Our technical consultant Jay has recently been researching the latest methods and tactics for physical intrusion. He’s compiled his knowledge to draw up a new methodology for IRM but we’ve whittled it down to provide you with the highlights.
1. Understand the location
Location reconnaissance is the key to identifying potential opportunities, access routes and the day-to-day operations of the workplace.
Whilst you may already be provided with a location as part of the scope, check whether there are any additional sites. These could open up other options for intrusions and attack vectors that the client hasn’t thought about.
Physical Security and Access Control
There may be CCTV-style surveillance, posted or roaming security personnel, barrier control or gated areas, or a combination of these.
Simply driving or walking past the site can reveal a lot of key information that isn’t available from sources like Google Maps. Ideally, security personnel will be avoided; however, an element of social engineering could be introduced if contact is unavoidable. In both cases, prior research on individuals will help.
You may be able to get hold of blueprints and layout plans, such as floor plans from office-space adverts or public planning permission documents.
2. Create a profile
To gain entry and maintain access, you’ll need to have a clear idea of the character you’re going to play to generate a convincing scenario.
It is important that the name you choose is believable and up-to-date. By ‘up-to-date’, I mean ensure that you suit the character you are “playing”; if you are younger and are “playing” Reginald Underhill, you’re not going to be suited to your name, which could give something away. Although it might be amusing to give yourself an extravagant name and get away with it, you may cause a large amount of suspicion.
Picking a role
When entering a business or office, tailor your role and your purpose within the building carefully to how the place operates. Look for roles that can be identified through OSINT or public websites, or make an educated guess based on the work the business does.
Don’t oversell yourself when choosing a role. For example, if a job offer has been identified through OSINT for a Senior Operations Director and you have never held a role or operated at that level, the pretext is unlikely to be very effective.
What to wear?
It is important to take note of the dress code that workers adhere to. You should define your character around the style of clothing you plan to wear, and vice versa.
You may have the opportunity to create a sense of higher authority, for example by wearing a suit and tie if the normal workplace staff tend to dress casually. This can help to create a persona of authority, reducing the likelihood of being stopped when tailgating, being asked more questions or having your ID challenged.
During the reconnaissance phase you should have identified potential entry points, CCTV presence, (hopefully) the complexity of locking mechanisms, as well as the patterns of staff members. If you manage to identify junior, less technical or generally flustered/busy members of staff, this could be helpful.
Picking and choosing who to engage with in advance allows you to create a perfect scenario where you maintain control at all times.
People occupied with other things can be utilised when trying to gain access to a locked area, to get through a door (tailgating), to obtain sensitive information through questioning, or to gather further information about the office.
Bypassing physical security
An opportunity could arise for bypassing physical security without human interaction. Should a checkpoint or turnstile be “unmanned and uncammed”, it can be vaulted, negating the need for a conversation with security to let you in. Locked doors, server cabinets and other locked-away assets could also be opened by lock picking.
When initial access has been granted you must always look for an opportunity to elevate trust. For example, interacting with a managerial member of staff or tailgating into a restricted area where you wouldn’t be questioned.
Preparing forged assets such as authorisation emails or a visitor’s lanyard can also provide a backbone to your planned scenario. These act as props to add substance to your story.
Understanding the business/organisation or place of work including its staff can be very beneficial. If you prepare a list of names which you can use when questioned, you are much more likely to be trusted.
4. Physical Intrusion Social Techniques
There are many techniques documented throughout social psychological studies which explain “how to hack the human mind”. Below are a few easy/quick examples of social engineering techniques that can be put into practice:
You owe me
- Tricking a member of staff into believing that they owe you something because you have helped them with something trivial.
- “Here let me get that for you…” holding a door open for someone heavily lumbered is an easy way to tailgate a member of staff through a door. You scratch their back; they subconsciously scratch yours.
Are you sure?
- Making someone question their own true judgment based on a confident challenge by the intruder.
- “We don’t have anything planned in today?”, “Are you sure? I’m here once a month… every month! See here!!” *cue forged maintenance log*.
- Engaging in a conversation which the contact can relate to on a personal level to take away from the seriousness of the situation (ideally used after a first engagement conversation, to quickly dismiss a conversation or to open a potentially awkward conversation).
- Complaining about tiredness on a Monday morning;
- Try and involve their weekend and engage on a personal level with anything they throw back;
- It’s been a long day…
- Physical contact with the staff member can be used to induce trust by seeming like the “nice guy”.
- “I’m so sorry I’m having a really bad day today I have no idea what is going on here…” *tap on the shoulder* “Don’t worry about it honestly; it happens to me all the time”.
So that’s it. A whistle-stop tour of some physical intrusion techniques that our technical team use when conducting red teaming and physical intrusion assessments with clients. If you have any further questions or queries, pop an email to firstname.lastname@example.org
You can learn more about IRM’s scenario-based testing services here.