A few years back we performed a routine follow-up after a full Red Team assessment. The assessment was stuck after 3 days. Our customer really took our report and suggestions to the letter to make their security tighter.
We were unable to find a way in via their public-facing networks. On the physical side, the recon showed us that their guards and general security posture were also upgraded. During the 3 days of physical recon, we observed they put in place not only our suggestions but also hired an expert to make sure their security was tight. It was good to see this.
However, now we had a challenge and since we don't like to give an empty report to the customer...
Sometimes you spend weeks trying to figure out the best way to infiltrate your target, whether digitally or physically.
Sometimes all it takes is a trip to the back of the building.
A few months ago we were performing an initial recon on a new customer. He wanted us to check whether his security team did a good job in setting the perimeter. The final target was one of the server rooms inside the building, where their data center was located.
We arrived after hours and after laying low for a few hours, observing and collecting atmospherics, we decided to go around the perimeter to map it. In the past we've found vulnerable points of entry that were not visible from a single OP (observation post).
As we were coming to the back of the building, we noticed that the trash-collecting trucks were leaving the building. The gates were open and there were no guards there, only a camera. We lay there observing for 40 minutes and nothing happened. After a brief exchange we went for it.