Black Team War Stories Part 3 - Turning a bust around

Before We Start

Not every engagement is plain sailing. Black and Red Teaming come with the ever present dread of getting caught on day one and “failing/ruining” the engagement. An experienced team needs to appreciate the impact of getting caught but also how to salvage a job if and when it happens. This ensures the client still fully benefits from the assessment. This is the difference between the A team and the B team.

Secondly, it is very easy to look at a target site and assume that it will be either “easy” or “hard”. We all do it and instinct usually proves us right. However, this is never a given and sometimes we are completely wrong. The site in question is a perfect example.

The Target

The client approached NCC Group looking for an internal Black Team assessment. They wanted to provide us access to the building and then see if it was possible to take and extract imagery from inside their restricted areas. We recommended that they include the initial building breach as part of this assessment. This would ensure the client received a full assessment of their entire building security rather than segregated areas.

The target site was located in a city centre with two larger company sites they occupied nearby. There was a small amount of footfall entering the building throughout the day, a single entrance with a 24-hour staffed reception and anti-tailgate barriers. Not the simplest of scenarios but neither was it an uncommon challenge.

The client’s primary concern was a malicious employee with access to corporate and client data, stored in one of the restricted areas, taking this data off site. This could be in the form of imagery, removable storage or printed documents. NCC Group consultants knew this would not prove to be an excessively difficult task as this is usually a secondary objective when performing a Black Team assessment. Suggesting the client increased the assessment to include the entire building was to ensure they got as much benefit from the engagement as possible. The restricted areas prohibited all phones, camera and recording equipment and the removal of any data.

Objectives

• Breach the target building
• Acquire access to the restricted areas
• Bring a phone into a restricted area without detection
• Take imagery of computer screens from restricted areas
• Plug a network device in restricted areas
• Leave a bag in restricted areas and retrieve at a later time
• Perform a basic Wi-Fi assessment from inside the target building
• Leave restricted areas and building without detection

Recon

The primary targets for the OSINT phase of this job were to acquire:

• Pass Imagery
• Lanyard Imagery
• Perimeter access control imagery

Floor plans

There were very specific goals for this assessment. With a limited amount of time to perform the OSINT phase the team set OSINT “flags” that would specifically assist in achieving the overall Black Team goals. The flags above would directly assist in getting in and out with the specified contraband. All of these were acquired with the exception of the detailed staff pass imagery.

This is key to Black Team engagements. Unless a full OSINT assessment has been requested the team must utilise the limited time for the OSINT in a manner they best feel would benefit the engagement.

Onsite Recon

The OSINT had revealed the use of anti-tailgate barriers. This, combined with the fact they would likely use access controls on the restricted areas, meant that the best solution would be a cloned pass. The reasoning for this was that if the right pass were to be cloned, access would be acquired to the main building and the restricted areas in one hit.

The second key objective was to take detailed pass imagery to create our own copies. Fortunately we were able to acquire an out of date contractor pass. We also identified key points at the three sites where staff passes could be cloned. These included a bus stop and two smoking areas.

Breach Attempt One

So, progress is pretty much text book thus far. As expected, we are well on the way to a simple breach. We use the contractor pass to see if we can gain access outside office hours when there is minimal security. We try the pass at around 2100. It’s a bust. The door doesn’t open so we leave it for the day and decide to hit the bus stop and smoking areas to clone some passes tomorrow.

The following day the client wants to meet for a mid-job debrief. He informs us that an alert had been triggered the previous night as the result of an outdated pass being used. This information had been spread company wide. Not only was this a huge ‘spanner in the works’ for keeping the job covert but it was impressive how quickly this business distributed such information.

We tell the client we are confident we can still gain access to the target and the job continues. To prevent ourselves being burnt at the target site we go to the bus stop of another site. Here we clone around ten badges. We write these to cards and decide to try them out the following day at the target site.

Breach Attempt Two

Again, full of confidence we try these passes on the entrance door to the site. Unfortunately the passes do not work. Instead, one of the consultants tailgates into the building and tries a cloned pass on the anti-tailgate barriers just past the doors. Again the passes don’t work and the consultant is stopped by security and burnt. Something to do with the ethnicity of the staff photo that pops up when you use the pass being completely different to the consultants... He drops a quick text to the second consultant informing him of the situation and telling him that he too is being watched. It’s clear that passes from other sites are not going to work here so, in a last-ditch effort, the consultant outside the site quickly clones a pass of a contractor who enters the target site. An almost guaranteed access pass.

The Client’s Needs

The client’s needs were simple: To get data out of the restricted areas. So far, both consultants are burnt but have a golden ticket into the building that neither one can use. More impressively, the security guards have pictures of the consultants up on the walls of the site, warning staff to look out for them – impressive, considering the consultants had done just one sweep of the smoking area two days before.

For the time being the client requested that one consultant be permitted access past the initial access controls to see if they would be able to achieve the original requirements set out by the client. The consultant tailgates into the restricted area with ease. Imagery is then taken on our trusty camera pens. Unfortunately it’s RFID out and not push button exits. Instead of hanging about, the consultant goes to the kitchen where a single employee around the age of the consultant is making tea. The consultant begins to make tea as well, passing himself off as another employee.

Now, if you have ever been into a new office I’m sure you’ve seen these fancy taps without a sink. The ones that just have a grill underneath and a bunch of buttons, which might just as well be a passcode, for hot or cold. And you don’t know the code. So with a cup and teabag ready to go the consultant is committed. 

The consultant tries to add hot water and cannot get anything to come out. Rob a bank? No problem. Turn on a tap? Absolutely defeated. The employee notices, but trying to be polite, says nothing. After some fumbling finally water starts to come out of the tap. However it’s very clearly cold water. To top this, when the cup is full, does the tap stop pouring when you let go of the buttons? Of course not. So now the consultant is stood holding a cup of cold water with a pointless tea bag in it. And it’s overflowing. At last the employee takes pity on the helpless victim and turns the tap off and a conversation ensues. I mean, there’s no way this idiot could be a malicious attacker…

I won’t go into the details of the conversation, but the consultant was a lot smoother at talking than making tea. The tea which he is now forcing himself to swallow in an attempt to act ‘natural’. It was vile. The employee is convinced after about 5 minutes of talking to let the consultant out of the restricted area. Job done. Oh, with their colleagues pass...

Added Value

So, job done! The client’s requirements have been met. However, we know we were within inches of a full physical breach. Unfortunately both consultants are burnt, but thanks to the wealth of resources at disposal at NCC Group an experienced consultant was brought in at a moment’s notice to attempt a full breach the following week.

Breach

A pass is made up for the third consultant and the cloned RFID card is given to them. From here it’s a slaughter. The pass that had been cloned allowed access to all areas of the building. The consultant breaches twice and takes every floor, gaining access to all the restricted areas. The client is informed and requests that we perform some “noisier” objectives. These include plugging a device into the network, leaving a bag unattended, capturing imagery on a phone and performing a Wi-Fi assessment. This is the point at which the NCC Group Black Team consultants consider the equivalent of “Domain Admin” has been achieved - we are able to do almost anything confidently without significant effort or risk. This was the position we had now acquired. Staff even mistook the consultant for a new employee and gave them a dedicated desk and network connection.

Client Benefits

The client came to us with concerns that an employee could extract sensitive imagery from the restricted areas. This is where they believed they were vulnerable. NCC Group Consultants demonstrated this with and without a pass.

This would have been a happy client and a job done. However, NCC Group consultants recognised that the risk to the client went further than the insider threat. The Black Team demonstrated that not only could employees take imagery out of the restricted areas to which they were permitted access, but an outsider with zero permitted access could achieve exactly what the client was most concerned about.

NCC was also able to demonstrate where the client was strong. There were key factors in the security that made this job a lot more difficult than the consultants originally believed. The third party security firm did an exceptional job in preventing the Black Team from gaining access. It took additional time, resources and a new plan to counter the measures the security firm implemented, to eventually gain access.

Lessons Learnt

This engagement was a prime example of how a seemingly simple job can turn out to be a significantly more difficult task…

This job also demonstrated that things will not always go smoothly or the way you expect. Businesses and technology have become very proficient at keeping intruders out. The consultants were two of the top NCC Group Black Teamers with years‘ of experience yet it took a prolonged period of time to achieve the breach. When things go wrong salvaging the job and ensuring the client fully benefits from the assessment is a modern requirement of any experienced consultant, and had the assessment been limited to a few days with a less developed Black Team the test would have been over well before the full breach was achieved.