So, what happens when I walk into a company, act like I belong and find myself on a marketing sensitive meeting? Read on.
A big international company located somewhere in Europe has, as part of their security and ISO certification, a big annual full-on penetration test that includes a red team exercise.
My team was part of a larger team of security experts, and was tasked with a full on attack on the company's internal servers and, if possible, obtaining highly confidential documents.
The whole project was deemed a black box, no information is provided, just the target. How we get the information is fair game.
It is important to note that no one outside the CISO, CTO and CIO knew that we were going to test the security.
We divided into two teams, one would handle the digital aspects of the project (team Alpha) and the other the physical (Team Bravo). I prefer the physical exercises so I went to Team Bravo.
We started working first on our OSINT recon. We needed to know addresses, companies doing their security, any information about the building they were using, names of employees, email addresses, phone numbers, products info and other information we can use on a social engineering approach. This recon served both Alpha and Bravo since the guys at Alpha needed to know this too for their part of the attack.
After several days of information hunting we set our physical recon and observed for several nights and days what was happening around the building. Some of us also walked into the building to try to catch cameras, guards, etc.
The most important bit of information we found during that recon was the trucks that were coming and going. A little research and a good 100 Euros tip to a truck driver showed us that the company was getting ready for an annual celebration (due to OPSEC and privacy I will not disclose the nature of the celebration). It was apparently a big event that was bringing employees from all over the world for several hours. I liked this. This would mean a lot of people, security guards seeing unfamiliar faces and an overall state of movement. Nice, we can work with that.
The plan was simple, walk in with the masses of people and see whether we could find a server room or a computer we could use to copy internal information.
We tried to make fake ID cards based on those we saw on the pictures we took during the recon but it was going nowhere. We noticed thought that the back of the ID has text in two colors, so we sort of matched that. The idea was that if a guard were to look at us looking for a badge he would see the badge with that same pattern as a the real one, and with us acting the part (properly dressed and looking confident, even smiling at the guard) then he would let us alone.
The day of the event the 3 of us dressed sharp, and waited until enough people walked in. We blended with them and walked right into the building.
All the people were being directed towards the main presentation room on the 2nd floor, a huge room that could probably sit 500 people. We were pretty anonymous there. Several guards looked in our direction but no one said anything.
The celebration started and for the most part it was boring. I walked different halls back and forth randomly on an "important call" on my cellphone. I was trying to see if I could find any computer or server room. Nothing on the 2nd floor. I texted the guys and negative on their part too.
After the celebration was done people started exiting the place. I saw a bunch of people that looked like they could be high level execs. The way they moved, the air of confidence and the way people looked at them gave me that feeling. I decided to tag along. It was the best move I've made in a long time.
The execs were all going to a meeting. I entered the conference room after them and sat on a far corner of the room. With all the people that were going to present. No one even asked me who I was. I just acted like I should be there. I was part of the team.
I updated the guys over with a text message: Possible angle. Standby for confirmation.
The meeting started with (I later learned) the Senior VP of Marketing welcoming everyone to the annual marketing strategy meeting. I had to suppress my smile. I was: Daaaaammmmmmnnnnn. I started my voice recorder.
Mr Senior VP spoke about the current year and what he thought was the best strategy for the next 2, 5 and 10 years. He was very detailed. He passed along to everyone a copy of his powerpoint. At the top right corner it read: "Confidential - For internal corporate use only - DO NOT DISTRIBUTE".
I texted the guys and I had a bunch of swearing words in return. Thank you guys!
The rest of the people took turn explaining their plans. I had several Gb of storage on my voice recorder and I used them all. I recorded everything.
A lot of people didn't know each other, or they did just over the phone. This was a large company.
Now for the fun part.
At some point they all looked at me. I was sitting where all the presenters were sited, so they thought I was there to present. Oh well.
I stood up, walked to the front of the room and introduced myself.
"Hi my name is Mr. Hacker. If I were a bad, evil competitor you would be in trouble now. I have in my hands a copy of your marketing plans for the immediate future. However, I am not a spy. I am working with the CISO, Mr. CISO, and we are testing the state of the security of this company. Thank you for your attention, I will be leaving now…"
The look on their faces was priceless. I wish I could show you the picture I took.
I will not bore you with the details of what happened after that, suffice it to say that they are now much more secure after this. They learned a lot and we worked with their security department to upgrade their policies and training.
Oh man, it was a fun project.
Parting note: Not all projects are like this, some you work long and hard and come up empty handed, some others you see opportunities like this and get caught. In this case it worked superbly well. We were lucky. Moral of the story? Keep your ears and eyes open.