The human factor and simulated intrusion
Social engineering is an important aspect of red teaming and involves manipulating people to gain access to information or physical access to a building or area. It is one of the most common techniques threat actors use to gain initial access to an IT system, and it is usually faster and harder to detect than the direct forcing of entry used in physical penetration testing. The tests are carried out using spear phishing, which can involve, for example, tailored emails or phone calls to key people in the organization.
How secure are door locks when the employee holds the door open?
Social engineering can also be used in combination with physical penetration testing, a method for evaluating the security of a site or building by simulating a physical intrusion. Shell protection (perimeter and building security) is an important part of an overall security strategy for companies, authorities and other organizations that want to protect their assets, data and personnel, but unfortunately it is not validated to the same extent as IT systems.
To make this visible, the testing team can try to abuse the trust and helpfulness that we humans show each other, for example by slipping in behind an authorized employee as they pass through an entrance door or into a restricted area. In the cybersecurity industry this is known as ‘tailgating’. Another common method is simply to persuade the authorized staff to let the red team in by pretending to be authorized. Obviously, sensitivity is needed so as not to damage the staff’s trust in the employer or make them feel deceived. The debriefing should therefore also include the staff who have been in contact with the red team.
Helpful employees can become unsafe employees
Combining social engineering and physical tests is an effective attack vector, especially in countries or companies where there is a culture of helping each other with problems or where it is considered rude to question others, particularly in certain professions or roles with authority. These include managers, of course, but also service personnel who are on site to do a job and often have expertise in a particular area, such as air conditioning, electronics or other technical fields. Another important role is that of supervisory bodies that have, or could have, a mandate to carry out inspections of operations, both scheduled and unannounced. These roles make excellent pretexts in such a test for gaining access to restricted areas of buildings, for example by telling staff that an air quality inspection will be conducted in the server room.
When should the red team stop the intrusion?
To define when the test is over, one or two different goals are set. Access to the server room is sometimes used as an overall goal for the red team because it can be seen as the core of the business and the most worthy of protection in many organizations. Other targets may be the office of the CEO of the organization, or other areas where critical information may be located.
Often, the external perimeter towards the internet has been secured, but the physical security of devices is of course also a critical attack vector. Such devices, for example an administrator’s unlocked computer in the open-plan office, can therefore potentially be exploited to bypass security. In general, as few restrictions as possible are placed on the scope of authorized targets, but there are often one or two servers with a more business-critical function whose availability must not be affected by the test under any circumstances.
Of course, other methods are also used to enter protected areas; lock picking is a common technique for forcing door locks. There are also both professional tools and, nowadays, common consumer products (such as the Flipper Zero pictured above) with functions for bypassing digital locks, including RFID cloning, where the access cards of authorized personnel are copied. Some doors may even be left unlocked unintentionally, either through staff carelessness or a lack of procedures.
This type of physical intrusion can be carried out either during off-hours when staff are absent or during office hours, often supported by social engineering since staff are on site and may observe the simulated attack. The test is conducted at the time of day that the red team, during the information-gathering phase, judges to have the greatest potential for successfully penetrating the sensitive areas, and the organization often wants to test both scenarios during the same engagement to compare the results.
How the results of the breach are compiled
Once inside the sensitive areas, infrastructure tests can be carried out, for example by connecting to physical devices, and the work of exfiltrating different types of information begins, for example by photographing sensitive documents and copying data from computers and servers to the red team’s own storage media. All the information gathered is compiled together with the discovered vulnerabilities and presented in a detailed report that is shared after the test is completed. Critical vulnerabilities are usually reported immediately to protect the customer; these can be technical vulnerabilities as well as weaknesses in the shell protection.
Why red team tests?
Red teaming is an important part of testing the organization’s security by simulating a threat actor’s attack methods, and is based on the organization’s threat landscape and threat perception. Physical penetration tests and social engineering are two important aspects of red teaming, but a comprehensive OSINT investigation is always necessary to build a more comprehensive picture of the organization’s security awareness.
By using and combining several different attack vectors, the organization can identify additional gaps in its security that are typically not picked up by traditional penetration tests. The combined tests have proven to be an effective way to show the exposure of the organization, and have therefore become very popular in the United States in particular, where governments and companies are at the forefront of security culture.
Which organizations can use a red team?
Red team tests are also becoming more common in Sweden as authorities and companies realize the resources, competencies and motivation of current threat actors: state actors can collect information over several years and even conduct prolonged low-intensity operations in an attempt to penetrate the organization. Organizations facing a very high threat level should therefore carry out this type of validation continuously through recurring tests. Red team tests are suitable for all organizations in socially important activities, such as authorities and municipalities, the energy industry, the banking system and companies producing and transporting important goods such as food and pharmaceuticals.
The IT security landscape is constantly changing, and continued efforts are required to raise awareness of exposure, identify security gaps and raise the threshold for intrusion. We can of course help you with that!