Your Guide to Red Team Physical Security Assessments
Author: Matt Hulse
In the world of cybersecurity, red team physical security assessments are often overlooked in favor of more cyber-focused exercises. However, the two are more interconnected than you might think.
At Millennium Corporation, our philosophy is anchored in the concept of full-spectrum operations. This means our red team assessments normally contain a physical security aspect in the hopes of maximizing the potential for impactful cyber effects. For example, during an assessment, our operators may attempt to physically infiltrate a server room in order to compromise the target organization’s network. This tactic is especially useful for “air-gapped” systems or networks.
What Goes into a Red Team Physical Security Assessment?
First, it’s important to identify your objectives. Physical security is more than a compliance box to be checked off. Instead, you should view the physical security assessment as part of a larger cyber assessment that is designed to meet your specific goals and expectations. For example, maybe you’re looking to validate the security of your current credential system by seeing if the red team operators can bypass the need for a physical ID or biometrics to gain access to critical infrastructure or key facilities.
Once the objectives of the assessment are defined, the red team should conduct reconnaissance exercises to better understand their target. This is similar to the steps required for a cyber assessment. The more you know, the more effective your assessment will be. This includes examining the company’s “patterns of life” and third-party vendors to understand their roles at the company as well as the tools and processes they use as part of their everyday responsibilities. All of this reconnaissance feeds directly into the planning phase.
During this phase, the red team should begin planning out their attack and identifying the different engagement points through which they want to evaluate their target. This also includes the different strategies they plan to use during the assessment, such as social engineering (showing up in person or calling over the phone), leveraging cyber tactics to surreptitiously add their operators to an access list, and so on. It’s crucial to coordinate your plan with the appropriate stakeholders as well as legal authorities. This not only ensures that the operation can continue if the red team is stopped or apprehended, but more importantly, it helps to ensure the safety of the team itself.
Next comes the execution phase, also known as the actual red team physical security assessment. During this phase, the red team will attempt to breach the target facility using previously agreed-upon methods. This is a critical aspect of the execution phase, as the red team will need to abide by standard safety practices, rules of engagement regarding behavior, and other physical security precautions. This is also the stage at which operators collect evidence of what they did during the assessment. This evidence is then used during the final reporting stage to provide forward-looking mitigation recommendations and to recognize where the target security team performed well.
Red Team Physical Security Best Practices
- Limit Excessive Read-Ins: While it’s important to notify the appropriate authorities and select stakeholders ahead of a red team physical security assessment, we suggest limiting that circle as much as possible. Red teaming is most effective when it mimics real-life adversarial techniques, so practicing discretion ahead of the assessment helps to preserve its value by testing the authentic responses of your employees in real time.
- Keep Your Results Confidential: Likewise, we recommend that clients not talk publicly about the details of their red team physical security assessment after it has been completed. Even if the team performed well, sharing the details of your assessment gives bad actors a clear view of your current defenses and where potential weaknesses may lie. However, that doesn’t mean that you shouldn’t share results with your internal team, executive leadership, or board of directors, as doing so is critical for strengthening security measures moving forward.
- Treat the Assessment as a Growth Opportunity: The purpose of a red team physical security assessment is to be helpful and informative, so treat it as a growth opportunity rather than a punitive audit! At Millennium, we always offer a debrief and report after the assessment has concluded to help our clients understand how we infiltrated their facility and what they could have done differently to stop us.
- Know When an Assessment Makes Sense for You: Red teaming involves a significant amount of preparation and resources, and starting off with a full-blown physical security assessment isn’t always the right move. Sometimes companies need time to evaluate their own physical security defenses and establish standard procedures before they’re ready for an outside assessment. In this case, a tabletop exercise can be a really effective way to rehearse hypothetical scenarios and the appropriate responses before jumping into a red team physical security assessment.
Penetration Testing vs. Red Teaming—What’s the Difference?
Author: Matt Hulse
Penetration Testing and Red Teaming are two critical aspects of cybersecurity testing. Although they might seem similar, they serve different purposes and therefore require unique approaches. This article dives into these distinctions, providing insights to help you incorporate both strategies into your organization’s cybersecurity testing program.
The need for cybersecurity testing services like Penetration Tests and Red Teaming is on the rise. Initially valued at $1.62 billion in 2021, the global Penetration Testing market is expected to grow at a CAGR of 13.9% over the next seven years, eventually reaching $4.84 billion by 2030. There are multiple factors driving this trend, including an uptick in ransomware attacks; the ever-shifting regulatory landscape; and the rising popularity of IoT, smartphone adoption, and cloud-based services.
What Are Penetration Testing and Red Teaming?
By contrast, Red Teaming takes a broader perspective. While Penetration Testing focuses on breaking into specific systems, Red Teaming simulates a full-spectrum attack on your organization. It’s a realistic stress test that considers the human factor, organizational behaviors, physical security, and more. Red Teamers look at potential business impact rather than merely breaching the system.
4 Key Differences Between Penetration Testing and Red Teaming
5 Ways to Improve Your Next Red Team Attack Simulation
Author: Matt Hulse
Cybersecurity is an ever-evolving business. New attack vectors are emerging every day, and cybercriminals are constantly looking for novel ways to evade current detection methods. According to research by Check Point, firms faced an average of 1,248 attacks each week from January to March 2023—marking a 7% increase compared to the same period last year.
For enterprise businesses, this creates a pressing need to strengthen existing defenses in the event of a security breach. That’s where Red Team Simulations come in.
Red Team Attack Simulations offer a comprehensive way to test your current defense, detection, and response capabilities in a highly realistic environment. By simulating how an adversary would move throughout your organization during a real attack, security teams can stress-test existing defensive protocols while also developing a deeper understanding of how attackers would target and exploit your environment.
So, what goes into a successful simulation?
Key Elements of an Effective Red Team Attack Simulation
- Limit people in the know. The fewer people who know the assessment is underway, the more realistic and accurate the results. With a Red Team Simulation, we’re testing your ability to not only prevent an attack but to also respond to it. Leverage a small number of “trusted agents” who are read in to the assessment, but don’t let your defensive teams know. This way, their responses can be assessed as a true and accurate depiction of their ability to defend.
- Have an objective. With penetration testing, the goal is to prove that vulnerabilities can be exploited. The potential risk of that exploitation is often left to the imagination. In a Red Team Attack Simulation, the goal is different. Exploitation of vulnerabilities enables the threat actor’s true objective. What is that objective? Is it to steal proprietary information? Is it to deploy ransomware? Create a persona to represent the simulated threat and let it serve as the guide for your Red Team.
- Establish clear rules of engagement for the simulation, but don’t handcuff the team. Your organization relies upon your information systems to operate. While a determined adversary has no rules in terms of their activities, it is important to establish clear rules of engagement that define systems, networks, facilities, and personnel that are either in-scope or out-of-scope. An effective Red Team Simulation needs to be able to operate as closely as possible to that of the threat actor you’re attempting to emulate. This includes targeting users in your environment. Human error is one of the most common causes of security breaches. Forty-three percent of people have made mistakes at work that compromised cybersecurity, and 85% of data breaches are caused by human error.
- Consolidate learnings to improve future detection and response. After your simulation is complete, it’s important to conduct a post-mortem to evaluate what went well and where there is room for future improvement. Many Red Team providers already include this step in their services, but if you’re planning on conducting a Red Team Attack Simulation in-house, this step is a critical part of ensuring future security benefits.
- Don’t grow complacent. Finally, Red Team Simulations are an ongoing endeavor, and security teams will need to continually test their defenses if they hope to keep up with the rapidly evolving pace of cybercriminals. When creating a defense plan for your organization, be sure to incorporate periodic Red Team Attack Simulations to regularly evaluate current security protocols and identify any potential weaknesses. As you develop a deeper understanding of the threats to your environment, leverage alternative personas to simulate different attack objectives and continue to improve your defenses.
Ready to learn more about Red Teaming and what you can do to strengthen your cybersecurity skills? Check out our Millennium Red Team solution to learn how you can better secure your cyber and physical assets alike.