The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
The Hacker's Cache
#14 Social Engineering Unleashed: DEF CON Insights from Jacob Villarreal
Kyser Clark interviews Jacob Villarreal, a penetration tester, about his journey into the cybersecurity field, his experiences at DEFCON, and various topics related to cybersecurity. Jacob shares his background, including his education, certifications, and transition from IT roles to penetration testing. The discussion covers the importance of networking, volunteering at conferences, and key cybersecurity issues such as biometrics, automation, boot camps, and the role of certifications. Jacob also offers insights into social engineering and advice for those interested in pursuing a cybersecurity career.
Connect with Jacob Villarreal on LinkedIn: https://www.linkedin.com/in/jacob-villarreal-utsa/
Takeaways:
- Cybersecurity should be a top priority for companies, but financial considerations often take precedence.
- Networking is crucial in the cybersecurity field and can lead to valuable connections and opportunities.
- Social engineering is an important skill for red teamers, and building rapport and trust is essential in these engagements. Studying sales techniques can be helpful in this regard.
- Conferences like DEFCON offer valuable learning and networking opportunities, though the cost should be carefully considered.
- Engaging in conversations with people in public settings can improve social skills and lead to unexpected connections.
- Reaching out to professionals in the cybersecurity field through platforms like LinkedIn can provide valuable insights and advice.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
[Jacob Villarreal] (0:00 - 0:31)
To be on the path of being a really good red teamer, you will need social engineering skills. Having that skill set of social engineering whenever you go into red team engagements is a huge plus. That's what's worked for me to get internal access on my red team engagement.
It's always been through social engineering. So I went into a conference room, found the network port, plugged it into my laptop, and that's whenever the four other people were like, can I help you? What are you doing here?
So I was like, oh snap, like I'm busted. And he was like, I probably shouldn't be telling you all this stuff because you're like in social engineering club. My boss is going to get mad if I tell him that.
[Kyser Clark] (0:31 - 1:38)
Hi, I'm Kyser Clark and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one bite at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Hello, hello. Welcome to The Hacker's Cache. My name is Kyser Clark.
I've been in the cyber security field for over six years now, and I currently work as a full-time penetration tester. Today I have Jacob Villareal who worked as a IT system analyst for a year and then pivoted into systems engineer for a year and a half and has been working as an attack and penetration consultant for two and a half years now. For education, he has a bachelor of science in cybersecurity.
Certifications include Certified Red Team Professional, CRTP, Office X Certified Professional, that's the OSCP, and Accomptia Security Plus. So Jacob, thank you so much for doing this podcast episode with me. Go ahead and walk through your background and introduce yourself to the audience.
[Jacob Villarreal] (1:39 - 3:24)
Yeah. Hey, everybody. So my name is Jacob.
Great to be here. First of all, thanks for inviting me over here. I think we're talking about some pretty cool stuff.
Kind of going into school, right before I went back and took a little bit of a break longer than expected, didn't know what I wanted to do. I saw some YouTube videos about DEF CON. Sounds like pretty cool stuff.
It's kind of how I got introduced to pen testing, offensive security. So I was like, all right, so how do I get into this thing? And online, a lot of the resources were like, well, you need a bachelor's, you need some IT experience, and then maybe land that role.
So it's kind of the path that I went. I moved back home with my mom, went to the college there, UT San Antonio, graduated my bachelor's in cybersecurity. I did the wrong thing, which is I didn't go into the cyber clubs.
I didn't get internships. It was just a whole thing. So from that, I didn't have a lot of opportunities presented to myself.
So that's whenever I went to the help desk route. And that's kind of when everything started to kick in. I was like, all right, I need to start kicking in my studies.
Got the security plus. From there, I moved way to the DC area for a job as a system engineer, which is pretty cool. Really great opportunity.
Learned a lot of great stuff. And that's kind of where my technical skills grew. While I was there, I was like, all right, what do I need to do next?
So I looked online. A lot of resources were like, get the OCP. I was a little bit familiar with it.
It was a scary thing to try to take on. But I was like, all right, I got to do it. So I spent about six months or so studying for it.
Failed twice, passed on the third time. And then that was pretty much how I was able to get my foot in the door and then finally get an opportunity at the place that I work now, which is a consulting firm doing pen testing work, which is what I really enjoy now. Been doing it for a while, two and a half years or so.
Not a crazy amount of time, but a good amount of time. And I'm really enjoying it. So it's a really fun field and I'm happy with it.
[Kyser Clark] (3:24 - 3:47)
It's definitely the best job I've ever had so far. So I'm enjoying pen testing as well. But yeah, interesting story.
And thanks for sharing that. All right, so let's go ahead and get a round of fire around. So for the new audience members, Jacob will have 30 seconds to answer five questions.
And if he answers all five questions in 30 seconds, he will get a bonus six question that's unrelated to cybersecurity. Jacob, are you ready for the rapid fire round?
[Jacob Villarreal] (3:47 - 3:48)
Born ready.
[Kyser Clark] (3:48 - 3:53)
All right, here we go. Your time will start as soon as I stop asking the first question. Do you think biometrics are secure?
[Jacob Villarreal] (3:54 - 3:55)
Yes.
[Kyser Clark] (3:56 - 3:59)
Do you think cybersecurity will ever be fully automated?
[Jacob Villarreal] (4:00 - 4:00)
No.
[Kyser Clark] (4:02 - 4:04)
Are cybersecurity boot camps worth it?
[Jacob Villarreal] (4:06 - 4:07)
No.
[Kyser Clark] (4:08 - 4:13)
On a scale from one to ten, how important is a certification to a cybersecurity career?
[Jacob Villarreal] (4:15 - 4:15)
Seven.
[Kyser Clark] (4:17 - 4:20)
Do you think cybersecurity should be the top priority for companies?
[Jacob Villarreal] (4:21 - 4:21)
Yes.
[Kyser Clark] (4:22 - 4:27)
All right, that is 29 seconds. So you beat the buzzer. So congratulations.
[Jacob Villarreal] (4:27 - 4:27)
Nice.
[Kyser Clark] (4:27 - 4:36)
Here's a bonus question. Totally unrelated to cybersecurity, but it is a hot topic in society that we all have to know. Is water wet?
[Jacob Villarreal] (4:37 - 4:57)
Oh man, that's like a big philosophical one. I don't even know how to approach that. I mean, I'd say yes, but I'm also dumb.
So I'm sure there's a logic to why it's not wet. But I'd say yes. I think it is wet.
I've touched water before and it feels wet to me. So that's the only logic that I have for that one.
[Kyser Clark] (4:58 - 5:14)
Yeah, I can see it going both ways. There's definitely a debate there. It's why it's always a fun debate to bring up.
I don't know. I'm kind of with you there. I mean, I go back and forth between the two, but I think, yeah, water is wet.
I mean, I think the haters are going to hate in the comments, I think, but we're going to go with water is wet here.
[Jacob Villarreal] (5:14 - 5:15)
I think we're both right.
[Kyser Clark] (5:15 - 6:33)
Okay. So I think your most interesting response out of the rap fire questions is, do you think cybersecurity should be a top priority for companies? And you said, yes.
And the reason why I'm picking this question is because I actually disagree with you. So I want to talk about that. Let me tell you why I think it's a no.
I think it's a no because companies, their primary goal is to make money typically, unless you're like a nonprofit or something. But typically their main goal is to make money and that's their top priority. And I think that will always be their top priority.
And I honestly think that cybersecurity is always going to be an afterthought. And I look at it this way, for me as an individual person, I have to have car insurance. It's a good idea to have car insurance, but it's not my top priority to get car insurance.
There's so many things that I have to do as a person to keep myself secure and safe. Car insurance is one of them, health insurance, but I don't put car insurance, health insurance and all that stuff at the top of my priority list. I mean, there's tons of other things that I'm worried about day to day.
So that's why I don't think cybersecurity shouldn't be a top priority. And I don't think it ever will be, but feel free to disagree and let me know why you think otherwise.
[Jacob Villarreal] (6:34 - 7:37)
Yeah, I think that is a really good point. And definitely about the car insurance thing. I live in Texas.
A lot of people have that same opinion where they don't have car insurance, just at all. So I could definitely see how people have that logic as well. I think for companies too, it's also kind of why I hesitated a bit because I was like, I know there's that profit thing.
They obviously can't have a company without profit. So that's going to be their top priority. So I came with a very, very biased answer where I'm like, I'm in security.
It has to be the most important thing. So for me, it is. So I know for companies, it's not.
So I definitely understand that. But for my take, it's always like you got to secure it or else if you don't secure it, and something happens, you start losing the trust from the customers. At one point, I used to work at Target as a cashier.
It was way back whenever that whole Target hack thing happened. And people would come in and be like, oh, well, I don't want to get my credit card because it got breached and everything. So even though it's not as important, there is some importance in there.
But yeah, I definitely do see how profit would be the number one thing. But for me, in my heart, security is number one.
[Kyser Clark] (7:38 - 8:50)
Yeah, I totally agree with you there. Cybersecurity is definitely my top priority. It's my job.
It's my passion. I'm making a whole show about it. So yeah, cybersecurity is definitely my top priority.
But I can understand if I tell a company, I'm like, hey, here's a list of vulnerabilities. And there's some things that are, I would say, lower on the priority list. If I give a company a bunch of low findings from a pen test, and if they don't patch them, I'm not going to be like, why didn't you patch these?
You know what I mean? Because in theory, they're very hard to exploit in practice. And they got bigger fish to fry.
But now if I give a pen test and there's a critical vulnerability, then I'm going to be like, all right, you guys need to fix this. You know what I mean? Yeah, my stance is, should it be its priority?
Yeah, it should be up there because like you said, it hurts your reputation. I think the average breach costs like $4 million. I don't know if that's how I had, but it's a couple million dollars, a few million dollars per company.
And it can cost you a lot. And if you don't secure your stuff, then it definitely could bite you in the butt. And it could definitely hurt your profit, actually, if you don't secure it enough.
[Jacob Villarreal] (8:50 - 9:05)
Yeah, I definitely agree with that, too. It should at least not be an afterthought and be in consideration of the budgeting because you know, you're in consulting, too. So you definitely know that like, it all comes together with the budget, you know, where's the company going to spend the money?
So yeah, I can see a middle ground here.
[Kyser Clark] (9:05 - 9:13)
You told me before the recording that you just got back from DEF CON. So you did two DEF CONs, your second one. So how is DEF CON different this year compared to last year?
[Jacob Villarreal] (9:13 - 11:52)
I think the biggest difference was kind of like me, like how I was approaching it. So last year was my first DEF CON. It's an amazing conference.
I highly recommend going to it. There is like a high cost, you know, travel and everything. So if you can't go to it, there's a lot of local conferences like B Sites has amazing ones in cities.
So I always recommend going to conferences. But for my first one, it was a bit overwhelming because it's huge, tens of thousands of people. Last year, it was at a different location.
So it was more spread out. So you have to go to different hotels and everything like that. I spent most of my time just being overwhelmed and kind of just like hiding out a bit, you know.
So this DEF CON was a lot better where I was able to be more familiar with it. I was more comfortable like talking with people, talking with strangers, which is the most, it's the biggest benefit from going to conferences is meeting people just because I was in a hotel that had a shuttle. So I'd ride the shuttle, just talk to people next to me that are also going there.
You meet some amazing people, really friendly people, really easy to talk to. Everyone's like in this field, everyone has the same passion. So it's really easy to talk to people.
So I did a lot of good networking there. So the last years I volunteered at the social engineering community. At DEF CON, there's a lot of little villages that are themed differently.
There's red team, there's blue team, there's like an AI village and everything. And there's one for social engineering. And also one of the things I recommend doing to anybody who wants to go and might be afraid of going alone is to try to join one of those as a volunteer.
A lot of the villages have Twitters and websites for signups and everything, just sign up, volunteer. And that's the best way to go if you are afraid of going alone, because you'll have people that you're going to be working with. And it's pretty easy.
It's just helping around with the merge tables, helping in blinds and stuff like that. So very easy stuff to do. And it's a great way to already be set up to meet people.
And then one of the other things I did at DEF CON this year was I competed at the bitching competition. So the social engineering, well, a lot of villages have capture the flag events. And for the social engineering community, they have the bitching competition, which is they have teams of about 13 or 14 teams.
They give them a company to target, go about two months of planning and OSINT. And then on DEF CON, we perform the bitching calls. We get 22 minutes to do the calls and everything.
So it's all competition. Really fun to go to, going to the conferences, just have a lot of activities like that and just a really great thing to do. So I always recommend it.
I had a great experience. I think anybody who goes will have a great experience as well. And again, there is a big travel expense.
So I recommend going to like local conferences as well, like besides or other local ones to it. And meet some people. It's a really great, really great networking event.
[Kyser Clark] (11:52 - 12:05)
Yeah. So that was one of the things I want to ask you. So DEF CON being, you know, it's pretty expensive.
Do you think it's worth it if your company doesn't pay for it? Like if you had to pay for out of pocket, like, do you think it's it's worth the money?
[Jacob Villarreal] (12:05 - 13:09)
I would say it depends. For example, I know some people might expect you go to DEF CON and you'll like end up with the job, you know, afterwards or something like that. So it's like, it's the expectation.
It's like, I, I know me, I probably wouldn't go to DEF CON if my company wasn't sponsoring it or I wasn't getting assistance and stuff like that, just because like it does get expensive. That's another reason maybe somebody might be able to go with somebody and share like an Airbnb or hotel room with double beds or drive over there together, something like that. But I would say for the cost, it might not be the best financial decision, which is where I highly recommend going to local conferences because tickets at a local conference like B-Sides is maybe like $50 or so, way more affordable, affordable.
And at the local ones, you will actually meet people who are local. So that would have a better chance of leading to job opportunities or easier networking opportunities where you'll meet people who you could like hang out with, you know, next week or next month. But yeah, DEF CON's expensive, very expensive.
[Kyser Clark] (13:09 - 13:47)
Unfortunately, I wasn't able to go this year. Hopefully I can go next year. I talked to my employer about it and hopefully I can go next year.
So we'll see what happens. Yeah. So like you mentioned the B-Sides, I actually haven't been to a B-Sides either.
I've only been to one conference. It was the AWS reinforced, which is mostly like cloud security, which is kind of out of my element, but my company sent me there and I was like, Hey, we got an extra ticket for AWS reinforced. I'm like, sign me up.
So I went to that, had a great time, even though it wasn't pentesting related, but I still got a lot of value out of that and had a lot of fun. And yeah, I definitely want to go to more B-Sides. And I guess I found out my local B-Sides, it's like a month away and it sold out.
I found out it just sold out.
[Jacob Villarreal] (13:48 - 13:48)
Oh man.
[Kyser Clark] (13:49 - 13:57)
Yeah. I was like, it's like a month away. I was sort of looking into it and then it sold out.
I'm like, Oh my gosh, I didn't realize it was going to sell out. So I didn't know there were so many nerds out there.
[Jacob Villarreal] (13:58 - 14:23)
Right. Apparently, right. People who missed out on DEF CON apparently.
But yeah, that's surprising it sold out. I know here because I live in Texas and the good thing is that like all the towns, all the cities have one. So I was, I was one in South Texas at a B-Sides RGV and then B-Sides San Antonio was in June.
And then there's one in Dallas and Austin at the end of the year. So I'm a bit spoiled where I have all the little ones over here that I could venture out to.
[Kyser Clark] (14:23 - 14:29)
So you've been to a lot of conferences. Do you think DEF CON is still the best hacking conference? Do you think it's number one still?
[Jacob Villarreal] (14:29 - 15:26)
Uh, it definitely is. Uh, the big reason is cause a lot of people go there. Like a lot of, you know, people really big in the industry go there.
There's a lot of resources there too. A lot of activities there. There's a lot of people that go, so it will be crowded, but this year it was at the convention center.
So everything was in one huge building. So it made things way easier to do, way easier to like go visit different villages. Cause they're all in that one building.
Whereas before you literally have to walk to other hotels. Yeah, there is that, but overall it's great. I think it's number one.
So it's kind of where I come with the, like, if you can afford it, then I would definitely recommend going. Um, it's definitely a good experience, really fun stuff to make the most out of it. Like they'll go the first time I went where I was a bit nervous and you know, I didn't venture out too much.
Um, so yeah, if anybody does go definitely make it worth it. Uh, talk to as many people as you can. Um, everyone's super friendly to talk about nerdy stuff.
Everyone's happy to talk about nerdy stuff there. So it's great.
[Kyser Clark] (15:26 - 15:42)
Yeah. I liked your tip about volunteering. If you, if you're afraid of going alone, volunteer.
And I wouldn't have thought of that. So that's a really good tip that you added in there. So you said you compete in the vision competition.
So what got you into visioning and social engineering, uh, in general, like what made you get into that?
[Jacob Villarreal] (15:43 - 17:09)
Uh, yeah. So social engineering has always just been interesting. You know, that's kind of one of the big introductions to pen testing, right.
It's like the social engineering stuff and the calling and all that sort of stuff. Everyone's pretty familiar with email phishing, right. Cause everyone gets spam emails and all that.
It's always just been something interesting to me, really easy to digest as well. As far as the competition itself, I think it's really cool to enter like capture the flags or challenges at Defcon. And I felt like, uh, it just aligned with kind of my experience for, as a consulting, I do social engineering engagements, uh, maybe about three or so a year dedicated to me, but also help out with other teams that, um, are doing engagements and they want somebody else to come and help out with calls and those sort of natures.
So I was pretty familiar with that. I had a good experience. Um, so I felt it just be best aligned with me and thankfully they accepted my application.
And it's honestly a lot harder than my real social engineering engagements. That's two months of prep. Oh, it's a lot of planning.
You don't have like days to do the calls. You have 22 minutes. So you really have to narrow down like who you're going to target because they need to answer.
Cause if nobody answers it, you get no points. So, um, I thought it was really interesting. I thought I had good experience that might help me with it.
And, uh, overall it was, it was a really fun experience.
[Kyser Clark] (17:09 - 17:31)
There was a couple of darknet diary episodes that had highlighted the competition. And it sounded like those episodes are some of the better episodes to be honest with you. It does sound fun.
And I'd love to see that in person. You mentioned your social engineering engagements for your work. So how often are you doing social engineering engagements as a consultant right now?
Do you do, so do you, I'm assuming you do like network testing and web app testing too, or?
[Jacob Villarreal] (17:32 - 18:40)
I started as a network pen tester. And then the past year I switched over to the red team. So whenever I was network pen testing, social engineering wasn't as common.
So I would maybe do about two a year maybe. And that'd be vision and emails. And that was it.
That was pretty much it. I believe it was a lot more limited on what I was able to do. Cause a lot of times in the network pen testing, the client would give us the information, the targets to target, like the people that we would have to call.
And now that I've switched over to the red team and stuff, it's, if I recall, it's pretty much paired with every engagement we do since the whole thing is getting into their network. So if I recall correctly, we do have social engineering on each red team. So I've maybe done about four or five in the past year for those.
And that's the whole thing. So that would be the text message, phishing, phone calls, phishing, and then the emails. And we also get more freedom.
So we get to pick the targets. We get to do more OSINT. That's pretty much the big thing.
We get to do more OSINT and red teaming and create more creative scenarios as well. So that's about how often I do it.
[Kyser Clark] (18:40 - 18:56)
If someone wanted to get into social engineering, so someone like me, like I'm a pen tester, but I've never been on a social engineering engagement, but it's interesting to me, where would I go to like learn how to do social engineering? Like what are some resources you can use to bolster your social engineering skills?
[Jacob Villarreal] (18:57 - 21:36)
Yeah, it is. That is a good question because, you know, there's not a certificate that you can like study for and that sort of stuff, or you can't really like practice it in a home lab. So it is harder in that way to practice it.
So I'd probably say as far as getting an idea of how it is, those darknet diaries would be a great resource. Hearing stories from people who have done it. I'm sure there's some talks on YouTube.
Jason Street, I know, has a lot of videos on YouTube that he's posted from talks describing how he's done it. So I think getting familiar, which is kind of the process from those stories is a good starting point. There's also the infrastructure part of it.
So setting up, you know, the fake websites that will capture stuff. The most common one right now is EvoGenX. There's also device code phishing, like Graphrunner that got released not too long ago.
I think by Blackheels is the team that released that. So there's that part to understand the infrastructure. That is something that people can practice by themselves is building that up, not sending that to people, phishing links, but like yourself going through the motions and, you know, seeing and trying to get it to work and all that.
And then there's the whole performing the social engineering part of it, which is a lot harder because, like I said, you know, the only way to practice it is to do it. And so the way to do it legally is through contracts and through having a job. A lot of the common skills that you need are just people skills.
So there is just becoming more familiar, talking with people that you haven't met, like networking at conferences, those small conversations that you have are small conversations that you have whenever you're social engineering. And everyone kind of has their own way of doing it. And for me, I found the best way is kind of build a quick report like the small talk sort of stuff and try to get their trust a little bit.
And that's just, you know, people skills. And then there's also another part of that, if you want to dig a little deeper, which is kind of how you word everything. And the closest thing that I could find to that is like studying those salespeople, you know, those like really salespeople videos where it's like, you know, you got to hook the customer this way.
But what you get from that is kind of like how you need to have a scenario to where the target needs your help with some urgency and to where they don't hang up. So kind of like engaging them in the call. So there's kind of a lot of different resources scattered around, not like a clear way, unfortunately, but hopefully something in there will help somebody else.
[Kyser Clark] (21:36 - 21:53)
Yeah, you mentioned, you know, there's no certifications for social engineering. I wonder if they'll, someone, so I feel like someone's going to come off one eventually. I mean, I feel like it can be done if they, someone really tried it.
Maybe, I don't know, maybe not, but it'd be interesting to see, you know, the world's first social engineering certification.
[Jacob Villarreal] (21:53 - 21:56)
Yeah, that would be interesting. Definitely. There's definitely a need for something like that.
[Kyser Clark] (21:56 - 22:09)
So is it essential for a network pen tester or a web app pen tester to eventually learn how to do social engineering? Do you think it's a must have skill or do you think learning social engineering would take away from their primary job too much?
[Jacob Villarreal] (22:10 - 23:04)
That is a good question. It would heavily rely on kind of where they're working at. I know for web app pen testing, it's not too common to do social engineering.
It's usually, at least from what I've seen paired with like network pen testing, I think for web app, if somebody is going to focus on that, they probably don't have to focus too much on social engineering. For network, since, you know, the big thing is getting access to their internal network and social engineering is, you know, the best way to do that. I would recommend to work on those skills as well.
And it's kind of just one of the things for, you know, being a pen tester, kind of have to poke at everything or be familiar with different stuff. But if that's not, you know, something some people are just uncomfortable doing social engineering, it does get nervous calling people. So you can definitely be a great network pen tester without doing social engineering.
Just, you know, one of the one of the parts to it that that people can study if they want to.
[Kyser Clark] (23:04 - 23:22)
And then to further that question. So if someone would want to go into red teaming, do you think every red teamer has to be at least somewhat familiar with social engineering? Or do you think like a good network pen tester can really just focus on like network red teaming and not worry about the social engineering aspect of it too much?
[Jacob Villarreal] (23:22 - 24:25)
I think based now how a lot of companies have really good network defenses, I think if you want to be a really good red teamer, I'm not a really good red teamer. I'm definitely not one of the best. So I'm not coming from, you know, great red team experience.
To be on the path of being a really good red teamer, you will need social engineering skills. And that's just to say, again, you know, the network, the networking side of companies is really strong right now. So it's going to be really hard to find network vulnerabilities where you could get a remote code execution or get into their internal network, maybe through password spraying, but still, you know, that's another layer.
So having that skill set of social engineering, whenever you go into red team engagements is a huge plus. At least that's what's worked for me to get internal access on my red team engagement. It's always been through social engineering.
So I highly recommend it. And again, if anything, at least learn the infrastructure side, maybe get away with smitching and email filters where you don't have to do the phone calls, but at least something that you'll need to be better.
[Kyser Clark] (24:26 - 24:46)
Yeah, that makes sense. I think it's pretty good advice, especially for people who want to get into red teaming, you know, maybe they're a pen tester and they're trying to level up to be a red teamer. So can you tell me like your most interesting social engineering story?
Like if you had to pick your the best moment you ever had in social engineering, can you tell me about that at all?
[Jacob Villarreal] (24:46 - 27:51)
Yeah, I could. I could tell about it. And there's a clear distinct one because I've only been on one physical social engineering engagement.
And that was definitely been the most memorable ones. The phone calls, they've all kind of been similar as far as like how they happen. So they all kind of like just blend in with my memory now.
But for the physical one, that one's definitely one that I remember. And that one was for a client that had a couple of office floors in a skyscraper. So we try to get access to their office area within those levels.
And the skyscraper, you know, they have multiple companies at different levels, different floors. So they told us the floors that they owned. I went with one of my coworkers.
He was a little bit more experienced. So he kind of took the lead on that. And so the first day or so we're in the lobby kind of just understanding how it all works, seeing which elevators go to certain floors, kind of seeing the traffic.
Obviously, the best times are going to be in the morning and then returning from lunch. It wasn't too crazy. Nothing like I didn't have any cool hacker tools or anything like that.
But it was pretty much just a good old tailgating. So one of the elevators opened is on the third day. So I finally got the nerves to do it.
I was on the third day. I went up to the elevator. I followed maybe about four or five people.
I followed them in and they went, they picked the floor. I saw the number of highlights. I was like, perfect.
That's the floor that I need to go to. I'll just, you know, ride it up there with them. It gets to the floor.
This is where I made the mistake. So I followed them. So I was in the front.
So once the door opened, I had to step out first. I had to have a badge that worked. So I kind of had to linger around a little bit.
And that's whenever the four other people were like, can I help you? What are you doing here? So I was like, oh, snap.
I'm busted. There's nothing I can do. So I was like, oh, yeah, sorry, I'm on the wrong floor.
And they're like, okay. And then they press the button. They call the elevator for me to go back down.
So I was like, oh, dang, I fell. So I went back in the elevator. I pressed the next floor.
I was like, maybe I'll get lucky. So I pressed the next floor that the company is in. I dropped down to the floor.
The elevator door opens. There's four elevators, two across from each other. So my elevator door opens across from me.
The other elevator door opens. And then somebody's there. So we make eye contact.
I give him a head nod. He was in a rush, apparently. So like he bolted out the elevator door.
He scans his bed, opens the door wide open. So I follow him in. There's like a receptionist and some other doors.
So I saw him go to another door, still urgently racing over there. And so I followed him in and he opened the door really wide open. So I just walked in.
And then I was in. I was like, wow, that was a lot easier than I thought. I've been nervous for the past few days.
I went into a conference room because conference rooms usually have network ports that are open. People just come in and plug in their computers. So I went into a conference room, found the network port, plugged it into my laptop.
I got an IP address to show that I was in the domain. Did a little NS lookup and it was clearly in the domain. So I got the objectives.
But it's definitely very nerve-wracking. My first and only physical pin test. So definitely a good memory.
[Kyser Clark] (27:52 - 28:06)
That sounds like a real thrill, you know. So lesson learned here, everybody. If you're tailgating an elevator, go in the back of the elevator and let everybody else leave the elevator first.
After you get served. No, I insist.
[Jacob Villarreal] (28:06 - 28:12)
Yeah, exactly. I know I'm right here, but just go in first. I'm being a gentleman.
Yeah, definitely that was a big mistake.
[Kyser Clark] (28:12 - 28:18)
Let's go and ask the final question here. So do you have any additional cybersecurity hot takes or hidden wisdom you would like to share?
[Jacob Villarreal] (28:18 - 29:21)
Not too many hot takes. I think as far as wisdom, maybe I could kind of get away with some wisdom. I definitely recommend reaching out to people, creating a better network with people in the field.
Don't hesitate to ask somebody like on LinkedIn or if you go to a conference to just poke somebody's brain a little bit and just come in humbly, you know, just tell them kind of your background or whatever it is. Just have interest in the actual conversation and start building that network, because that's really where I've seen a difference in myself. That's whenever I started like going out and actually like meeting people, networking with people in the fields.
Again, that's something I didn't do in college, which were the whole, you know, I didn't have a lot of opportunities afterwards. So now I definitely preach that if you're in college, like go to the clubs that you can go to and sign up for. It's OK if you aren't an expert or, you know, an elite hacker already.
Everyone starts off from the beginning. But yeah, I definitely say networking with people is a really good thing. Being open to that and putting yourself out there is really helpful and really, really beneficial for people.
[Kyser Clark] (29:21 - 31:21)
Yeah, that's that's really good advice. And that's something that I've been getting better at, too. Matter of fact, like, you know, I had Jacob.
We didn't we never talked before this recording. And, you know, I just hit him up on LinkedIn. Hey, you want to be on my podcast?
And I was looking for pen testers. And, you know, that that's really all it takes. You just, you know, send someone a message on LinkedIn and have a conversation with them.
And you don't have to like for me, I'm recording a conversation. But, you know, for if you don't have a podcast or if you don't want to make content stuff like you could just, you know, hey, can you do a call and just, you know, talk to someone about things? Because what's nice about this field is I mentioned this in other episodes, but it's really important.
But most people are willing to share their information. And everybody here is like really, really excited to talk to you about what they do, because, you know, there's not a lot of people in cybersecurity. So when we find somebody in cybersecurity, like we have a, you know, the connection gets built pretty, pretty quickly.
And then another thing that for episode six, if you haven't listened to that one or watched that one with Mike Finkel, he, you know, he recommended just, you know, go out and talk to people in public randomly. And that just builds up your social skills. It doesn't have to be about anything like just like, you know, whatever's going on in the area or like, you know, just maybe something that happened, like, you know, something that's not the weather, I guess.
And you can, you can, for example, like I was at a bar in an airport and I saw a guy with a Green Bay Packer wallpaper on his phone. And I started talking about football with him. And, you know, I started talking to this guy and ended up getting acquainted with this other guy.
So definitely talk to people in public just randomly, because you just never know. Another time when I was on a flight, it was actually the same day that I met a Red Teamer at the bar because I got on my flight and I pulled, I was reading the Tribe of Hackers and I was reading the book and the person next to me was like, oh, Tribe of Hackers is a nice book. I was like, you're in cybersecurity?
They're like, yeah. And then we talked the whole flight there about cybersecurity. So, you know, if you see people on a field, just, you know, reach out to them because it's, we like to talk about hacking stuff and securing stuff.
[Jacob Villarreal] (31:21 - 31:42)
Yeah, yeah, exactly. You explained it pretty well. You know, we do a lot of stuff that we're passionate about.
So whenever somebody just has a little glimpse of interest, we just blabber away. So it's it's might be a little scary at first, but yeah, just everyone's happy to talk about stuff. Everyone's really friendly.
That's another thing I like about the community as well as the welcomeness and the openness to just share information and be friendly. It's a really great community.
[Kyser Clark] (31:43 - 32:01)
So when it comes to DEF CON, I actually forgot to ask you this, but I want to ask this before we end the recording. When you're at DEF CON, you talk about social engineering. Have you ever just like been talking to someone and like trying to figure out that person's trying to social engineer you?
Like did that ever come to your mind? Are you social engineering me right now? Like has that ever crossed your mind at all when you're at DEF CON?
[Jacob Villarreal] (32:02 - 32:34)
I've actually kind of been on the opposite end where I was like on the shuttle going to DEF CON from one of the hotels. So everyone's going to everyone's going to DEF CON that's on that shuttle. And I was talking to somebody there and I was like, oh, yeah, you know, I'm going to be in the social engineering one.
And we're having like casual conversation. He was like, I probably shouldn't be telling you all this stuff because I was like, oh, like, where are you from? You know, like, oh, like all this person, just normal conversations.
And he was like, oh, my boss is going to get mad if I tell him that I'm just telling all this stuff to somebody who just said that they're competing in social engineering. But yeah, I guess it's always kind of something in the back of our minds now.
[Kyser Clark] (32:35 - 33:02)
Where do you work? What's your mother's maiden name? What's your first pet name?
Oh, man. Well, this has been a great episode. Unfortunately, we're out of time, and this has been great.
So thanks for bringing all your insights with Winniken, DEF CON and social engineering. We definitely haven't touched these topics on this show before. So your insights and expertise is definitely extremely valued here.
So, Jacob, where can the audience get a hold of you if they want to connect with you?
[Jacob Villarreal] (33:03 - 33:37)
Yeah, so anybody, again, just feel free to message me if you want to talk about anything. If you have any specific questions, always glad to help out. I have a LinkedIn, which is just my name.
So well, my URL on my name is my last initial, but it's Jacob-Villareal2L2Rs-UTSA. You could probably search Jacob V. UTSA, you'll find it as well.
And then I also have a Twitter or X, which is Villaroot. So V-I-L-L-A Root. And again, feel free to message me.
I'm always willing to help out and give my advice, however worthy that is or not, but always ready.
[Kyser Clark] (33:38 - 33:40)
Villaroot, that's a great username, by the way. Thanks.
[Jacob Villarreal] (33:41 - 33:49)
See, I've had that for a while and I'm like, oh, that's horrible. Why did I come up with that? Why can't I come up with something cool?
You know, all these other people have such cool names.
[Kyser Clark] (33:49 - 34:02)
That's cool. I like that. I like that a lot.
And audience, I always put the guest LinkedIn URL in the show notes. So definitely get on there and click it and then it'll take you right to Jacob's profile if you're interested.
[Jacob Villarreal] (34:03 - 34:03)
Perfect.
[Kyser Clark] (34:03 - 34:25)
And audience, the best way to get a hold of me is also LinkedIn and my website, KyserClerk.com. Thanks for watching. Thanks for hanging out.
Thanks for listening. And if you haven't done so already, do me a favor, leave a five-star review. If you're on Spotify, I have a podcast that would support the show the most right now.
And until then, I will see you on the next episode. Thanks for watching. This is Kyser, signing off.