Chapter 6Criminal Intelligence

A few years ago I was called upon to perform an internal APT-modeling scenario for a police service in the UK. It was an interesting assignment for a number of reasons, not all of them purely technical. At a police HQ they don't, generally speaking, want you wandering around by yourself, so every morning my colleague and myself would dutifully arrive at the front desk to meet our point of contact whose job was also to escort us around the building as necessary. On day three we asked for the gentleman again only to be taken aside by a couple of police officers who wanted to know what our business was with him. I explained we were security consultants, here to fight the good fight against the ever-present forces of darkness (we pen testers are a colorful bunch) only to be told that our point of contact was actually a fugitive from justice and had been arrested the previous evening. I never did find out exactly what that was all about, but it takes a certain amount of chutzpah to apply for a job with the police knowing you're a wanted man.

I mention this anecdote not only because of its obvious comical nature but because there is a practical lesson to learn—regardless of a lack of escort, we still had a job to do and given that this was a busy place with uniformed officers and civilians walking in and out of the building all the time without any real access control (beyond what was essentially voluntary), we decided to just go ahead and complete our ...

Get Advanced Penetration Testing now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.