DeepSec 2023 Training: Security Intelligence: Practical Social Engineering & Open-source Intelligence for Security Teams – Christina Lekati
Social engineering attacks remain at the top of the threat landscape and data breach reports. Reports tend to oversimplify breaches as just phishing attacks, but current research shows it’s more complex. Social engineering attacks have been evolving. Successful phishing emails are usually a result of a larger attack based on research and intelligence that identifies organizational vulnerabilities. But it doesn’t stop there. Weaponized psychology is still a powerful component of social engineering attacks.
Security professionals and testers need to know how social engineering works and how to stop attacks.
This class aims to provide participants with the necessary knowledge on open-source intelligence and social engineering, to help security teams build better protective measures (proactive & reactive) and to inform their security strategy. It also aims to help penetration testers improve their recommendations and provide better and more realistic insights to their clients.
Attendees will leave this class having acquired the psychological knowledge along with the technical capability to tackle this challenge, whether they want to simulate social engineering attacks or prevent them.
We asked Christina a few questions about her workshop.
Please tell us the top 5 facts about your training.
- You will get to wear 2 hats: you will have to become both the criminal mastermind and the defense strategist
- The vast majority of the material is based on real-life cases – and we will work on them
- You will learn some serious (and really practical) OSINT skills
- We will cover some neat psychological principles that are applied in social engineering - prepare to mold your mindset
- I will share some anecdotal stories from the trenches of social engineering work 😊
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
While working with different security teams, I realized that the security industry needs a better understanding of social engineering attacks. As an industry, we like to simplify or generalize social engineering threats as “a phishing attack” or a “result of a vishing call” but once you peek under the hood, the reality is more complex. For one thing, attackers often have a more elaborate imagination. But that part rarely gets reported. How did the social engineer know who, or which department to target? How did they come up with their plan? What were the invisible steps that were taken, before sending out a phishing campaign? Were there more steps to that attack than the phishing emails that were found? This is where I started thinking that we need a more practical approach against social engineering in Europe.
Eventually, I was asked to develop this class by a certain company that had hired us multiple times in the past for awareness trainings for their security team. Now they wanted to learn the very practical skills behind the theory. I jumped at the idea, and this class came to life.
And it went quite well! As the feedback came back, the class proved to be both informative and really fun! Soon after, other companies asked for the same training, even though at the time we had not even announced this offering on our website at Cyber Risk GmbH.
This year, we are allowing a broader audience to join this class by participating in DeepSec. The goal is to get a more realistic view of how social engineering attacks work, to provide the participants with the skillset necessary to simulate these attacks, but also to show them how to strategize and defend against them.
Why do you think this is an important topic?
Social engineering remains one of the most prevalent cybersecurity risks. It has remained one of the primary attack vectors for years now. Not only do these attacks prevail, but they also facilitate the technical attack vectors that also land in the top 5 cybersecurity threats, according to most industry security reports, including the yearly “Threat Landscape Report” from ENISA. Chances are that you, your team, or your organization will soon have to deal with this threat, if you haven’t already. Better be prepared, and ideally, be proactive!
Is there something you want everybody to know – some good advice for our readers, maybe?
Investing in your skill set will always pay back with dividends. Especially in InfoSec. This is an industry in which the more knowledge you have, the better you can appropriately see the big picture, but also handle its individual pieces more appropriately.
When it comes to social engineering, it is often viewed as an attack vector that you cannot defend against, either because the attacks are “too sophisticated” or because the humans in the organization are “the weakest link”. Humans are not the weakest link. Just like some have the capability to create elaborate attack plans, others also have the capability to develop a keen eye for scams, as long as someone properly shows them what to look for and how, and gives them an understanding as to why it matters. Just like you have the capability to create strategies that decrease your risk level - and I wish to show you how.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your workshop in particular?
The time comes when seeing will not be believing. At least in the online world. With the rise of artificial intelligence, like voice cloning and ChatGPT, things are about to get really interesting for the security industry! I expect to see more synthetic attacks, and more personal approaches. As security measures and technologies develop, attackers will become more creative in compromising humans to gain access to technology and other organizational assets. We cannot afford to stay behind the curve.
Christina Lekati is a psychologist and a social engineer. With her background and degree in psychology, she learned the mechanisms of behavior, motivation, and decision-making, as well as manipulation and deceit. She became particularly interested in human dynamics, passionate about social engineering and, by extension, open-source intelligence.
She is currently working with Cyber Risk GmbH as a senior social engineering trainer and consultant. She is also conducting targeted Open Source Intelligence (OSINT) vulnerability assessments to help organizations or high-value individuals identify and manage risks related to human or physical vulnerabilities.
Christina is the main developer of the social engineering training programs provided by Cyber Risk GmbH. These programs intertwine the lessons learned from real-life cases and previous experiences in the fields of cybersecurity, open-source intelligence, psychology, and counterintelligence.
She was an active Executive Board Member at the OSINT Curious project, contributing to the international scene of Open-Source Intelligence (OSINT) with the latest news, updates, and techniques for collection and analysis.