Narrator:
Welcome to 9 0 9 Exec, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer at Cyber Aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions and analysis you won't get anywhere else. Join us for 9 0 9 exec, episode 41 with Neha Kadavakolanu.
Den:
Hey everybody. Welcome to another episode of 9 0 9 Exec, your trusted source for the executives and tech journey, and every week we have fun guests, and this time we have a returning guest. Neeha, I think you are the first returning guest, so I'm delighted to have you back. Now, just so I don't fuck up your last name, I'm going to introduce, I'm going to ask you to introduce yourself because as we were prepping for this, I can probably nail it, but I don't think I'll get close. So why don't you introduce yourself, tell everybody who you are, where you're working these days, and a little bit about the journey of getting to where you are now.
Neeha:
Yeah, so hi, and my last name is Kadavakolanu, so yeah, done. You got it before, but I totally feel you. So yeah, I'm a security engineer at Cisco currently. I've been here for a few years now. I was originally an intern and then a full-time employee for a couple of years. And then basically I started in college with a background in cognitive science. That was my major. And then I minored in computer science. I've always been curious about human behavior and then how it applies to solving problems, which is the tech aspect. So I've kind of done a lot of different things. My work is also around behavior analytics and then data as well. So I've kind of been really exploring and growing a lot in security. And so this year I decided to try something out and kind of go in that realm of exploring human behavior and security, that intersection, in a different way than my job is. And that's through social engineering. And so it's been a cool experience to learn more about that new space of security for me.
Den:
That's excellent. And I think, yeah, I'm delighted in so many ways. I think if anyone's been following my nonsense in the last few months, I've been talking a lot about interns and this concept of interns, blended apprenticeships as part of launching our 9 0 9 ic, and you're one of the people for me that kind of helped inspire that kind of journey because I look at it, if we're struggling with the skill gap in cyber, then we should be looking at people like you. And I kind of regard you as one of the success stories. And I think of it, I think we spoke at RSA, then we caught up at Black Hat, which is probably our annual time for us to catch up.
I'm just delighted. And this year, yeah, this year you shared with me, you're like, I'm going to be doing some competitions at DEFCON this year. And I'm like, holy shit, that's brilliant. Let me know more. And when you were on the show last time, so I think it was our Banyan podcast, which was get it started, get it done a few years ago, that was your first ever visit to Defcon. So we had you on the show with our friend Ken Porte, who's a veteran of going to Defcon, and we wanted to know about what's it like for this newbie turning up and stuff. That was a great episode. And I think now, I don't know if you'd call yourself a newbie now, right? Because you're hitting the competition stage, so why don't you share a couple of things. Right. And it's funny because the cognitive background for me just absolutely plays into this game. So why don't you share a little bit about, well, what was the competition and then what inspired you to want to compete?
Neeha:
Yeah, so I did the social engineering vishing competition. And it's funny actually, when I went on your podcast a few years ago and I was talking about my first time at Defcon experience, that was one of the standout events for me, being in the audience and watching this competition. And I was like, that's so crazy. Basically you have people, competitors are in a soundproof booth in front of a live audience and they have to live vish their target company and there's certain questions that they have to ask them and get a response, and the companies are not in on it. So it's a true form to educate the audiences at DEFCON about social engineering tactics and how it's important to create security awareness training at companies because it's so easy to get this kind of information. Even with the advancements of technology, humans are still an important component for running a business.
So they also, you need to teach them to protect the business as well. So I was really in awe with that and I thought the next time I go to Defcon, I kind of want to do something more active and I decided to step out of my comfort zone, the big crowds, and doing something like this, it was a little intimidating at first, but then I thought, I want to grow and I want to challenge myself to do something different. And also it's something that I found so exciting that I was like try, I went to BSides, I think it was two years ago, and to BSides San Francisco where one of the speakers was Artie Boy who won the competition before and he was speaking about social engineering techniques and stuff, and I spoke to him after and he said, I had no experience in social engineering competition, so you should just apply and do it. So I kind of sat with it. That was a little too late to apply at that time, I was cutting it close. So this year I thought about it and I was like, I mean I thought about it for a whole year. So I, it's time, I knew when the application time was, so
Did my application, it's like a written portion and then a two minute video. So I submitted that and the videos, it's basically about why they should pick you to compete. So yeah, I did my video based off of Elle Woods, if you know the movie where basically she in Legally Blonde, she submits a video for Harvard and it's kind of convict. So I knew that they kind of like creativity applications. So I said, this is how I use social engineering techniques in my daily life. And I kind of went through that for my two minute video and I guess they liked it enough that they accepted me and then I competed. So yeah, it was a cool thing that I got to do and I'm glad that I stepped out of my comfort zone.
Den:
So I want to dial back a little bit just in case I'm going to assume some of the audience might not know what the social engineering village is, and so we'll explain that a little bit just in case not sure. So at Defcon there's a lot of villages and one of them is a social engineering village and they contract with companies where we are allowed to basically hack via social engineering those companies. So we're not breaking the law, the village isn't breaking the law, but they have a contract with certain companies to be able to go in and try and do the hack. And in the competition, you guys get 15 minutes? I think.
Neeha:
So it's 22 minutes this year,
Den:
22 minutes. Oh wow. You get
Neeha:
Longer. And also they have very strict ethical guidelines that every competitor has to abide by. And there's actually a whole step process and I can get into that, but that's the other thing, even with all these strict guidelines. So we're not allowed to ask personally identifying information. We don't ask for credentials. So that's not part of this. It's only about the education. We don't want to harm these individuals and expose those. So it's very contained in that way. All of the ethical guidelines we have to abide by. It's crazy how much you can still get that seems seemingly innocuous. You think there's some information you might not think about too much. For example, one of the things, the shredding company that they use and how often does that get picked up? And you think about it, it's like, oh, well important documents need to get shredded. So if you find out that information and when they pick it up, that can be used to escalate attacks. This is just building information. So yeah, there's a whole process before the day of too I can get into.
Den:
And so they give you a set of questions that are basically given points, right? Yes. And there's a couple of things. Yeah, I'd love you to share a few things. One is they go through phases of the things. There's the pretext, then there's the thing, and then there's the explanation out. And ultimately I think of it like the goal is you get your questions answered. Usually there's the get them to go to a webpage where you give them a URL, and if you get there, that's the crown jewels almost, right, where you then put malware on their device if you were the bad actor. So why don't you explain what prep did you do and what was the guidelines and all that, and then what was the pretext and what the differences between those two things?
Neeha:
Yes. So basically for the competition, once you find out you're accepted, after some time they assign every competitor with a target company and the teams are either made of one person or two people max. So I was a solo team and my team name was Vishful Thinker, just to play on names. And because it was my first time I figured it was apt. But anyways, basically they assign you your target company, and then you have about one month to share an OSINT report, which is basically an open source intelligence report. So they give you about 25 objectives that are essentially your flags of information that you have to get about the company. And it's essentially like it's a full detailed document about, you have pictures, you find this flag online. And open source is basically we can only use publicly available resources to collect this information. So that's the first step that accumulates to your overall score. So once
Den:
And then sorry, as part of that as well, you're not allowed to visit the actual victim, right?
Neeha:
Yeah. So I think you can visit, but you're not allowed to interact. So I think you can see, but then basically once you're visiting, you're interacting. So there is that guideline and trust that hey, you're going to not interact with the, and that's the same thing with social media stuff too. They mentioned you can use social media as one of your sources, but you cannot probe and ask direct employees for questions that you want answered. So it's just what's available. So it really shows, okay, what are people posting? I got a lot of information off Reddit employees will post on Reddit about things that they're sharing. And then I think social media's a great one. Some companies, if they have a big social presence, sometimes employees will post their badge, and I've mentioned that to teams. If they have a team outing and they share that on LinkedIn, make sure your badges aren't present because that's information,
Things like that where we don't really think about, but it's important. And so then after the report, that OSINT report, we have a second report due, I think it's less than two weeks after that OSINT report is due. We have a vishing plan that we have to submit that is essentially all your pretext. What a pretext is is basically your scenario for how you're going to get this information and getting someone to divulge information. So that is, it's basically kind of like a script and your identities that you're going to mark. So for example, a common one in the competition is IT help, or what I did was I was pretending to be corporate security audit. So I had a company where they had retail locations and then they had headquarters and I pretended I was calling from. And when I was calling the retail stores and I would say, and I had a whole script ready, I was like, okay, I'm from the corporate audit and we also have to collect information. So I knew who the head of corporate security audit was, and so in case I needed to name drop, I have something
And all that information you collect and you also have to give them, you get extra points. This competition is kind of fun where they get extra points for how you dress up. So if you dress up as your pretext, so for security audit, I had headphones in the booth around my neck and then I had a tech T-shirt on, I had a Rubik. And so that's kind of how I played up that. And then I had a second pretext as well that I used. And I was pretending to be a liquidator. My company was actually going bankrupt, which is actually not supposed to be by design, but had to roll with it. And so it was a fun challenge.
Den:
Did you know they were going bankrupt before or was that during, so because you get assigned the company, which at the point of assignment they're fine, good standing. So between there and you submitting this stuff, then now they're going into bankruptcy. So then you're like, okay, shit, I got to roll with this one.
Neeha:
Yes. That's brilliant. Yeah, so they have never had that happen before. So it was an interesting experience because stores were closing down as I was leading up to the competition date. So that was a very interesting to collect information. So I decided to take that to my advantage and decided I found out the company's liquidation company that they're using. Again, Reddit was a great source for that for me. And then I googled some information as well and marketing details, I can get that information. Oh yeah, you guys are, I just confirmed that they were liquidation companies. So then I pretended to from there and then I had a clipboard, and then I had a formal top underneath my tech T-shirt and I had these glasses on and I actually posted on my booth the store closing, liquidation signs that they had.
So I did that, got a lot of laughs from people and then you kind of just sit in there, but with the vishing plan. So I had all those pretexts set and then you have to also submit your phone numbers. So all the phone numbers you have to collect. So the only thing that the competition gives you is your assigned target. Every other information you collect is on you. So yeah, we had to get at least a minimum of 20 phone numbers to a max of a hundred. And we submit them, we find the source, and it has to be only their work numbers. We cannot, if we find a personal phone number, it's not allowed. And the judges mark which ones are approved phone numbers, they'll be inputted into the system day of for you to use.
Den:
Yeah, because that's where they mask the number then that's what the receiver sees as the number. So they're spoofing those numbers, right? So
Neeha:
You have the list of numbers that, so you have to provide a list of numbers of all the employees that you're trying to call day of for the actual vishing part. Then you have a separate list of spoofed phone numbers. So I was keeping track of area codes for, if I'm going to be calling from corporate, I need to make sure I have the corporate area code number or making sure I have this correct. And when you're in the booth, so day of you,
Den:
Lemme pause this here just for a quick message everybody and then we'll be back in a second. Thanks. Hey folks, just want to take a minute to say thanks for listening to the show, watching the show, however you engage with us. If you're liking the conversations, if you think we're adding some value, we'd love you to subscribe and share the show with your friends. If you know of anyone else that would benefit ideally for us that will help us be able to grow the show, invest more in the quality, get some more exciting guests and keep bringing you some executive goodness. Thanks everybody. Take it easy and enjoy the rest of the discussion. So now you're in the booth day of what happens?
Neeha:
Yeah, so you have 22 minutes in a soundproof booth in front of the audience and actually right before you start, so the live vishing call, there's a lot of overlap in the objectives that you have for the open source intelligence report, but there's actually a few extra ones and it's a little different. So there's about 28 for the live call and, in addition, there's one crowd-picked objective. So when you're in the booth, the crowd gets to vote on a few random questions. And I believe that my question that I got was what cartoon character do you think you most embody? Imagine with all these security questions randomly having a cartoon question is super random. So I had to figure out how am I going to weave this into,
Den:
That's a question that you have to ask the person that you're talking to, right?
Neeha:
Yes.
Den:
Now I want to step back one second just before you go in the booth. So what time of day was your segment and how many people went before you?
Neeha:
So I think I was smack dab in the middle. My session was one, my call time window was 1:30 to 2. So I had my company also, headquarters will be in east coast. So I was like, okay, and we're allowed to test the phone numbers. We can call the phone numbers, but then we can't, we just hang up. So that's also part of the prep is you have a list of phone numbers, who's picking up and then moving that up to the top of your list in the likelihood that they will be the ones to answer when it's your turn. And I have to mention part of the competition, they also have coaches. So that's usually people who've been previous competitors or they have experience with social engineering. So they had, I think it was four coaches and you get one hour total with each coach during the prep process before the competition. That's Want
Den:
To ask you one thing though, and this is why I was asking what time of the day you're sitting there, never done this before. You've prepped, I know your attention to detail and I know how much you would've prepped for this, but I got a sneaky feeling that morning and then 30 minutes or the hour before, what was going through your head from a nerves perspective, how were you feeling and how did you try and keep yourself calm?
Neeha:
Yeah, so I also had the morning of, remember one of the coaches mentioned to me, Hey, there's leading up to the competition a few days before and then also morning of, so don't want to deal with surprises during the booth. So I luckily remembered that advice and took it because some of my stores that I was contacting, they closed up day of. So I started scrambling making sure I had a better list. So I was a little bit out beforehand, but I think the community of the social engineering community was super nice. They had one of the judges there to really comfort the competitors, let them know, Hey, you got this. So that was really nice and I think I kind of stayed out of the, I actually ended up not watching any of the competitors before me, which sometimes it's a benefit, you understand what people are doing right and wrong and you can take it.
I ended up just like I wanted to be in the zone, focus on what my plan is. So I just looked at, okay, I have these points. I think for me the strongest thing was a script for my pretext. So I knew exactly what I was going to say when they picked up my phone. And I guess this was kind of a spoiler, but that's what I got an award for was most convincing pretext. So I was really happy about that. I mean, I have it right here, but you got the award. Yeah, so it was really cool. So I think that really calmed me down. I was like, okay, I'm going to put on a customer service voice. And one of the coaches, not judges, one of the coaches said, oh, you need to make sure that you are doing this day in day out.
So you need to seem even because if there's nervousness, then if it doesn't apply to your pretext, then people catch onto that. So there's a lot of psychological techniques that were at play, and I kind of noted those down as a part of my techniques throughout the call and we could talk about that too. But prep wise beforehand, it was very much like, okay, I know least before I know what my overall plan is, of which objectives I'm going to ask for a second. And then in the booth I kind of wasn't really thinking about the crowd picked objective, but I knew with my first call I was like, I'm just going to get it out of the way. And I managed to weave it towards the end of the conversation. It was going really well my first call, so I was like, it was really easy to kind of slip that question in. But yeah, so my prep was just kind of you're
Den:
Having, hold on. So you're having this naturally technical asking you technical question shit, and then all of a sudden you're like, what's your favorite cartoon character?
Neeha:
So security audit from corporate for my first call and I had my script ready, I was like, I'm calling from corporate, we have an audit for our remaining open stores, and I have to ask you a few questions so I can check you guys off my list. I mean, the script was better than this, but that's a summary of that. And I just said, I need a few minutes of your time. I didn't ask them for time, I just told them a few minutes. And that seemed to work a lot better, I think is what I've noticed. And that's what the judges commented on afterwards. It was very succinct, this is why I'm calling you. And I think I apparently sounded very even toned. So I think I was really trying to make sure I sounded like this is what I do. She immediately was like, yeah, sure.
I kind of started, I also incorporated, I said, is this store number, blah, blah, blah. And that helped gain credibility because no one else really talks like that other than people who work there and it's publicly available. Every address for that store has store numbers. But that built my credibility, something simple like that. And the goal was to start getting them to say yes at the very beginning of the call. So that was one of the techniques. So I was like, okay, is a store number, blah, blah. And then I'd asked, is this the store manager? And they said, no, I can bring them. I was like, that's okay, you're perfect. I can speak to you about this. So kind of affirm them because the goal was I need to talk to someone. I have a time limit, so the faster the better. And I started talking, I would ask certain questions and I decided to make it, even though it's a checklist I was running through, I tried to add in some of my own statements to build a conversation with this person and build rapport so that they like me basically, so they give more information.
For example, I was like, oh, what browser do you use? And she says, I was Google, I was giving options, Google Chromebox. And then she was like, oh, Chrome. And I said, great, that's my favorite browser. And then she kind of laughed, left phone, and that little laughter kind of loosen someone up asking all these questions. And it's important also when I would ask, oh, do you guys get phishing tests? And I was also explaining what they were. So I was like, when we send you guys, I say we right? I am trying to make it seem like I'm actually calling from corporate. I was like, no, these emails just to see if you're going to click on it, just using layman terms also is very important and seeming very conversational, which even though I'm coming as a technical person, their aspect that they're like, oh, I understand what you're asking me.
So yeah, that was really cool. So by having that rapport, by the end of it, I ended with, okay, so once I had asked all my questions that I needed, I said, okay, so for the stores I've been calling today, I like to end on a fun question. And that's when she was like, okay. And then I asked the crowd host question, I was like, what cartoon character do you think you must embody? And then she said, Danny Phantom. And I was like, wow, I love that cartoon. I said, thank you so much for your time. I hung up and then I heard the audience cheering. So that was a really cool moment to kind of weave in.
Den:
That's awesome. And it's really funny because when you're in the booth, I mean, I've never been in the booth, I've not had the guts to do it. I mean, I've had the inclination, I've just never had the guts or really, yeah, I've never made that effort. So when you're in the booth, there's a couple of hundred or more people now. I mean, how many people do you think were in the audience? Because over the years, that number just seems to grow and grow and grow. And then this year is at the convention center, I think it was, well, it was last year too, but it's a bigger space now. So I mean, are they in the 200, 300 people, do you think? I mean, what's that number?
Neeha:
I actually didn't get the number, but I feel like it was easily over a hundred. That room was huge. I actually took a picture of it and I ended up seeing also the line out the door. It was insane as it usually is, but I think it's only been growing. So yeah, I'm assuming there was at least a hundred people. And when you're in the booth, they have this one glass window, see the tech guy with the phone calls, make sure if there's anything going on, they communicate. And he was amazing during my call, but he can see the audience. But it's very interesting. So you're in a vacuum, so soundproof that I could barely hear the audience other than after every call kind of cheering. But then otherwise I was just like, okay, I'm so locked in because there's so much that I had to look at as a solo competitor too.
I'm thinking about what pretext am I going to use? Am I going to change costumes now for the extra points and then change my script and then which phone number am I going to target next? And then what objectives do I still need to hit? Because some of them you can only get points one time, and then some of them you can ask them multiple times, different callers and you can get multiple points. So I was keeping track of that as well, which ones? And so it's kind of like all of this is going on the timer, so you have to make all these choices in that moment. So I'm kind of just super focused in on what I need to do. So that kind of helped not pay attention to the crowd, but there is so many people, I don't think it hit me until I was done.
Den:
So from a competition perspective, what's the maximum number of points? I mean was there a maximum number of points and then how close do you feel you were getting to that?
Neeha:
Yeah, I think the max number of points is somewhere in the thousands, 1000 something I think. So I don't remember the exact number of points, but the most you can get is from the live calls. So it was really cool. My first time ever I made it, even with the company difference too of this is an unprecedented stuff, I managed to make it in the top five. So I got fifth place and it was a huge moment for me. And I think the scores were actually pretty close for the top five. I think everyone did really well. And so it was crazy. I think I was just objectives from me and fourth place and two objectives, or maybe three for the third place, but probably two for the third place. So it was so close together. So that made it more like, wow, I didn't realize we were all kind of neck and neck almost.
Den:
And then are you inspired to then do it again next year?
Neeha:
Yeah, it's a lot of work. I know, I think it was a lot of hours to put into on my free time and prep, but I think now knowing what the competition is like and having done it before, I'm like, okay, I definitely want to come back and shoot for higher and see what I can do. That would be the goal
Den:
For sure. Yeah, it is really funny. So you and I have had conversations over the years, and I've always shared, everybody knows that I'm always happy to share opinions of shit, but I shared with you, here's thoughts and ideas for your career and how to network and build your network and what's important. I never once in my conversations ever thought about this, and then I think you jumping in on this is just admirable and it's brave and it really pushes you. I mean, I know you're pushing yourself because I'd never thought of you really as an extrovert, and I think for you to jump in front of an audience and do this and the pressure and all of that and to be so successful on your first run is just brilliant. I mean, I'm super proud. Nevermind how you must feel, right? And I've only had a little blip of a slice of your journey. So when you go back into work and you tell everybody in Cisco about this accomplishment, I look at this, holy shit, this is brilliant. What do your teammates at work say? What do they think about it?
Neeha:
So they're kind of in awe, just in terms of the competition in general, what it is. I think some of them haven't really been to Defcon before, and so I was explaining what exactly this competition is about. And I think some people were a little nervous now about, I got to be careful with what I say to you because it seems like especially winning the award for most convincing pretext that they were like, I don't know, it came so naturally to you, is that, and so it's kind of funny like, yeah, maybe this is not the best thing to go around telling people that I'm really good at lying. I guess
Den:
I was just sitting there thinking, man, your partner must be shitting bricks.
Neeha:
Yeah, yeah. But then I was, some of the techniques that I used and I was like, Hey, actually I had a coworker that was like, oh my God, I need that. I put together a PowerPoint, actually was presenting to my team and about this competition. They wanted me to share more about stuff. So I was saying like, Hey, these are the sources I used. There's something called Google Dorking for example, and that's just basically exploiting Google's way of how they index webpages. And it's a different thing on search that you can get certain information that you can't do with a regular Google search or here's the psychological techniques that I used that also falls under ethical guidelines. One of the things is we're not allowed to threaten the employees. We're not allowed to make them seem like they're going to get in trouble or anything like that.
And it's important to remember that also when you're in a time situation, and I had one caller give me pushback when I was pretending to be the liquidator, and I said, I'm from this company. I'm following up on something. We have some loose ends to tie up and she's answering my questions. And then partway through, she goes, I can hear her talking. I think she was talking to her manager, she's like, wait a minute, which company were they from again, because we did an internal liquidation for our store. And I said, oh. And so in that moment I was like, okay, we have to kind of prepare a little bit for what pushbacks we get, how we're going to navigate that.
But in the moment it's very different. So that's also part of, out of my comfort zone is a little bit of improv in front of this audience and stuff. So I just said, oh, I reiterated what company I'm from. I just kept it cool. And I said, are you store number? I just asked it again. And she says yes. And I was like, okay, yeah, you're on my list. And then I just kind of rolled with it and then I added some information. I made up a name and I said, so-and-so was in charge of these lists, but he's patient. And so I have to take it up and you guys are the last ones for me for the day. So if you could just answer one more question, I'll be out of your hair. And the next level that I could have gone to is, hey, if they keep pushing back, another last ditch attempt is giving an where you kind of are taking away their theoretical pain. So what that means is another technique is like, Hey, I'm going to have to escalate this and you're going to be sent a 30 page report to fill out, or you can spend one more minute with me and just answer just one more question and I'll be done. So that
Den:
Yeah, that's brilliant. Because you could be like, yeah, the formal thing is we can email you this report and you can manually go through it yourself, but I only have a couple of questions.
Neeha:
I'm trying to make your, it's like you're helping me out, but I'm also helping you out. And that kind of immediately people are like, well, I don't want that. So they just think about what's easier for them. And so I made it clear that they were the last ones, that I've already spoken to someone, but it plays into that social norms as well where people are like, well, oh, another person already did this. Even if it's not true, but people believe what you say sometimes. So it's these kinds of techniques that's so important to, because anyone can fall for it. And that's the point. It's not to shame these people, it's about to educate. These are techniques people will use, and in fact worse, in the real world,
Den:
And you're really playing on human nature. I mean, I think that's the thing is human nature is that we are trying to be helpful, especially if somebody calls you up or knocks on your door and stuff like that. Unless you get a grumpy old Scottish guy, then you're fucked. I mean, normally normal people are good. So you're planning to do it next year. One of the things I was thinking as you were talking, I was like, well, this just feels like a great blog. So either Cisco or 9 0 9 Cyber, I mean, I guess somebody could have you write a blog on this shit. I look at this, there's way more to this than we're going to cover in today's pod, right? So I think of this as a blog, and then I look at the whole next year. What's your goal for next year, right? You're going to reenter, you're going to chase the dream. I'm guessing the dream is you win the show, right?
Neeha:
Yeah, that would be amazing. Especially because I don't know about this year if they've announced it yet or not, so I'm not sure, but I think all the previous years, I think this competition's been running for over a decade, and I think for every year it's been running, it's been a black badge contest for Defcon. So that basically means that you get free admittance to the conference for life if you win. And I think it's also partly just the prestige of winning the black badge. I think it would be a dream to just make it up to the top, but that's my goal for sure. I have a lot of, the blog is something I actually considered because I mentioned one of the competitors I spoke to, he actually wrote a blog about his experiences and I read those blogs and that helped me with the mindset of going in because I had no idea what it would be like to apply to compete. So that helped me. So I thought maybe I should write something to help with my perspective.
Den:
We always have a guest blogger series on our website, so anybody is allowed to reach out and do a guest blog for us because we don't have that many people on the team that want to write that many blogs.
Neeha:
And
Den:
I just look at the more content that we can push out on our website and educate people the better. And it doesn't even have to be us, and it doesn't even have to be our company. I mean, I don't mind whose company it is, although I do try and avoid the competitors' companies, but Cisco's not a competitor. So yeah, I mean this is brilliant. You have, right?
Neeha:
It's planning more I think for next year is I think what I'm going to take away from this. I planned this year, but I realized in the heat of the moment, there's so much more, I think the way I would lay out my objectives and everything, have a better system for it. I think some of the things kind of blurred. There were objectives that I could have asked that I didn't realize I didn't ask in the moment. So that kind of stuff I am taking away and I am going to apply next year.
Den:
Yeah, as lessons learned to then do better next time. I mean, shit, it's impressive on how well you've done this time. But I think the first, I mean to think this is your first ever run at this is just crazy how much, so let's go back to your education when you're at college though, right? Cognitive science and how much of that learning there did you think applied or helped in this competition?
Neeha:
Yeah, so I think there's a couple different things. I think the obvious one is one of the fields in cognitive science because cognitive science is an interdisciplinary science. There's six different things. There's psychology, philosophy, linguistics, AI, neuroscience, anthropology, and so it's all these fields on the lens of the mind and behavior. So I think with all of that, my coursework was about intersections. That's something I'm so interested in is how things connect to one another. And so I think for this, it was very interesting to, I'm a naturally curious person, and so I think when I was trying to find information about my company, I was like, okay, what resources do I need to use? That research mind comes in, we have to state our sources for how we're finding this information. So I was doing a lot of research on what tools I could use.
I was new to this, and then from there I was like, okay, this is how I'm going to organize this information, all of that, because there's the technical aspects of that degree as well as writing portions. So I had to do a mix of things. So I think putting all that kind of research mindset that I took in from my studies was a big way of how I approached this and obviously the human behavior, psychological techniques aspect. I think sometimes we naturally do certain things, but then making sure I have very specific terminologies. So I was like, oh yeah, this kind of thing, like social proof or trying to pull in terms and okay, see what's convincing to a user. And I like to lean more, okay, let's build a rapport. I understand that people to help people that they feel like they have things in common with or that they like to speak to.
And I also was, that's why I used Reddit. I knew this was a tough time for people, companies going bankrupt, they're losing their jobs. So how do I make sure that the kind of persona I embody is someone that is nice and not a jerk, because that's what they're used to, or if they're dealing with that they don't want to help you out. So I was like, okay, I'm going to make sure when I was going to do the liquidator pretext, I remember someone saying, some people were discussing on the forum like, oh, this liquidation company, it's like they're not talking to each other and they're frustrated and they're like, oh, they're not even helping us out. Then someone was like, oh wow, I had a really nice one, and it was a really easy process. Like, okay, I'm going to channel that, obviously one because they're part of this process, I don't want to be targeting someone and making their time worse for them. But also psychologically, are you going to want to keep talking to someone who's being a jerk to you and being really rude, or someone who's like, hey, I get what situation you're going through, I just want to help you out and kind of make it easier for you? So that's kind of what I decided to lean into. And so that's kind of how I put my studies into this. But yeah,
Den:
That is excellent. I know we're way over time, but I mean I could talk about this forever. For me, the social engineering village was the place where I learned: don't train your companies on your normal security awareness bullshit. Teach them about how to protect themselves and their families online and they'll bring that knowledge to the business. I mean, there was a woman who talked about that and it was about 10 years ago I think. And for me sitting there watching people like you do this, I was just like, I think I probably learned so much just in that village alone. Never mind the other ones. Although the lock pick village is kind of cool too.
Neeha:
I actually picked up a lock picking set this year. Yeah, I love that village a lot.
Den:
Yeah, I got that for my son and I probably five years ago and got him into lock picking, and then I picked up a Pineapple. So for people that don't know what a Pineapple is, it's a very cheap device, about 50 bucks or something, and enables you to hack people's Wi-Fi and set up your fake Wi-Fi and man-in-the-middle attacks. That was fun. And then this year, 9 0 9 Cyber, we got to sponsor the packet capture village. So for me that was because Defcon traditionally didn't allow sponsorships really. There were no vendor sponsors and stuff, so they've obviously relaxed that a little bit so they can bring in some cash, and for us just to get our logo in that village, I'm like, holy shit man, this is brilliant. So I mean, I do love Defcon. The only reason I never went this year was because last year I think I spent more time in lines than I did in sessions. And even though they moved to the big conference center, which I'm thinking that should have solved that problem, it still seemed to not solve that problem. And I'm like, even the Defcon merch line, their store, the line for the store, I think I was in that line for an hour and a half.
I'm like, this is shocking. So I hope they solve that problem because I do want to go, but I don't want to be standing in lines for four hours a day. It's not bloody Disneyland.
Neeha:
Yeah, that's what I think the social, I think they would wish for a bigger room because even with this space being bigger than the past spaces, this room, there's still a huge line out the door where people are waiting for a long time just to get in to watch. And I mean that was so defining for me being in the audience, I would want. And I think what's really cool also is that lock picking and some of these villages, there's no huge intimidation or barrier to entry. I feel like this kind of concept is something that everyone experiences, they know, okay, yeah, I've gotten spam calls before, but obviously it's at a deeper level. But people know phishing emails, and they understand this concept. And I think when they see human behavior like this being at play, and it's something that they can also witness as kind of like a show, I think that's when it attracts a lot of people and they understand.
I think the way that they deliver this information I think is so successful and eye-catching that it kind of sticks with everybody as they go. And that's how I was able to share with so many people afterwards, hey, this is what this is about. And everyone understands it right off the bat when I tell them about this competition. So that's really cool to be able to spread the message in such an easy way. I think it gets people excited also about security and it's like, hey, it's everyone's importance and knowledge to know this stuff. So I think that was a cool aspect also for sharing with people at my company, to even non-technical friends. They have no idea about security and they're in completely different spaces. I would explain it, they got it. So everyone can relate.
Den:
I think for you personally in your career, it opens up a lot of doors as well because all the networking meetup groups and all those things, for them to even think of having you be there and talk about that experience, I mean what we're doing here, but you being on a little stage and just talking, and like ISSA or ISAC or some of these things. I mean, I think it's great opportunities. Yeah. Okay. I guess we should wrap up, Neeha, right? So future black badge winner. That's all I'm hearing, right? Kickass social engineer, intern turned crack superior person in cyber now. I mean I'm like, shit, in four years. I mean, I dunno, this is, you're going to conquer the world. I think so, yeah, future CISO in the making I'm seeing, or you'll just be working for some agencies. You infiltrate the world with your social skills.
So yeah, everybody watch this space. Neeha, thank you very much. I appreciate you coming back on this show. I am impressed. I am super proud. And for me, it's amazing when you get to be part of someone's journey and then you see their journey just explode and you're so successful. And I knew that when we met when I was at Cisco, I was like, this woman's going somewhere. You've got your head screwed on straight, you're smart and you're hungry and you're chasing it. And this is just a great example. I think it's like if you set your mind on something, you can really do it. So I would love to work with you on a blog, and if it's not on Cisco's website, then you should do one for our website. And yeah, thank you very much. It's been great to have you on the show.
Neeha:
Thank you, Den. It's been great too. I'm really glad and honored to be back and to be able to speak about this. So I really appreciate it and thanks for being part of my journey. You're a great mentor that I have and I definitely respect and look up to you a lot. So it's been exciting to have this conversation.
Den:
I appreciate that. I did think you look up to me, not even 5'2", so I knew that regardless, I
Neeha:
Love you on a good day, but
Den:
I know you do wear big heels actually sometimes. Neeha, thank you very much. I appreciate it. Take it easy. Yeah, see you. See you everybody.
Narrator:
Thanks for listening to 9 0 9 Exec. Subscribe wherever you get your podcasts and don't miss an episode of your source for wit and wisdom in cybersecurity and beyond.