Social Engineering and Open Source Intelligence (OSINT) are silent modes of compromising businesses. This presentation takes experience from the field and from a simulated compromise of a Fortune 500 company in a Social Engineering Capture the Flag, and applies it to help organizations better understand the threat landscape, arming them with actionable advice to employ internally to minimize the impact of such attacks. We also identify places to find data, which in turn provide insight into more valuable data sources. The presentation includes a demo of OSINT techniques, phishing, and a pretexting discussion. It aims to help penetration testers, social engineers, and other interested (and authorized) parties find ways to gain information about an organization and its people, so that they can overcome the technical limitations of the perimeter and gain access to allow further exploitation.
Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.