Exploring Information Security


Social Engineering for the Blue Team

I am happy to announce that I will be doing a workshop at Converge and BSides Detroit this year. The conference is May 10-12 in Detroit, Michigan, at Cobo Hall. Tickets are currently available for this event. It's a great conference with some really great trainers and speakers. I am humbled to be a part of the experience again this year.

I decided I wanted to do the training on this topic, because I think it's something our industry needs. Building relationships is very important for security. It's what allows us to get buy-in from leadership, probably the most important factor in setting the tone for security at an organization. It's also what allows us to more easily get security implemented from a compliance and technical standpoint.

I tried submitting this idea to some conferences (DerbyCon) at the end of the year last year. I wanted to avoid the use of the term social engineering, because I saw it as a sexy word. Something the red team only did. I didn't get any traction on the idea. I had a really long title. Something like, "Building relationships to get more security blah blah blah (boring!)."

After I read Chris Hadnagy's book, Social Engineering: The Art of Human Hacking, I realized that it's more than just a red team activity. In fact, Wikipedia has multiple entries on the topic. It's not just security focused. It's also political. Reading the book, it's even more than that. Sales and marketing people use social engineering. In fact, we all do it, to varying degrees. Some better than others. The book is focused on red teaming for social engineering. A lot of those concepts, though, I could easily apply and even provide examples of doing on a day-to-day basis.

Maybe I should back up for a moment and explain what I do. I sit with a development team. I don't sit with the security team. I am their security resource. I liaise security needs to them and development needs to security. The role has expanded to working with multiple teams and multiple departments. A large part of that is because I seem to have a knack for getting along with people. And that's because I apply a lot of the social engineering techniques that red teamers use to break into a building or network. I never truly understood why until I started studying social engineering.

That has resulted in me not only understanding the why, but also how I can be even better at what I do. I would like to share that with the infosec community. I think we can all be better at interacting with other departments. I think using these techniques we can get even more done. We can reduce frustration and stress. We can have more opportunity to talk about security and influence others into a more secure mindset.

I've submitted this topic to multiple conferences. I was accepted as an alternate for BSides Nashville (tickets go on sale February 14, 2018). I'm waiting to hear back on others. In the interim, I've started working on my slides and training. I plan to use the podcast and this blog as an opportunity to get my ideas and thoughts out of my head. Feedback is encouraged either in the comment section below, on Twitter, or by email (timothy[dot]deblock[at]gmail[dot]com).

This blog post first appeared on Exploring Information Security.