SEVillage: 10 Years in Review

Ten years ago, when Chris Hadnagy, Founder & CEO of Social-Engineer, LLC, was first approached by DEF CON founder Jeff Moss and asked to start a social engineering event, he knew he wanted to do something exciting. Until more recently, social engineering was typically only regarded in terms of scoring a free pizza or someone’s phone number, and was not widely demonstrated in a meaningful, beneficial way towards the corporate world. Chris led the Social-Engineer team to challenge this status quo and help people become more secure through education at DEF CON 18, held in the Riviera Hotel and Casino on July 30, 2010. The floors were sticky, and the room was closet-size small, but it was there that the inaugural Social Engineering Capture the Flag (SECTF) competition was held. If someone would’ve told us a decade ago that this small handful of social engineers running a competition would one day grow into an 11,000 square foot social engineering village, we probably would have laughed.

Over the past ten years, more than 100 SECTF contestants have targeted dozens and dozens of Fortune 500 companies, proving time and again that social engineering was—and still is—a real, viable threat to organizations. From that first competition, the larger Social Engineering Village (SEVillage) was born. Additional competitions were created for the kids and teens in our community, which have become a valuable teaching tool for helping our youth decide on future careers and overcome massive obstacles in their life. Breakthrough speakers have poured their hearts out all over our stage, both educating and enlightening the crowd. It’s been quite the decade for SEVillage, and on this momentous anniversary year, we want to thank you from the bottom of our hearts for these past ten years. We couldn’t have accomplished this without your support, and we can’t wait for you to be part of our next ten. In honor of the past 10 years, we wanted to look back and review all that has been accomplished.

A Decade of the SECTF

Each year, Social-Engineer.org (SEORG) calls out for a fresh batch of SECTF contestants. Contestants are asked to make a 90-second video that shows why they should be chosen to compete. This helps the SEORG team determine the contestant’s reasons for entering the competition. As this is an educational event, the ultimate goal is to help the status of corporate security and not just “win” a competition.  After the contestants are chosen, they are sent their target company to start the Open Source Intelligence (OSINT) gathering portion of the competition. Given about 3 ½ weeks to complete their OSINT research, the contestants have the chance to collect as much information as possible on their targets and then write a report that is submitted and graded by the SEORG team. This portion is crucial, as it not only counts for half of a contestant’s score, but it is also what will give them the edge in the booth for their live calls. Armed with OSINT and numbers to call, contestants one-by-one enter the soundproof booth and have 20 minutes to complete their calls on the day and time that they are assigned.

Each year, the SECTF has its own unique highlights and features, which provide insight into social engineering tactics that work against the corporate world.

  • 2010, DEF CON 18: The use of deliberate false statements made the employees of several target companies feel compelled to correct the wrong information presented to them. By using this tactic, not a single question was asked, and the employees never realized anything was being asked of them.
  • 2011, DEF CON 19: One of the most difficult pretexts, the “fellow employee,” was successfully employed several times to gain a great amount of detail each attempt. Because co-workers are often seen as part of the trusted inner circle, employees did not feel uncomfortable handing over sensitive information.
  • 2012, DEF CON 20: This year, the SECTF garnered so much attention that the competition was put on hold because NSA Director General Keith Alexander requested to meet with Chris to congratulate him on the work that was being done to teach youth and others how to use social engineering for good. Later on, Alexander observed a portion of the SECTF while our youngest-ever contestant was in the booth.
  • 2013, DEF CON 21: The winner of the SECTF this year was not a professional social engineer, yet surpassed the runner-up by more than 200 points! She did an extensive amount of research on her target company which she used to develop effective pretexts and was extremely prepared for her live-call portion of the competition.
  • 2014, DEF CON 22: Unlike previous years, we saw a complete reversal in the scores between the points for the OSINT-reporting portion and the live-call portion. It was also the first year that we asked for videos to be submitted to aid in selecting contestants.
  • 2015, DEF CON 23: This year, the contestants flipped a coin to determine whether they could use caller ID spoofing. However, there seemed to be little correlation between the success of the call and the use of caller ID spoofing. Even though social engineers rely heavily on caller ID spoofing, this evidence seems to show that it gives more confidence and comfort to the caller opposed to giving those feelings to the target and resulting in increased compliance.
  • 2016, DEF CON 24: Social media played a large part in this year’s competition, and it persists as a potential vulnerability to corporations and their employees. Within the OSINT reports, contestants relayed finding a plethora of posts that often revealed sensitive information e.g., hardware, badges, and details about physical space.
  • 2017, DEF CON 25: This year highlighted one of the biggest challenge enterprises are facing: the inability to completely control the social media postings of current and past employees. The competitors gathered valuable information through these sources, thus confirming these avenues can absolutely be used by malicious attackers in phishing, vishing, and onsite impersonation attempts.
  • 2018, DEF CON 26: One of our competitors employed a rapport-building strategy of relating personally to every target’s name. For example, a target would answer, “Hello, this is Joe,” and the competitor would return, “Joe? No way! That’s my dad’s name.” Having instant rapport set that competitor up for success on each call.

“If you manage to get in the booth, you’ve already won.”

Every year, we never cease to be amazed from the talent that walks in and out of the booth. The line between who is the novice and who is the pro is now so thin, we often can’t presume to differentiate. One of our favorite competitors is Chris Kirsch, who won the SECTF competition in 2017 at DEF CON 25. Prior to competing, Chris was fairly interested in social engineering. But after attending the SECTF competition at DEF CON 23, he was totally hooked. One year later, he applied and was accepted to compete, however, his first attempt was difficult. He recalls, “My target was a firewall company, my call time was on a Saturday afternoon, and the only staffed number during that time was customer technical support. Knowing that these departments have very strict processes (and often long queues), I didn’t want to phone that line and opted to call personal cell phones of employees, spoofing the HQ’s number. Nobody picked up their phone, and I learned later that employees at this company are getting worked so hard they never pick up their cell phones on weekends.” Despite having a really good report score, Chris scored zero points on his live-call portion. However, he didn’t let that complication stop him. The next year, he was chosen to compete again. This time, Chris managed to get every single flag during one phone call that was so impressive, it brought the entire SEVillage to their feet in applause. He even reenacted the call with Chris Hadnagy to highlight how just one phone call can completely compromise a company. Chris finds many ways to use his experience competing in both his off-stage life and career in marketing. He says, “My primary life lesson out of these experiences for social engineering and marketing: Know your audience before you open your mouth.”

Rachel Tobac became known for her scarily entertaining videos and her ability to step into the booth and smoothly collect flag after flag. She quickly became one of our most famous contestants, known for her competitive spirit and her encouraging attitude, always in the front row rooting on her fellow competitors. She has gracefully placed 2nd place for 3 years counting. Like Chris, her first visit to the SEVillage is what hooked her on social engineering. She says, “My husband convinced me to come to DEF CON even though I was convinced it would all be ‘over my head’. He plopped me down in the SECTF room and I got to see two calls (both went to voicemail). I was absolutely hooked and felt like I had found my calling—SECTF combined all my favorite hobbies and fields of study. From then on, I knew I needed to compete the next year even though I was a noob.” Even though Rachel was a “noob,” her ambition paid off. “The first time I ever did a vishing (phone) call was in front of 500 people in a glass booth at DEF CON so that was definitely a highlight. Watching the crowd’s face through the glass booth as I got flags my first year is something I’ll never forget.” From that very first call to present day, Rachel says that the SECTF has changed her life drastically. “The SECTF has radically affected the trajectory of my life—since getting 2nd place for the past three years in a row I’ve started my own social engineering company and get to do this all the time now! Without the SECTF I would have never known that this niche of InfoSec existed, had the opportunity to learn and deeply practice, and I’m so thankful for Hadnagy and the SEVillage crew for supporting me as a social engineer!”

A Little Advice

One of the things we most often get asked for is advice on competing in the SECTF. As veterans of the booth, we asked Chris and Rachel what advice they would give to anyone thinking about applying for the competition. They did not disappoint. Here are their words of wisdom:

  • While there are many people who apply for this competition, there are very few slots. Make certain you meet all deadlines and follow all rules religiously, otherwise you will be screened out. The video you submit will be used by the judges for evaluating candidates. Make a video that is entertaining for the audience to watch while you are getting set up in the booth. Ensure you come across as a person who both has the right personality to succeed in the competition and is entertaining in the booth.
  • Don’t wait until you receive your target company’s name before you begin researching and learning about social engineering and gathering OSINT. Chris says, “I listened to all Social-Engineer.Org podcasts going back three years and read Michael Bazzell’s book ‘Open Source Intelligence’ as my main prep for the competition.” Rachel notes, “I highly recommend reading all of Chris Hadnagy’s books, and reading SEORG’s Social Engineering Framework from the start to finish.”
  • What gets you into a company in a real-life SE engagement may differ from what helps you win the competition. Be aware of rules and time limits. For example, in a professional engagement, you may be able to build rapport over several calls and days but in the booth, you cannot.
  • Practice vishing by calling your personal service providers without enough information to authenticate accounts.
  • Pick phone numbers that are staffed during the time of your call but don’t choose a personal number. Strongly prefer numbers that don’t follow a strict process. Individual numbers are bad because people may not be at their desks, and process-driven numbers (tech support, customer service) are harder to get away from their script onto your script. Phone your target numbers with your phone on mute (per SECTF rules) on the same weekday and at the same time of your call to see if that number is staffed.
  • Have fun in the booth! The DEF CON and SEVillage audience is incredibly supportive and kind. If you manage to get into the booth, you’ve already won.

 

Empowering a New Generation of Social Engineers

For DEF CON 19, the SEVillage added another competition aimed at educating the next generation of social engineers. The SECTF4Kids was created to teach kids how to safely and effectively use social engineering and how to enhance their critical-thinking skills. Over the years, we’ve hosted kids aged 5-12 who enter with eager minds and take on every assigned task. We have had the privilege of watching a few of these kids grow up before our eyes. Ashley is one of them. Ashley started competing in the very first SECTF4Kids when she was 13 years old. She previously told us that the SECTF4Kids is what helped jumpstart her love for robotics, “…the SECTF4Kids sparked my love for solving puzzles and for competition. And because of those reasons, I joined my school’s robotics team.” Her team eventually partook in competitions worldwide! Ashley says her desire to keep persevering despite when things were going wrong is something she learned competing in the SECTF4Kids, “Without all of the critical thinking skills I learned from SECTF4Kids, I definitely wouldn’t have been able to—or would have had a more difficult time—solving the problems robotics presents.”

DEF CON 25 was the launch for our SECTF4Teens competition. As we watched the kid competitors grow each year, we realized there was still so much for them to learn. Built specifically for the 13-17-year-old crowd, we took our kids competition to the next level: more challenging tasks, harder puzzles, and more critical thinking required than we have ever asked of them before. The youth who have entered this competition have not only showed us their talents but have also touched our hearts. One teen in particular who competed in the SECTF4Teens at DEF CON 26 impacted us greatly. He arrived among a school group who brought a few students to compete at DEF CON. Just a few weeks prior to the contest, he unexpectedly and suddenly lost one of his parents. Naturally, he was devastated and wasn’t sure that he wanted to compete anymore. With encouragement from his family and school instructor, he decided to attend anyway. His instructor later told us that, beginning the morning of the competition, the teen was afraid he made the wrong decision. The teen was quiet and somber, and acted like he didn’t want to be there. But by the end of the event, he was smiling, laughing, and to this day still speaks with excitement about his experience. His parent later told his instructor that the SECTF4Teens transformed him and that he started to turn around for the better after his time in the SEVillage. We are proud to play a part in any of the lives of the kids and teens who we meet at the SEVillage. Their willingness to learn, their drive to compete, and the strength they must hold to conquer anything placed in front of them is tremendously motivating to us. We are proud of each and every one of them.

The Next Ten Years

As we enter our tenth year of running the SEVillage, we’ve been able to reflect on how one little competition has grown into something much bigger than we ever could’ve imagined. Throughout our tenure of fostering the structure, professionalism, and awareness of social engineering as a whole, we have strived to continuously evolve this exciting and compelling field. To maintain this momentum and advancement, we are proud to announce the next evolution in social engineering: SEVillage Orlando 2020.

SEVillage Orlando 2020 is a comprehensively elevated and next-level venture. For three days, attendees are immersed in an unprecedented training experience, including:

  • Choosing up to 5 multi-hour workshops taught by world-renowned leaders in human behavior, physiology, OSINT, and psychology;
  • A variety of speaking sessions from expert-level presenters, varying from fast-paced concentrated content to panels and keynotes;
  • SEVillage’s signature competition, the SECTF;
  • Exciting breakouts and challenges;
  • 3 Evening Events plus many opportunities for networking; and
  • All-inclusive lunches, beverages, and breaks

We hope you’ll join us on Thursday, February 20 through Saturday, February 22, 2020 in Orlando, FL for this never-before-seen training conference bringing together sought-after speakers to deliver exceptional content. With an absolute maximum capacity of 1,000 attendees, we urge you to visit SEVillage.org and register soon.

Thank you for your continued enthusiasm and support.

We look forward to seeing you soon and to shaping the next ten years with you!

Written By: Amanda Marchuck and Allie Hansen 

Sources:
https://www.social-engineer.org/ 
https://www.social-engineer.org/sevillage-def-con/the-sectf/ 
https://www.social-engineer.org/sevillage-def-con/ 
https://www.social-engineer.org/general-blog/sectf-8-years-review-2010-2017/ 
https://www.twitter.com/chris_kirsch 
https://www.veracode.com/blog/security-news/how-single-phone-call-can-compromise-your-company 
https://www.social-engineer.org/?s=michael+Bazzell 
https://www.social-engineer.org/category/podcast/ 
https://www.social-engineer.org/general-blog/sectf4kids/
https://www.social-engineer.org/framework/general-discussion/
https://twitter.com/racheltobac