| .. PenTesters for the state/government cybersecurity require a special designation #red_team that allows for incursion and flag dropping; 'tracepoints' -- public disclosure. There are a lot of steps and often it involves writing out a clear mission scope/goals to avoid this type of circumstance. This includes progress reports to their organizational handler announcing the intentions/progress .. progressive research. Introductions by state employees, informing the law enforcement. OFTEN .. I find myself informing the officials & administrators during normal business hours, etc. "people who may be affected" that could be conducting an exercise that involves your building in [timeframe] you have until then to prepare; readiness drills etc. bring it. Afaik getting caught is part of the fun (how far can I get before you catch me?) but there's always a point of no return where it's not fair; never typing the rm -Rf or "encrypt *" commands but you never actually do if you're a good person; I know I had a lot of interesting "oops" moments in my early career where I accidentally embarrassed somebody and made an enemy. IT Departments are run by normal people who have limited budgets and time; and I like to point out that a failure usually means a better budget justification to fix it; and assurance that anything we break we'll fix; but how confident are they in their backups and how easily I can get to them. So fuck that cowboy pen testing bullshit, a great hacker will only use that as a last resort and then EVERYBODY should know it's happening so there is less risk. This is why "this is a test" is played during military exercises; because it's about the readiness drill. I will take your system down; with or without you -- do you want to watch? I've had new guys on teams suggest cutting primary wires; to trigger failures i.e. "video camera feeds" etc to demonstrate coverage lapses in physical security. If they did any property damage; they are liable for that.
If the building administrators decline the #red_team audit; then we submit that back into the report and put them on our "naughty list"; which means we'll try 2x harder to embarrass that particular person; shame on them.... It needs to be clear that a failure does not necessarily reflect badly on them in our report; unless they were blocking the audit; that is bad. That's all you can do; they don't want to engage -- forward it to the foreign upper bureaus who don't need to follow the same disclosure rules as a good place to train recruits. As a hacker; pen-tester #red_team
I make it clear that's exactly what I'm going to do if they don't personally cooperate; usually they'd rather be helpful than risk pissing me off and being the subject of my wrath - we work together to fix it. It's a bit heavy-handed; .. 2020 election security is going to suck donkey balls btw. / #red_team |
You sound quite unprofessional :/