Some projects are difficult due to their complexity; some projects are easy, mostly because of a lack of security at the target. Some other projects are boring, for many reasons. And, of course, some projects are fun. The latter usually involve combining two or three of the three Red Teaming fronts: digital, physical and social.
In one case, a friend asked us to help review the security at his company. We managed to walk right through the door, get to the server room and come out with a bunch of hard disks.
After several days of digital recon, we found that the security protocols in the building dictated that in case of a fire or power failure, all doors needed to be unlocked for safety reasons. Which is a good plan if you were to have it red teamed first... Well, this is where the physical recon came into play.
With all the security measures around the main entrance, inside the building and around the server rooms, we found that the main building disconnect was... well, very accessible to the general public.
So, we walked right up to the switch and pulled it down, and after some alarms sounded, the back door of the building opened. We waited a few moments and walked right in. Inside there was the usual mix of people not really knowing what to do, with alarms sounding, some dark corners and some illumination from emergency lights. In other words, a bit of chaos. We took the stairs and found the server room with its door unlocked and running on UPS electricity, walked in and extracted 3 of the hard drives from the servers. Then we walked right out. Only then was the fire department arriving, with some police.
We worked with our friend to solve this issue and now he has a really good plan (and a plan B as well) to deal with these kinds of issues.
When in doubt, Red Team it.