Those who personally partake in the autumn theater, or have bosses who are in the game, know this is the time of the year when bigger decisions are made.
Since everybody is exposed to big ticket items and larger numbers, throwing in the annual training cost is best done close to those discussions. A pro player separates the travel costs from the event cost, as these come from a different category anyways. Depending on your organization, there may or may not be leeway, so act accordingly.
Why go through all this trouble, our junior readers ask? Well, the discussion of attending t2’20 (and your other favorite cons) is a lot more easier for you and your boss, when everything has been agreed already beforehand and there is the money available for it. If you have a boss who appreciates employees making their life a tiny bit easier, giving the right support at the right time can go a long way.
At the end of the day, your boss is the one who needs to figure out the right course of action after the Good Idea Fairy visited C-level executive(s) and they decided to go three levels deep into the budgeting spreadsheet to make cuts without any discussion on its impact or guidance on a new direction. Or maybe your boss was naive enough to provide accurate numbers from the get-go, when everyone else was inflating their numbers in anticipation of the first round of cuts.
The worst kind of budgeting wizard just runs out of money in Q4, and the rest of the organization takes the hit. For those, you reserve your sneakiest DDE payload, figure out a chain of actions resulting in the file on their workstation, get the code running (everyone clicks OK at some point), establish persistence and wipe the payload from the original file. Whatever happens after this is left as an exercise for the reader.
Talking of planning, the big game hunter is saving up their Office 0days for this time of the year. Depending on the organization structure and budgeting process, it might be trivial to land your carefully crafted version of the budgeting numbers on at least one C-level workstation. Be sure to take note well in advance if someone is deviating from corporate policy with their device choice – this is most likely one of the easiest targets from exploitation perspective, as you can bet it lacks some or all hardening. IT isn’t too keen on debugging mysterious crashes happening to a unique snowflake, in case your toolkit isn’t that stable. Bonus points given for pretexting service desk with a false track record of unstable behaviour on a similar device, if you just can’t be bothered to get your budget items stable enough.
Not that any of these kinds of hypothetical things ever happen in real life. It would be ridiculous to potentially burn valuable exploits when you can just enjoy the adrenaline rush of quick rubber ducky action on the top floor, or casually misplace USB-cables in the right meeting rooms (Outlook Scheduling Assistant is your friend here).
So, get those events locked down on the budget level. Getting the commitment for your attendance well in advance never hurts.
After all, bug bounty and exploit money is typically reserved for bottle service, fast cars, exotic vacations and expensive handbags. And yeah, while Helsinki definitely can tick those boxes, we hope that the main reason for attending is our curated and hand picked program – finally available in its complete version.