Our Swarm of cyber security specialists operate in elite squads – or ‘Hives’ – to find and expose vulnerabilities in our clients’ assets. But our work isn’t just about sitting behind a screen. We also go on location to attack from every angle – whether it’s monitoring staff traffic, scoping entry and exit points, or identifying (and replicating) staff lanyards.
Doug is one of our Hive Leaders, with over 15 years’ experience in information and cyber security. He’s been part of CovertSwarm since the start. Today, he’s sharing his story about the time he was almost arrested in Luxembourg while performing an onsite physical security and social engineering assessment.
Doug was working with a large global financial organisation who needed to assess the physical controls and local processes of their European remote offices. We deployed him to the company’s Luxembourg site for a physical and social engineering engagement – something we’ve done many times – to gain access into a network through ethical hacking. But on this occasion, things didn’t go so smoothly.
The story begins with Doug flying into Luxembourg and making his way to the target office. “I identified an underground car park with a slow-moving roller door, which seemed like a great entry point. As I approached, it started to move – so I ducked under and made my way to the lifts.” Doug was now inside the building, ready to begin his attack. But a solid main door meant he couldn’t get a feel for the office layout or staff movements. He needed a new plan. “Using my phone as cover, I stood outside the main door and pretended I was on a call, mimicking using a security access pass to get in. Luckily, a delivery driver appeared. As he was buzzed into reception, I tailgated him to enter the office.” Nobody saw Doug come in. He quickly found an empty room in a quiet part of the building and set up his laptop. “I plugged in my laptop power cable and deployed a ‘dropbox’, which was pre-configured to attack the company’s domain in order to gain admin privileges. I was able to sit at my post for almost three hours – entirely undisturbed – as the scripts ran. Then I decided to explore the office while I waited for it to finish, making sure my phone was set up to receive remote updates.”
Doug found the office break room and helped himself to coffee while chatting with the staff. Nobody suspected Doug wasn’t who he said he was – until the Managing Director arrived.
“The MD had been in a meeting off-site. When he got back, he spotted me walking around and couldn’t identify who I was. As I’d snuck into the office, I hadn’t signed in at reception and they hadn’t had any visitors, which roused his suspicion even more. He followed me into a meeting room to question me.”
Still wanting to continue the ruse – and with his ‘dropbox’ still running in the other room – Doug played along, hoping to remain undetected for the whole day. But the Managing Director had other ideas.
"After some pretty intense questioning, the MD excused himself and asked me to wait in the meeting room. I decided this was the time to disappear – but found he’d locked the door. When he came back, he told me he’d called the police.” Doug wasn’t sure whether this was all part of the test, and he was being socially engineered. So, he stuck to his guns.
“I thought it was an attempt to catch me out, so I carried on with my backstory. But then I saw a police car pull up with two officers inside.’’ To prevent the situation from escalating, Doug produced his letter of authorisation, signed by the company’s Chief Technology Officer. “I knew if the MD called the CTO, it would all be resolved. But they couldn’t get hold of him – he was at the dentist’s with a numb mouth! Eventually, he managed to verify that I’d been authorised to be on-site and that everything was above-board. The police were satisfied, and left.”
The Managing Director was pleased to have identified Doug as an attacker, thinking he had managed to stop him before doing anything malicious. That is until Doug flashed his phone – which was still connected to the dropbox – and now displayed the message “Domain Admin Obtained”.
Doug managed to identify several weaknesses within the physical security posture and processes of the business, as well as finding a number of vulnerabilities on their network. These could have put the company at risk – not only through enabling Doug to access sensitive information, but by giving him permissions that could see him take over their network and potentially access other areas of the business. With CovertSwarm’s insights, the organisation has now taken steps to prevent this happening in a real-life scenario.
But it wasn’t just the company who learned something that day. “I knew something wasn’t right when the MD caught me, but I thought he was bluffing. When I got locked in the office, I realised I was prioritising the outcome of the test over my own safety. Next time I’ll know when to call time and ‘fess up.”
Doug knows how important that letter of authorisation is, too.
‘’It’s like your ‘get-out-of-jail-free card’, with all the contact information you need to validate what you’re doing. Now, I always make sure my contact is available moments before I attempt to gain physical access to an office – just in case they’re at the dentist.”
Send in the Swarm
Our Swarm works round-the-clock to find and exploit your vulnerabilities. We start by mapping out your attack surface – from digital assets to physical ones – and use any angle we can to gain entry, detect weaknesses and attack systems.
Because of this multi-dimensional approach, we go further, deeper and wider than anyone else – and will break out from behind our desks to carry out undercover missions at your organisation’s address. But just like a bad actor, we’re always learning new things, having to adapt to new situations and overcome obstacles, and3 most importantly, thinking on our feet. Because a real hacker won’t just stop at a phishing or DDoS attack. They’ll use any means necessary to find a way in.
To find out more about our Swarm, what we do and how we can help your business, get in touch today.