All in Physical
Sometimes you don't know what you agree to until it's too late. In this particular project we were testing physical security around the customer's building. The customer asked us to try to bypass their physical security measures and if possible reach a certain room and leave a note there.
It sounded like a fun project.
The next 3 weeks were spent researching the target, recon during the day and night, trying to get the right names for some social engineering attack if needed and gear, techniques and planning.
At the end we discovered a vulnerability and we thought we could exploit to get us in. The only problem was that in order to get that potential point of entry we needed to get to the roof.
You have two types of prospect customers in the world of Red Teams: Those that believe they need help and are willing to invest in proper security and testing, and those that believe their security is the best but since it's required by their oversight they will hire a security consultant to try to find security vulnerabilities.
The former are easy to work with and easy to convince when it comes to the need to perform different tests, including a physical penetration tests, social engineering and other less traditional tests. The latter... Well, those take some convincing to do.
I can present hard data on why their security is lacking but they are too confident that their security is so good that they won't listen. In these cases I have to show them first hand. I usually would ask for permission to try to penetrate their building/network but sometimes...
This particular customer I had to convince authorized me to, and I quote: "try to bypass my security guards, I dare you...".
Once in a while you have a project that you know will be a lot of fun. One of the biggest telecom providers dropped a project exactly like that a couple of years ago.
They wanted a full red team assessment, including external and internal digital assessments as well as a physical one. The scope: the entire company. This included the corporate HQ and its employees, the service stores across different cities, local offices, mall stores and the factory. This was a HUGE project. They time allotted? 6 months. Perfect.
Casing a site
I had this post set to appear in a few weeks as a response to the different readers sending their questions after a few posts about recon and site casing, but after the fun post by Jason at GORUCK about this subject, I thought I'd post it now.
Like I mentioned before, recon is crucial to a successful operation, be it physical or digital. A key part of this is the site casing: observing a location and learning its vulnerable points, its atmospherics, its rhythm. Knowing the locations of entrances and exits, potential choke points, security cameras and other devices can influence what you do or don't do. It also help planning the escape routes. Yes: Rule 1 - Always have an escape plan.