The Layer 8(th) Day of Christmas: Rapid7 Pen Testers Reveal Social Engineering Insights at Recent Conference


Santa, there’s a problem! Social engineering attacks are on the rise, with naughty children trying to trick you into believing they are actually good children and getting the best toys. We can’t let this happen, so we are putting some of our best people on it to help.

In fact, four Rapid7 pen testers recently gathered at the brand-new Layer 8 conference in Rhode Island to present on social engineering and open source intelligence (OSINT) gathering. In this post, we will detail their findings and tell you what you need to know about the current state of social engineering.

First, a little background. Have you heard of the Open Systems Interconnection (OSI) model? It’s a description of how computers talk to each other, all the way from physical wires in the wall to the computer to the operating system and applications we use. There are seven layers in this OSI model to describe this process, and each layer has been under attack by grinches and hackers for years.

Fortunately, defenders have gotten better at protecting these layers with defenses such as firewalls, network segmentation, and multi-factor authentication. These defenses have forced naughty children to move along each time new defenses are introduced, and now more than ever, these naughties are even moving beyond the seven layers to what can be called an unofficial eighth layer: the human. Yes, that even includes you, Santa! Attackers are constantly targeting people and elves using all available social engineering methods, including phishing, vishing, smishing, and any other types of “ishing” you can think of.

Whitney Maxwell: “The Size and Impact of Digital Footprints”

Whitney Maxwell talked about “The Size and Impact of Digital Footprints,” covering information disclosure and how it affects all users online. Data collection is invisible, privacy notices are difficult to understand, and sensitive data regarding health, finances, or children is collected for behavioral advertising. The majority of users show concern for information privacy, but few have adopted protective behaviors.

Whitney’s research concluded that personal information is readily available online and easily acquired, regardless of age or demographic. Protecting personal information should begin with identifiers such as email addresses and phone numbers, since these were shown to reveal information across all levels of sensitivity. Whitney’s research project allows users to understand exactly what types of information are exposed and how they can be discovered. Few other studies have attempted to profile individuals extensively from a small number of identifiers and analyze the resulting information exposure. Furthermore, her project has adopted and modified the FICO metric to create a new PIVA metric that encapsulates the vulnerability and extent of exposed information, in order to educate users and provide insight into the areas of greatest risk.

Emilie St-Pierre and Robby Stewart: “Proven Methodology for Open Source Intelligence Gathering and Social Engineering”

Emilie St-Pierre and Robby Stewart gave us a glimpse into their thought process and how they use OSINT to conduct social engineering attacks with their “Proven Methodology for Open Source Intelligence Gathering and Social Engineering.” In one example, they shared how a reconnaissance tool led them to discover that their target, a global company, used regional domains (think a .us or a .cn) for every country except Germany. By registering the .de address, they were able to impersonate a real employee in Germany and set up an inbox for that user. Using an email template from the security vendor the target had in place, they then created a pretext with a “secure message” coming through from that employee, which ultimately led them to internal access. By looking through a target’s external presence and selecting the right pretext, the path to compromise is fairly easy.

Jonathan Stines: “How to Make Vishing Suck Less”

Jonathan Stines provided quick-fire tips with “How to Make Vishing Suck Less.” In this presentation, he shared his top techniques for increasing the success rate of a telephone pretexting exercise. He described why we are not as effective as we would like to be and how the social dynamics of talking on the telephone have changed over the years. Jonathan also provided real-world methods to increase the buying temperature of recipients, including how to build your own automated caller ID spoofer.

More conference fun

The Layer 8 conference was not the only place where Rapid7 pen testers excelled, as Whitney was crowned the champion of the Social Engineering Capture the Flag competition at DEF CON in Las Vegas. Competitors in this annual competition are put in a soundproof box for 20 minutes in front of an audience of hundreds, while they make vishing calls to a pre-arranged target company and try to get as much information out of employees as possible. Valuable information may include how long the employee has been at the company, what operating system they use on their laptop, what company they use for custodial services, and whether they will load a URL on their computer as directed by the contestant. Whitney captured the most flags and the most points during this competition, earning herself the coveted DEF CON “Black Badge,” which confers lifetime free admission to the conference!

The Rapid7 penetration testing team focuses on social engineering on a daily basis, staying up-to-date on the latest attack types and methodologies and using this information to help our clients, the community, and yes, even you, Santa!
