1.5 Social Engineering Manipulating Human Behaviour presented at DeepIntel 2017

by Dominique C. Brack,

Summary: Social Engineering is an accepted APT and is going to stay. Most of the high-value
hacking attacks feature components of social engineering. Understanding of the
methods and approaches used behind the scenes of Social Engineering will help
you to make the world a safer place. Or make your attack plans more successful!
Social Engineering is a topic that does not really fit into technical hacking and
is also underestimated by security professionals. My presentation is based on
a book I recently wrote about Social Engineering. As a bonus to my talk I will
present the participants with ebook versions (PDF, epub, mobi) of my book for
further study.

1. Social Engineering is an APT to be taken seriously. Most attacks feature Social
Engineering.
2. Social Engineering attack execution and prevention need training and skills.
Don’t be fooled, there are no tools you can solely rely on to prevent Social
Engineering attacks.
3. Social Engineering has progressed and professionalized more than you think.
It is deadly effective.
4. With the help of Social Engineering you can deliver exploits effectively and
efficiently.

As a successful participant of the Social Engineering Capture the Flag (SECTF)
competition at the Defcon 22 conference in Las Vegas I do know very well why
Social Engineering still works brilliantly and what risk it presents to the corporate
world. Social Engineering is another very important puzzle piece in everyone's
security posture. As the developer of the open source based freely available
Social Engineering Engagement Framework (SEEF) I want to share how Social
Engineering works today and why this understanding ultimately helps you to
better protect yourself and your company.

The content I am going to share is brand-new and has been developed over the
past years based on experience as an international consultant (Big 4, KPMG, Deloitte,
Australia, China, Switzerland, Singapore, Malaysia etc.) by myself and my
colleague and has not been presented anywhere else.

At DeepIntel I will share our work results for the first time publicly and exclusively.
Just recently we decided to open source our knowledge by sharing the
content of our Social Engineering Engagement Framework (SEEF), which looks
at Social Engineering from a brand new point of view: Most Social Engineering
frameworks are based on technical tools but rarely focus on the business and risk
side of Social Engineering. But, on a corporate level, there is no methodology
making Social Engineering engagements plannable and secure and the achieved
results comparable as well as repeatable. Most Social Engineering definitions are
technically focused. We take a different point of view by defining Social Engineering
simply as “The elicitation of information from systems, networks or
human beings through methods and tools”. For the presentation I will select elements
from the framework in order to show the audience how to successfully
plan, document and execute a professional Social Engineering (attack).