“Psssst! Red Team Penetration Testing. Pass it on.” In the classic game of telephone, a participant picks a word or phrase and whispers it to the person next to them, who in turn whispers what they believe they heard to the next person, and so on. Inevitably, the initial phrase morphs from its original form and meaning. Telephone’s hilarity relies on this miscommunication, but the game also illustrates the more serious consequences of how security procedures and safeguards can differ markedly day to day.
Physical penetration testing – also known as Red Team testing – can reveal how personnel actually apply policy. It can showcase best practices, expose personnel or technology that are not properly compliant with policy, and identify gaps in policy that should be remedied. It is like a game of telephone in which a third party arrives to analyze and assess why and how “I hate Mondays” turned into “irate monkeys.”
The Perils of Policy and the Need for Physical Penetration Testing
Executive security leaders can establish conditions for access control or patron screening in policy, but frontline security personnel may apply policy inconsistently for a variety of reasons. For example, personnel may diverge from policy if real-world conditions evolve in a manner that nullifies or complicates policy, revealing gaps in the procedures that leaders had not envisioned. Human application or error is not the only culprit – physical and technical security systems can go rogue in their own ways.
It is this gap – this difference between policy as instructed and policy as practiced – that calls for strategically and consistently testing the integrity of security safeguards and protocols to ensure their presence and conformity with both policy and expectations.
The Definition of a Red Team
One of the most successful and straightforward methods of identifying and addressing the gaps or vulnerabilities between security expectations and actual practice is Red Team penetration testing. Red Team penetration testing:
- Is a covert exercise conducted over time based on real-life scenarios
- Identifies and evaluates points of human, technical and physical security exposure and vulnerability
- Tests security system assumptions relative to prevention, mitigation and response
- Identifies potential attack strategies and sources
- Confirms or reveals limitations and risks
- Facilitates recommendations for remediation and improvement
The Critical Components for Physical Penetration Testing
While physical penetration testing may vary in application, every test should feature the following seven common and critical components. This information is valuable for any client who is attempting to find the best Red Team testing candidate and to determine what to expect from a best-in-class physical penetration test – and it could be helpful if you are a Red Team practitioner yourself.
The assessment focuses on acquiring detailed knowledge about the client, business or facility, and on aligning the dedicated Red Team resources to that knowledge. A review of any recent threat and risk assessments, corporate security policies, and facility design, history and environment serves as the foundation of a Red Team penetration test strategy.
If time and conditions allow, the Red Team should observe firsthand the site and its operations before test implementation. Leaders should determine the Red Team’s members by considering the facility’s policy, history and environment.
Red Team leaders or the organization itself should provide each team member with a tailored checklist, report template, penetration scenarios, props or tools, exit strategies and the client profile well in advance of deployment. The Red Team and client must also agree on the parameters of the test, such as timing, locations, pre- and post-briefings, points of contact, exit conditions and other constraints.
At the heart of the Red Team penetration test is the team’s ability to effectively simulate a compromise, breach, attack or attacker in as many ways and as accurately as possible. Scenarios and their contingencies can be linked to the threat and risk assessment as a means of providing a reality check of existing or planned prevention or mitigation measures. However, as true attackers often capitalize upon unrecognized and unexpected vulnerabilities, creative scenarios grounded in the Red Team provider’s subject-matter expertise can prove to be most illuminating.
Red Team penetration test activities and plans must entail clear communication with the client. However, in order to provide an independent evaluation of the effectiveness of existing security practices and procedures, the Red Team provider must also be granted a degree of autonomy in the scope, tools and techniques deployed.
A qualified third party should be capable of observing a wide range of challenges and breach attempts under various pretexts and under both covert and overt behavioral approaches. This latitude would cover, but not necessarily be limited to, scenario content, the potential use of simulated weapons or contraband, and even the methods of documenting the test, such as photographs or surreptitious/undercover cameras.
Red Team penetration testing is not a game of “gotcha” based on finding holes in a client’s security program or enumerating as many vulnerabilities as possible. The goal is to test the client’s detection, prevention and response capabilities and, as an end result, contribute to the improvement of the client’s security program and mindset. A Red Team penetration test provider undercuts their own value if they excel at discovering gaps and vulnerabilities but fail to effectively share their findings with the client in a way that supports continuous improvement.
The objectivity and balance of a physical penetration test involves recognizing elements of the client’s security program – whether staff, systems or physical protective measures – that perform as expected or beyond. Highlighting successes can validate the theories behind system design, the hours devoted to staff training and the capital expended for physical protective measures, and, by extension, justify directing these same resources toward the areas that need improvement. The exercise should be a critique rather than a condemnation.
Ideally, physical penetration testing is conducted over a specific period of time and involves multiple tests. A single test cannot substantiate or refute whether findings are aberrations or patterns. The greater the number of data points, the clearer the picture detailing preparedness, mitigation and response. Multiple tests over time yield comparative data necessary to identify patterns, lessons learned and chronic challenges.
Malicious actors often predicate their assaults on observations conducted over time designed to spot weaknesses. The longitudinal application of penetration testing takes advantage of this same strategy to benefit the client.
A Red Team penetration test has several reporting points.
- Critical Vulnerability: Rare, and offered only if, during the course of the testing, a major (e.g., life-threatening) vulnerability requiring the client’s immediate attention is discovered. Leadership must document this occurrence and immediately bring it to the client’s attention, even if doing so exposes the test or the testing operatives.
- Pre-Exercise Brief: More standard is the pre-brief, designed to alert the designated client point of contact to the Red Team’s arrival and to receive any necessary updates. Red Team leadership should also offer a debrief report incorporating key findings to the client at the close of each test installment.
- Formal Report: A formal written report should follow within a few days of each completed test. The formal report should succinctly capture and quantify the results, provide documentation (e.g., photos, video and other evidence), link findings to conditions identified in the assessment phase, identify the client’s strengths and areas for improvement and, after a series of tests have been conducted, address trends and patterns.
As security departments come under more pressure to ensure proactive physical and technical security controls, practices and protocols, it is critical that they know, not assume, that their policies are implemented as intended and how their organizations fare against those who may wish to do harm. If vulnerabilities are going to be found, isn’t it better that they be found by an ally and trusted advisor than by an opponent?