Warren Butterworth

Understanding the 'Physical' in Red Teaming


Exploring the vast landscape of Red Team training through a simple Google search reveals a plethora of courses and comprehensive documentation covering the various aspects of Red Team engagements. These resources typically delve into the intricacies of cybersecurity, penetration testing, and simulated attacks on digital infrastructure. Amidst this wealth of information, however, one gap is noticeable: the scarcity of training material that focuses on the 'Physical' dimension of Red Teaming.



Addressing physical vulnerabilities is essential for organisations seeking a comprehensive understanding of their overall risk landscape. A successful Red Team must be capable of simulating not only cyber threats but also real-world, physical breaches that could compromise an organisation's security posture.


Recognising and addressing this gap is therefore essential for producing well-rounded Red Team professionals who can assess and fortify an organisation's defences comprehensively.


What is Physical Penetration Testing?

Physical penetration testing, also known as physical security testing or red teaming, is a type of security assessment that focuses on evaluating the effectiveness of an organisation's physical security measures. Unlike traditional penetration testing, which primarily examines digital systems and networks, physical penetration testing involves testing the physical security controls that protect a company's premises, assets, and personnel.


Considerations

Doing any physical testing requires a thorough pre-engagement phase, often carried out as part of a larger Red Team pre-engagement. In my opinion this is the most important phase, as you need to identify the needs and objectives of the organisation. Some aspects you need to cover in this phase are:

  1. Scoping

  2. Rules of engagement

  3. Cost

  4. Duration

  5. Threat Profile/planning

  6. Authorisation


Planning and executing a Red Team engagement involves several crucial considerations beyond the scope of the above list. It requires a meticulous approach, with an emphasis on identifying specific goals and objectives that align with the organisation's security concerns. Taking the time to define these goals is paramount, as it sets the foundation for a focused and effective Red Team exercise.


During this phase you will be able to understand the risks an organisation faces and discuss their cost/duration needs to determine the type of testing you will be able to undertake. Any 'Physical' testing will need to be discussed in depth and explicit authorisation given. A red team could last for a prolonged period of time and could include multiple testers, travel expenses, etc.


Threat Profiling

A threat profile in cybersecurity is a comprehensive analysis of potential risks and vulnerabilities that an organisation may face. It includes identifying and assessing various threats, such as malware, phishing, insider attacks, and other cyber threats, along with understanding the potential impact and likelihood of these threats.


Building a threat profile involves the systematic examination of these aspects related to potential threats, including:


  • Adversaries: Identifying and understanding potential adversaries who might target the system, such as hackers, competitors, or even insider threats.

  • Attack Vectors: Analysing the different ways adversaries could potentially exploit vulnerabilities. This includes understanding common attack vectors like phishing, social engineering, malware, and more.

  • Tactics, Techniques, and Procedures (TTPs): Examining the specific methods and strategies that adversaries may employ during an attack. This helps in creating realistic scenarios for testing the system's defenses.


By creating a threat profile, red teamers can simulate realistic scenarios based on the identified threats, allowing organisations to assess and improve their security measures effectively. The goal is to provide insights that can help the organisation enhance its overall security posture and resilience against potential cyber threats.


Emulating the threat

Once a threat profile has been established, it is the Red Team's job to emulate that threat against the in-scope targets. The threat being emulated determines whether Physical Testing is carried out at all. Threat scenarios that would call for Physical Testing include tailgating, theft, malicious employees, vandalism, etc.


Tradecraft

Each threat identified in the Threat Profiling process comes with its own "Tradecraft", representing the Tactics, Techniques, and Procedures (TTPs) identified and to be simulated. Red Team members typically build and apply their own tradecraft while also incorporating practices commonly used in covert operations and by the security services; often these practices are drawn from the Intelligence community. Refining these skills over time becomes crucial in determining the success or failure of an engagement. The team you employ to provide your Red Team engagement should be comfortable in knowing and applying this "Tradecraft".


What skills do I need to learn?

These are not in any particular order, but I believe you need to be competent in these areas.


  1. Social Engineering - I believe this area is significant. Social engineering for 'Physical Testing' involves the ability to confidently navigate conversations, persuade and influence individuals, or elicit information from them. You need to be comfortable looking people in the eye and using deception to obtain what you need or where you need to go. For some, this might prove difficult depending on your social skills.

  2. OSINT - Using multiple different sources for information gathering, including online, surveillance (following employees to find their local pub), public records, or even dumpster diving (not had to do this yet!). Gathering as much intel as possible to aid in your breach. This could include floor plans, access badges, entry points, hours of operation, their IT company, their electric company, etc.

  3. Tooling - This relates to multiple different areas, but some would include label makers for access cards, RFID stealers, lock picks, dropboxes, USB devices, covert cameras, comms, Wi-Fi, keyloggers, etc.

  4. Props - Disguises, Uniforms, Fake passes. As discussed in more detail below you need to be comfortable putting on steel toe cap boots, hard hats, and wearing clothes covered in building dust or a full business suit with a briefcase. The use of props can often get you around the most robust security. Just google 'Trying to get access anywhere just carrying a ladder' and you will find multiple videos of people doing just that.

  5. A little bit of creativity - I put this in as sometimes you need to get creative. By that I mean have a good 'Pretext' or 'Cover Story': who you are going to be, what you are there for, and what you are going to say. For example, it's summer, so maybe you pretend to be there to check the air con. You would of course already know the company they use (maybe there is an inspection sticker on the device), and you would be wearing work gear (service personnel do not usually wear a polo and jeans): hi-viz, boots, hard hat. Not brand new and just purchased from Amazon; dirty these up, or if you have a friend in the trade ask for an old one (I use my son's as he is an electrician). Have a pretext: what are you there to do, who is your boss, and have a telephone number ready for them to call your boss (in this case another team member).



How do I learn Physical Penetration Testing?

Unless you are in law enforcement or the military, training for physical engagements can be very costly and often involves bespoke training packages put together by former law enforcement or military professionals.


Engaging in the environment of an active Red Team also presents a unique and invaluable opportunity for skill development, allowing individuals to refine their capabilities through real-world testing, often alongside seasoned and experienced members of the team. This hands-on experience goes beyond theoretical knowledge, offering a practical and immersive learning environment that is instrumental in gaining expertise in the field.


Participating in information security (infosec) conferences, such as the renowned Defcon, can prove to be a valuable asset for individuals seeking to broaden their skills in the field. These conferences go beyond traditional learning settings by offering a dynamic and immersive environment that includes specialised areas or villages dedicated to various aspects of cybersecurity, including Physical Testing and Lockpicking.


Some of the team learning new skills at Defcon


Infosec conferences serve as vibrant hubs for cybersecurity professionals, enthusiasts, and experts to converge, share knowledge, and explore cutting-edge developments in the field.


Social Engineering Village at Defcon


Closing Notes

I trust that this post has provided you with a clear understanding of the fundamental concepts behind Physical Penetration Testing.


Physical Testing may not be suitable for everyone. Some individuals find it challenging to interact with others or experience profuse sweating when tasked with walking into a building alone, assuming a different persona.


If you are new to Physical Testing, develop confidence by engaging in conversations with people in your vicinity. Initiate discussions with strangers and set small challenges for yourself to accomplish. This practice will contribute to building your confidence. Additionally, read books on the subject, including those on Human Hacking, Persuasion, and Influence.


Having previously run many successful engagements, I am always learning and looking for new techniques, while keeping my current skills fresh. I will be attending Defcon 32 with the OmniCyber Security Red Team again this year to hopefully pick up some new skills. I have also recently had the privilege of attending bespoke training with ex-military/law enforcement who specialise in overt and covert methods of entry. This bespoke Physical training included surveillance exercises, anti-surveillance, comms, dress & mannerisms, and cover stories.


As a disclaimer, I strongly advise against practicing any techniques mentioned in this post on any organisation or individual without the full authority to do so. Engaging in such activities could potentially lead to legal repercussions and trouble with the authorities.


If you would like more information on this type of testing or wish to explore how our team can assist you in achieving your objectives, please don't hesitate to contact one of our team members at OmniCyber Security.




