Let me help you with that...

Red Teams
Fieldcraft, Digital, Physical, Red Teams

The current catch-all phrase in the Team is: It's a Red Teaming thing, you wouldn't understand.

This became very evident during a project a few weeks ago. In that project we were tasked with a simple threat assessment of the high-level executives of this company. The CIO wanted to know what kind of image the executives were giving to the outside world and, more importantly, what possible threats they were exposed to, either digital or physical (during their travels, talks, etc).
It was a fun project that demanded a lot of data gathering and understanding not only of our customer, but their potential adversaries.

We spent the next few weeks learning, gathering and making mind dump maps: connecting the dots. All pure OSINT. We learned about each an every high-level exec, their backgrounds, past jobs, things they liked, forums they frequented. Everything that was out there to grab. We then focused on their image as the company's top brass and what the customers (and competition) saw in them, were they a threat to the competition? Were they trustworthy for the customers.

We continued.

Mid way throught the recon we also prepared a little physhing attempt to gather more information and possibly to also compromised their computers and mobile devices if we needed to.
In the process of doing this, we discovered that the CFO's secretary was using her laptop to connect to a certain forum that we knew had a nasty vulnerability. Essentially we could send a little piece of code to her browser when she connected next time and that code would, in turn, download and execute a backdoor for us.
Of course, being that we take any chance we are presented with, we managed to get control of her laptop.

A little script-foo and we now had a private meeting with the CFO scheduled on his calendar.

The following week we went in and during the meeting (supposedly set to discuss cloud services with the CFO and how the company could benefit from it), we bullshitted out way into talking about the CFO's passion: old Indian motorcycles.
JS is a pro on this, he just had the CFO talking about this and in no time they were best friends. The CFO began bragging about his Indian, parked right there! At the company's parking lot. JS said: No... You had to be kidding, those are hard to find!
And the CFO: well, let me show you.

At this point I said that I would stay and finish my notes. The CFO was so into the bike that he didn't even care that I just stayed there in his office. Alone. I took pictures of his documents, took screenshots of his computer and copied some of his files to a secure USB drive.

I also made a copy of his office key.

A few weeks later we began the PSYOPS on him and the company.

We began sending random pieces of the documents I copied, sanitized but with enough information that they could see they were real. We also set our backdoor on the secretary's computer to randomly (and automatically) add and modify schedules to the CFO's calendar, making him call places like Joe's Pizza (supposedly a conference meeting with one of his top advisors). We also sent the screenshots of the CFO's computer to the director of informaiton security, right along some more information about the CFO.
This went on for several days. It was fun, especially when the director of information security called us to ask us for help.

Finally, we decided to finish this and show them all the vulnerabilities at once. We created meeting with the CFO for a late hour on a certain day. After arriving, I managed to find a place to hide while Z went and met with him.
After waiting for several hours, everyone was gone by now, it was a little over 10pm, I entered his office, locked the door bind me and sat there all night.

The next morning, at 8am sharp, the CFO unlocked his door, entered his office carrying a coffee and a news paper. He found me sitting in his desk.

I said: Here, let me help you with that...

The hidden fault

Quote of the day