The Insider Threat
Most companies still think about physical attacks as an outside problem.
Meaning that when we think about who is going to be breaking into our building to steal intellectual property, bug the corporate board room or gain access to the servers, in most people's minds it is somehow a guy in a black hoodie or balaclava sneaking in.
But now ask yourself this question: if given the choice, would you rather sneak around a building in the middle of the night trying to bypass an unknown number of sensors and alarms, or simply walk through the building holding a coffee and a smile?
This is why, for a large number of organizations, your biggest risk will always be insider threats, or perceived insider threats.
Two Kinds of Risk
Most organizations fall into one of two broad physical risk categories.
The first category is the business that sells merchandise.
Jewelry stores, electronics shops, laptop resellers and other merchandise-heavy businesses have a very specific problem. They hold goods that can be grabbed, moved, fenced, resold, stripped, or converted into cash quickly.
Their physical risk is often direct theft. The attacker does not need deep access to sensitive records or internal systems. They need proximity to the product, speed, and a way out.
For those businesses, smash-and-grab attacks are still, and likely will always be, the norm, and they are what these organizations should be actively working to prevent.
That said, daytime retail attacks have become more common and more aggressive. Flash-mob style thefts changed the assumptions for businesses that used to think the worst-case physical attack would happen after closing.
A group can enter during normal hours, overwhelm staff, take what they came for, and leave before a good guy with a gun arrives. This is a big reason why understanding your threat's time on target is incredibly important.
The second category is the organization that does not really sell merchandise.
Pension companies, banks, insurance firms and similar organizations usually do not have display cases full of goods. Yes, they have laptops, phones and network gear, but nobody is breaking into Google headquarters to steal laptops. Their real exposure is access.
Access to things like: documents, credentials, conversations and intellectual property.
For these companies, the attacker is trying to collect information, plant a device, photograph documents, obtain a credential and so on. These organizations will likely represent the bulk of those that hire physical pentesters.
And most of them rely on, or have set up, some variation of front-heavy security to protect all of the above, which usually means that once the front is bypassed, the failure is catastrophic.
Why It Always Boils Down to Insider Threats
For this conversation, we’re ignoring the merchandise businesses. However, do keep in mind that merchandise-based businesses do have real insider threats that happen every single day.
The former employee, the disgruntled janitor, the person who needs a few extra bucks and used to work for you or still does: any of these people can turn on you, knowingly or unknowingly.
So insider threats on merchandise-based businesses are a real thing. However, we are going to be focusing on who is likely to employ the vast majority of physical pen testers, and that’s the other category.
A physical attacker does not need to start as an insider to become an insider threat.
They only need to get past the point where people stop questioning their presence, which in front-heavy security is often a single security barrier.
Most people, when they think of a bad guy, think of somebody who is going to break in in the middle of the night wearing a balaclava or a black hoodie. The problem is that for the organizations we are discussing, pension companies and others whose real exposure is espionage, it is far easier and far more effective to break in during the day, when the alarms are disarmed, because you can sweet-talk your way past a person, past a guard, past a secretary. You cannot do that with an alarm or a camera.
But understand that regardless of whether somebody jumped through a window, cloned a badge or otherwise broke in from the outside, or whether they were already inside as a legitimate insider threat, both cases converge on the same thing: an insider threat, or a perceived insider threat, where everybody around the attacker, whether a real employee who has turned or a person who is not supposed to be there at all, assumes that they are legitimately there.
And this is where one of the biggest oversights in all of physical security comes into play. I have seen it more times than I can count: even companies that hire physical pen testers to test the building almost always use the same playbook.
Try to sneak into the building, then try to gain access to some secure location. But as I just mentioned, regardless of how the threat gets inside, it becomes an insider threat. Most physical pentesters will tell you that once they have a foothold in the building, the game is over: they have won.
And this is the big issue.
But Did You Test It?
One of the first questions in security should always be, did you test it?
Not, did you buy it. Not, did the vendor promise it works, but did you test it?
This is where a lot of companies get exposed. They will talk confidently about cameras, access control, visitor management, etc, but when you ask when they last tested a physical insider threat scenario, the answer is usually silence.
Most organizations have never done it. They are relying on their front-heavy security, their perimeter barriers, to protect them, without considering that anyone who bypasses these barriers will likely have complete access to everything.
I can already hear SOC members, facility managers and security guards saying things like, ah, but our server room is always locked, or you need an access control badge to get onto any other floor. And yes, you do, but also understand that privilege escalation, whether cyber or physical, is not a difficult task. It can require patience, but it is not very difficult.
Understand that part of front-heavy security is the assumption that any person who has gotten beyond the security choke points or perimeter barriers is authorized to be there.
That's the assumption. How else did you get this far into the building? And so when people are using under-door tools, picking locks or pulling card readers off the wall, but doing it inside the building during daylight hours, 99 times out of 100, bystanders assume they must be authorized to be there and do not care.
And that’s one of the biggest problems. And that’s one of the reasons why front-heavy security is so dangerous.
Ask Yourself This Question
Assume that there is one person inside your building who is not supposed to be there during daylight hours. Would normal employees be able to spot them if they were acting normal, dressed appropriately, and maybe even had something that looked like a real functioning badge?
Now ask yourself the question, what areas and things do normal employees have access to within your building? This is what our insider also has access to.
Would they have access to conference rooms? Would they have access to unlocked laptops? Do employees leave badges laying around on their desks? Could they get into the server or archive rooms? What could they get access to?
And now, the big question. You, the person reading this blog, are likely to be very security-minded. That's why you're reading this blog.
So assume that you are the insider threat. Assume that you have already gotten inside your own building, inside the organization that you work at. What could you do?
Because you already have all the knowledge. You already know all the vulnerabilities, the ins and outs of the building. You know when Sally from accounting leaves doors cracked open, or where the keys to the server rack are kept.
All of this is information that actual physical attackers will discover over time. So if you were the actual insider threat, how much damage could you do, and would the security barriers currently in place stop you?
Conclusion
The purpose of this article is not to shame people who have never done an insider threat scenario or even a physical pen test. It is to illustrate the point that for the large majority of companies and organizations out there, your biggest threats are going to be insiders.
And most people, most companies, most organizations have never even considered this, let alone actually tested it. And regardless of what security vendors, your facility manager or your SOC say, until you have tested something, you have absolutely no idea how things will go.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Strategic Operations for Lone Operators - Advanced course for those who are interested in learning how to become a one man infiltration team.
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.