Your Guide to Red Team Physical Security Assessments

Author: Matt Hulse

In the world of cybersecurity, red team physical security assessments are often overlooked in favor of more cyber-focused exercises. However, the two are more interconnected than you might think.

At Millennium Corporation, our philosophy is anchored around the concept of full-spectrum operations. This means our red team assessments normally contain a physical security aspect in the hopes of maximizing the potential for impactful cyber effects. For example, during an assessment, our operators may attempt to physically infiltrate a server room in order to compromise the target organization’s network. This tactic is especially useful for “air-gapped” systems or networks.

We have embraced this approach because we have seen first-hand through hundreds of assessments that physical security enables cybersecurity and vice versa. And the industry agrees. Over one-third (36%) of IT and security professionals planned to invest in cybersecurity-related tools to improve physical security in 2023. 
 
But what exactly is a red team physical security assessment and how do you go about setting one up? Keep reading to find out.
 
 

What Goes into a Red Team Physical Security Assessment?

 
A good red team physical security test should be tailored to meet the specific objectives and requirements of its target environment. And while no two facilities are alike, there are several steps and considerations that can make the assessment much more productive and worthwhile for the customer.
 

First, it’s important to identify your objectives. Physical security is more than a compliance box to be checked off. Instead, you should view the physical security assessment as a part of a larger cyber assessment that is designed to meet your specific goals and expectations. For example, maybe you’re looking to validate the security of your current credentials system by seeing if the red team operators can bypass the need for a physical ID or biometrics to gain access to critical infrastructure or key facilities.

 

Once the objectives of the assessment are defined, the red team should conduct reconnaissance exercises to better understand their target. This is similar to the steps required for a cyber assessment. The more you know, the more effective your assessment will be. This includes examining the company’s “patterns of life” and third-party vendors to understand their roles at the company as well as the tools and processes they use as part of their everyday responsibilities. All of this reconnaissance feeds directly into the planning phase.  

 

During this phase, the red team should begin planning out their attack and identifying the different engagement points through which they want to evaluate their target. This also includes the different strategies they plan to use during the assessment, such as social engineering (showing up in person or calling over the phone), leveraging cyber tactics to surreptitiously add their operators to an access list, and so on. It’s crucial to coordinate your plan with the appropriate stakeholders as well as legal authorities. This not only ensures that the operation can continue if the red team is stopped or apprehended, but more importantly, it helps to ensure the safety of the team itself.

 

Next comes the execution phase, which is the red team physical security assessment itself. During this phase, the red team will attempt to breach the target facility using previously agreed-upon methods. Staying within those agreed-upon methods is a critical aspect of the execution phase, as the red team will need to abide by standard safety practices, rules of engagement regarding behavior, and other physical security precautions. This is also the stage at which operators will collect evidence on what they did during the assessment. This evidence is then used during the final reporting stage to help provide future-looking mitigation recommendations and recognize where the target security team performed well.

 

Red Team Physical Security Best Practices

 
While each red team physical security assessment is unique, there are a few best practices that we like to recommend.
 
 
  • Limit Excessive Read Ins: While it’s important to notify the appropriate authorities and select stakeholders ahead of a red team physical security assessment, we suggest limiting that circle as much as possible. Red teaming is most effective when it mimics real-life adversarial techniques, so practicing discretion ahead of the assessment helps to preserve its value by testing the authentic responses of your employees in real time.
  • Keep Your Results Confidential: Likewise, we recommend that clients not talk publicly about the details of their red team physical security assessment after it has been completed. Even if the team performed well, sharing the details of your assessment gives bad actors a clear view of your current defenses and where potential weaknesses may lie. However, that doesn’t mean that you shouldn’t share results with your internal team, executive leadership, or board of directors, as doing so is critical for strengthening security measures moving forward.
  • Treat the Assessment as a Growth Opportunity: The purpose of a red team physical security assessment is to be helpful and informative, so treat it as a growth opportunity rather than a punitive audit! At Millennium, we always offer a debrief and report after the assessment has concluded to help our clients understand how we infiltrated their facility and what they could have done differently to stop us.
  • Know When an Assessment Makes Sense for You: Red teaming involves a significant amount of preparation and resources, and starting off with a full-blown physical security assessment isn’t always the right move. Sometimes companies need time to evaluate their own physical security defenses and establish standard procedures before they’re ready for an outside assessment. In this case, a tabletop exercise can be a really effective way to rehearse hypothetical scenarios and the appropriate responses before jumping into a red team physical security assessment.
 
Ultimately, holistic security programs should encompass technology, people, and facilities. By testing physical security using a red team in conjunction with cyber defenses, organizations can gain a more complete understanding of their current strengths and weaknesses. 
 
Want to learn more about our Red Team services? Contact Millennium today to see what we can do for you!

 

 

 

 

Penetration Testing vs. Red Teaming—What’s the Difference?

Author: Matt Hulse

Penetration Testing and Red Teaming are two critical aspects of cybersecurity testing. Although they might seem similar, they serve different purposes and therefore require unique approaches. This article dives into these distinctions, providing insights to help you incorporate both strategies into your organization’s cybersecurity testing program.

 

The need for cybersecurity testing services like Penetration Tests and Red Teaming is on the rise. Initially valued at $1.62 billion in 2021, the global Penetration Testing market is expected to grow at a CAGR of 13.9% over the next seven years, eventually reaching $4.84 billion by 2030. There are multiple factors driving this trend, including an uptick in ransomware attacks; the ever-shifting regulatory landscape; and the rising popularity of IoT, smartphone adoption, and cloud-based services.

 

What Are Penetration Testing and Red Teaming?

 
Penetration Testing, or “Pen Testing,” involves simulated cyber attacks on a computer system to identify vulnerabilities that real attackers might exploit. There are two main types of Penetration Tests:
1. Manual Penetration Testing: Security experts with specialized experience in Penetration Testing actively explore your systems, software, and hardware to detect vulnerabilities, and then exploit those vulnerabilities to demonstrate the risk.
2. Automated Penetration Testing: A toolset of largely automated scanning and exploitation frameworks scans your environment for common vulnerabilities, such as missing or frequently used passwords. Automated Penetration Testing is a good strategy to incorporate into CI/CD environments to rapidly and automatically test software as part of the deployment lifecycle.


Penetration Testing vs. Red Teaming

By contrast, Red Teaming takes a broader perspective. While Penetration Testing focuses on breaking into specific systems, Red Teaming simulates a full-spectrum attack on your organization. It’s a realistic stress test that considers the human factor, organizational behaviors, physical security, and more. Red Teamers look at potential business impact rather than merely breaching the system.

4 Key Differences Between Penetration Testing and Red Teaming

 
Objective: Penetration Testing aims to find and exploit vulnerabilities within specific systems, whereas Red Teaming assesses overall security, including human elements and business impact.
 
Scope: Penetration Testing usually has a defined scope, focusing on technical vulnerabilities. Red Teaming, on the other hand, evaluates broader aspects of the organization, sometimes using non-technical means.
 
Methodology: Pen Testing can be manual or automated and typically follows a set pattern. Red Teaming is more flexible, often employing unconventional methods to simulate real-world threats.
 
Outcome: The success of a Pen Test is measured by the vulnerabilities uncovered and exploited. Red Teaming measures success by the broader understanding of organizational risk and potential business impact.
 
At Millennium Corporation, we emphasize real-world experience across all our Red Team operators. Our tailored solutions consider your unique cybersecurity requirements. Whether you need in-depth Penetration Testing or comprehensive Red Teaming, our expertise ensures a thorough review of your organization’s cybersecurity defenses.
 
Want to learn more about our Red Team services and additional cybersecurity solutions? Contact our team today to see how we can help you create a more secure operating environment.
 

 

 

 

 

 


5 Ways to Improve Your Next Red Team Attack Simulation

Author: Matt Hulse

Cybersecurity is an ever-evolving business. New attack vectors are emerging every day, and cybercriminals are constantly looking for novel ways to evade current detection methods. According to research by Check Point, firms faced an average of 1,248 attacks each week from January to March 2023—marking a 7% increase compared to the same period last year.

For enterprise businesses, this creates a pressing need to strengthen existing defenses in the event of a security breach. That’s where Red Team Simulations come in.

Red Team Attack Simulations offer a comprehensive way to test your current defense, detection, and response capabilities in a highly realistic environment. By simulating how an adversary would move throughout your organization during a real attack, security teams can stress-test existing defensive protocols while also developing a deeper understanding of how attackers would target and exploit your environment. 

So, what goes into a successful simulation?

Key Elements of an Effective Red Team Attack Simulation

 
 Our Red Team services incorporate a range of well-known and advanced tactics, techniques, and procedures (TTPs) to simulate threats from common cybercriminals as well as more sophisticated threat actors like nation-state-sponsored attackers. This delivers a more realistic experience to internal security teams, ultimately preparing them for real-world threats. 
 
Below are some of our top tips for conducting an effective Red Team Attack Simulation:

 

  1. Limit people in the know. The fewer people who know the assessment is underway, the more realistic and accurate the results. With a Red Team Simulation, we’re testing your ability to not only prevent an attack but to also respond to it. Leverage a small number of “trusted agents” who are read in to the assessment, but don’t let your defensive teams know. This way, their responses can be assessed as a true and accurate depiction of their ability to defend.
  2. Have an objective. With penetration testing, the goal is to prove that vulnerabilities can be exploited. The potential risk of that exploitation is often left to the imagination. In a Red Team Attack Simulation, the goal is different. Exploitation of vulnerabilities enables the threat actor’s true objective. What is that objective? Is it to steal proprietary information? Is it to deploy ransomware? Create a persona to represent the simulated threat and let it serve as the guide for your Red Team.
  3. Establish clear rules of engagement for the simulation, but don’t handcuff the team. Your organization relies upon your information systems to operate. While a determined adversary has no rules in terms of their activities, it is important to establish clear rules of engagement that define systems, networks, facilities, and personnel that are either in-scope or out-of-scope. An effective Red Team Simulation needs to operate as closely as possible to the way the threat actor you’re attempting to emulate would. This includes targeting users in your environment. Human error is one of the most common causes of security breaches. Forty-three percent of people have made mistakes at work that compromised cybersecurity, and 85% of data breaches are caused by human error.
  4. Consolidate learnings to improve future detection and response. After your simulation is complete, it’s important to conduct a post-mortem to evaluate what went well and where there is room for future improvements. Many Red Team providers already include this in their services, but if you’re planning on conducting a Red Team Attack Simulation in-house, this step is a critical part of ensuring future security benefits.
  5. Don’t grow complacent. Finally, Red Team Simulations are an ongoing endeavor, and security teams will need to continually test their defenses if they hope to keep up with the rapidly evolving pace of cybercriminals. When creating a defense plan for your organization, be sure to incorporate periodic Red Team Attack Simulations to regularly evaluate current security protocols and identify any potential weaknesses. As you develop a deeper understanding of the threats to your environment, leverage alternative personas to simulate different attack objectives and continue to improve your defenses.

Ready to learn more about Red Teaming and what you can do to strengthen your cybersecurity skills? Check out our Millennium Red Team solution to learn how you can better secure your cyber and physical assets alike.