Red Teaming the Plans - Continue
Continues from here.
The team that went to check the plans began working with the organization's decision makers and after a full 3 days of sitting, reading, analysing and reviewing, they began to attack the plan. Trying to view it from different angles, from different perspectives: competitors, customers, bad people, etc.
Within a week of having started the review, the team had a good idea on how to attack this. A draft report was prepared and I presented it to the customer.
Some of you might know the "PowerPoint Hell" from their time in the military or LE. This company's top management are all former military people, they all love PowerPoint...
In the meantime, the other team, in AFG, was learning how the operation was set up on the field. Passive surveillance and some social engineering provided the team with the initial information needed. They were now on stand-by to hear from us.
Performing this kind of assessment on an area like AFG is tricky, to put it mildy. People shoot at you first and then ask questions. The team there needed to be very careful.
Once we presented the results and provided a quick overview of the problems we found, and how we would both exploit and remediate each problem, we received the OK to test some of these findings. Most of them were alongside the perimeter security, emergency quick reaction and principal's protection in case of an attack. It wasn't goint to be easy to test.
Sure, we have a way of bypassing the security plans and insert ourselves in their perimeter and ultimately in their building, not easy but we knew we could do it. No, the real problem was to keep everyone safe, on both sides. This was a test after all.
It took us an extra week of teleconferencing, meetings with the customer and a lot of recon to come up with a plan that was crazy enough to work and safe for the team.