How many disguises would you pack to break into a data centre?
Martin McGuigan
Content Executive
A provider of data centres asked us to perform physical penetration testing on one of their sites. The company owns data centres and rents server space to its customers, who must therefore be assured that their data will not be compromised, nor will their servers and systems go down at any time.
Andy and Jack were dispatched to a remote location, with a timeframe of a few days, and one clear mission objective: to demonstrate every possible way a cyber-attacker could break in.
Reconnaissance
To make the attack simulation as realistic as possible, our penetration testers were given scant information – only the address of the data centre. Equally, our penetration testers did not tell the client on which days they would be visiting the site, so that the client’s security could not be hypervigilant on those days.
The first challenge was finding the place. Open-source intelligence revealed nothing about possible entry points to the client’s site or their office building, and therefore Andy and Jack had to conduct reconnaissance on the ground. Despite having the address, they arrived at an industrial park with several large warehouses and office buildings. They circled the site, using a long-range telephoto lens to snap drive-by pictures from their car. Importantly, they observed the site at different times of day, to learn when it was busiest and when it was quiet, in order to plan the best time of day to attempt the break-in.
During reconnaissance, they identified a loading bay for deliveries, a fence panel where the bolts were on the outside rather than the inside, as well as several blind spots not covered by CCTV. One such blind spot was conveniently located by a timed automatic gate through which they might be able to tailgate. Construction work was being carried out on site, which would provide a useful excuse when they were able to enter.
Before attempting to enter the site, our penetration testers first attempted to gain a foothold on the network via the company Wi-Fi. If they were able to gain the name of the wireless network, they might be able to do a password spray attack overnight. If an attacker could gain a foothold on the company’s network and access customer data that way, they would not need to break into the data centre itself. Or they could simply use the information they gathered to better plan how they would break into the data centre.
Andy lay down in the backseat of the car with a wireless antenna that poked the ceiling. As construction workers walked past and eyed the two of them in the car, Jack pretended to make a phone call and discreetly watched their lines of sight in the rearview. Unfortunately, Andy could not get the name of the company’s Wi-Fi network. They would have to resort to a good old-fashioned break-in.
Formulating a plan
Based on the information gathered during reconnaissance, Andy and Jack formulated five plans:
- Tailgate through the cargo delivery entrance
- Walk in the door of the building which they thought would be left open
- Convince a security guard to let them in
- Unscrew the panel in the fence where the bolts were on the outside
- Try to scale the eight-foot fence
They ordered the plans based on how successful they thought each would be, without raising suspicion. Plan E was worst of all, as Jack would have to climb the fence and try to enter the building alone.
Their plan also included disguises and plausible cover stories. During their open-source intelligence gathering, Andy and Jack selected a number of employees at the target company who they could use as part of their cover story. If caught, they would say they were visiting the site for a meeting with Joe Bloggs.
They decided to tailgate through the cargo delivery entrance.
Get in, blend in, and get your bearings
On the morning of the break-in, Andy and Jack arrived at the site wearing overcoats and carrying hardhats. They parked several feet away and waited by their car for someone to enter the site. They timed how long it would take the automatic gate to close and knew they had twenty-five seconds to slip through the closing gate if they followed a car. More importantly, they had to go behind a CCTV camera to remain in its blind spot. A car arrived. They waited for it to drive through the gate. Then they ran.
The automatic gate shut. They had squeezed behind the CCTV camera. High on adrenaline, they removed their overcoats, which concealed high-visibility construction vests. They donned their hardhats and were ready to explore the site, now disguised as construction workers.
They spent the first hour trying to orientate themselves while blending in as quickly as possible. ‘The aim is to legitimise your presence,’ Jack explained. ‘The longer you are on site, the easier it is to remain there unquestioned.’ This requires a combination of confidence and misdirection. (Fake phone calls and banal conversations are versatile distractions.) While exploring the site, Andy and Jack turned the corner of a building, finding themselves face to face with ten construction workers. They thought their cover was blown. They got a few suspicious glances from the group and quickly turned around. Their alibi – that they were making a site inspection – would only work if questioned by some people, such as security guards, but not other construction workers.
They found the main entrance to the office. Some employees were smoking outside so Andy and Jack waited for them to finish, then casually tailgated behind them to enter the building. Luckily, there were no security guards stationed by that entrance. As the employees went back to work, Andy and Jack had to decide what to do next. They opened the first unlocked door they could find, and entered a one-by-two-metre store cupboard.
The ceiling began to rattle. Footsteps were stomping overhead. Someone was coming to get them, they thought. The noise subsided, so Andy and Jack stayed in the store cupboard for thirty minutes. They checked boxes for any useful information about where the data centre was. They counted the footsteps overhead to estimate how many employees were in that building. They strategised what their next play would be. First they removed their high-visibility vests and hid their hardhats in their rucksacks. Underneath these, Andy and Jack had dressed in smart-casual clothes – the kind of thing an IT contractor might wear. They were on to their second disguise and their second alibi.
Smile, nod and play it cool
They decided to investigate upstairs, where they found a small canteen for employees. The canteen was now empty – whoever had gone in there before had finished their lunch and gone back to work. As Jack explained, ‘During physical security pentests, a key objective is to take and use anything that enables persistence or privilege escalation, meaning Wi-Fi passwords, key cards, company laptops, and documents containing personal information are essential tools.’
While the canteen did not contain any of these, they did find a page tacked to a notice board containing a shift rota of duty managers, and their contact details. This gave added credibility to their alibi: if they were stopped and questioned, they would say they were IT contractors visiting, and had more names to rely on.
As they continued to explore the building, the risks multiplied. They turned down a corridor containing a number of offices. They had no idea where they were going, but whenever they passed anyone who worked there, they used the trade secret of all con men – smiling politely. As Andy explained, “If you want to act like you belong and gain people’s confidence, smiling and simply saying ‘hello’ is the best possible tactic.” As they sought a room with an ethernet port to plug in their laptops, they tried a number of doors, and walked in on a startled site manager. ‘Sorry, wrong room,’ Andy said, with a winning smile. In such scenarios, confidence and friendliness trump apologies or explanations.
When they eventually found an empty room and plugged their laptops into an ethernet port, they left the door open and gave a friendly wave and greeting to anyone who walked past. Unfortunately, they could not quickly gain a foothold on the company network. But in any case, this was not their objective. Their objective was to get into the data centres. They would have to continue exploring the site – clearly there were more security controls they had missed.
Smokers, security guards and locked doors
For the next stage, Andy and Jack donned fake company badges, which had been printed, laminated and mounted on lanyards. The badges looked convincing enough to fool the eye from afar, but if a security guard questioned them and inspected their badges, they would quickly spot the fake.
They sat on a bench outside, not far from the main office entrance, trying to figure out how they would get in. Tailgating and looking inconspicuous had worked so far. Another stroke of luck came when two employees left the building entrance and disappeared around a corner. Andy and Jack could smell their cigarette smoke. They prepared themselves to tailgate into the building once more. Politeness and courtesy are a security risk to be exploited – few people want to deliberately shut the door if you’re just a few feet behind them.
They had hoped to get through multiple sets of doors this time, if possible. But once inside, they found themselves in a tight chamber, with two automatically locking doors at either end. It was a cosy space, two metres by one metre, with just enough room for all four people. The two employees who had held the door open were somewhat suspicious, as the four of them stood in that cramped space, but they used their key cards and courteously held the door open once again. Then, Andy and Jack found themselves in a waiting area, face-to-face with a big glass window, and several security guards watching them.
By the time they had assessed their surroundings, the employees they had followed inside had already left them to go further into the building. There was a push-to-exit button on the door behind them. They were going to back out, thinking they had surely been caught, when one of the security guards came in to question Andy and Jack.
‘Who are you? Have you signed in?’ the guard asked.
‘Yes,’ Jack said. ‘We signed in when we entered.’
‘So you showed your government ID, your passports? Do you have copies of your passports? We may need to check them,’ the guard said.
‘We already showed our passports to your colleague who signed us in,’ Andy said. He explained that they worked for the company and they had just called Joe Bloggs – the name of a manager they had found on LinkedIn. Joe was coming to collect them. This satisfied the security guard, but they now had to sit in the waiting room for forty-five minutes, under the watchful gaze of the guards.
They sat down, shaking with adrenaline. Jack looked at Andy and raised his eyebrows, as if to say, ‘WTF? Did we just get away with that?’ It is easier to convince security guards and other employees of the legitimacy of your story when there are two of you, rather than one – hence why Plan E would have been less successful, if Jack had been alone. But the security guard also asked leading questions, providing Andy and Jack with the information they needed for their answers.
They were close to the data centres now, but if they aroused the suspicions of a guard again, they could expect to be questioned thoroughly and escorted off the site, or worse. Thankfully the security staff did not want to make their day more difficult by hassling two people they had never met, who were supposedly coming to visit their colleagues. Andy and Jack sat in the waiting area for forty-five minutes, under the watchful eyes of the security guards who were supposed to keep them out. Eventually, someone came out and they slipped inside.
Once inside, it did not take them long to find the data centre. Cavernous rooms of unpainted concrete with exposed pipes and beautiful servers humming loudly, with ports to plug into and cables to pull out. But Andy and Jack did not do that; they emailed the client instead. They had reached their objective, and tomorrow, after a debrief meeting, they would try again, to see if any of their remaining plans worked.