Speaker: Chris Kirsch, Product Marketer & DEF CON 25 Social Engineering CTF Black Badge Winner
Background: 22 years in InfoSec product marketing (PGP, Rapid7/Metasploit, Veracode), SE CTF competitor
Key Focus: Applying psychic cold reading techniques to social engineering for better target assessment and pretext development
The Transformation: From Zero Points to Black Badge
Chris Kirsch's journey in social engineering began with a humbling DEF CON 24 SE CTF performance, scoring zero points. Determined to improve, he returned at DEF CON 25 with refined techniques that earned him a prestigious black badge.
Red Team Mindset: "He came back at DEF CON 25 and owned it to the point of a black badge... to go from, like, zero points to a black-badge-worthy competition, that's really impressive."
The Learning Process:
- Analyzed failure points from initial competition
- Studied and implemented cold reading techniques
- Applied methods in corporate hackathon setting for practice
- Developed systematic approach to target assessment
- Created transferable framework for social engineering operations
"At that black badge he used a number of tactics that I stole from him and still use to this day in our company."
Understanding Cold Reading: The Foundation
Cold Reading Definition
Conning people into believing you have psychic powers through observation, probability, and psychological techniques. Used by fortune tellers, tarot readers, palm readers, and spiritual mediums.
Different from Mentalism
Mentalists use many of the same techniques but present them as performance art and do not claim real psychic powers. A cold reader working as a psychic, medium or fortune teller wants the target to genuinely believe in a supernatural ability.
Warm Reading
Using OSINT (Open Source Intelligence) to gather information about targets beforehand to make readings more accurate and convincing.
Practical Application: "I did psychic readings at work... offered people free psychic readings talking about their career, health, ambition, relationships, money, past, present and future... I did about eight readings in two days. It's a lot more exhausting than I thought."
The Cold Reading Setup: Creating Credibility
The Pretext Framework:
Astrological Chart Ruse
Used a printed astrological chart with instructions: write your date of birth, close your eyes and draw lines, trace your left hand, add the initials of an important person. Creates a false sense of legitimate methodology.
Authority Establishment
"When I see things I can't quite steer what I see in the reading... what I see is not always entirely clear to me so I need your help interpreting it." Sets expectation of collaboration and ambiguity.
Target Classification
Categorize targets as skeptics, maybes, or believers. Maybes are the easiest to convince. Believers split into two groups: those who accept everything outright, and experienced believers who have seen other psychics and judge you against them.
Social Engineering Lesson #1: "No matter how bad your pretext, sell it right and sell it with conviction... channel the people that ran the Fyre Festival, because while they didn't run a very good festival, they did sell it with conviction."
Rainbow Ruses: The Art of Self-Selection
Rainbow Ruse Definition
A statement that credits the target with a trait and with its opposite, so that whichever applies they hear a hit; the target self-selects the half that fits. Works even when you know nothing about the outcome in advance.
Corporate Communications Example
Target in black hoodie with tattoos working in corporate communications: "There are some people who need rules in their lives to function and others that are more of a free spirit. I get the sense that you are more of a free thinker but didn't stick to the rules in your job when you have to write."
Sales Professional Example
"You're comfortable assessing and accepting risk in your life... however when you think about other people in your family and social circles, you are more comfortable with risk than most others."
Software Engineer Example
"Some people prefer to hash things out in conversations but I get the sense that you find these tedious and unproductive. While you will get input from others, you'd much rather read up on a topic and find some peace and quiet and figure things out for yourself."
Social Cues for Assessment:
- Clothing and haircut: Expensive brands, sports clothing, message t-shirts
- Watches and jewelry: Status symbols (Rolex), charity bracelets
- Body language: Open/closed posture, confidence indicators
- Facial features: Laugh lines vs frown lines, fitness level
Social Engineering Application: "Phrase it as a statement rather than a question to show more authority and more knowledge... Instead of saying 'are you having any connectivity issues' you would say 'we are having connectivity issues at your site that are likely affecting you.'"
Probability Manipulation: Playing the Odds
Name Probability Technique:
Common Name Database
Researched the most common first names by gender for each decade from the 1960s to the 2000s. The target's gender and approximate age then give the likely cohort of the important people in their life, and therefore the names most likely to land.
Implementation Example
"I get a strong sense of someone significant in your life... I see a name starting with J... someone you know well haven't been in touch with for a while... I see a Jess or Jessica or maybe a Jen or Jennifer."
Fallback Strategy
If completely wrong: "I'm getting the sense that this person is really impactful to your life so if they haven't come along yet then just make sure you watch out for them." Always have multiple outs.
Barnum Statements: The Unexpectedly Common
Childhood Water Accidents
"I see something probably in your childhood, an accident involving water." Could be a bathtub, pool, lake, ocean, slipping on ice, or a skiing accident. Had about a 50% hit rate, and such accidents are often traumatic enough to be memorable.
House Number with Digit 2
"I'm seeing a house... I see the digit 2." Many house numbers contain a 2 (2, 12, 20 through 29, 32, and so on), and each person has lived at several addresses and knows those of family and friends, so the chance that some relevant address contains a 2 is high.
Cloud Hosting Costs
Social engineering application: "Our cloud hosting bills are much higher than expected." A very common problem once companies move to AWS, Azure or Google Cloud, yet one that the people inside a company don't realise is common, so naming it reads as insider knowledge.
"Use probabilities to shape your pretext... if you are doing research on a company you can't quite figure out what CRM they're using... go to Gartner Magic Quadrant or market share data and you'll find Salesforce.com is the market leader... make a bet on that being true."
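A worked illustration of the arithmetic behind these probability plays, added here; this is not code from the talk. The name-frequency table is constructed for the demo and is not real birth-name data, and the 1..100 house-number range, the four known addresses and the ten significant people are assumptions chosen to show the effect of multiple outs:

```python
"""Estimate the hit rate of probability-based cold-reading statements.

Added illustration. The name frequency table below is CONSTRUCTED for the
demo and does not come from real birth-name statistics.
"""
from collections import defaultdict

# Constructed frequency table: share of a hypothetical 1970s female cohort
# carrying each first name. Not real data.
FEMALE_1970S = {
    "Jennifer": 0.040, "Jessica": 0.018, "Julie": 0.012,
    "Amy": 0.030, "Angela": 0.022,
    "Michelle": 0.026, "Melissa": 0.021,
    "Kimberly": 0.020, "Lisa": 0.028, "Laura": 0.014,
}


def digit_hit_rate(lo, hi, digit):
    """Share of house numbers in [lo, hi] whose decimal form contains `digit`,
    assuming house numbers are spread uniformly over that range."""
    d = str(digit)
    hits = sum(1 for n in range(lo, hi + 1) if d in str(n))
    return hits / (hi - lo + 1)


def at_least_one(p, k):
    """Probability that at least one of k independent chances, each with hit
    probability p, lands. This is the 'multiple outs' effect: a statement that
    may match any of k people or addresses is far stronger than one that must
    match exactly one."""
    return 1.0 - (1.0 - p) ** k


def best_initial(freq):
    """Pick the first letter carrying the most combined name mass, i.e. the
    initial to 'see' in the reading. Returns (letter, combined_share)."""
    mass = defaultdict(float)
    for name, share in freq.items():
        mass[name[0]] += share
    letter = max(mass, key=mass.get)
    return letter, mass[letter]


def names_with_initial(freq, letter, k):
    """The k most common names with that initial: the concrete guesses to
    offer out loud ('a Jess or Jessica, or maybe a Jen or Jennifer')."""
    candidates = [n for n in freq if n.startswith(letter)]
    return sorted(candidates, key=lambda n: freq[n], reverse=True)[:k]


if __name__ == "__main__":
    # One address vs. any of four addresses the target knows well (assumption)
    p2 = digit_hit_rate(1, 100, 2)
    print(f"digit 2 in one address: {p2:.2f}; in any of 4: {at_least_one(p2, 4):.2f}")
    letter, share = best_initial(FEMALE_1970S)
    guesses = names_with_initial(FEMALE_1970S, letter, 2)
    # Assume the target has about ten significant women of that cohort in their life
    print(f"initial {letter} covers {share:.3f} of the cohort; guesses {guesses}; "
          f"any of 10 significant people: {at_least_one(share, 10):.2f}")
```

Under the uniform assumption a 2 appears in only 19 of the house numbers 1 to 100, but across any of four known addresses the statement lands about 57% of the time; likewise an initial covering 7% of a cohort becomes roughly a coin flip once "someone significant" may be any of ten people. To plan real guesses, replace the constructed table with actual first-name statistics for the target's cohort.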
Effectiveness Metrics & Validation
Net Promoter Score
62% rated the quality of their psychic reading at the corporate hackathon 7 or higher out of 10. The talk counts these as promoters; note that a standard Net Promoter Score counts only 9-10 as promoters, so this is a looser bar.
Accuracy Perception
Only one person reported less than 50% accuracy, others reported 60-100% of statements on target
Name Probability Success
Approximately 50% hit rate for name-based probability statements
Water Accident Success
Approximately 50% hit rate for childhood water accident statements
Memory Manipulation: "At the end of the reading I would summarize all the things that were hits but leave out all the things that I got wrong... you want to change their memory and kind of implant what you got right, so that it's more impressive when you summarize it in one go."
Practical Red Team Applications
Social Engineering Integration:
Target Assessment Framework
Use rainbow ruses and social cues to quickly assess target personality, technical level, and vulnerability to different approaches during initial engagement.
Pretext Authority Enhancement
Make statements rather than asking questions to establish authority. "We are having connectivity issues at your site" vs "Are you having connectivity issues?"
Making Targets Do the Work
"One of your colleagues asked me to fix the projector cables... he's about this height, short brown hair..." Let target fill in details and convince themselves.
Industry Common Knowledge
Use commonly known but not commonly perceived facts (like cloud cost overruns) to establish insider credibility quickly.
Button-Pushing Scenario Examples:
- Earthy, empathetic target: "I feel that we should press that button... that's what the others would want us to do as well. I want to make sure that we do what they need from us."
- Authoritative, ex-military target: "Standard operating procedure is that we press this button to ensure that the business keeps on running. Can I count on you to press that button?"
Technical Assessment Technique: "Hey I'd love to help you and walk you through but just so I know kind of how to interact with you, would you say that you're a regular Microsoft Office user or do you sometimes go into the advanced settings or even drop down to the command line to do stuff?"
Ethical Guidelines & Professional Boundaries
Cold Reading Ethics:
- Don't channel the dead - Avoid pretending to contact deceased relatives
- Don't discuss health issues - Medical predictions can cause real harm
- Don't blame the victims - People seeking psychics often do so from genuine emotional need
- Always debrief participants - Explain techniques used to educate rather than deceive
- Use for education, not exploitation - Focus on awareness rather than personal gain
Empathetic Approach: "I met several people that are going to psychics and they are doing it because they lost a spouse and they're trying to connect and heal... in those situations be empathetic and try to educate them... make sure they don't get financially exploited."
Recommended Training Resources:
- Ian Rowland's "The Full Facts Book of Cold Reading" - Comprehensive cold reading techniques
- Paul Ekman Microexpression Training - $99 bundle for recognizing subtle facial cues
- Emotions Connection iPhone App - $5 microexpression recognition practice
- Social Engineering Podcast Episode 109 - Interview with cold reading expert
- SE Village Orlando Conference - Ian Rowland cold reading training in February
"Please use cold reading for good... educate your friends and family about cold reading and those techniques and how they work and use it for ethical purposes and not for personal gain."
Key Takeaways for Red Teams
Essential Cold Reading Techniques:
- Sell your pretext with conviction - Confidence often matters more than content
- Use rainbow ruses for quick assessment - Let targets self-identify their characteristics
- Leverage probability and common knowledge - Use statistical likelihoods to appear insightful
- Make statements, not questions - Establish authority through declarative language
- Always have multiple outs - Prepare fallback explanations for incorrect assumptions
- Summarize hits, omit misses - Shape target memory to emphasize successful insights
- Read social cues systematically - Clothing, body language and accessories hint at personality and status
- Make targets do the work - Provide vague prompts that encourage target elaboration
Professional Application: "Use common facts to come off as an insider... things that people think are not that obvious but are actually fairly obvious... create credibility with shared understanding of industry challenges."
Defensive Awareness Points:
- Be aware of rainbow ruse techniques in social engineering attempts
- Question authority figures who make broad statements without evidence
- Recognize when you're being prompted to fill in details
- Understand that high-probability guesses can appear insightful
- Maintain skepticism about "insider knowledge" that relies on common industry issues
"The competition was born at the biggest hacker convention with the most volatile network on planet Earth, but with a goal to show how social engineering was dangerous and still a very viable vector, but if we can change it, it can change your life for the better if you allow it."