Tue. Jul 16th, 2024

Security is one of the top challenges companies face today. This expert hacker is helping them identify potential threats.

<!-- wp:html -->
<p>Stephanie Carruthers</p>
<p class="copyright">Courtesy of IBM</p>
<p>Stephanie Carruthers is the Chief People Hacker at IBM Security's X-Force Red team of 200 hackers worldwide.<br /> She uses social engineering tactics to find a company's weak points and train them on how to identify vulnerabilities.<br /> Today, she's finding new ways to identify threats at a time when the security landscape has become increasingly complex.<br /> This article is part of "The New Creators" series, a collaboration between IBM and Insider Studios that celebrates the visionaries creatively applying technology to drive change in business.</p>
<p>For social engineer Stephanie Carruthers, breaking into a secure area or obtaining an executive's password through a phishing campaign is a successful day at the office. The self-proclaimed con-artist dedicates her time to finding a company's weak points and breaching security.</p>
<p>Carruthers is the Chief People Hacker at IBM Security's X-Force Red team of 200 hackers worldwide. She and her team show companies their vulnerabilities so they can better protect themselves.</p>
<p>"It's important for myself and my team to find these vulnerabilities because if we don't, a bad guy is going to," Carruthers said. "It's better to have it done in a controlled manner by a team of ethical hackers than it is to find out the hard way when you've been breached by an attacker."</p>
<h2><strong>Gaining access</strong></h2>
<p>Social engineers use open-source intelligence gathering to start their process. This could include searching social media for seemingly harmless photos, like that of a morning coffee or a selfie. But a closer look might reveal someone's email information is visible in the background of the photo.</p>
<p>"If we find something, we'll create a phishing campaign around all the information we found," Carruthers said.</p>
<p>Some social engineers will even go as far as to observe what people are discussing online, so that they can craft a relevant message that resonates with their audience. It's marketing 101.</p>
<p>For example, in one phishing campaign, Carruthers worked with a company whose most common complaint from employees was parking. Her team sent a fraudulent email explaining the company would be transitioning to assigned parking, and employees needed to view a map to see their space. Failure to park in their assigned space would result in their cars being towed.</p>
<p>Unsuspectingly, employees clicked the link believing they would see a map with their new assigned parking spot.</p>
<p>This type of simple ruse is often used by fraudsters. The email recipient just needs to click a link, and because they are in a rush, they don't pay attention to the details to see what's in that email or who it's from, Carruthers said.</p>
<p>"One of the tactics attackers love to use is urgency," she added. "They want to make you panic a little bit and act fast so you don't stop to really evaluate what's going on in the actual email itself."</p>
<p>Carruthers and her team then use that data to educate companies and users on what they shouldn't be posting — and why. They also educate company personnel about where their organization sits compared to other industries and highlight the importance of security from a business perspective, like discussing the high cost of a security breach. Finally, she and her team recommend specific steps people can take to brush up on their security hygiene.</p>
<p>Putting yourself into the shoes of the person you're trying to hack is the most creative aspect of a social engineer's job, Carruthers said.</p>
<p>"I have to know how they think," she said. "And that, to me, is the most creative part — figuring out what they would fall for and trying to craft something specific to them."</p>
<p>These ethical hacking efforts offer companies an opportunity to acquire the cybersecurity skills and knowledge they need to address a threat before it happens. Participating in "mock" breaches helps companies and their employees understand what a hacker is capable of — and ensure their systems are secure moving forward.</p>
<p>"One of the tactics attackers love to use is urgency. They want to make you panic a little bit and act fast so you don't stop to really evaluate what's going on in the actual email itself."</p>
<h2><strong>Becoming an ethical hacker</strong></h2>
<p>The path to hacking was serendipitous for Carruthers. Before she got into social engineering, she was a special-effects makeup artist. Carruthers attended her first <a href="https://defcon.org/" target="_blank" rel="noopener">DEF CON</a> hacking conference with her husband, who works in information security. She imagined she would spend those days in Las Vegas by a pool, relaxing.</p>
<p>Instead, she discovered she had a talent for hacking and social engineering. The experience prompted Carruthers to learn all she could about influence techniques. Soon, she began teaching herself social engineering.</p>
<p>Now, she often thinks about how she would break in or out of a building — even when she's not working.</p>
<p>"It's constantly on my mind, but I hope that never goes away because I feel like that helps me be creative," Carruthers said. "At the end of the day, I want to know these things. I want to find them. I want to use them against clients so I can help them secure themselves."</p>
<p><strong><em><a href="https://www.ibm.com/thought-leadership/new-creators/" target="_blank" rel="noopener">Learn more about Stephanie Carruthers and IBM's other inspiring new creators here.</a></em></strong></p>
<p><em>This post was created by <a href="https://www.businessinsider.com/sponsor-posts/" target="_blank" rel="noopener">Insider Studios</a> with IBM.</em></p>
<div class="read-original">Read the original article on <a href="https://www.businessinsider.com/sc/this-expert-hacker-is-helping-companies-identify-potential-security-threats">Business Insider</a></div>
<!-- /wp:html -->
