Hacker Q&A with Rachel Tobac: Hacking Companies Through Their People

CEO and Co-founder of SocialProof Security, Rachel Tobac hacks people. Using a phone, email, and an approachable persona, Rachel discovers vital information that can be used to craft successful exploits.

Tell us a bit about yourself.

I’m a social engineer and the CEO / Co-founder of SocialProof Security. We hack companies via their people, and then train those companies on social engineering so they can limit their risk. 

In my spare time, I am the Chair of the Board for the nonprofit Women in Security and Privacy (WISP) which works to advance women in those fields. 

Before I was a hacker, I studied Neuroscience and Behaviorism in college, was a special needs educator for years, a UX Researcher, and now I hack and train people, too. People sometimes think that Neuroscience, Behaviorism, or my other careers aren’t linked to hacking but that couldn’t be farther from the truth. The skills I used doing Applied Behavioral Analysis are the same skills I use to infiltrate companies. 

How did you first get interested in hacking?

I have always been interested in puzzles, and I actually won a worldwide scavenger hunt where the prize was an adventure to Uganda in 2011 (that’s a story for another time, though). I actually feel like this was my start in hacking because I needed entry level CTF-like skills using ciphers to solve some of the stages. 

Then, years later, my husband Evan went to DEFCON and I didn’t attend because I thought it wasn’t for me - I was non-technical after all. He ended up calling me on Friday night of DEFCON and told me I needed to buy a ticket to the conference that night. He had watched a few Social Engineering Capture the Flag (SECTF) calls that day and thought I would love it. He was right. I watched 2 calls the next day on Saturday with a borrowed DEFCON badge and ended up applying for the SECTF for the following year. Chris Hadnagy took a huge chance on me as a noob and accepted my application for one of the 14 contestant slots out of hundreds of applications.

The next year I did my first ever vishing call in the glass booth in front of 400 people and ended up being a winner of the SECTF! The year after I was a winner of the SECTF again and decided I needed to get more involved in the community - so we started SocialProof Security and now help companies all over the world!

What does a social engineer do and what skills does it take to be one?

Hadnagy defines social engineering as any act that convinces someone to take an action that may or may not be in their best interest. This means social engineers build trust with their targets quickly to gain access to their data, money, and systems. Social engineering isn’t necessarily malicious though - we social engineer children to eat vegetables, too. 

Social engineers hack people and companies in person, over the phone, and over email and the main attributes required for success are persistence, persuasion, and interpersonal skill sets. I would recommend reading up on Cialdini’s 6 Principles of Persuasion to get started practicing persuasion techniques. Additionally, you have to be quite persistent as a social engineer because you will need to do OSINT (open source intelligence) gathering which can take over 100 hours, pick your targets, craft your pretexts (whose identity you will assume), and create scripts for your interactions.

My background in performing improv has also helped me be a stronger social engineer because I am able to think on the fly and build rapport quickly and extemporaneously. People have asked me before if they need to be an extrovert to be a strong social engineer and I would say definitely not. Some of the best social engineers I know are introverts.


What lessons can all hackers learn from social engineering?

We know that most cyber attacks now start with a social engineering element, and even though social engineering is out of scope for many bug bounties now, it is a strong attack vector used in the wild. Incorporating social engineering as a part of their hacking skill set will likely make them an even more successful hacker (and they may be able to hack their targets in a shorter period of time).
 

What motivates you to do this type of work?

Hacking people is a unique puzzle that changes with each target and pretext. It also feels a bit like a performance art, especially in the glass booth at DEFCON. Combining improv, hacking, puzzle solving, and behaviorism is a perfect fit for me.

Also, because I used to be a teacher I find training employees to spot social engineering attacks exciting. It’s exhilarating to walk into a company, train their employees in one hour, give them a target, teach them to social engineer and then see the change in their understanding of social engineering threats. When people get a chance to try it themselves, it truly clicks. Seeing that light bulb go off and hearing those employees say “wait… I need to scrub my Instagram, I think I leaked data!” is one of the best parts of my job. 
 

What is the most creative attack you have been able to successfully execute? Any cool stories or lessons learned you can share? 

The highest point value flag in the SECTF is getting your target to go to a fake malicious URL over the phone. In the glass booth last year I called a target who was a NOC agent, assumed the identity of a fellow employee who was traveling from the HQ of that company to a satellite office (I found her travel plans from her Twitter), and got the NOC agent to type in the URL to “make sure my presentation would work when I got on their network.” I ended up getting the NOC agent to go to the fake malicious URL within a couple minutes and they only started to get suspicious after I asked about their work schedule (another flag for the SECTF) - funny how that’s what ended up raising eyebrows, not the fake malicious URL!

On a SocialProof Security assignment I called specific hotels to gain access to information about software they used. On those calls I assumed the identity of a colleague at a sister hotel to build rapport -- mentioned that my software wasn’t working and that I needed help troubleshooting. From Twitter, I knew the target I called had a friendship with my pretext’s (who I was pretending to be) supervisor, so she was more than willing to help me to make her friend’s life easier. I intentionally gave inaccurate pieces of information about “my machine” and got them to correct me to gain information and access to the software they actually use. 

What are the top 2 pieces of advice you’d give companies on how to train their employees against social engineering attacks? 

Be politely paranoid. Social engineers will use publicly available pieces of information to build rapport with targets and gain their trust. Don’t let someone authenticate with you using pieces of information that can be found online like your hobbies, coworkers names, travel destinations, etc.

Use real world 2FA. For example, if someone reaches out to you out of the blue over email or over the phone, use multiple methods to verify their identity and need to know that information. If they email you but it looks off, call the phone number you already have for them and verify it’s a real request. If someone calls you and says your coworker gave them your info, tries to name drop, or sound like an insider, text your coworker and confirm.
 

If companies could do one thing to make your life more difficult, what would it be?

Train your employees and give me hoops to jump through when I make requests for information or access. I am persistent, but if someone repeatedly asks “I’m sorry, who are you again” over the phone, I will hang up and try someone else. There are many targets out there and I’m usually going to take the path of least resistance, but if all your employees are trained on phone, email, and in person threats, it’s going to make my job real tough.
 

Which hackers do you follow closely and admire?

I look up to Chris Hadnagy (@humanhacker) a lot. He taught me everything I know about social engineering (in person, through SECTF, and through the books he’s written). 

Another social engineer I really love following is Jek (@HydeNS33k) - her stories about physical social engineering attacks are fascinating and well documented, I highly recommend them. 

Snow (@_sn0ww) helped me when I was brand new to social engineering and I am so thankful that she encouraged me in the very beginning. Mentors like her are instrumental to a noob’s success.

Chris Silvers (@cgsilvers) is another one of my favorite social engineers - his ability to persuade over the phone is awe inspiring, and he coached me through writing pretexts and scripts when I was first learning the art of vishing. 
 

What advice would you give to others looking to get into hacking?

I feel like hacking is the type of thing that you have to go out and do. There is only so much you can learn by reading tutorials, stories or how-tos. I highly encourage joining a group, signing up for a competition, or attending a workshop to try the skills out (you’ll learn even more as you go).


What are the best social engineering educational resources out there? 

I read and took notes on the Social Engineering Framework by SEORG (https://www.social-engineer.org/framework/general-discussion/) when I first got started and that helped immensely.

Another resource that helped me with pretexting is: The Social Engineer's Playbook: A Practical Guide to Pretexting by Jeremiah Talamantes (https://www.amazon.com/Social-Engineers-Playbook-Practical-Pretexting-ebook/dp/B00OS42RWI).

Social Engineering: The Art of Human Hacking by Chris Hadnagy was very helpful for me, too. (https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_1?ie=UTF8&qid=1526006407&sr=8-1&keywords=the+art+of+human+hacking).


How can people connect with you?

@racheltobac on Twitter - dog gifs are a great way to SE me into being your friend

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.