Ep 53  The Dark Side of Influence: When Winning Feels Like Losing 

[Alethe Denis]

There is some dark side to what we're doing, but ultimately at the end of the day, my goal is if this person who I am attempting to influence not to follow the company's procedure and the policy, if I have to trigger them into a state of panic or fear that say they're going to lose their job or not get paid or I have to push them to a point where they think that they're going get a large bonus or an incentive or like I essentially have to bribe them to do something, I feel like that's cheating and it's it's a cheap tactic and I'm better than that.

[Kyser Clark]

Welcome to The Hacker's Cache, the show that decrypts the secrets of cybersecurity one bite at a time. My name is Kyser Clark and today my guest is one of the most respected social engineers in the field and someone whose journey is just as jaw-dropping as her resume. Alethe Denis is a senior security consultant on the Red Team at Bishop Fox where she pioneered the use of deepfakes in offensive engagements and built Red Team tabletop services from the ground up.

She's a DEF CON Black Badge Hall of Famer, keynote speaker, published author, and an InfoGrad member actively contributing to national infrastructure protection. Her path into hacking was anything but traditional, marked by resilience, reinvention, and relentless curiosity. Today she blends technical expertise with deep psychological insights to help organizations face uncomfortable truths about human security.

So Elite, thank you so much for being on the show. Go ahead and unpack some of your experience and introduce yourself to the audience.

[Alethe Denis]

Yeah, absolutely. Thank you so much for having me. It's an absolute pleasure.

I would say I'm probably most well known for an episode of the Darknet Diaries, but the events that were in that episode happened about six years ago and I would say it's probably the book end on the bookshelf that started this crazy journey and not a lot has been said about what's happened since then. So I'm excited to talk about that stuff and kind of how things have evolved and changed in my career since then.

[Kyser Clark]

Yeah, so I mean that makes perfect sense. So what has happened since that episode? Because that's where it introduced me to you as a fan of the Darknet Diaries episodes.

That's when I first learned about you. So yeah, what has happened since that episode?

[Alethe Denis]

Yeah. Well, a lot of people have asked how to get into social engineering as a job and what I found out very soon after winning the contest and being awarded the black badge is that social engineering isn't really a job, it's a skill that you can use in a variety of different jobs. So whereas I thought I'd be able to make the leap into information security and a role doing social engineering in a job pretty easily after that, it really took about four years before I found my way into a role doing predominantly social engineering work in the context of red team engagements.

And now I'm a member of the red team at Bishop Fox and I focus predominantly on social engineering activities in the context of red team assessments where my job is to help further the red team's objectives within the engagement. So doing red team activities and furthering our agenda, using social engineering skills, depending on what vectors are in scope for that engagement. So whether that's email phishing, phone calls, text messages, or sometimes, luckily enough, in-person or physical social engineering, which is probably my favorite and the one that people most often want to hear about is the physical engagements.

[Kyser Clark]

Yeah, that makes sense. The physical engagements, you know, like I said, I'm a fan of the Dark Dead Diaries episode and when you hear like them sneaking around the buildings, it just sounds so fun, you know? I'm like, man, this is like an episode of James Bond or 007, you know?

So those are some pretty... And he does a really good job of telling a good story on that. So as a podcaster myself, I'm like, dude, how does he even tell this story?

It's a great show and it makes it sound like a movie, honestly. I was like, you know, you see the side screen headlines and it's like a data breach and it's like so boring to like read it, but then like he takes that and unpacks it so much and makes it a movie. It's such a great show, but yeah, I can understand why a lot of people like the physical stuff because, I mean, from someone who doesn't do a lot of social engineering, that is a little more exciting.

One thing that you said that caught my attention was you said social engineering isn't a job, it's a skill, and it took you a while to find a position that was predominantly social engineering. So why is it so hard to find a position that's predominantly social engineering? What do you think that is the case?

[Alethe Denis]

Well, a lot of the feedback that I received early on was that most organizations that were focused on offensive security testing were looking for people that were both very highly technically skilled in offensive security testing, so full-scale pen testers who had social engineering skills as well. And especially back then, I didn't have a ton of experience or much in the way of pen testing skills. And so a lot of people were pretty confused.

They're like, how on earth did you win a black badge if you don't actually do this for a living? Like, are you the right person? Were a lot of the DMs I was getting on LinkedIn, like, are you the actual right elite dentist who won the black badge?

Because I'm looking at where you work and what you do, and that doesn't make sense right now, was what I was getting from, you know, German CEOs in my inbox after the Der Spiegel article came out about the contest and winning the black badge and all that good stuff. But I think social engineering, it's a skill that goes beyond just what we think of technical skills-wise. Like, can you send a phishing email is different from how to craft the most effective phishing email from a psychological and human behavior standpoint.

So I like to think about social engineering more in the vein of behavioral engineering, rather than simply, you know, the crafting of a text message and sending it to try to influence somebody to take an action. Like, how do we craft a text message that will compel someone to actually take the action? And a lot of those skills, I actually learned doing marketing and sales.

And it's how to influence people to follow a call to action, how to influence people to essentially be triggered to make an emotional decision. And when you're dealing with highly technical skills, sometimes the development of those skills doesn't leave a lot of room for the development of interpersonal skills. And people who develop really great social skills, sometimes don't have the opportunities to develop highly technical skills.

And that's not a blanket statement or a stereotype. It's just something that I've seen with a lot of the people that I've met in the industry. A lot of the people who are very highly skilled on the social side may not have as many skills on the technical side and vice versa.

So, I was one of those people that didn't have as many of the technical skills. And I don't know that you're going to find somebody that can do it all. But I definitely could not.

And so, it was a struggle for me to find the first role, moving from a completely different industry into information security. But I found a consulting firm that was kind enough to let me transition my consulting experience in a different industry into information security. And I was doing essentially security risk and gap assessments with them for a couple of years before I was able to transition into the role with Bishop Fox that I'm in now.

And over the last three years, I've grown pretty dramatically with my experience and the projects and assessments that I've been exposed to. And then just the team that I'm working with, they say you should never be the smartest person in the room. I feel like I've been precisely the dumbest person in the room for three years.

And it's been fantastic. And I mean that with humor, but also completely with humility, because I am surrounded by incredibly talented people. And they absolutely push me to raise my own game pretty much every day.

So, it's been an incredibly humbling experience at times, but it's also pushed me to make myself better, which is exactly the kind of challenge that I need.

[Kyser Clark]

Yeah, I like how you said the smartest person in the room, dumbest person in the room. It's okay to be the dumbest person in the room, because that's the most room to grow, because you can definitely grow. That's the fastest way to grow.

And one of the signs of being stagnant in your career is when you become the smartest person in the room for a certain amount of time, then that's a sign that you're not growing. So, it's okay to not be the smartest person in the room. Yeah, I don't think I've ever been either.

And when I did my last role in the military, I felt like I knew it all. And at that point, I was like, yeah, I'm going to get out of the military, pursuing some other things. And that's a good sign of when to move on.

[Alethe Denis]

When I started at Bishop Fox, I'd never had any employee that I had targeted with the social engineering campaign over the phone tell me no. They'd always complied. And I was typically doing whitelisted, whole organization style phishing campaigns for the types of email phishing campaigns that we were doing at my previous organization.

So, it kind of felt like I was clubbing baby seals. It just didn't feel natural or fair. And it didn't feel like it was really helping beyond reinforcing security awareness training.

So, it was a really huge learning curve for me when I started trying to approach projects as a social engineer, but in the style of a red team engagement where stealth is of the utmost importance. And there's a lot to consider as far as operational security is concerned. And the approach is completely different.

[Kyser Clark]

Yeah. And yeah, I totally understand that. And that's one of the questions I'm going to ask you after we get past this.

Well, it used to be Colorado Fire questions, guys. The fans of the show, you already know the Ratfire questions, but we are now officially in season two. So, we're going to call them security Mad Libs now.

So, after security Mad Libs, we're going to unpack a little bit of that. We don't want to get too far into the show before we do security Mad Libs. So, Aletha, are you ready for security Mad Libs?

You're the first one to do security Mad Libs.

[Alethe Denis]

Yep. As ready as I'll ever be. Let's do it.

[Kyser Clark]

Okay. So, like I said, long-term listeners, it's very similar to the Ratfire questions, but instead of a question, it's just a fill-in-a-blank question. It used to be 30 seconds.

It is now 40 seconds to answer fill-in-a-blank on five questions. If Aletha answers all five questions in 40 seconds, she'll get a bonus security Mad Lib that's unrelated to cybersecurity. So, Aletha, like I said, it's going to be just a fill-in-a-blank.

So, first thing comes to your mind. Go as fast as you can. There's no wrong answers.

And I will give you the opportunity to unpack your most interesting response after we get past this. So, here we go. Dangerous.

Aletha, if you could erase one cybersecurity term forever, it would be blank. Military grade. I knew I picked the right career when...

[Alethe Denis]

I got to lie and get away with it.

[Kyser Clark]

AC says worst nightmare is... I'm sorry. Could you repeat it?

AC says worst nightmare is... A breach. When I hear someone say AI will replace hackers, I...

Cringe. If I could red team any company on earth, it would be...

[Alethe Denis]

Oh, gosh. AT&T.

[Kyser Clark]

Perfect. That's 34 seconds. So, that is a good time.

That's under 40. So, congratulations. You have unlocked the bonus one.

And the bonus Mad Lib, once we're done, you can explain it as much or as low as you want to. So, are you ready for the bonus security? So, here it is.

If my pet could talk, it would probably say...

[Alethe Denis]

That he does not get to run around as often as he wants to. He's a very large dog.

[Kyser Clark]

Nice. Yeah. Dogs, they like to run around.

That's like their favorite thing to do. You see all the TikToks that are like, when people just say the word walk, like they're like dogs, like they know the words, you know. Is that your only pet, the dog?

[Alethe Denis]

No, I have a German Shepherd, but I also have about 60-ish now chickens.

[Kyser Clark]

Oh, nice. You survived the eggflation.

[Alethe Denis]

Yes, I did. They're the most like... Make no mistakes, those eggs are not free, but they're definitely there, which is great, because I guess they were a little scarce there for a bit.

[Kyser Clark]

Yeah. So, I have two cats, and they are big orange cats.

[Alethe Denis]

Oh, nice.

[Kyser Clark]

If they could talk, the one would say, Dad, I want a treat. That's what he'd say. He always wants a treat.

Always. The other one would be like, Dad, I need you to pet me right now. Right now.

Immediately. And that's kind of their personalities. Twin brothers, completely different personalities, which is crazy.

They've been together their whole lives, but yet they act completely different.

[Alethe Denis]

Completely different, yeah. I miss my cat. I haven't had cats for a very long time, but we're like out in a rural area, and there are many wild things out in the darkness.

So, I just felt like it wasn't a good idea to have another cat.

[Kyser Clark]

All right. So, your most interesting response. I'm trying to figure out which one I like more.

So, what'd you say for the race, the cyber security term, if you could erase one cyber security term?

[Alethe Denis]

Oh, military grade.

[Kyser Clark]

Yeah. Why military grade? Why would you erase that?

[Alethe Denis]

Um, because I don't feel like any company that says that their product is military grade can really honestly say that, or that it actually means anything, because military grade isn't actually even military grade.

[Kyser Clark]

Yeah. So, I am a military veteran. I'm a United States Air Force veteran.

And when I, and other veterans here, military grade, we just cringe. We cringe because the military really doesn't have the best stuff. You know, it's not like the movies, man.

[Alethe Denis]

There's not really much investment.

[Kyser Clark]

It's literally the cheapest of the cheap. Yep. You get the lowest bidder when it comes to tools and stuff.

Now, don't get me wrong. There has been a lot of innovation that's came out of the military. But, you know, I would say for everyday tasks, you know, you're typically dealing with the bottom of the barrel.

So, when we hear military grade, we think of broken, and not very good, and cheap, and... Outdated. And, uh, yeah.

So, I think that term needs to be erased everywhere, not just cyber security, because everyone's like, oh, military grade steel on my, I don't know, my, my Hubcat on my car. I don't know. It feels like any kind of company uses it these days.

You know, like, that's not what you think it means. Like, you're not impressing anybody, I don't think. Or maybe some people who just don't, you know, maybe they watch the movie and they're like, no, they're great.

So, yeah, I agree with you there. A hundred percent. Okay.

So, like I said, we're going to dive in a little bit deeper into your social engineering. And, uh, so you, you said that the guilt from successful social engineering calls still keeps you up at night. How has that emotional residue shaped the way you scope engagements today?

And do you think about, and do you think guilt is necessary, uh, trait in ethical hacking?

[Alethe Denis]

Yes. So, I would say scoping of engagements that has absolutely evolved since I first started doing this. Um, for example, with the competition at DEF CON, there was a, like a sense of, like, relishing the opportunity to do bad things and get away with it.

Um, even, and especially with an audience, there's just this, like, sense of drama that comes with being able to, like, perpetrate a crime and be rewarded and recognized for it. And I think that actually draws, um, a lot of people into participating in those types of competitions. And I didn't realize how much the guilt would impact me, but after competing twice in a row, it was like, oh, this is actually something I'm going to, like, carry with me for a long time, because there's no way for me to, like, release myself of the guilt.

I can't apologize to these people. I can't explain myself or, like, ask for forgiveness because they're never going to know why this happened or allow me to explain to them what happened here or even tell them that, like, nothing bad's going to happen and, like, assure them that everything's okay. If they do get a weird feeling later.

And so, I can still see all their faces. I still remember all their stories. And it's still kind of messed up if you think about it.

Um, so, when I started doing, like, social engineering assessments, I was always pretty careful to make sure that, you know, I wasn't naming names in reports. And if somebody was the person who compromised the organization, they weren't, you know, pointed out as the culprit and there weren't any, like, negative repercussions for them or anything like that. But as time went on, I started trying to shape the engagements to where we weren't targeting specific people.

We were more targeting a department, a function in the business, or trying to get a more high level impact type outcome versus a, you know, security awareness training measure of competency or skill of employees to defend against social engineering attacks. And it's still something that I kind of struggle with, especially because we have clients who are bound by their own ethics and you know, very strict corporate ethical policies for internal employee conduct. So, they can't target specific groups within their own employee population.

So, they actually come to companies outside of their own and they bring in consultants to do red teams because they believe that we can operate in that gray and do the more realistic attack emulation. And so, we have to explain things like, you know, we can't call your employees' personal cell phones despite the fact that they use their phones for work. You know, if they own that number, we can't call it.

If you own that number and it's a company issued device, then sure, you can give us permission to call it. But otherwise, no. And they're like, can't you just be real bad actors?

Like, can't you just do this? And we're just like, no, actually. Like, that's kind of outside of the scope of this thing.

Like, ethically, not good. And I think some folks don't want to accept that or they find it frustrating that we can't because it doesn't simulate what they feel is like an authentic attack. So, there are some frustrations on both sides.

Like, there's part of me that's like, that's not realistic. Like, this should be a fully no knowledge test where we come in and we like actually do what a bad actor would do in this circumstance. But at the same time, like, I don't think that it's fair for a test.

And on the other hand, I feel like if we're fighting with both hands tied behind our backs, isn't it even more impressive if we're able to compromise the organization without using, you know, fear based or extortion type tactics or leveraging things that are ethically or even sort of in the gray area? So, that's kind of how I look at it, I guess. Yes, it does keep me up at night.

Now, I'm very careful to scope things and be very transparent and upfront on the kickoff calls with clients about what we can and cannot do. And I think that helps to relieve some of the pressure and set the appropriate expectations with clients.

[Kyser Clark]

Yeah, that's really good. You mentioned that. And yeah, I imagine that's pretty hard.

You know, I don't do a lot of social engineering engagement. I've only actually done one. But, you know, as a pen tester, when I'm doing scoping for like network tests or web app tests, and like telling a client, like, yeah, that, you know, that we can't do that.

And then like, disappointing them a little bit is never a good feeling. But you know, it's like the right call to make, you know. I guess my question for you is, so like with the employee cell phone, right?

Like you said, it's ethically wrong to call an employee's personal cell phone. Is there legal issue there? Or is it just ethical?

[Alethe Denis]

So it depends on the vector. For say a text message, it is illegal to text a number and send them an unsolicited message. And that would be true if I were a car salesperson who was trying to, you know, advertise a car that I was selling on my lot.

Like I couldn't send a text message to a customer, even if they were in my CRM, customer relationship management software, as a customer. I couldn't send them a text message unless they had opted in to receive that message. So that, yes, absolutely illegal.

As far as the phone calls, it wouldn't necessarily be illegal for me to call their number. But if I were spoofing caller ID, that is illegal. So there's a new law that essentially makes it illegal to spoof caller ID.

So I have essentially a very highly customized cloud-based PBX system that I developed over the last five or six years, seven years. And that allows me to spoof caller ID in a way that is the most legal, put it that way. And then I have agreements with my vendors for and in place with the clients and Bishop Fox to make sure that everything is above board.

But I don't feel comfortable assuming that consent from the client's employees for their personal numbers. So if I have consent from my upstream phone providers, like upstream carriers, and I have consent from Bishop Fox as my employer, and I have consent from the clients, then I think I'm good on all fronts. But because the employees aren't aware of the test, I feel like it would be ethically not okay for me to spoof a number and make those calls.

And in most cases, I am spoofing a number. So that's kind of why I just rule the personal numbers out of scope, because from a legal perspective, it would be illegal. Just making a phone call to a personal number of a client's employees, that would be ethically out of scope, regardless, because that person can't consent to that call without knowing about it.

And they own that phone number. That is their number. So just like we wouldn't email an employee's personal email account or email address during a phishing test, I don't think that we should target any of their other, you know, personal social media, phone numbers, email addresses, any of that kind of stuff.

[Kyser Clark]

Yeah, that's great. And that's good that you draw the line there because I agree with you. And yeah, thanks for unpacking that.

And yeah, I can, there's a lot of gray area there, but it's good to see that you have...

[Alethe Denis]

I'm just erring on the side of caution. I mean, I'm sure that there's some arguments that can be made. I know that there are companies that do.

I also know that there are companies that will record the phone calls with the consent of the client, but not necessarily the consent of the person that's being called, obviously, because they don't know that they're being called. So it just kind of depends on the amount of risk that the testing company is prepared to assume on that side of things. But my personal feeling is that it's not worth taking the risk.

And luckily for me, Bishop Fox and our legal team agree. So I don't get put in any difficult situations.

[Kyser Clark]

That's good. That's good that your company agrees because that would be a problem if they're like, your company's like, no, go ahead and do it. That's a good point that you make there.

So in your keynote, you emphasize how easy it is to mislead people's perception, especially when deepfakes are involved. What ethical red lines have you drawn for yourself when using emotional manipulation and engagement? So I know you talk about like, fear and coercion, coercion, I can't say the word, coercion.

Coercion.

[Alethe Denis]

Yes.

[Kyser Clark]

But what are some other red lines? Or yeah, some other lines that you've been drawn that you just Yeah.

[Alethe Denis]

So I would say, typically, the way that I look at it is, if I have to press somebody into that frame of mind, where they are triggered into an emotionally heightened state, then I'm doing a bad job. And I'm not acting in a way that is ethically okay. And if I have to push them to that point, then I'm not a good behavioral engineer.

That's, it's a cheap parlor trick, in my opinion, like, we talk about social engineering, we talk about manipulation, we talk about, you know, bribery, coercion, fear based pretexts. Those are all things that I see on kind of like the dark side of social engineering. And then on more of like the light side, if you'll go with me on that, like there's behavioral engineering and really like influence and building rapport and building trust and creating genuine relationships with people.

And the type of work that we do is somewhere in the of that. And there is some gray area, there is some, you know, dark side to what we're doing. But ultimately, at the end of the day, my goal is, if this person who I am attempting to influence, not to follow the company procedure, and the policy, if I have to trigger them into a state of panic, or fear that say they're going to lose their job, or not get paid, or I have to push them to a point where, you know, they think that they're going to get a large bonus or an incentive, or, like, I essentially have to bribe them to do something. I feel like that's cheating. And it's, it's a cheap tactic.

And I'm better than that. So I try to take a route that is more like benign and neutral, where I'm still testing whether or not they're following the procedure. But I'm so subtle in my behavioral engineering tactics, that I don't even trigger that emotional response.

So my goal is for them to feel like everything is okay, and this is fine. Everything is normal. And it's just another day.

And the goal is for them to not enforce the policy because they just like me so darn much. Really, that's it. And so that tests whether or not they're willing to enforce the policy, it satisfies the goal of the test.

And we don't put anyone in a situation where they're going to feel terrible after the fact and make an enemy out of the security team and be completely unreceptive to the correction that will come following that error. Because we want them to learn from this. We don't want them to immediately put a wall up and become defensive and feel like they've been tricked and be embarrassed and want to die, you know.

And I mean, there are people who will go to extremes if they feel embarrassed or targeted or humiliated. And so that is absolutely not my goal. The goal is not for me just to win.

The goal is for me to test the organization, to get a solid understanding of whether or not they have good security controls in place, their people are aware and able to follow procedure and enforce those policies and procedures, and to do all of that without using the cheap, easy, manipulative tactics to do so.

[Kyser Clark]

Yeah, that reminds me of, I feel like it was a couple years ago at this point, and you probably know the company, but there was some company that sent out a phishing email to all the companies with a holiday bonus. You probably know what I'm talking about. And everyone was in an uproar.

I'm like, oh my gosh.

[Alethe Denis]

It was a very huge misstep, in my opinion.

[Kyser Clark]

When I first heard that, I was like, I don't really see what the big deal is. A real threat actor would do something like that. But then after hearing you talk and hearing the uproar about it, I'm like, okay, I can understand why that is an area that you do not want to go into.

But yeah, that's really good that you mentioned that for people who are listening and watching that want to get into this. Because yeah, it's definitely a fine line that you have to walk. I feel like it can be hard because there's a lot of gray area.

[Alethe Denis]

Yeah, it's a tough balance. But at the end of the day, I think as you mature in this role, you start to see that the goal isn't necessarily winning, which sounds insane when you're like, but that's the job is to win, right? Sometimes it isn't necessarily that.

It just kind of depends on the goals of the client. And every project is a little bit different. I recently had a tabletop where the whole goal of a tabletop is to validate the incident response plan, and they didn't have one.

So they probably shouldn't have even purchased a tabletop, if we're being honest. But I took the approach of, we're going to build the airplane while we're flying it. And by the end of the tabletop, they were like, we should probably have a solid plan with like policies and procedures in place here.

And I swear, I do more social engineering during a tabletop than actually like social engineering engagements, because I had to lead this group through five or six hours of a tabletop to come to this conclusion on their own, take ownership of that decision, and then commit to doing the thing, without being that jerk that just comes in and says, like, here's all the mistakes you're making. And this is what you should do. Like, that's not how you approach this.

So I think if you want to be a fantastic social engineer, the things that you really need to focus on are learning excellent leadership skills, and building trust and rapport, and fantastic communication skills. And like the rest just kind of comes naturally.

[Kyser Clark]

Yeah, thanks for unpacking that. Unfortunately, we're running out of time. So here's the last question.

Aleth, do you have any additional cybersecurity hot takes or hidden wisdom you would like to share?

[Alethe Denis]

I would say the number one question I get is, how do I get a job in cybersecurity? And that is almost impossible for me to answer for everybody, because there are infinite possibilities in information security for jobs. So my best advice is, if you find a role that you think sounds interesting, the best thing to do is to go look through job descriptions for that role, look at the responsibilities and the requirements for that role, and then figure out what the gaps are in your experience and your certifications and your education, and then start targeting closing those gaps.

But the most important point that I can share with you is to network with humans, start going to conferences, start meeting people in your communities, start meeting people in the industry, because those relationships will open the doors to job opportunities in the future, and you never know what will happen in the next six months, a year, five years. I've gotten every single job that I have landed in the last, you know, decade through relationships with people, not just submitting a resume call. So that's probably my best advice I can share.

[Kyser Clark]

Thank you for sharing that. And yeah, I totally agree with you there. Alithe, thank you so much for being on the show.

Where can the audience connect with you if they want to get a hold of you?

[Alethe Denis]

Best place to find me and connect with me is on LinkedIn. That's probably the place that I check the most. I'm still on X, formerly known as Twitter, and Instagram.

I just shared pictures of my chickens. But if you're into that, by all means reach out.

[Kyser Clark]

And audience, the best place to reach me is just drop a YouTube comment. I reply to all my YouTube comments. My LinkedIn inbox is getting filled, and I check my YouTube comments more than my LinkedIn inbox.

So the best way to get a hold of me is actually my YouTube comments. So drop a comment. Let me know what you thought of the show.

Alithe, thank you so much for being here.

[Alethe Denis]

Thanks for having me. It was a pleasure.

[Kyser Clark]

Audience, thanks for watching. Thanks for listening. Hopefully, I'll see you on the next episode.

Until then, this is Kaiser, signing off.