Your Guide to Red Team Physical Security Assessments
Author: Matt Hulse
In the world of cybersecurity, red team physical security assessments are often overlooked in favor of more cyber-focused exercises. However, the two are more interconnected than you might think.
At Millennium Corporation, our philosophy is anchored around the concept of full-spectrum operations. This means our red team assessments normally contain a physical security aspect in the hopes of maximizing the potential for impactful cyber effects. For example, during an assessment, our operators may attempt to physically infiltrate a server room in order to compromise the target organization’s network. This tactic is especially useful for “air-gapped” systems or networks, which cannot be reached over the network from outside.
What Goes into a Red Team Physical Security Assessment?
First, it’s important to identify your objectives. Physical security is more than a compliance box to be checked off. Instead, you should view the physical security assessment as a part of a larger cyber assessment that is designed to meet your specific goals and expectations. For example, maybe you’re looking to validate the security of your current credentials system by seeing if the red team operators can bypass the need for a physical ID or biometrics to gain access to critical infrastructure or key facilities.
Once the objectives of the assessment are defined, the red team should conduct reconnaissance exercises to better understand their target. This is similar to the steps required for a cyber assessment. The more you know, the more effective your assessment will be. This includes examining the company’s “patterns of life” and third-party vendors to understand their roles at the company as well as the tools and processes they use as part of their everyday responsibilities. All of this reconnaissance feeds directly into the planning phase.
During this phase, the red team should begin planning out their attack and identifying the different engagement points through which they want to evaluate their target. This also includes the different strategies they plan to use during the assessment, such as social engineering (showing up in person or calling over the phone), leveraging cyber tactics to surreptitiously add their operators to an access list, and so on. It’s crucial to coordinate your plan with the appropriate stakeholders as well as legal authorities. This not only ensures that the operation can continue if the red team is stopped or apprehended, but more importantly, it helps to ensure the safety of the team itself.
Next comes the execution phase: the actual red team physical security assessment. During this phase, the red team attempts to breach the target facility using only the previously agreed upon methods. Staying within those methods is a critical aspect of the execution phase, as the red team must abide by standard safety practices, the rules of engagement governing behavior, and any other physical security precautions that were set during planning. This is also the stage at which operators collect evidence of what they did during the assessment. That evidence is then used during the final reporting stage to provide forward-looking mitigation recommendations and to recognize where the target security team performed well.
Red Team Physical Security Best Practices
- Limit Excessive Read-Ins: While it’s important to notify the appropriate authorities and select stakeholders ahead of a red team physical security assessment, we suggest limiting that circle as much as possible. Red teaming is most effective when it mimics real-life adversarial techniques, so practicing discretion ahead of the assessment helps to preserve its value by testing the authentic responses of your employees in real time.
- Keep Your Results Confidential: Likewise, we recommend that clients not talk publicly about the details of their red team physical security assessment after it has been completed. Even if the team performed well, sharing the details of your assessment gives bad actors a clear view of your current defenses and where potential weaknesses may lie. However, that doesn’t mean that you shouldn’t share results with your internal team, executive leadership, or board of directors, as doing so is critical for strengthening security measures moving forward.
- Treat the Assessment as a Growth Opportunity: The purpose of a red team physical security assessment is to be helpful and informative, so treat it as a growth opportunity rather than a punitive audit! At Millennium, we always offer a debrief and report after the assessment has concluded to help our clients understand how we infiltrated their facility and what they could have done differently to stop us.
- Know When an Assessment Makes Sense for You: Red teaming involves a significant amount of preparation and resources, and starting off with a full-blown physical security assessment isn’t always the right move. Sometimes companies need time to evaluate their own physical security defenses and establish standard procedures before they’re ready for an outside assessment. In this case, a tabletop exercise can be a really effective way to rehearse hypothetical scenarios and the appropriate responses before jumping into a red team physical security assessment.