Red Team Diaries: Physical
(To protect the identities of those involved, this article is a dramatization of events taken from a mixture of engagements.)
Somewhere in Europe, the clock strikes five. It’s raining hard, and an HR consultant has finished work for the day at his client’s office. He carefully tidies the desk he’s been using, then wishes the few other workers present a good weekend. He takes his client-loaned laptop to a small IT room adjacent to the main lobby, using a temporary key card to enter. He closes the door and, after dropping the key card into a mailbox in the lobby, is ready to leave.
Freezing rain hammers on the lobby windows. The contractor holds the glass door open with his foot, trying to open his umbrella without getting his suit wet.
"Let me get that for you," a voice says from the other side of the umbrella. It's a man, dressed quite casually, who leans in to hold the door. "And have a nice weekend."
The man pulls the door fully open, smiles, and brushes past into the lobby. The contractor smiles back automatically, barely registering the interaction, and walks towards his car, his mind already on dinner and the weekend ahead.
Not everyone trying to access a lobby is an attacker, but employees and security teams need to be aware that malicious individuals do exist. Holding the door open indiscriminately and allowing unfamiliar people to ‘tailgate’ should be discouraged.
The red teamer
It can happen to anyone. I'd been shadowing the contractor going in and out for weeks. I knew exactly when he would be leaving. I'd also phoned the reception desk to ask whether I could have a parcel delivered there. I'd asked who would be there to receive it and when I could come to pick it up. More importantly, when couldn't I come to pick it up? When was the lobby unstaffed?
I had one goal: to break through the client’s physical security, acquire a laptop, and penetrate the restricted network to access high-value intellectual property.
Ensure that employees, especially public-facing employees like receptionists and security guards, understand what kinds of uncontrolled information can be useful to attackers so that they can exercise their own judgement when answering questions like those described here.
My name is Tom, and I’m a red teamer. I test clients’ readiness to prevent, detect, and respond to cyber attacks. A red teamer is like a boxer wearing pillows on their hands instead of gloves; red teamers simulate an attack without doing any damage, but with the same stakes. This helps clients to find and fix the gaps in their defenses so that they are ready when they are attacked for real.
This story is about my work with a financial entity, which owns custom-developed trading algorithms and workflows designed to predict trends in certain markets. In the hands of a financially motivated adversary, this intellectual property could potentially make millions, and competing organizations could save years in research and development.
So, that Friday afternoon I was sitting in my car, packing my laptop bag with the compact toolkits I needed for the physical break-in. The HR contractor left dead on time every Friday—sometimes, routine is the enemy. Around 16:55, I locked up and approached the building, walking slowly until I saw him through the glass doors. The moment he stopped to open his umbrella, I knew I was in.
With my laptop bag hanging from my shoulder, I walked directly to the key card mailbox. It was the kind available from any standard retailer, making replica keys easy to obtain. I hadn’t bothered to find one though: I could open those simple locks on my own.
I turned my back to the CCTV cameras, making sure my hands were out of view, and slipped a lock-picking tool, a jiggler key, into the lock. I moved it gently. The mailbox opened.
The mailbox was full of access cards that had not yet been deactivated for the day. I slid them into my inside jacket pocket and walked to the IT room that I had seen the HR contractor accessing. The first key card I took out of my pocket unlocked the door.
Temporary key cards should be deactivated automatically after a certain date or time. They should then be stored in a deposit box that is reinforced and can only be accessed from a room that is not a public area and is not directly accessible from the lobby. Some organizations will even automatically blank the card as soon as it is deposited into the safe box, but even deactivated cards can be of use for an attacker if sequential employee or card numbers are used on them.
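The three controls in that note (time-based expiry, immediate blanking on deposit, and non-sequential card numbering) are easy to get wrong in an access-control system, so here is a small illustration of how a door controller and badge-issuing process might enforce them. This is an added example written for this article; it is not code from the engagement or from any real access-control product, and the nine-hour lifetime, the card-number range and the Friday timestamps are constructed assumptions.

```python
"""Temporary-badge lifecycle (added example, not from the original article):
auto-expiry, blanking on deposit, and a check for sequential card numbering."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: a temporary card lives for one working day after issue.
TEMP_CARD_LIFETIME = timedelta(hours=9)


@dataclass
class Card:
    number: int
    holder: str
    issued_at: datetime
    expires_at: datetime
    temporary: bool = True
    revoked: bool = False


def issue_temporary_card(holder: str, issued_at: datetime) -> Card:
    """Issue a card whose number is random, so one leaked card says nothing about its neighbours."""
    number = secrets.randbelow(10 ** 8)  # assumed 8-digit card-number space
    return Card(number=number, holder=holder, issued_at=issued_at,
                expires_at=issued_at + TEMP_CARD_LIFETIME)


def authorize(card: Card, now: datetime):
    """Door-controller decision: a revoked or expired card is denied wherever it physically is."""
    if card.revoked:
        return False, "revoked"
    if card.temporary and now >= card.expires_at:
        return False, "expired"
    return True, "ok"


def deposit_card(card: Card) -> None:
    """Blank the card the moment it goes into the drop box, not at the end of the day."""
    card.revoked = True


def end_of_day_sweep(cards, now: datetime):
    """Scheduled job: revoke every temporary card past its expiry; returns the numbers it revoked."""
    swept = []
    for card in cards:
        if card.temporary and not card.revoked and now >= card.expires_at:
            card.revoked = True
            swept.append(card.number)
    return swept


def looks_sequential(numbers, threshold: float = 0.5) -> bool:
    """Flag a batch of card numbers if at least `threshold` of the sorted gaps are exactly 1.
    Sequential numbering lets an attacker guess valid cards from a single deactivated one."""
    ordered = sorted(set(numbers))
    if len(ordered) < 2:
        return False
    unit_gaps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return unit_gaps / (len(ordered) - 1) >= threshold


def demo() -> dict:
    """Walk through a constructed Friday: a card used at 16:00, tried at 17:05, and one deposited early."""
    friday_8am = datetime(2024, 3, 15, 8, 0)  # constructed date
    contractor_card = issue_temporary_card("HR contractor (constructed)", friday_8am)
    results = {
        "midday": authorize(contractor_card, friday_8am + timedelta(hours=8)),
        "after_hours": authorize(contractor_card, friday_8am + timedelta(hours=9, minutes=5)),
    }
    visitor_card = issue_temporary_card("visitor (constructed)", friday_8am)
    deposit_card(visitor_card)
    results["deposited"] = authorize(visitor_card, friday_8am + timedelta(hours=1))
    results["swept"] = end_of_day_sweep([contractor_card, visitor_card],
                                        friday_8am + timedelta(hours=10))
    return results


if __name__ == "__main__":
    print(demo())
    print("sequential batch flagged:", looks_sequential([1001, 1002, 1003, 1004]))
```

The point of `authorize` is that expiry is enforced by the controller from the issue timestamp, so a card still sitting in an unattended mailbox is worthless after hours whether or not anyone remembered to deactivate it. `looks_sequential` is the kind of check a badge administrator can run over an issued batch before it goes live.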
The HR contractor had left his laptop on the closest table. I felt a pang of excitement. I already knew exactly what laptop models the organization used; I had seen them front and center in corporate videos and under the arms of the workers moving through the building’s lobby. Over the last few days I had researched the potential weaknesses those models have. It pays to be prepared.
Showing any internal information can help an attacker to plan their attack. This includes:
- What kind of phones and laptops are in use
- How access cards are used
- What the offices look like on the inside
- What physical keys look like (as they can often be reproduced from photos)
- Where the entrances and exits in the building are
- What information ID cards contain
- What computer applications are frequently used
- What appliances and wireless gear are in use
- Which external services the company uses, such as for building security or cleaning.
Organizations cannot hide all this information, but they should understand how attackers may use it to enable their actions.
The HR contractor's laptop went into my bag, along with a second, different model (just in case). I left the room, posted the stolen key cards back into the mailbox to avoid raising an alarm, and strolled from the building. Easy.
Read the next installment of this Red Team series ‘Episode 2 – Cyber’ here.