Hacker Disneyland

Published: 2025

Let's be honest, trying to break into buildings without getting caught is a lot of fun!

Hmm. That's all I really wanted to say... but I guess that doesn't make a worthy blog post does it?

*sigh* Well, I guess I can break down the "value" of covert entry assessments, or "Hacker LARPing", as Shawn affectionately refers to them...

But before I get into that, it would be irresponsible of me not to point out that - objectively - we're going to find more vulnerabilities when we have as much information as possible. The more information we have, the better our threat model is, and the more effectively we can target weaknesses. And if we don't have to worry about being detected, we don't have to throttle our attempts, we can ask questions, and we can use our time more efficiently. Because of these things, we're going to find more holes. And obviously, you want to plug as many holes as you can. This is the approach we recommend for the vast majority of our engagements.

Okay, now back to the fun stuff.

You have a really mature security program. You already do regular pentests and plug the important holes. Or at least, they'll be plugged soon. Sure, you have some that will never get fixed but they're not really that important. Not to mention all those fancy locks and alarms you have. And the security guards! I love it!

I can't tell you how exciting it is each time I get through a locked door ;)

But on top of the technical weaknesses, the cool thing about testing done with all the bells and whistles turned on is that we can also identify detection and response weaknesses.

< Me >  Did you know that the alarm system was disabled? 
< PoC > LOL. Oh, yeah.

I love a good complex target with lots of layered attack surface. This is the stuff that drives me.

And besides being valuable to our clients, these engagements give us a chance to put our lab-grown skills to work in "real world" environments. In Neal Stephenson's book REAMDE, he refers to Vancouver's Chinatown as "Spy Disneyland". In the story, he suggests that a person of Chinese descent could go there and pretend to be native Chinese to test out whether they would be discovered, with very little consequence for failing. Honestly, it seemed like a great analogy to covert-entry testing.

I've been an outdoorsman my whole life, and in some ways, this is not unlike hiking, camping, or hunting: You can know all of the theory and try to prepare, but until you actually go out and try it, you won't know where your weaknesses are. During these engagements, we get to put our best efforts to the test without (as much) risk of being shot at or going to prison! And our clients get to see what an adversary might do without risk to their business.

For instance, I once built a clever little Raspberry Pi remote access device that backhauled over Wi-Fi to a cell phone I could drop within range. It was brilliantly small and could run off of 5V power. It worked awesomely in all my lab tests. Well, when the time came, I was reminded just how finicky Raspberry Pis can be. Especially when they are unceremoniously unplugged and the SD card gets corrupted, or when they try to draw too much power. Lessons learned. Now I travel with micro-form-factor computers with solid state drives and built-in LTE :P

Or the first badge cloner I built where I had to pop the SD card out to get the numbers, and forgot to put the card back IN. NO MORE SD CARDS! We live and we learn :)

Also, did I mention that it's fun? :)

< Me >  Y'all have a nice view up here! *photo*
< PoC > Haha, nice. Enjoy :)

Anyway, see y'all out there!