Covert Access Team
The Watchers: Enhancing Team Operations in Surveillance
Brian Harris
Feb 06, 2024

During a black team engagement, you will likely want to photograph an employee badge. This lets you make a physical copy of the badge with your own picture and name on it. However, if you are copying an employee badge's appearance, then at this stage you're likely still in the recon phase and may not be inside the building yet.

This means that you are often going to be using cameras and techniques for getting high-quality photos outside of the target building. And this is where today's topic comes up: are you allowed to follow and record employees outside of work, and to what degree?

There are many reasons why you may want to go after someone outside of the target building. After all, the building is where all of the security is, and the employee is bringing out many useful things that you can use, such as:

  • ID badge

  • Physical keys to the building

  • Company laptop & phone

  • Company & building knowledge

But while all of these things are very enticing to a pentester, even more so since they are outside of the security of the target building, there are a lot of things to consider and get cleared up before you go stalking employees in a cafe.

Securing Consent: The Non-Negotiable First Step

[Photo: woman signing on white printer paper beside woman about to touch the documents. Photo by Gabrielle Henderson on Unsplash]

The first thing to understand, and this is very important, is that an employer cannot consent to such engagements outside of work on behalf of the employee (unless, of course, you're dealing with the military, where this may literally be a part of their contract, but even then it's iffy).

Therefore, for everyone's protection (the client, the employee and you), it is best to get the written consent of both the client and the employee. While this does make the employee aware that you may go after them in some way, the benefits of this far outweigh the potential legal issues.

Ideally you will get a handful of employees to consent to this. This both maximizes your probability of success (after all, not all employees go to public places like cafes, and you won't know their habits beforehand) and reduces the expectation that any one employee will be the target.

Navigating the Engagement: The Art of Limitation and Precision

[Photo: green airplane toy. Photo by Akshar Dave on Unsplash]

Once consent is secured, defining the scope of this part of the engagement is your next critical step. This phase is about balancing the need to expose potential security vulnerabilities with the absolute necessity of respecting personal boundaries.

I highly advise that you NEVER put into scope the ability to go through someone's personal belongings; there just isn't ever a need to in this context. For example, suppose you go through someone's bag, find a key fob and clone it, only to discover later that it wasn't for their office but for their private residence. Now you have to inform that employee that you not only went through their personal bag (which may have other personal things in it) but also created a copy of their home's key.

Instead, take a hands-off approach and include things like the ability to:

  • Photograph employee IDs and badges

  • Clone an employee badge ONLY IF you can do so without going through their personal belongings (for example, with a long-range reader, or if they leave it on the table at a public place)

Social engineering and elicitation are another thing to consider. When an employee is at the office, an employer may be allowed to give you consent to chat with them, even to lie to them, but outside of work is different.

Here again, it is best to get both the employee's and the employer's consent. In my experience it is also usually a good idea to only do these types of things during work hours, when employees are either working from a public place or taking their lunch break at a restaurant near the office.

Techniques and Considerations: Observation and Shadowing

Now that all the legal issues are out of the way, let's start talking about execution.

© 2025 Brian Harris