Speaker: Chris Hadnagy, Founder of Social-Engineer.org and Social Engineering Village
Background: 10+ years running DEF CON Social Engineering Village, author, security researcher
Key Focus: Lessons learned from a decade of social engineering competitions, industry evolution, and professional ethics
The Origin Story: DEF CON 17 Catalyst
Chris Hadnagy shares the humble beginnings of the Social Engineering Village, born from a problematic social engineering competition at DEF CON 17 that didn't align with ethical principles.
Founding Moment: "They were calling random college girls and getting their credit card numbers and not muting those numbers while they were being read. I was horrified. I get paid to do this by really big companies and this is not a great thing to have on video."
The Initial Challenge:
- Jeff Moss challenged Chris to "professionalize" social engineering competitions
- The EFF provided pro bono legal guidance for months to make sure the competition stayed within the law
- Major companies (Apple, Microsoft, Oracle) objected to the prospect of being live-hacked at the event
- The FBI got involved, and the SEC CTF concept was presented to them in Virginia before the first competition ran
- First competition launched with one main rule: "No one gets victimized"
"I just got social engineered by Jeff Moss. I was just telling you what you should do, I wasn't saying I wanted to do it. He's like great, we'll see you next year with your competition."
DEF CON Evolution: Year by Year Growth
DEF CON 18
First SEC CTF: "How Strong is Your Schmooze?" - 175 sq ft room, court stenographer for transcripts, first black badge awarded
DEF CON 19
"The Schmooze Strikes Back" - Room expanded, continued success, began considering additional structured activities
DEF CON 20
"Battle of the Sexes" - First kids competition, NSA Director General Alexander visit and director's coin award
DEF CON 21
"Who's the Deadliest Social Engineer?" - Women's participation dramatically increased, infamous "nerf gun kids competition"
DEF CON 22-23
Tag team competitions, Mission Impossible challenges, speaking tracks added, room expansion campaigns
DEF CON 24-27
Industry-specific themes, team expansion, professional framework development, SE Village conference launch
NSA Recognition: "The director of the NSA is here he'd like to see you... He awarded me a director's coin and said 'son what you're doing is great for our country, keep doing it.' After that, no more newspaper articles about us being scary hackers."
Red Team Insights: Practical Social Engineering Lessons
OSINT Correlation = Success
Winning competitors spend 60+ hours on reconnaissance and produce 50+ page reports. Deep knowledge of target companies (acronyms, internal language, employee names) directly correlates with competition success.
Internal Pretexts Work Best
Survey pretexts generally fail except when tied to recent actual surveys. Internal employee personas consistently outperform external pretexts in vishing attacks.
Tag Team Innovation
DEF CON 22 introduced tag team competitions where partners had to hand off calls seamlessly. Successful pretext: "I'm training a new recruit on Adobe Connect" to explain multiple voices.
Industry-Specific Targeting
Themes evolved to focus on specific industries: telecommunications, information security, gaming, transportation, alcohol/tobacco/firearms manufacturing. Avoid government, banks, and healthcare due to legal risks.
Professionalism Over Aggression
Only one disqualification in 10 years (for threatening an employee with termination). This shows that effective social engineering doesn't require fear, anger, or threats - just strategic communication.
Real-Time Adaptation
Successful competitors demonstrate the ability to pivot when they encounter trained defenders. Target companies, in turn, show improvement when their employees ask legitimate verification questions instead of simply answering.
Industry Impact & Career Development Statistics
Career Transformation
Before competing: 39% of competitors worked in InfoSec, 61% did not. After competing: 72% were in InfoSec, 28% were not
Time Investment
Winning reports average 60+ hours of OSINT work and 50+ pages of detailed analysis
Industry Growth
Google search trends for "social engineering" show massive increase from 2009 to 2019
Market Penetration
Only 15% of US companies actively conduct phishing training - massive growth potential
Training Ground Success: "72% of people decided to get into InfoSec after competition. This is a training ground - a beginning training ground where people can take that leap and say 'wow that was actually more fun and easier than I thought it would be.'"
Professional Ethics & Industry Standards
The Social Engineer Code of Ethics:
Leave Them Better
Core mantra maintained throughout all activities. Only one disqualification in a decade, for threatening someone's job
Education Focus
All activities are designed to educate rather than simply exploit. The framework has been adopted by a European country for its national pen testing standards
Professional Boundaries
Avoid government, banking, and healthcare targets because of the legal and ethical exposure. There is no reason to go near those lines
Industry Professionalism Challenges:
Live Tweeting Pen Tests
Industry leaders unanimously condemn live tweeting client engagements as "breach of contract," "wrong and stupid," and "unprofessional" - damages client trust and confidence
"100% Success" Myth
Moving beyond ego-driven approaches to focus on improving client security rather than proving attacker superiority
Collaboration Over Competition
With only 15% market penetration, there's enough work for everyone without bad-mouthing competitors
"You can be a professional social engineer but you don't have to be a bad person. You don't have to use fear, you don't have to use anger, you don't have to use extreme emotions to get the job done, and yet you could still leave room for education."
Practical Red Team Techniques & Examples
Successful Pretext Examples from SEC CTF:
Training Manager Pretext
"I'm working on training a new recruit. We're on Adobe Connect, that's why the number doesn't look real. I want to listen to him while he does the call and grade him after."
Survey Follow-up
"Your survey data didn't get sent properly. I need to redo it verbally to make sure we capture your responses correctly."
Security Concern
"There's this big hacker convention going on called DEFCON. I think we're a target and want to make sure your machines are secure. What OS are you on?"
Defensive Improvements Observed:
- Companies asking "Who's your manager?" and expecting specific names
- Requesting callback numbers and verification procedures
- Demonstrating critical thinking about unusual requests
- Some organizations showing a marked improvement in security awareness compared with earlier years
Real-World Impact: "We had a few people that answered the phone today and asked legitimate questions, forced the caller into giving them details, showing that they had some training and real critical thought. That's amazing and wonderful to see."
Key Takeaways & Future Directions
Decade-Long Lessons:
- Social engineering remains a critical attack vector that requires professional attention
- Ethical approaches are not only possible but more effective long-term
- Deep OSINT preparation directly translates to social engineering success
- The industry serves as a valuable training ground for new professionals
- Collaboration and professionalism elevate the entire security community
- Client education and improvement should be the ultimate goal
Community Vision: "The bad guys band together, they share secrets on their forums. There's no reason for us not to do the same exact thing. We can really leave each other better for having met each other and still grow in this industry."
Future Initiatives:
- SE Village Orlando conference for professional social engineering development
- Continued framework and resource development on Social-Engineer.org
- Expansion of educational materials and training programs
- Ongoing industry professionalization and standards development
"The competition was born at the biggest hacker convention with the most volatile network on planet Earth, but with a goal to show how social engineering was dangerous and still a very viable vector, but if we can change it, it can change your life for the better if you allow it."