A few days ago a reader asked me if I could write a post about common uses of the Red Team Mindset. Think everyday activities, work, school and such. Think non-technical everyday Red Teaming.
Red Teams can solve problems through an indirect and creative approach, using reasoning that is not immediately obvious and involving ideas that may not be obtainable by using only traditional step-by-step logic.
Using “Ridiculous Thinking” a Red Teamer plays with the different sides of the problem, looking at it as if it were a hollow cube: you have the 6 external sides to check, but you can't forget the 6 internal sides either. The idea here is to go beyond the visible, the obvious, and also check that extra thing that no one bothered to look at before.
We needed to access the server room of a security company. The target was one specific server that was not accessible via the internet or their internal network. It was well protected by an air-gap and really tight access controls.
We decided to go at it by hand: break our way into the building, find the server room and manually disable the server as a way of saying "we were here".
Entering the building was complicated but after several days of recon we managed to come up with a plan that worked.
Once we were inside the building we began looking for the server room. We didn't have much time, people could challenge what we were doing at any moment and while we had a cover story, it would not hold for long, especially since we didn't have time to fake the ID cards or the visitor badges.
In the end, it was a cleaning person who pointed us to the server room. Once we arrived there, we noticed two things: there was a camera above the entrance (and we knew that all cameras were being monitored), and the server room had a common lock on the door, no ID card reader or keypad.
Yes... These people invested in top of the line security but they had a simple lock on the server room.
A few months ago we had a very interesting physical assessment of the offices of a new customer. The security director wanted to know the current state of their physical security and how aware their employees were of threats.
This is a small startup company, but doing very interesting work in the security field themselves.
The director told us: *you can do whatever you want and exploit any and all vulnerabilities you find. Just let me know immediately.*
The time frame was set to 2 days. So we set to work.
The first day was used for a quick onsite recon. I went into the building where the customer's offices were located, while JD scouted the perimeter.
The main entrance was guarded only by a keycard reader and a locked door. So, I waited *on the phone* for a few minutes until a person working in the building came in and opened the door. I walked in right after him, still *on the phone*. He never challenged me or asked me not to tailgate.
In the meantime, JD found that the back entrance was guarded only by a very shiny but easy-to-pick padlock. It had a nice sign saying "Restricted Area. No Unauthorized Personnel Beyond This Point".