Disclaimer: Yes, in spite of Rule 5, sometimes we get caught. However, I am proud that in the many years we've been doing this, we've only gotten caught 4 times (including this one).
After a successful digital Red Team assessment for a customer, we were tasked by them to also try their physical security. They had a new factory with a lot of information stored both in servers and as hard copy inside the building. They wanted us to try to get to that information and on the way test their security planning and contingencies.
We knew they had spent a lot of money on their perimeter security and that they employed local security guards. That is, they didn't contract a security company to provide them with the guards. A little digging and some good social engineering showed us that these guards were mostly former MPs (military police) and other law enforcement (LE) members. Great... They were actually trained people.
Armed with this knowledge, we set up our recon. We performed surveillance both at night and during the day, at rush hour and at calmer times. We tried to gather atmospherics and learn the patterns of the building: people coming in and out, cars driving and parking, guard changes at the main entrance, etc. We documented security features such as cameras and doors that needed a badge to enter. We observed windows left open during the day or night. In short, we learned about our target, externally. After 10 days we had a good idea of the flow and cadence of the building.
While JD focused on getting the information about the location of the server rooms and the storage for the paper documents, Z and I focused on finding a covert way in and also an overt one. Sometimes just walking in to a "meeting" is the best way. Essentially, call the IT department and pretend to be a software vendor or other essential party and arrange a meeting with them to check licenses, demos, etc. That will give you a way in.
However, since you always have a backup plan, we also wanted to have a sneaky way in.
In the end, we had a combination of both.
Without going into too many details (OPSEC for us and them), we arranged a meeting with a director of one of the assembly lines to show them an "update to the robot's controller software" for the following week. That would give us access to the building. While one of us was BS'ing the director, the others would try to get to the roof and enter the top floor, where the servers were located, via a roof skylight. Well, that was the plan, since the server room (after some intel gathering) was guarded by a badge reader and password, and we had neither. So, rappelling down sounded easier.
The day came and, after getting into the building, all legal and proper, we separated into two groups (this was one vulnerability we pointed out to them: no controls after we passed the main gate). Z went to talk to the director, and JD and I went to the staircase and up to the roof.
Surprisingly, the door to the roof had a simple lock, so after picking it we were out on the roof. Trying to stay low (this was the middle of the day), we reached the big skylight, a dome-like window that opened by sliding half of it. After cutting the padlock, we waited for a few minutes to see if anyone was around (we had a good view of the floor, except for the far north corner), but we were willing to take the risk.
We slid the window open and, using the trick of coiling the rope inside a GR1, we began our rappel down to the floor; it was about 20 feet (about 6 meters).
Halfway down the rappel, we heard someone laughing. We looked around and saw 2 people, a security guard and the director of security (the guy that hired us), just standing there pointing at us.
Well, it turns out that the director played dirty. He tasked some of his guys to be on the lookout for us. They spotted us during the recon and pulled counter-surveillance on us. Damn, and they were good. We never saw them. I mean, Z is the master of tailing people and surveillance, and he is a paranoid wreck; still, he did not notice them. They knew when we entered the building and they monitored us on the stairs going up to the roof. And then they just waited, hiding in that blind corner. Good for them, bad for us.
Still, it was a successful project in that we pointed out several security vulnerabilities, including the fact that the roof needed more security.
Still... We will test them again soon and then...
We learned this time.
I am making a rule for this, keep an eye on the Rules page.