You Can't Signature a Taco Truck

An Outdoor Cyber Adventure!

This is a story about how a taco truck became the most effective intelligence gathering platform I ever operated. It is also a story about the gap between what security training tells people to do and what people actually do. That gap is where red teams live.


The Setup

We got called out to the field for a long-term persistent red team operation. Physical. Boots on ground. The kind of work where your tools are your face, your voice, and whatever you can find in the environment. These were the BEST operations, because if you did everything right out in the field, you had sessions waiting for you when you got back, or enough intel to clear the perimeter, or steal a face, or find the next crack that you could go sniff around for opportunities. If you didn't do it right, game over, end of campaign, adversary detected. That's a win that is celebrated while you are led away, because you got pinched in the field, meaning that you are detained and waiting for some station commander to call the number on the letter they pulled out of your pocket before they put you in a cell.

The first time you do something like that, no matter how prepared you think you are, it's all fear and adrenaline and barely constrained execution. This is the big leagues. Armed guards, surrender protocols, de-escalation techniques, how to not get fragged by a sentry that is charged with protecting all personnel and property in their view. This story isn't about my first field op (disaster lol), that's for another day when we want to talk about how to keep moving when you are scared s!@#less.

This mission was straightforward on paper: get onto an installation, get into buildings, and collect as much reconnaissance data as possible. Social engineering heavy. The kind of job where your success depends entirely on how well you can get people to trust you, dismiss you, or just not care that you exist.

I was tagged for the close contact work. Fine by me. I had experience and I was pretty good at it. But this one was going to be rough.

They gave us an assumed identity to work with, and that identity had a name that clearly would not be associated with the personnel around the assessment area. Every kind of mismatch you can imagine. It felt rigged. Like the moment someone challenged it, I was done.

And that was the point.

The customer had engineered failure into our operations. They wanted to see if it would catch us up, if their people would detect and contain us faster because the cover story had holes you could drive a truck through.

I'm not kidding, I F#$%^& <3 Tacos.


The Dismissal Principle

Here is something I learned over a career of walking into places I was not supposed to be: do not try to blend in. Be dismissible.

Most social engineering training teaches you to dress the part. Look like you belong. Badge up, tuck your shirt in, carry a clipboard. That works sometimes. But there is a better play.

If you look at me on any given day, you do not see a threat. You see someone that is maybe a drag on society. Someone not worth your time. Someone you would cross the street to avoid talking to. That is not an accident. That is the cover.

I have found exactly two personas that let you exist in almost any environment without being challenged:

The Skateboarder. After a lifetime of skateboarding I can tell you that nobody cares what skateboarders are doing. I can hang out in any parking lot, outside any building, outside any event. At worst, I am a minor irritation. At best, I am dismissed entirely as someone doing their own thing in the area. For some reason, skateboarders get the pass.

This was so cool to see on site. Most ops are over in seconds once you are on and controls just cascade into nothing. Hack the planet, then a little shred or die, and there was a taco joint up the road. Best. Op. Ever.

This was just a little curb of opportunity on some glassy concrete :)

The Walkman Guy. Put on earbuds and pretend like you are not paying attention. You can drift through a lot of very well monitored security controls because you just get dismissed. You are clearly in your own world. You are not a concern. You are just some person that is on their own trip.

My social engineering strategy was allowing people to dismiss the book because I do not put on a very fancy cover. If you look at me and see someone that you just kinda want to get away from, then I am doing my job. You should see someone that is not worth talking to. That strategy has worked very, very well for me. My plumber get-ups, amazing for this lol.

This was favorable to blending in. When you blend in, you have to know stuff that makes it plausible that you belong in an environment. Posing as utility labor, it can be really beneficial if you can convince the right players to open that gate. I found being a lost idiot gives you way more options if you can improvise effectively and you don't let that pit in your stomach cloud your strategic thinking. It takes practice.

So when I got this rigged identity with every possible mismatch baked in, I did not fight it. I leaned into it. I got dressed in some weirdo clothes that would have made me look suspect in the area and I thought, well, if they want to catch us, let us see how vigilant they actually are.

Spoiler: not very.

We talk about vigilance in security training. We talk about keeping your eyes open, your head on a swivel. But at the end of the day, from my experience, people are just trying to get through. If you have a 9 to 5 and it feels like a 9 to 5, you are not paying attention. It takes a lot of energy just to get through the day. Challenging some weird looking dude in the parking lot is not high on the priority list.


The Taco Truck

This is the part where most people expect me to talk about tailgating through a badge reader or cloning an access card. The tool that gave me all the keys I needed was a taco truck.

It was Southern California. Hot day. I was out canvassing the area, trying to learn the environment and gather open source intelligence, and maybe catch some signal with my backpack RF rig, and this taco truck was driving around the entire area I needed to cover. It went to all the sites. It stopped where people gathered. And I am someone who likes to acknowledge great coincidence when it appears in front of me.

My initial motivator was honestly practical: I did not want to hoof it between sites in the heat or wait for rides. The truck covered the whole AO. But then I started thinking about it differently.

This is a gathering place. It serves food. It moves through the entire operational area. That passed all the targeting checks in my mind. This was a viable collection strategy. It could produce opportunities. And it was going to yield information because of where it operated.

So I needed to get on that truck.

I did not have my skateboard but I had my earbuds. And I know how to do a mean pop lock. I can really get a robot going. So that is what I did. I made my way over to the taco truck and just started bopping and shimmying and acting like a dude that was happy to be outside in the weather. I mean it's SoCal, who wouldn't be?

Team in the bushes burning my spot

Quick pop lock nice to meet ya

and I'm in.

That is when I met the woman who operated the taco truck. We are going to call her Abby.

It was about five seconds before I was talking to Abby. She was a cool lady with Southern California vibes that was just trying to get through her day. I talked to her about her truck. I talked about everything she was selling. We talked about our kids, surfing, the crazy times that SoCal was going through. I had grown up in the area, so I could go more than a couple layers deep. I could talk about fruit and where she got it from. I could talk about the types of burritos she was serving and tell her which ones were my favorites after a day at county line.

This is all rapport building. You take little pieces of information and develop commonalities and establish trust. If you are a social engineer, that trust is the currency you need to move. And it is very perishable, so you have to be smart and careful with what you are doing. I had to make a call: continue the deception... or just see if Abby wanted to get deputized on the team and work behind the curtain for a little bit with us. This is a method, and it works well with people if you understand how to develop the opportunity properly. It worked here. Turns out that when someone with something that breaks the day-to-day baseline comes along, people might be down for some adventure. Also, the faster I can get off the Bu$%sh$% train the better. It's the weakest part of my game 'cause I hate doing that to people... but that's the rules. Do they know the true scope of what's going on? Not a chance. Did something fun and exciting... and a little mysterious happen to them today? Absolutely 100%, and the more real I can make that feel, the more access to information I can gain.

I went over my alias cover with Abby and told her I was part of a team doing something in the area for security. She told me a program she was aware of and I told her we were with that, done and done. I asked if I could just roll around with her and the taco truck. Told her I knew how to use her register and was familiar with that kind of software. I told her that I was hungry and I wanted to surf later, so I would take payment in tacos and she could leave me at a location at the end of her loop that I was familiar with and near my exfil route.

This is the kind of thing that gave me an edge: I was never afraid to roll the dice in situations like that. Because more often than not, I found that people want to be in on it. Once they realize there is a little danger and thrill and it is not connected to anything bad, they want to be part of it.

So I hopped in that truck.



The Line

It turned out to be one of the most effective intelligence gathering operations I ever executed on that team.

People talk in line. They talk about things they should not talk about. Standing behind the glass of a taco truck, you hear everything. I am invisible back there, that walkman just music... couldn't be a sophisticated recording device that's getting everything you are saying.

Locations. Movements. Timelines. Competition plans. Personnel counts. Communications plans... there was a lot that needed discussion over lunch, apparently.

We were able to determine the entire schedule that the different assessment targets were going to follow for the entire operation. All of it. From a lunch line.

This was not a small stakes situation. We were about to start disrupting a major cyber training event that involved a lot of different capabilities and teams outside of cyber. This was a huge payday for us. The taco truck intel allowed us to get ahead of literally every single operation.

People will talk about plans, numbers, resources, assets, challenges, difficulties. Because it is not readily apparent that the person behind the glass is listening and figuring out how to develop a campaign strategy that will ultimately get onto your organization's information security technologies.

This is something I do not think most human beings are actually prepared to defend against. It leans into the things that are the best nature of us: help, cooperation, friendliness. That is what you are up against with a skilled social engineer. Someone who can take advantage of those mechanisms and control those levers does not have a very difficult time getting everywhere they want.


The Weight

It was incredibly challenging to develop that skill set and it is very taxing to use it. Deceiving people to achieve objectives is not something I was ever comfortable with. I cannot wait until it no longer has to be done, but I rarely have to do it anymore. It is part of the job, and if you want to find real weaknesses, you have to be good at it. If you look into my eyes as I am walking through the door to your data center with some boxes, or into your secure facility because I know that you are the one that was going to hold the door for my poor disheveled ass... I am trying to get you to see it.

That is the part nobody talks about in red team war stories. The work is the work. You can make fun out of it. But at the core of the issue, you are exploiting the best qualities of the people around you. Their willingness to help. Their openness. Their trust.

That is not fun work.

But that is how you replicate, simulate, and protect people against real bad guys. Real threat actors that are out there. The only way to find the gaps is to walk through them. The only way to show an organization where it bleeds is to make the cut yourself. And then you spend the rest of the engagement trying to help them close the wound.

The hardest value for me to figure out how to extract without questioning the way I do it. But if someone like me does not do it, someone with worse intentions will. And they will not write a report afterward telling you how to fix it.


The Aftermath

We had such an impact on that exercise that it made the news!
Business Insider: UK Royal Marines dominated US Marines in a desert-battle simulation, prompting them to surrender less than halfway through, report says

There was a reply from the losers as well, but it just sounded like some sore sport stuff. It definitely was not fun to go home and hear it from the other teams lol. You gotta watch your cybers friends, because otherwise all your base belong to me!

I would be remiss if I forgot to mention how much I enjoy working with the Commandos. Great bunch of gents that you want having your six in a pinch.

Three fish tacos. $12. All your operational intel.

Some days the most dangerous weapon on the battlefield is a lunch menu.

Love this spot <3
It's the first thing you see when you put that job location in the rearview mirror.


Pete McKernan is a disabled Marine veteran, red teamer, and founder of the USMC Crochet Club (unofficial). He spent 20 years walking into places he was not supposed to be, mainly because he was lost, and writing reports about what he found and the neat people he met while doing it. He still loves tacos.

This is part of the War Stories series on itsbroken.ai, where we tell the real stories behind the assessments. Names and details have been changed to protect the people who let a dancing stranger onto their taco truck.