen crab because it's just like such a silly device, but it can be used in very compelling ways. And so the hack five screen crab. What it does is it sits in line between a device and a monitor and it has the ability to capture images that are being sent from that device through the HDMI cable to the monitor. So it'll take screenshots, and so we set a goal of placing this device between the client's conferencing software and the monitor that was displaying their video conferences in their conference room, and we were 100% able to infiltrate the office, gain access to the conference room, implant that screen crab, get power off the TV and then have it come up. It connected to their corporate Wi-Fi network using credentials that we found in the trash, and then we were able to exfiltrate the screenshots of their meetings out over their wireless network for the rest of the week sensitive data from their meetings.

Speaker 3: 29:12

That's awesome.

Speaker 2: 29:13

They were thrilled that we were able to, because it gave them the ammunition, so to speak, to convince the executives to allow them to advance the security around these networks at that client and make the networks and the policies and procedures more secure at the client, the policies and procedures more secure at the client.

Speaker 3: 29:35

And you know, as I think about these tools and the innovations that we're seeing in the general marketplace, it's always fascinating to me to think about like well, you know, these things were probably used in the 80s by the CIA and other governmentored spy organizations, right?

Speaker 3: 29:54

So 40 years from now, it's going to be really exciting to see some of the tools, like where they're listening to the vibrations on glass, with lasers to be able to hear conversations, and you know all sorts of stuff. That's really hard to comprehend, but it does get down to the basics of helping organizations understand where their security posture is, and certainly if you're involved with critical infrastructure. However, if it's anything from trash handling to water, sewer, transportation, any of the sectors involved in critical infrastructure and I think there's like 16, rest assured, nation state is interested in what it is that you're doing. And if nation state took enough of an interest in your environment, they're going to bring to bear things that you haven't even seen yet zero days and whatnot. So having the discipline to prepare, test and continually improve the security in your environment is really important. So that's a great story to share. Just that. You know, the customer was that engaged and they wanted to bring that forward because that's absolutely relevant for certain industries.

Speaker 2: 31:23

Yeah, I like to jump in here Go ahead. I often compare myself to like the anger translator for the security team, and I don't know why, but typically executives will believe consultants, but they won't believe their own employees, and so I find tremendous joy in being able to deliver them what they need.

Speaker 1: 31:48

Employees are often the target of malicious actors inside organizations. What strategies or methods do you use to kind of prepare or train people to combat that threat?

Speaker 3: 32:00

I like to just start with the basics of lock your credit. If you don't remember anything else that I said, lock your credit and do that for your children, your loved ones, help your family members, your friends, whatever, because that malicious actress can't open credit in your name. That's going to save you a lot of headache down the road and just make you a little bit more secure. And then you know, from there we can go into password managers and other things. But I think it's just continual basic information that you can build upon and help people just be better stewards of their own information.

Speaker 4: 32:37

Yeah, I mean if we're working with specific organizations. You know, I think a lot of times we start or want to start by we pull back the hood a little bit, we want to see what they're already doing right, and then we can approve on that right, provide education and training on what they're already doing, right.

Speaker 4: 32:53

You, you know, and a lot of times that will help an organization because you have wide knowledge gaps between, uh, different people, right, you're gonna have some that know, you know, don't click on that email like we had yesterday and some that don't, right? So I think we can lean into that, you know, figure out a good starting point, a good baseline, and then provide education on what they're doing well and then move to what we're maybe not doing so well, the three strikes you're out for a phishing email, it's good because it can educate us on a specific user, but it doesn't necessarily help users that are maybe. So, a lot of times in organizations that I work with closely almost daily, we like to push for more in-person training, a little bit more talking head to show what we're seeing. So we're being transparent. There's a lot of things we could touch on, but those are a few.

Speaker 1: 33:45

So, alif, it's your job to kind of know that about organizations and then kind of work around it and poke holes in that. Are there tactics that you've seen that have been effective when you reach an organization to do a pen test and you go, oh, they really have their stuff together? Or you shared a story with me a couple of days ago about people that, other than whispers around the water cooler about hey, there's a pen tester coming in on Friday, what have you seen that's effective in kind of stopping those threat actors?

Speaker 2: 34:14

Same company. I was tasked with sending them a phishing email the week prior to try to elicit that Wi-Fi guest network password, and I spent a lot of time learning about their you know building landlord property management company and creating a fabricated multi-level thread of emails between this fictitious person at the property management company and a technician that was coming on site. It was a very compelling email, in my opinion. They received the email and they immediately routed it to the correct person who handled these types of requests. That person immediately responded and said you're not the person that I deal with at this property management company, Can you elaborate? And then they routed it to the IT and security person at the company, and that was exactly the right thing to do.

Speaker 2: 35:17

I was horrified. I was terrified that I was going to get you know filleted when I went to do the onsite physical the following week, and so what I learned from that is when the employees of our client organizations follow the proper procedure, nine times out of 10, they will block me from being successful, and the only chance that I have as an attacker against that as if I can somehow distract them or compel them to ignore that procedure and so, where companies can ensure that they don't fall victim to social engineering is training employees to stick to that process and procedure and to follow the company policies around authentication and verification, specifically Because the second that an employee starts asking questions, I know I am toast. That's great.

Speaker 1: 36:29

So we have talked quite thoroughly at this point about, you know, actual physical penetration tests and things like that. Um, now it's kind of moving over to some deep fakes. We know phishing's been around for as long as email's been around, but, um, what do you see the new threat landscape and how that's emerging? Um, and are you using any of those tools, uh, to do virtual pen testing and things like that?

Speaker 2: 36:53

um, instead of actually showing up and trying to get past my I have the cat that ate the bird grin on my face, because I've always said that the it guy is like the nigerian prince of voice phishing pretexts and you know, it's just like the tried and true voice phishing pretext. When it comes to red teaming in particular, I find most red teamers will fall back on that. Well, I'm just the IT guy and I'll just call them and tell them to give me their password or some such you know reformation of that pretext. And so, with the ability for us to create these very compelling audio and now video and audio deep fakes at Bishop Fox, we've been able to create real time deep fakes that we can use in the context of social engineering in our red team engagements, and it has taken things to a completely new and amazing place when it comes to our red team assessments and the engagements that we're performing right now.

Speaker 2: 38:10

This is something that I don't know where it's going, but it's going there really fast. There are a lot of organizations that are attempting to make this something you know, ready to go out of the box, tool wise, and that's really exciting to see things recently that are making this much more accessible to just the general public, as well as other teams that want to utilize this in the context of testing. But what we're doing right now actually enables us to make a phone call and use essentially what amounts to a voice changer to transform our voice into our client employee's voice in real time and have a conversation with another employee at the organization as if we are that person. And it is compelling, believable and very realistic and terrifying how realistic.

Speaker 4: 39:18

We're getting pulled into the future real fast and furious and there's not much we can do about that, but it's really cool to hear you guys are using that technology so, as we look towards the future 2025, it's a new year.

Speaker 1: 39:29

Are there any plans to be at wild west hackenfest this year or any conferences coming up?

Speaker 2: 39:33

Yeah, so I have some fun conferences happening. I will be presenting a keynote at CactusCon in February. I'll also be presenting a keynote at the Layer 8 conference, which is a conference focused on open source intelligence gathering and social engineering, in Boston in June. And then I still have some spots open on my dance card but I'm looking to fill those out for the remainder of the year. I will absolutely be at DEF CON supporting the DEF CON group's board and in the community there at DEF CON as well. But, yeah, still trying to figure out some other conference appearances, so we'll see how things work out.

Speaker 1: 40:23

Thanks so much, alith, for your time today. It's been really interesting hearing about your experience and some of your fun stories, and thanks for taking the time to chat with IT Audit Labs today. Anyone have any final questions or thoughts before we sign off for the day?

Speaker 3: 40:37

Yeah, I would just say, Leith, if you're ever in the Minneapolis area, hit us up and maybe we can figure out how to socially engineer Nick a vegetarian meal.

Speaker 2: 40:51

Thank you so much for having me. It was wonderful to chat. I really enjoyed the conversation.

Speaker 1: 40:56

Absolutely. You've been listening to the audit presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. Today we've had Eric Brown, managing Director, and Nick Mellum, and we've been joined by Alith Dennis from Bishop Fox. Thanks so much, alith. Please like, share and subscribe. We have episodes coming on every other week so you can find us wherever you source your cybersecurity infotainment. Check us out. Talk to you soon.

Speaker 3: 41:20

You have been listening to the audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact. Or all our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, joshua J Schmidt, and our audio video editor, cameron Hill, you can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, spotify or wherever you source your security content.