A couple of years back, we performed an assessment on a startup company that was writing security software. At that stage, they were still in stealth mode. They wanted to know, before opening their product to the public, if their networks, systems and products were secure.
Initially they hired us as simple pentesters, but during the initial meeting, it was ovbious that they wanted a full Red Team assessment. So we changed the focus of the engament to all the 3 domains: digital, physical and social.
The company described to us how their development network was segregated from the rest, how they controlled access and how data was flowing in and out of that area. The source code of their product was their main concern, so they put a lot of effort into making this environment secure. The rest of the network had the usual perimeter security. They invested good money in their detection capabilities too. Overall, they have done a good job in covering their basics. But, as we know, the basics don't work anymore.
After reviewing (OSINT) their employees activities online, we targetted one of the sales representatives. We wrote an email supposedly from a very important company that heard about the product from a friend and wanted to reach out for a demo. After a few emails and several phone calls, we managed to get the rep to open a weaponized PDF and we had a backdoor into their internal network.
We focused then on searching a development computer. Since they were segregated from the network we were in, we opted for searching a computer of a developer. These were connected to this network for the purposes of email, etc. When we found one, we copied a digital drone there and we programmed it to start mapping the network when a new network was discovered (i.e. if the programmer connected the laptop to the segregated network).
The next day he did. We received a ping from the drone later in the day, when, apparently, the programmer moved the laptop back to the main network and the drone had once again internet access. The send the download command to the drone, which in turn uploaded to our server the contents of its network mapping.
After some review, we saw their main source code repository and a bunch of other developer computers. So, we sent a new set of commands to the drone: copy yourself, if possible, to the source code repository and copy any file that was accessed or modified in the last 72 hours.
Two days later we were reading several source code files.
We called up for a meeting and presented the initial findings. They were, surprisingly, very receptive and wanted us to begin working with their network guys to help fix this and make it more secure.
The rest of the engament, we focused on their social media and training also the sales people: making them more secure-minded. We also worked with their programmers in how to properly connect to a clean and dirty network in a secure way to avoid this attack.
Anyway, moral of the story: don't assume that because you have a solid perimeter protection and a segregation of environments, you are secure. Today the focus shoulb be inside, in the data you want to protect, in the internal systems. Start by knowing you have been penetrated. You have a bad guy inisde. period. That's the reality of today. your focus should be on how to make it harder for that attacker to move inside, to find what he is looking for and to detect his/her movements.
As always, act, don't react. Run assessments, pentests, red teaming. Ask your people what's not really working. Listen to them.
When in doubt, Red Team it.