October 8

Event takeaway: Layer8 Conference


My key takeaways

HUMINT phrases to identify background characteristics

The great casino heist: key takeaways from my first big social engineering engagement

  • "get out of jail"-cards must be signed to work
  • career pages on websites may have some kind of maps from the site for orientation if someone comes for an interview
  • a suit, a clipboard and some confidence might bring you very far esp in a service industry
  • heist a casino without access to the cashier room? Get access to the CFO account with a phishing attack

Beyond Influence Techniques: Broadening your Social Engineering Skillset Through Psychology

  • 3 important pillars of human behaviour in SE
    • understanding
    • predicting
    • influencing
  • There are universal elements like "laws of trust" and individual elements like "beliefs" in understanding people
  • 4 domains of studying basic human make-up:
    • social psy
    • perception
    • cognition
    • biopsy
  • the halo effect is handy for SE: eg the dress may make you look trustworthy
    • works mainly through social learning
    • a coping mechanism to handle perceptions
    • this know how can also be used in creating persuasive sock puppet accounts
  • Makes you look trustworthy
    • look happy & relaxed
    • calm stead voice
    • look like you counterpart (tribal effect)
  • we have "behavioral script" for every environment
    • know them to blend in
  • with COVID there have a lot of lay-offs and new hires
    • employees may don’t know anymore who is allowed and who is a stranger
  • employee statements on company review sites may indicate for a SE who is esp stressed out, so an easier target as stress reduces analytical thinking
  • Attentional processes are the brain’s way of shining a light to what is relevant to the person and filtering out the rest.

  • 3 filters for our thinking outcomes:
    • experience
    • knowledge
    • emotions
  • a pause before speaking might indicating cognitive filtering
    • that’s why SE try to avoid space for thinking for their victims
  • "What’s in it for me?" is a great question to answer in a first encounter
  • emotions, stress and fatigue are created through hormones
  • these positive hormones like dopamine, serotonin and oxytocin are highly addictive
    • if you "like" someone, they are released and you don’t want to stop them eg by denying a request from this person
    • stress has the ability to rule over a lot of other priorities we might have
      • Fridays might be more dangerous to fall for an SE attack

Pivot, Pivot, Pivot!

  • start with a specific goal like the location, phone number, latest image,… not all you can find

Illuminating Maritime Supply Chain Threats using OSINT: A Suez Canal Post Mortem

  • the MV Ever Given (stuck in the Suez canal) is 218 Nicolas Cages long :rofl:
  • IMB Piracy & Armed Robbery Map 2021
  • The event shows how important shipping is for our world economy
    • maritime IT systems can be found via Shodan and are attacked with ransomware already

The Psychology of Attack and Defense

  • children are trained to fit into social norms also if it means lying or masking their true opinions
  • 50 cognitive biases
  • If the facts don’t fit the frame, it’s the facts people reject, not the frame. — Susan Bales, President of FrameWorks

  • Lures that get you manipulated by SE:
    • greed
    • curiosity
    • self interest
    • urgency
    • fear
    • helpfulness
  • Dark patterns are an upcoming issue in UI Design
  • astroturfing:
    grass roots campaigns started under false pretexts
  • Cheap-fakes are more damaging in RL than deepfakes
    • e.g slow downed vids to make a politician look drunk
    • a statement took out of context
  • even if we know something, it doesn’t mean that we intent to act on it. Even if we intent to do something, it doesn’t mean that we act on it.
    • Security awareness is not the same as secure behaviour
    • What somebody knows never stopped a breach
  • We are lazy, social and creatures of habit — BJ Fogg

  • his "Fogg Behaviour Model" is used in social media to increase interactions

From the Dumpsters to the Front Page

  • security people should be ambassadors for the whole organization
  • Data may be spread over eg
    • home office
    • corporate office
    • business partner office
    • is reliable data disposal available everywhere?
  • big companies like Micro$oft, Oracle and Kraft have admited to have once gained knowledge through dumpster diving
  • the optimistic bias is an issue in cybersecurity
    • ever tried to text while driving?
  • if you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology. — Bruce Schneier

  • Maginot line of France vs Germany in WWII
    • well planed an executed but useless, as it didn’t include the border to Belgium
    • cyber security must be seen holistically
  • security might not be your job, but if the company get’s crushed by a cyber attack, it might also be your job that is lost
    • everyone is a part of security
  • How to fix it:
    • know your digital footprint
      • involve your users to figure this out
    • think outside the box
    • build an army and train them
    • create awareness
  • testing only to pass or "checking the box" is a surefire to fail
    • try harder to fail, so you can find all the faults
  • 95% of security breaches are human error based. If your test is 100% technology driven, … :shit:
  • security is like car insurance: if you don’t need it’s a waste of money. If you need it, you are happy to have it

Psybersecurity: The Signs and Symptoms of a Mental Health Attack Surface

  • security professions like medical professions work in
    • high stress environments
    • have to make decisions with incomplete and unknown information
  • look for horses (common), zebras (rare) and more

No1Slav: Dark Web Identity Resolution

  • Stronghold Paste is/was a pastebin on the TOR network
  • Dread is a darkweb forum where people talk also about marketplaces


additional links


darknet, data disposal, HUMINT, OSINT, penetration test, social engineering

You may also like

Unlock Effective Cybersecurity: Simplify Policies with the Clarity of the OSI Model

Unlock Effective Cybersecurity: Simplify Policies with the Clarity of the OSI Model

Leveraging Psychology in Cybersecurity: Strategies for SMEs

Leveraging Psychology in Cybersecurity: Strategies for SMEs
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}