Real-Life Encounters of Physical Pen Testers Produce Valuable Outcomes
Written by
Diana LaValle
RedTeam Security physical pen testers know that even with the most solid operational plans, every physical security engagement presents a level of unpredictability. Hear the harrowing experiences of our assumed villains, played by Jon and Brian of RedTeam Security, as chronicled by Darknet Diaries' own Jack Rhysider. Listen as their operations unfold into a series of carefully crafted attacks and become an epic cat-and-mouse game. Jon and Brian undertake wildly ambitious and incredibly complex activities intended to reveal opportunities for a potential real-life showdown between good and evil: a heavily defended company against a would-be attacker.
Listen now to hear Episode 95 and find out if Jon and Brian are detected and eventually caught or if they can outmaneuver their adversary and achieve their assigned objectives. The example events discussed in this episode not only reveal the unexpected challenges of such simulated physical attacks, but provide a better understanding of why organizations engage professionals like RedTeam to perform such an undertaking. Without giving the ending away, here are just a few important discoveries from this podcast that will help any company when considering or planning for their next physical pen testing engagement:
Reconnaissance and OSINT are critical. Even if the team is "caught", the security analyst and the client will learn things.
Information on company websites, Google Maps, social media and other publicly available sources may create vulnerabilities.
Sometimes things change from recon to execution - plan for the unexpected.
Planning is key, to make sure all the tools and equipment are available for the potential methods being employed. There may still be additional things needed (e.g., a new rental car, locally branded clothes, tools).
Make sure that each security consultant has a physical copy of a signed letter of authorization with contact information for the authorized contact at the company; it might be needed.
For physical breaches in remote buildings or during non-business hours, have the client notify law enforcement. In cases where another company abuts the property and that company has its own security/police department (e.g., colleges or other high-security companies), have the client notify these organizations as well.
Keeping the number of people who know about the engagement to a minimum allows for evaluation of realistic reactions to the engagement activities.
After recon/OSINT, the red team will put together a plan that the client will review and approve. Of course, it may change, but it will include the anticipated methods, actions, timing and pretexts.
Regular communication with the client contact during recon and execution helps ensure the safety of everyone involved.
Clients that actively monitor both recon and "live action" may learn more than what is in the final report, for example:
What can be seen on camera; there may be areas that should be on camera and are not.
How staff react to alarms, monitors, seeing "suspicious" activity, and social engineering attempts.
Areas of additional training may become evident after a physical security engagement.
Security strengths will also be identified, showing what the team(s) are doing well.
Security camera blind spots: without active monitoring, the analyst/client will not know whether the team was not visible on camera or whether the security staff simply missed it.
No matter how well defended one aspect of security might be, companies are still vulnerable to an attack without a layered and diversified security plan covering all facets of risk.
Having doors and gates installed correctly is critical.
Keys to secure locations should be kept in secure locations. If they are kept in a less secure location, what they unlock is less secure.
For areas where critical equipment and security systems are located, make sure that doors are fitted properly and that cameras are pointing at the main vulnerable locations (e.g., if there is an alarm on a door but security cannot see on the cameras that it was opened, the alarm may be ignored).
Locking/barrier solutions from well-known vendors usually have methods or keys to bypass the solution.
Security systems, cameras and alarms that are not engaged or activated may as well not be there.