All in Rules

We needed to access the server room of a security company. The target was one specific server that was not accessible via the internet or their internal network. It was well protected by an air-gap and really tight access controls.  
We decided to go at it by hand: break our way into the building, find the server room and manually disable the server as a way of saying "we were here".

Entering the building was complicated but after several days of recon we managed to come up with a plan that worked.  
Once we were inside the building we began looking for the server room. We didn't have much time: people could challenge what we were doing at any moment, and while we had a cover story, it would not hold for long, especially since we didn't have time to fake the ID cards or the visitor badges.

In the end, it was a cleaning person who pointed us to the server room. Once we arrived there, we noticed two things: there was a camera on top of the entrance (and we knew that all cameras were being monitored) and the server room had a common lock on the door, no ID card reader or keypad.

What?

Yes... These people invested in top-of-the-line security but they had a simple lock on the server room.

Most of you are familiar with the Rules. As you know, I originally had 12 rules. It all started with a joke: when in doubt, red team it.

Several readers asked me about the idea behind them and how I chose those specific rules, so here it is: the original 12 explained.

The Moscow Rules

My rules set in motion a huge number of messages and emails asking about the reasons for them, the theory behind them and other questions.

I compiled the Original 12 Rules as a way to list the most common things I needed to remember during my work, my time in the military and while doing things I like, alpine climbing for example.

The main idea was taken from the Moscow Rules. The *Moscow Rules* is the name for rules said to have been developed by the CIA during the Cold War to be used by spies, mainly in Europe. Apparently there were 40; however, they were never written down, at least not officially.