All in Red Teams
Disclaimer: Yes, in spite of Rule 5 sometimes we get caught. However, I am proud that in the many years we've been doing this, we've only gotten caught 4 times (including this one).
After a successful digital Red Team assessment for a customer, we were tasked by them to also try their physical security. They had a new factory with a lot of information stored both in servers and as hard copy inside the building. They wanted us to try to get to that information and on the way test their security planning and contingencies.
We knew they had spent a lot of money on their perimeter security and that they employed local security guards. That means they didn't contract a security company to provide them with the guards. A little digging and some good social engineering showed us that these guards were mostly former MPs (military police) and other LE members. Great... They were actually trained people.
Sometimes all the hard work and no play gives you some rewards. This was the case on one project. This was a simple "hole in the wall" assessment. Basically, go in and test whether you could connect to their network either via an ethernet plug or using any wireless network. The idea is to help their security department find the weak points in their security, and well, allowing someone to just plug in a computer, get an IP and, presto, be part of the network is a big problem.
The infil into their offices was relatively easy. The company rents half a floor in a building where other companies are located. The security guards at the ground floor are used to seeing different people, and they didn't bother us as we walked in with our suits, air of confidence and on our phones. They just looked at us and we continued walking... We hit the stairs (remember Rule 80: Never take the elevator) and climbed to the 8th floor. There, we simply walked into the company's area by tailgating an employee after he came back from the restroom. Simple.