Don’t try to master it all – just try to understand how to NOT be the low hanging fruit - Interview with Christopher Hadnagy, CEO of Social-Engineer, LLC.

Dear Readers,

today we would like to introduce to you Christopher Hadnagy, Chief Human Hacker and CEO of Social-Engineer, LLC. We have spoken about Social Engineering, predictions for year 2017 in cyber security world and how to get the most out of 5-day training. Enjoy!

[eForensics Magazine]: Hello Christopher, how have you been doing? Can you introduce yourself to our readers?

[Christopher Hadnagy]: Hi there, my name is Chris Hadnagy. I am the Chief Human Hacker and CEO of Social-Engineer, LLC. I am a professional social engineer and expert at reading body language and facial expressions.

[eFM]: Can you tell us something about your company, Social‐Engineer, LLC.?

[CH]: We are a unique company that isn’t just the best at social engineering, but we understand the very things that cause humans to make decisions. Because of that we can not only influence others but we can understand how to educate them to defend.

[eFM]: Why have you decided to focus on social engineering?

[CH]: When I started this, I saw that SE was going to be the biggest vector around. I knew it was going to be a huge vector so I decided to start focusing on it. I began using it as the lead SE in pentests and that lead to my framework, podcast, book and eventually my own company.

[eFM]: I noticed that you also offer Phishing as a Service. Lately, phishing has become a very ‘popular’ threat, mostly because of lack of awareness. Why did you decide to offer such an option?

[CH]: Traditional security awareness training focuses on CBT (Computer Based Training), which is basically useless and doesn’t effectively alter a company’s susceptibility to phishing attacks. We felt, like learning how to box or drive, you actually need to DO IT to learn how to do it. Learning to combat phishing takes learning how pick out phish and report them properly, which can only be done if you learn what it is like to get phished.

[eFM]: Tell us something about your training. Your slogan says: “Become a certified SE pentest professional with our 5-day course”...

[CH]: When I launched my company I wanted to write a course that would help people learn how to be a professional social engineer. To do that, I knew I had to build a practical course that lets people TRY all the things I thought. Four years later and hundreds of students, I can see that it is working and we are really changing people’s lives and how they communicate. Over the five days, you will not just hear but you will see and then DO so you leave with hands on experience.

[eFM]: What’s the most challenging part in your 5-day course?

[CH]: To get out of your comfort zone and try the things for the evening assignments that we ask you.

[eFM]: Your activity is impressive! Tell us something about your books and podcast.

[CH]: We decided when I started the podcast to keep it 1) clean and 2) about the science and psychology of SE. We have done that now for 89 episodes. My books are representations of my experience. My favorite book is Unmasking the Social Engineer, where I had the privilege of having Dr. Paul Ekman as my co-author.

[eFM]: What do you find most challenging to talk about or discuss regarding SE? Is it different when you talk to people from outside the field than when you talk to professionals?

[CH]: Political correctness. If you are tall or skinny or short or fat, white, black, male, female, tattooed or not – all of it alters what is expected of you. It is NOT right but it is reality. Since it is reality that makes it hard to discuss as it is uncomfortable. When I break into a place with Michele, who is a small Japanese woman, I usually have to play the “boss” or the manager. Why? Not because I am better or smarter, but because I am male and she is female. It is a sad part of reality and we have to discuss it as SE at times.

[eFM]: Who is your day to day customer? Except of Pentagon ;)

[CH]: My average customer is in healthcare, financial or manufacturing. They have employees that need help understanding the threats of phishing, vishing, SMShing and Impersonation and we get the chance to perform those attacks and then educate them on how to defend.

[eFM]: Which of those areas needs social engineering the most? Is there any?

[CH]: All of them need equally for different reasons.

[eFM]: Is there a philosophy behind your company? Or do you have a mission?

[CH]: Our mantra is “Leave them feeling better for having met you.” I feel that as a professional my job is to be able to think like the bad guys but remember I am a good guy. That means, to truly help you, I need to not violate you, humiliate you or make you feel worse for having met me. I can accomplish all my goals and educate you but all the while making you feel good – now I am a pro!

[eFM]: We have the beginning of a new year. What are your predictions regarding cyber attacks? Who or what will be the main target?

[CH]: We will see vishing being used even more this year. Phishing will increase in its ability to attack and compromise companies. Social engineering will be used A LOT more than before.

[eFM]: You specialize in “understanding how malicious attackers exploit human communication and trust to obtain access to information and resources through manipulation and deceit”. Sounds super interesting!

[CH]: yep… question?\

[eFM]: What’s the thing that gets overlooked the most when analyzing that type of activity?

[CH]: The value of small bits of info the person possesses. They may feel it is not important to tell someone the name of their garbage removal company, but that very piece of knowledge gave me access to the whole company and caused a breach.

[eFM]: I’ve noticed that your COO, Michelle, is interested in behavioral subjects, so definitely more human parts of cyber security. Is it because social engineering, as the name suggested, is strongly connected to human behavior or do you generally have interest in sociology, psychology and communication?

[CH]: She is not just interested, Michele is a Behavioral Scientist. She is a field trained therapist and understands how people work. I feel it is vital to have someone like her on staff that can help us understand the way humans think and operate so we can truly impact them. (P.S. Michele is spelled with 1 “L”)

[eFM]: What are the biggest challenges your company is facing at the moment?

[CH]: Doing all the work we have. ☺

[eFM]: Any plans for the future?

[CH]: Growth as a company and helping more people stay safe

[eFM]: Do you have a piece of advice for our readers?

[CH]: Don’t try to master it all – just try to understand how to NOT be the low hanging fruit. You don’t have to be faster than the bear running after you, just faster than the next guy running away. Sad but true.

About Chris:

Christopher Hadnagy, is the founder and CEO of Social-Engineer, LLC. Chris possesses over 16 years experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today.

Chris established the world’s first social engineering penetration testing framework at www.social- engineer.org, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world. Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals.

A sought-after writer and speaker, Chris has spoken and trained at events such as RSA, Black Hat, and various presentations for corporate and government clients. Chris is also the best-selling author of three books; Social Engineering: The Art of Human Hacking, Unmasking the Social Engineer: The Human Element of Security and Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails.

Chris has been invited to the Pentagon to debrief 30+ general officers and government officials on social engineering and its effect on the United States.

Chris specializes in understanding how malicious attackers exploit human communication and trust to obtain access to information and resources through manipulation and deceit. His goal is to secure companies by educating them on the methods used by attackers, identifying vulnerabilities, and mitigating issues through appropriate levels of awareness and security.

Chris is a certified Expert Level graduate of Dr. Paul Ekman’s Micro Expressions courses, having made the study of non-verbal behaviors one of his specialties. In addition, he holds certifications as an Offensive Security Certified Professional (OSCP) and an Offensive Security Wireless Professional (OSWP).

Twitter: @humanhacker or @SocEngineerInc

Facebook: socengineerinc

January 17, 2017