No matter where you are in your physical pentesting career, from just starting out to an old veteran, having clients actually pay you for your services is mandatory, unless you intend on crossing that line from pentester to robber (which I don’t recommend or condone), and therefore understanding how to sell your services is vital.
One of the hardest things to do in sales is to get that foot in the door, that moment where you can get the customer to say “Alright, you have my attention.”
When it comes to cyber pentesting, most people are fairly familiar with what is at risk, how bad a compromise can be, and so on. However, when it comes to physical security, I find that many companies, government entities, research facilities and private offices seem to be lagging very far behind in their understanding of just how vulnerable they are.
One of the best methods of selling a physical pentest that I have found in my 20 years in the business is simply to ask the client:
“Tell me about your cyber defense … Are you happy and confident with your current defenses?”
Most of the time they will eagerly tell you about what features they have in place and it is for these reasons they don’t feel the need to add anything to their arsenal of defense, to which I would reply with something like,
“That is very impressive that you have all those things in place, and that you regularly run pentests to ensure attackers cannot breach the defenses you have; you clearly understand the value of pentesting and security. But let me ask you, have you ever done a physical pentest?”
Getting a client to list out all the things they currently have in place and explain why they have them is a great way to instill cognitive dissonance, which is something that occurs when a person tries to hold two contradictory views simultaneously. By having them explain the need for everything above for cyber defense and then admit they have never done any such testing on the physical side, they are simultaneously admitting they know why they should, but haven’t.
This is often the point at which I get the would-be client to that moment of “Alright, I’m listening.”
As a salesman it is very helpful to know a few good war stories from physical pentests, to better illustrate their importance to a customer.
Story Time
I was once tasked with breaking into a building in the middle of downtown in a major European city, with no team to support me and only 4 days to do it. I started by visiting the office I wanted to attack, which happened to be on the second floor with only an elevator for access, chatting with the secretary and introducing myself as the new hire for a neighboring company a few floors above them.
I told her that I was making the rounds of all the floors of the building to ask whether they too were experiencing internet issues, and of course taking the opportunity to introduce myself as the new bright-eyed person who had just landed their dream job in Europe for the first time (this gets me sympathy).
While chatting with the secretary, she asked if I would like any coffee, which I eagerly accepted and commented that our office coffee machine was broken and I was delighted to have my much needed caffeine fix.
She told me that as long as our coffee machine was broken, I could come and use theirs in the mornings, which got me an excuse to return each day to chat with the secretary. I spent two days building rapport and eliciting useful information from her, which included:
* They had a night cleaning staff that came every night
* Their security provider was very lax and once didn’t notice that a camera had been disconnected for cleaning for almost a week.
* They shared a rear terrace with a few other companies
* All doors had RFID access control built into the door handle, and I learned what type of cards they used (these cards happened to be cloneable)
These bits of info were more than enough to work up a plan of attack.
The Plan
I spent the first two mornings chatting up the secretary and getting much needed info, and spent the afternoons scouting the building for entry points and general observations. Each evening I sat at a bar across the street to watch for when the automatic lights in the target office came on, which would tell me what time their cleaning staff arrived each night.
My plan was to break in through the rear terrace at the same time the cleaning staff entered through the front, which, having scouted the building, I knew I could do with an underdoor tool. Why this method, you may ask? Because the cleaning staff will do two things for me that are both invaluable:
* They never know all the employees in the office and rarely, if ever, stop and interrogate someone posing as an employee after hours
* The first thing they do upon entering the building is turn off all the alarms
On the third night I executed my plan, and was able to get into the building just as the cleaning staff conveniently turned off the alarms, after which I managed to:
* steal the source code for every project this company was developing
* copy employee journals and notes containing things like access codes, credentials and sensitive information
* plant various bugs to monitor the entire office and many workstations (including bugging the board and VIP meeting rooms to listen to VIP and corporate conversations)
* copy sensitive documents, both internal and customer-related
* install back doors on a few workstations
* open a safe with sensitive items inside
* steal a “to be burned” bin full of sensitive customer records
* generally compromise the entire company in a single evening
Now, the reason I am taking you along on this physical break-in is simple. Explaining to a client just how much damage I did to this company within 3 days is on a different level than the vast majority of cyber attacks, and the sad reality is that while most companies prioritize cyber defense, they tend to be very lacking on physical security. It is the very rare cyber attack that can achieve everything I listed above, and especially in such a short period of time.
Yes, they have locks, cameras and badge readers, but very few organizations ever test these measures to see how they stand up against attackers. While most major companies will run cyber pentests, it is the rare company that has even considered running a physical pentest, and as a result their security is only as good as they assume it to be.
The Sliding Scale of Physical Pentesting
As a physical pentester you will deal with all kinds of clients, from the very wealthy to the tightly budgeted, and it is in your best interest to have multiple services you can offer them. Here are some of the services a good tester can offer to a client:
Black Team Engagement
This is the full-on physical pentest, usually with a team and performed over the course of days to weeks depending on the target. The team knows very little, if anything, about the client building (it is often good to ask the client if there are any specific things they want the pentester to go after, but it’s not necessary).
A good rule of thumb is around one week per building as a starting point for how long the engagement will take. This will be adjusted based on difficulty (e.g. the location of the building, how much security is in place, etc.).
While this sort of test can be performed solo, it is much better performed with a small team. For every team member, however, the cost increases, and unlike cyber pentesting, adding more testers does not shorten the testing time. This is because things like rapport building, social engineering and employee observation cannot be accelerated by simply throwing more people at them; these things take time.
Purple Team Engagement
This is an engagement where the pentesters work with the defense team in real time to demonstrate how various attacks at different stages would work. The pentesters walk the defense team through a real engagement, but are not focused on stealth as much as a black team would be.
This type of test is often referred to as a “catch and release test” or a “security walk-through”, where both teams go to a location (like the lobby of the building) and the pentesters show, and possibly demonstrate, how they would breach various aspects of security, after which this process is repeated throughout the entire building. The pentester assesses and shows the defense team every security weakness they encounter, demonstrating various methods as they see fit.
Because the tester isn’t trying to actually break in, this type of test is much shorter and often only takes 1 – 2 days per building.
Security Awareness Training
This is more of a lecture and presentation than a pentest, in which the pentester goes onsite to the client building and gives a live lecture / presentation on all their pentesting tricks.
As I referenced in my post Front Heavy Security, employees are an organization’s second line of physical defense and sadly are almost always neglected in their security training and awareness.
Having given hundreds of these presentations over my career, I have found that employees love these presentations as they see it as a career criminal divulging all their secrets.
Employees love it even more if you have already performed a physical pentest and can actually walk them through how you broke into their office and all the things you were able to accomplish. Because employees are the second line of defense for an organization, after either a Black or Purple Team engagement I always recommend a follow-up Security Awareness Training for the employees.
This type of service usually only lasts a few hours.
Conclusion
Hopefully this article will help any physical pentester or salesman better understand how physical pentests work and how to sell the various services associated with them to clients.
Best of luck with the sales.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
* Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
* Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
* Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox