It happened once. It happened again.
While we were visiting several customers in Europe, we went to visit one of our customers that always requests for deeper and better assessments on their networks and plans. A large multinational corporation, last year we managed to get their marketing plans after blending in with their marketing staff.
This year, the security director asked us to try to penetrate the Board of Director's meeting. Like last year, blending in proved to be a good tactic.
This was a black box assessment, meaning that we didn't have any information beyond our target. So, the three of us began collecting information about the Board of Directors: members, past meetings minutes (transcripts), length of the meetings, etc. Some of it was available online but most of the information required that we use some tricky social engineering to get it. We used a combination of phone calls and emails to get the key piece of information: when was the next meeting.
We called the Office of the CEO and worked on one of the assistants. We explained we represented one of the new board members (this is a public company so the board members are easy to track) and we needed to get all the information about the schedule for our boss and make sure he had the right presentations for the meeting. The assistant was really helpful and we exchanged emails after the call. One of those emails also contained a weaponized PDF that ultimately gave us access to the assistant's computer.
So, we had the date and schedule for the meeting, and we also had access to the CEO's emails, address book and calendar. We needed now to figure how to get in.
After a few weeks of recon, planning and preparations (we made badges, prepared documents with the company's logo, etc) we opted to try a direct approach, pretty much like last time: just walk with the people entering the building and blend in. Using the backdoor, we added our names to the list of people that needed to arrive to the meeting.
Again we dressed properly and put our best senior executive faces. We drove to the corporate HQ and waited until the early morning people arrived. We walked with them and tried go thru the security gate. When the security guard asked us in his language for the badges. when I told him in English that we didn't understand him, he asked in very broken English again and showed us his badge. I smiled and we showed him the badges we made. They were fake, but they look legit. The guard asked us again in broken english what we were doing here. I told him that we were here with one of the board members for the meeting (to be held 2 hours later) and that we came from one of the branches in the USA. I thought we were made, but he just looked at us. I thought he didn't understand us, so I said this again. He looked confused. Then I just mentioned the name of the senior board member we were supposedly helping. He looked in a list, look at our badges and let us in with a wave of his hand.
And we were inside. Language barriers, the time of the day when a lot of people entered the building and some luck, helped us.
We had information about the people that were coming via the backdoor on the assistant computer and we knew that the CEO and some of the senior VPs were in an ealier meeting now. We knew the conference room, so we walked and searched for it. After a while we found it. We took a few covert pictures of the room door and of the meeting inside (part of the walls were glass).
Then we headed to the main conference room and waited with some coffee.
About 20 minutes later people began arriving. Some of the execs sitting by the main table and their senior execs, like us, sitting on the sides. No one even questioned us, we looked the part. Dressed properly, with laptops and paper pads.
Then, as per the schedule we had, the meeting started with a few words by the CEO. We recorded everything in our laptop. Video and sound. Then, the VP of marketing and the CFO presented their numbers and plans.
Just for good measure we also recorded the each member's face as they asked questions.
This time, however, we didn't tell them that we were the Red Team. We just remained there until the meeting was over and we walked with the rest of the people to the cafe in the building. After about 40 minutes we quietly exited the building using a side door.
The next day we contacted the security director. He just smiled.