The Entropy Podcast

The Weakest Link with Alethe Denis

Francis Gorman Season 1 Episode 38

In this episode of the Entropy Podcast, host Francis Gorman speaks with Alethe Denis, a senior security consultant at Bishop Fox, about her experiences in social engineering and the DEFCON community. Alethe shares her journey into the world of cybersecurity, her participation in the Social Engineering Capture the Flag contest, and the strategies she employed to succeed. The conversation delves into the ethics of social engineering, the impact of AI on security practices, and the importance of understanding human behavior in cybersecurity. Alethe also offers advice for those looking to enter the field of social engineering, emphasizing the value of mentorship and foundational knowledge.

Takeaways

  • Alethe Denis emphasizes the welcoming nature of the DEFCON community.
  • The Social Engineering Capture the Flag contest is a significant event for learning and showcasing skills.
  • Understanding human psychology is crucial for effective social engineering.
  • Ethics play a vital role in social engineering practices.
  • AI is changing the landscape of social engineering and cybersecurity.
  • Organizations need to align their testing with realistic attack scenarios.
  • Mentorship is essential for those starting in social engineering.
  • Building rapport is a key strategy in social engineering.
  • Human behavior is often the weakest link in cybersecurity.
  • Continuous learning and adaptation are necessary in the field of cybersecurity.


Francis Gorman (00:02.152)
Hi everyone, welcome to the Entropy Podcast. I'm your host, Francis Gorman. If you're enjoying our content, please take a moment to like and follow the show wherever you get your podcast from. Today I'm joined by Alethe Denis, a senior security consultant on the Bishop Fox Red Team. She is proficient at advanced social engineering and human psychology, where her team helps organizations strengthen their security posture. Alethe is also a DEFCON Black Badge Hall of Fame inductee, which is super cool. Alethe, it's great to have you here with me today.

Alethe Denis | Bishop Fox (00:30.144)
It is wonderful to be here. Thank you so much for inviting me on.

Francis Gorman (00:34.23)
Alethe, I've been intrigued ever since your episode on the Darknet Diaries to ask you about your experience at DEFCON where you were... Actually, I don't want to ruin the surprise. Can you explain the situation to me and what was involved that you ended up in the Hall of Fame eventually after taking part in a number of these?

Alethe Denis | Bishop Fox (00:50.862)
Sure. Sure. So I'll try to not go too deeply into the weeds, but you let me know if there's any part that you want to explore further. I'll start somewhat from the beginning, maybe not as far back as the diary goes. But around the time my husband and I were running an IT MSP where we were doing IT support for local small to medium businesses, we decided, on the advice of one of our engineers,

that it was probably a good idea for us to start going to information security conferences and to finally make our way over to DEFCON. We'd heard about DEFCON for quite a number of years. My husband especially had wanted to go since he was a teenager. I am not nearly that old, but I'd heard about DEFCON and had wanted to go. I'd seen the movie Hackers, been fascinated by hacker culture. I was afraid that I wouldn't fit in, that I wasn't neat enough

for that kind of community, but my engineer and my husband were like, you're going, so we went to Vegas. And the first DEF CON that I went to was DEF CON 24. And when we first arrived, I was just immediately like swallowed up by this crowd of what I'd now call my island of misfit toys. And I absolutely adore DEF CON.

and everything about it. My experience from the very beginning has been this just very welcoming and education driven community. DEF CON has always been focused on sharing knowledge freely, openly, and without, you know, the excessive fees that some other conferences charge. There is of course, a, you know, entry fee for your badge, but it is relatively low compared to most industry conferences.

And so when I started going to DEF CON, the badge was like under $300. And that has changed as the cost of Vegas has risen, of course. But I know in the beginning it was something like 30 bucks to go to DEF CON or less. So, as I was at my first DEF CON, I sort of found the lockpicking village and that seemed something that was very approachable and easy to get into. And I bought my first lockpicking set and I...

Alethe Denis | Bishop Fox (03:17.218)
sat down in a chill room and one of the people at a neighboring table just walked over and was like, you're doing that wrong. And I was like, please help me. And so they sat down and they literally taught me how to pick my first lock. And I popped my first lock at that table in that chill room with DJs playing and it was like, this is my place.

this is where I'm coming, and I have not missed a single DEF CON since, with the exception of course of Safe Mode, when everybody was virtual. But it was one of those things that it was like a fork in the road, life journey wise. And when I was exploring all the villages, walking around DEF CON, our engineer friend was basically showing us around

DEF CON introducing us to each one of the villages. And the way that DEF CON works is it has its own main stage content. There are people who submit talks to DEF CON. Those talks are on the main stages around DEF CON, but then there's also these little pockets of sub content or villages. And each one of those villages focuses on a different area of content. And that can be like car hacking village. It can be cryptography village.

It could be Blacks in Cyber. It could be a variety of things. Everything from red teaming to blue team village to just a variety of things. I think there's over 20 villages now and there's over 60 different communities, I think that was the last count. I may be off. Somebody will tell me in the comments. But one of the villages that completely captivated me was

the social engineering village. And at the time that village had a contest called the SECTF, the social engineering capture the flag contest. And that contest had an objective of achieving essentially what amounted to elicitation of information. So getting somebody to tell you specific flags of information over the phone, in a timed

Alethe Denis | Bishop Fox (05:38.935)
series of calls, and you had to do all of the research prior to jumping in this soundproof booth on a stage in this social engineering village in front of an audience. And that looked extremely intimidating the first time I watched it. I was like, I could never do that. It was absolutely insane watching people get into a booth and make calls to people that were not expecting a call and then try to get them to tell them bits of information that they weren't even remotely,

you know, authorized to request.

Francis Gorman (06:13.135)
That is fascinating, and I assume you were very good at getting that information out of those people, hence the accolade. When did you realize that you could manipulate your way through a business and that was actually a skill set that you could leverage?

Alethe Denis | Bishop Fox (06:31.704)
So the first time I watched the contest was the second year I attended DEFCON. I missed it the first year; all the contests were done. And the first time I watched it, I was like, that's really cool. And the second year, I decided I would apply to compete. I didn't expect that I would get picked, but I ended up getting selected as one of the 14 contestants. And I thought, you know, worst case scenario, I'll go through the reporting phase. I'll do the research, submit the report.

And I may earn some points on research, online OSINT, and gathering of information alone, but I didn't expect that I would do terribly well during the call round. And I ended up misunderstanding how the points worked during the first part of the contest. You go look for the information online. You can only get each flag once and get points for it one time.

So I assumed that that was the case during the call round in Vegas too: when you go to Vegas and get in the booth, I could only get each flag one time. So my pretext strategy was to try to get each flag once. And so when I got to Vegas and watched other contestants do their calls, I realized that they were essentially trying to get the same flags on different calls.

And I went, oh no, like my whole strategy is totally wrong. And it's kind of too late to change how I'm approaching this effectively enough to, you know, overcome the situation. So I did relatively okay. I ended up placing sixth, ultimately, the first time I competed, out of 14. And I was like, hey, maybe I'm not bad at this. And so between the first year I competed, which was DEFCON 26,

and the second year that I competed, which was DEFCON 27, I made it like my life's mission to learn everything and anything that I could get my hands on about social engineering, human psychology, behavior, elicitation, like everything. I read everything. I researched everything. I got every single book from every single person that knew anything about human behavior and psychology. And I just like sucked everything up like a vacuum.

Alethe Denis | Bishop Fox (08:50.433)
And then I was on maternity leave during the time period that we were doing the research and the OSINT and compiling the report the second time that I competed. So I literally made it my job like eight plus hours a day, more like 16 hours a day. I was working on doing everything for this contest. And so when I went to Vegas the second time, I took a three month old baby with me to Vegas to compete in this contest.

because I just couldn't back out of my commitment to the contest runners and to myself to go back and try to win this thing. And I was the last contestant on the first day. So I came out of the booth and I knew I did relatively well based on how many flags I was able to elicit, but you sort of black out when you're on the phone because you're just mission

focused, and so you're just like, do the thing. And then you get off the phone and you're like, I don't know exactly how that went, but everybody's clapping, so I think I did okay. But there was still another seven consultants or seven callers that had to call the next day. Some of those people were consultants. Some of those people were outside of the industry, but some of them were really well positioned to win. In fact, the second time I competed, the people who had submitted reports

who were placed ahead of me, at least one of them was competing the next day. So I was currently ranked third based on the reporting before we went into the call round. And so I had to overcome a competitor with a perfect report score, the first, and I think the only one, that has ever achieved a perfect report score in the history of the contest,

and then second place report right above me, and then I was third points-wise. So I'd overcome those scores with my call scores, and the other, I think both of those consultants, those callers, were going the next day, but I'm not entirely sure. So, after the calls, the second day, they still don't tell you anything about the points until Saturday night of DEF CON. And then I

Alethe Denis | Bishop Fox (11:17.121)
I finally learned that I had placed first. And the person with the perfect report score placed second. And at the end of everything, when they finally released the final report for the entire year, during the call round, the person that was closest to me points wise was over 100 points behind me in points on the call round alone. So I

demolished the call round. And it was strictly because I put together this strategy where I had lumped all the high value flags into one pretext. And I shaped a pretext around just a way to build completely instant rapport. I switched the first year from pretending to be somebody that was a vendor outside of the company.

to then the second year pretending to be somebody who was internal to the company, who was a coworker. And when they picked up the phone, I told them exactly who I was, where I was calling from, and the reason why I was calling right when they picked up the phone so that there was no need to waste any time with any questions whatsoever.

Francis Gorman (12:38.122)
The only way I'm going to be more impressed with that story is if you tell me you got 100 points ahead of your nearest competitor with a three month old on your knee.

Alethe Denis | Bishop Fox (12:45.999)
So what's insane is that I was like, please do not let the baby start crying when I'm on the phone. Because she was three months old, and there's something about that maternal instinct, especially after a baby's brand new, that just kicks in that sort of overrides all logical thought processing

when you are a new mom. And she is my fourth baby. But I was so afraid that she would start crying and it would just completely derail all of my tactical strategy and like logical thought processing centers of my brain. And it was like, the moment they dialed the first number and the call started ringing across the entire ballroom because they broadcast the sound of the call throughout the ballroom.

She started crying. And I just had to like put myself in a black tunnel and just block everything out. And it was just me and the paper in front of me and the contest runner to my left who was dialing the numbers for me. 'Cause all you have is a headset and a microphone in front of you. And you're in this like sound resistant booth.

And there's, there's nothing you can do. You have no way to control anything. You're completely helpless and you're at the mercy of the person who's dialing the numbers, even with like how much time is, you know, delayed between your calls. It is nerve wracking. So you walk up and you kind of hand the contest runner, the list of the numbers that you plan to call and those that you plan to spoof with your pretexts. And then you're completely dependent on them.

to dial those numbers for you. So if they miskey the number that you're trying to spoof or they misdial, like that's time that you lose. It's very, very, very insane. The first year I competed, I was so anxious that by the end of the calls, my whole body was so full of adrenaline that my knees were bouncing on the stool that I was sitting on. And that first year I competed, I think...

Alethe Denis | Bishop Fox (15:11.468)
It was like six, almost seven minutes into those calls before I got an actual human on the phone. So the second time I competed, I was like, this will never happen to me again. I will not end up in voicemail. Not again. And so I became a little obsessed and I actually took all the numbers of people that I plan to call.

And I made certain that they would answer at the time that I was assigned to make my calls. We could make the calls, but we had to stay on mute. We couldn't engage at all with the people that we were targeting before the actual call time during the contest round in Vegas. So we could call and make sure that somebody picked up, but we couldn't engage with them. We had to hang up. So I would call, spoof a number. When I was at home, I'd spoof a number that was known to be spam from, you know, whatever area that person lived in,

and they would just, you know, brush it off as a spam call. But I wanted to make sure that they picked the phone up. And then because these were regional salespeople, I knew that they would be answering their phones because their livelihood depends on answering the phone. And they had to cater to a lot of local retail stores, so they pretty much always get calls from random numbers. And so I would call them and then I would rate

how happily they answered the phone. And so if they answered the phone and they sounded very eager to please and eager to help and very, you know, polite and friendly, I'd give them a 10. And if they answered the phone very, you know, annoyed or troubled to be bothered, then they'd get a three or a four. And if it just went to voicemail, it was a zero. And then over time, I would, you know, average the scores and then the people with the highest score, those were the ones I called first on the day of the contest.

So it was a little insane, but it was very strategic the way that I decided who I was targeting.

Francis Gorman (17:14.134)
You went after the happy people. That is so bad.

Alethe Denis | Bishop Fox (17:16.246)
I went after the, God, it's the most evil thing. And you know, it's insane because the contest was, it was devilish because there's no way to relieve yourself of the guilt. Now with clients, the people that I have as points of contact within my client organizations, I can sort of relieve myself of the guilt by explaining

why I did what I did, how we did it, the purpose of giving over the report, making the explanation and sort of making amends for how we approached the engagement. I've even had clients that are like, why are you apologizing? It's your job. I'm like, I feel terrible. And in the case of the contest, like there's just no way to relieve the guilt because they don't know they're part of the game. They have no idea that they've been targeted.

And if they ever did suspect that this was part of a social engineering campaign, there's no way for me to like contact them without it being super sketchy. And from what I understand, none of the organizations I targeted ever contacted the contest runner to request the report or to ask about it. They never managed to trace it back to the contest in any way, but I still remember

every single person that I targeted. I know their names. I know everything about them, their spouses, kids, where they live, like everything about them, because I did so much research to make sure that I could build rapport with them, that I would know how to, you know, talk my way out of any challenges or objections to what I was asking for. I even had a person, this I did not find in my research 'cause it was pretty new, but he answered the phone and he was like, I'm actually on

paternity leave right now. And I was like, gosh, don't let me bother you, like we can just hang up the phone, we'll do this when you come back to work. And he said, no, no, let me go get my computer. And I was like, no, you really don't have to do that. I was like, I just had a baby too. And like the whole audience in Vegas just starts losing it, to the point where I think the contest runner had to tell them to shush, because it's not totally soundproof in the booth,

Alethe Denis | Bishop Fox (19:36.178)
so it would have been a little awkward for him to hear an entire audience of people laughing. But it was probably one of the most insane experiences of my life because walking out of that booth the entire audience is just losing their minds because I was so diabolical in the way that I was able to stack the flags together and just like knock them out. But I will say I had a lot more fun.

competing the first time, because there was one scenario where I was able to make the first call into the main desk at reception, and then I pivoted and had the receptionist transfer me to the person that I originally targeted at the start, who didn't answer the phone. And because the call was transferred internally, that person then picked the phone up, and I changed pretext mid-call from somebody at a catering company

to somebody from a charitable giving organization, changed my name, changed the pretext, like mid-call, and the audience lost their minds. I felt like I scored a touchdown. It was so much fun. I just, I see the contest as like the circus act that gets people into the village to teach them about social engineering, to drive that educational component, to do the work of giving people something to see.

and learn from rather than it being about the contestants or even the, you know, target humans. So in the future, I'm hoping that we can create contests that are a little bit more ethical as far as the targets go so that we can sort of wash ourselves clean of the guilt of the folks that we are targeting in these scenarios. But I will say that it has

been an incredible experience being able to see how social engineering has evolved over time and how we're now considering those ethics in the scope of the work that we do on an ongoing basis.

Francis Gorman (21:43.156)
I'm so happy I'm the pessimistic old cybersecurity guy who doesn't trust anybody.

Alethe Denis | Bishop Fox (21:47.281)
It's absolutely true. I've just stopped answering my phone if we're being honest.

Francis Gorman (21:56.183)
Alethe, so this is fascinating because you're just talking about human psyche. We always say humans are the weakest link when it comes to the technology landscape. Every time you get a third party compromise or a successful phishing attack or whatever, you can almost link it back to somebody clicking an email or somebody answering a call from Alethe Denis. Don't answer a call from Alethe Denis.

When you get the person on the hook, is there a point where you just know you have them? Because I get the sense your scoring system is, no, he's no good, he's no good, he doesn't answer the phone, aha, nice guy, you're my target. And then when you get nice guy on the phone, or a nice girl, is there a point where you kind of know you have them and no matter what you ask them from that point on, they're gonna oblige you?

Alethe Denis | Bishop Fox (22:41.488)
Yeah.

Francis Gorman (22:53.042)
Or are there certain tells that you can pick up on? Or do you need to have that deep research of the individual done beforehand?

Alethe Denis | Bishop Fox (23:02.253)
Yeah, you don't always. A lot of the time our clients will ask us to test things like their help desk or people whose job it is to answer the phone. And so they're trying to balance: how do we focus on excellent customer experience and excellent customer service, even on an internal level? How do we give our help desk the guidance to serve our employees with excellent,

you know, customer experience for help desk, but then also be very cautious on the validation and authentication of users requesting things like password resets, et cetera, especially when you've got audio deep fakes and things like that, that are coming out of the woodwork, right? So what they want us to test is how well employees are adhering to internal verification policies and things like that.

And usually what comes out of these types of assessments is not do good or training. That is never a recommendation I'm going to give a client. Because at the end of the day, we are all humans. We are all susceptible to being influenced by other humans. And there are humans who are just not going to be able cognitively

to discern whether they are being manipulated or influenced or the subject of a social engineering campaign. It is not possible for them to understand that they are being manipulated. So we, as security people, need to make sure that not only are we empowering our people to challenge authority, to properly verify and adhere

to policies and we need to give them the signs to point to, say, I'm sorry, I cannot take this action, even though you say you're the vice president or the CFO or the CEO, because this policy will not allow me to, and that takes the burden off the human to make the rule or, you know, have to be the bad guy in the scenario. But we also have to put the technical security controls in place.

Alethe Denis | Bishop Fox (25:21.51)
that will prevent the humans from doing the bad things wherever possible. So what I mean by that is I have been in scenarios where I've sent phishing emails and the human targets of those phishing emails have actually replied to my phishing email and said, hey, your link isn't working. I can't get there. And I've been like, that's so crazy. Let me try to help. Can you send me a screenshot of what's happening?

And they've sent me a screenshot of their browser and the browser is basically restricting them saying you can't go to this domain. It's bad. So it's like a newly registered domain and they have browser rules that prevent them from going to those. And that's good. That organization is doing good things to prevent their employees from going to newly registered domains that could be suspicious and preventing that human from making a mistake, which is fantastic for them.

You know, not everyone is going to be at the top of their game all the time, every day. And so, yes, to answer your question, when I do get somebody on the phone, which is a little bit more rare these days, people don't like to answer the phone. But in the event that I do get somebody on the phone, yes, I can tell when I'm going to have somebody who will comply with my request. And I have been able even recently to get tier one tech support.

to change the callback number for the COO I'm impersonating for a help desk ticket. And then I have tier two tech support call me back on my phone instead of the actual COO's phone number. And then I have that person ask to get me on a Teams call to verify my identity as the COO. And I say, oof, that's so weird. Teams isn't on this computer. You think maybe we could just...

Do something else? Sure. Does your phone have FaceTime? Nope. Can we do a Zoom call? It's not installed on this computer. And I've managed to talk my way out of all those things. And because I sound like such a nice, friendly person and I'm the COO, big quote marks around that, they feel like they can't challenge my authority because I'm so high up in the organization and they don't want to be the person to say no.

Alethe Denis | Bishop Fox (27:49.437)
They're very uncomfortable with that. So they just kind of roll over and say, well, it's okay, I guess we could do it this once. And I know after overcoming their three challenges that yes, they will absolutely do whatever I ask. They're ready to do whatever I ask. And so in this case, I was at a point where this tier two technician was willing to

essentially deactivate the user account of the COO and set up a new computer for that COO and I stopped them. Because at this point I know I've managed to overcome all their objections. I've managed to prove beyond my shadow of a doubt that they will not verify the identity and will proceed.

But at this point, in my opinion, if I allow them to proceed, all I'm doing is causing headache to the organization and specifically to the COO I'm impersonating by deactivating their account, replacing their computer, doing all these crazy things. Like I'm adding insult to injury that isn't necessary to prove my point, in my opinion. And that, in my opinion, is unethical, from the perspective

of me as an ethical hacker, and that may not even be the opinion of my employer or my client, but I could not proceed beyond that point. I know for a fact that human would have done whatever I asked him to do. He was prepared to set that COO's profile up on the Mac computer that I was holding in my hand. He was ready to do it and I said,

You know, actually I'm not comfortable having you tech support remote into my personal, like my as the CEO personal computer. How about you just go ahead and email me those instructions and I can do it on my own. And I stopped it there.

Francis Gorman (30:03.348)
I was going to say you're a really bad person, but you do have a soul. You stopped. You stopped short.

Alethe Denis | Bishop Fox (30:06.47)
I do, actually. I know I couldn't handle the guilt. And this is the one that I was referencing earlier, where I actually had the point of contact that I was working with from this client company talking to me in real time. I was going, this is where I'm at, this is where we are, this is what they're offering to do, this is what I've overcome, these are the challenges I'm getting, I've overcome that one, they're prepared to do this, like, what do you want me to do? And they were even like, go ahead and

like see how far you can go and I was like, no, I'm not, I'm not, I'm not willing to do that. I don't know where the COO is. I don't know what they're working on today. I could completely take them out of something very important right now. That sounds like a terrible idea.

Francis Gorman (30:52.138)
Like the bad fairy on your shoulder saying go on, check her out.

Alethe Denis | Bishop Fox (30:54.521)
Yeah, it was literally like, just do it. No, don't. So it ended up that COO was at home. And so if I had deactivated their account, they would have had to go all the way into the office, get the replacement computer. And so I argued it with another manager at Bishop Fox later in the reporting. They were like, this isn't compelling enough impact-wise.

Like you didn't actually get this account compromised. And I was like, but they were going to do it. But they didn't actually. And I was like, listen, they were so close to doing it. I'm the one that told them not to. And I did so in a way that they had no idea that I wasn't actually the COO. I didn't say, just kidding, it's a test. Like.

I managed to talk my way out of this without them being even suspicious that this was not actually the COO and I was able to replace the callback number on this person's user profile as like my burner phone. Like tell me that this didn't have impact. I said if I was in the town where this client headquarters was, I got this person to agree to set up a new computer.

for the COO without deactivating the profile. I said, I'll set this up on my own on my personal computer. Please go ahead and provision me a new laptop and put it in my office. So they ended up setting up a new laptop for her and put it in her office. I said, and if I had a physical assessment in scope for this red team, I could have gone to the office as a courier picking this computer up for the COO who I said was headed to the airport.

And I could have lifted this computer from her office pretending to be a courier who was getting the computer for her and managed to get access to it. Like there's 18 different ways that I could have won this and I was the one that sandbagged myself. So I don't know. You tell me in the comments, dear listener, what you think.

Francis Gorman (33:04.95)
When you lay it out, it's so simple, but my God, the impact could have been astronomical if you had a play, you know.

Alethe Denis | Bishop Fox (33:12.677)
like detrimental on so many levels, but I was not prepared to take it to that point. A, like I didn't feel comfortable kicking the tier two tech support person when they were down because I felt like I made my point. My goal was not to compromise them that hard. It was to prove that they were not verifying the identity of the callers. That was the only goal. Prove that they are not

validating the callers before they will take any action requested on the accounts. And this was an outsourced IT vendor to the client organization. So I'm already testing an organization that is not my client. So keep that in mind too.

Francis Gorman (34:06.474)
Fair point, which is illustrating my supply chain worries. So that's my third party services provider that I've outsourced my help desk to, and I've access to my reset capabilities across my identities and my passwords. You mentioned something there and you kind of said nobody really answers the phone anymore and AI is changing things. Like basically with AI, it's incrementally just ballooned every six months.

Alethe Denis | Bishop Fox (34:09.844)
Hmm.

Mmm, yeah.

Francis Gorman (34:37.366)
how much is that gonna change the social engineering capability when you can almost scour the internet, become anyone, sound like anyone? Like we're on the internet now doing this conversation. So within a couple of seconds, you can be Alethe Denis or Francis Gorman and interface with, so maybe bad Alethe will be an AI driven avatar of yourself that's going to follow us through and all this stuff. But where are we headed? How do you defend against, like if you can't use

Alethe Denis | Bishop Fox (34:42.194)
be anyone.

Alethe Denis | Bishop Fox (34:53.352)
Mm-hmm.

Alethe Denis | Bishop Fox (34:57.181)
I'm

Francis Gorman (35:06.198)
touch and feel anymore, you can't really verify something is actually real.

Alethe Denis | Bishop Fox (35:09.492)
Mm-hmm. Yeah, it's becoming quite scary, if I'm being honest. I have so many engagements now that are focused on testing around AI deepfake, like audio deepfakes, and also the AI audio and video deepfake engagements are becoming more and more popular. What I am concerned about on that side of things is the fact that that testing doesn't

really align super well with our client goals. And what I mean by that is everybody wants the new shiny toy, but they aren't really aligning that testing well with the objectives of the organization. So the test doesn't doesn't really validate whether or not the controls of the organization would stop a social engineering campaign that is

using or leveraging AI deepfake audio and or video in the campaign. A lot of the time the scoping or the rules of engagement will make the test sort of invalid or they'll say, well, you can do it, but you you can't target our executives or you can do it, but you have to deepfake this person. Or a lot of times they'll say you have to do this.

But we want you to source all the material from public recordings, in which case we can only really source a CEO or somebody who has a public profile who's in a lot of media. But then the pretext or the department that we're targeting will be like the help desk. And the CEO would never call the help desk. So it doesn't really match up very well. So anyway.

The point I'm trying to make is the assessments that we're doing for testing whether or not organizations are susceptible to social engineering campaigns that incorporate the use of deep fake audio and video aren't really matching what attackers are using audio and video deep fake for in their social engineering campaigns against organizations. And that's where we have a misalignment.

Alethe Denis | Bishop Fox (37:37.63)
But I do think that that is going to increase, but maybe not in the way that we've seen the testing interest increase. So.

Sometimes we have tests where they say they'll give us the source audio. They'll have someone submit recording of themselves so that we can deep fake them. And it's mainly because they're interested in hearing a deep fake of themselves, but they don't see how that aligns well with a realistic attack scenario. And I'd love to see us think about this more from a realistic attack.

scenario perspective and align the way that we are testing with deepfakes with how attackers are actually leveraging deepfakes in the wild and to learn more about how that is happening. But I think that a lot of organizations are shy to share what they're seeing because it is embarrassing when you've been compromised by something like that to share it publicly.

A lot of organizations don't like to reveal when they've been breached or when there's been an issue and if it's not legally required, they won't. But there was that one incident that was talked about a few years back, if it's been that long already, where the employee in Hong Kong received a phishing email. They flagged it as phishing. They tried to confirm it with their European executives.

got all five European executives on a video conference call only to transfer what was it like one point or twenty six point five million dollars. Somebody will correct me if I'm wrong. I think it was like twenty five point six million and then later they found out it was like five. It was five executives on the call and each one of them was a deep fake video and audio deep fake.

Francis Gorman (39:35.318)
It was a lot at the time, yeah.

Francis Gorman (39:46.986)
And that's when it was crummy.

Alethe Denis | Bishop Fox (39:47.178)
Which is exceptional. And that was, yeah, that was back when it was like bad. Right. Yes. I really, I'm so curious as to how, a, how they pulled that off, b, what it actually looked like, how long the call lasted. Like I have so many questions. I would love to know more about what that actual experience was like.

Francis Gorman (39:53.153)
We're talking two years ago, know, that's when Smith had seven fingers and that, you know, weird hot dog videos or spaghetti videos.

Alethe Denis | Bishop Fox (40:16.601)
but yeah. Yes, please get me a note. Yes. Yes. You can totally deep fake somebody else. We just need all the details. Deep fake me. Come on the podcast. Tell us everything.

Francis Gorman (40:17.6)
So if you're listening guys who stole all of the millions, can you get in touch? We'd love to have you on the podcast.

Francis Gorman (40:37.398)
Alethe, it's fascinating. I feel like we could talk about this all day, but I'm also conscious of your time. If there's people listening here and they want to get into social engineering or want to experience what it's like to kind of get that sensation that you have a hunter and you have your prey and you want to track them down, but you can't use weapons. It's all verbal. It's all intuition. How would you suggest?

Alethe Denis | Bishop Fox (40:59.017)
Hahaha

Francis Gorman (41:04.84)
someone goes about it, because you got the book, Bogan, and you read the books, et cetera. Is there a natural pathway? Because I feel people kind of navigate toward certification, and it's not probably the best place to go.

Alethe Denis | Bishop Fox (41:13.204)
Mm-hmm.

Agreed. I would say the best way to start in social engineering is to find somebody that you trust to mentor you. And then there's a handful of books that I recommend people start with. The first one is Influence by Robert Cialdini. That book is great for understanding sort of the levers that you can pull in people's brains.

It is framed around compliance professionals or salespeople. And those stories do help sort of frame manipulation, which is truly what it's about, and how to use those tactics. Then I would follow that book up with the book The Code of Trust by Robin Dreeke, which helps to then shift your perspective from, you know, kind of negative manipulation into positive influence and rapport building.

and sort of a more positive frame for how to use those tactics. And once you've gotten through those two books, then you can come talk to me. And if you seem to have the right frame of mind and you approach this from the right perspective, both ethically and positively, then we can talk.

Francis Gorman (42:34.218)
That's great. Give Robin a shout out. He's a friend of the show. He was one of our one of our guests earlier this year.

Alethe Denis | Bishop Fox (42:37.327)
He's absolutely fantastic. Yeah. Robin is amazing. He's one of my most favorite mentors and he has a new edition of his 10 quick ways to build rapport coming out next March too.

Francis Gorman (42:50.792)
Excellent. I'll have to touch base with him. I also know he's doing the D2 Spy Leadership course for executives, which is an interesting thing with Matthew Dunn, who was also recently on the show. So we're doing the circles in the FBI and MI6 rings as well as everywhere else. Look, Alethe, it was an absolute pleasure to have you on. I thoroughly enjoyed the conversation. I think you really brought together

Alethe Denis | Bishop Fox (42:55.486)
Mm-hmm.

Alethe Denis | Bishop Fox (43:05.479)
Yeah, nice.

Francis Gorman (43:15.572)
these scenarios, how they can evolve in real life and what it means and kind of painted a picture of the impact that can come from just, you know, getting someone on the hook and pulling on their heartstrings. And we confirmed, you know, you're not all bad behind it all. You do have a conscience, which is great.

Alethe Denis | Bishop Fox (43:29.045)
I do try. Thanks so much for having me on. It was an absolute pleasure.

Francis Gorman (43:36.332)
I loved it. Thank you. Thank you.