I love the fact that my job requires me to think through different attacks like this. It can be quite fun seeing what I can think of vs what is actually out there.
Part of the issue is also that people don’t know how much information they are actually giving out when talking to you, and if they aren’t careful when giving a presentation.
For instance, a presentation was made to a group of people. While queuing it up, I was able to see several things.
1) Servername of Calg_serv with a red X through it. Stoon_serv with a red X through it. I now know that this company has their main server in Calgary, and likely has a VPN connection through their Saskatoon office. And perhaps on each laptop.
2) The type of antivirus they had. Now I know what I’m dealing with for AV if I want to load something onto that computer.
From conversation with the person afterwards I confirmed that the Saskatoon company had some specialized people who worked with the Calgary office, that they had given at least some access externally (increases likelihood of VPN on computers), and that access was properly limited to the people who needed it.
So I now have several likely attack points. Since I know their AV software, and that the laptop likely will have the access I need, this is going to be my likely attack point. But I also have enough information to go after the Saskatoon office through their connection in. Perhaps they have an unsecure wifi, a rogue access point, or a boardroom where I can legitimately plug in my laptop.