What Every Client Needs to Know About Physical Pentesting
How secure is your organization against physical intrusions? Can you confidently say that your security measures would thwart a determined intruder, whether they come from outside or within?
If you’re unsure, a physical penetration test (pentest) is a valuable step to identify vulnerabilities and fortify your defenses. But what should you, as a client, expect and demand from such a test to ensure it’s thorough, realistic, and valuable?
Let’s delve into the critical components and standards that should guide your expectations.
The Difference Between a Physical Audit and Physical Pentest
Understanding the distinction between a physical audit and a physical penetration test is valuable for comprehensively evaluating and improving your facility's security. Both methods serve distinct purposes and are integral to a robust security strategy.
Physical Auditing: A physical audit involves pentesters overtly walking through a facility to identify and document every vulnerability and security weakness. This process is thorough and systematic, with the goal of providing a comprehensive assessment of the current security posture. During an audit, the testers are not trying to be covert; instead, they openly inspect and evaluate all aspects of physical security. The primary objective is to identify potential vulnerabilities without attempting to exploit them. This method ensures that every possible entry point and security flaw is noted, offering a detailed blueprint for necessary improvements.
Physical Penetration Testing (Black Teaming): In contrast, a physical penetration test aims to simulate real threat actors—whether internal or external—attempting to compromise the facility covertly. Known as black teaming, this approach is designed to mimic the strategies and tactics of genuine adversaries. Unlike an audit, a penetration test is not as exhaustive in terms of identifying every possible vulnerability. Instead, the focus is on attacking viable methods of entry that a real attacker might exploit. The pentesters employ a variety of stealthy and obvious tactics to test the effectiveness of the facility’s security measures under realistic conditions. This method provides proof of concept by demonstrating how an actual breach could occur, highlighting critical areas that need immediate attention.
The Relationship Between Audits and Pentests: Generally, a physical audit should precede a penetration test. By conducting an audit first, the client ensures that their physical security has been thoroughly vetted and any glaring vulnerabilities are addressed. This foundational assessment brings the security posture up to a high standard, making the subsequent penetration test more meaningful.
The pentest then builds on the audit by testing the robustness of the improved security measures against realistic attack scenarios. Together, these methods provide a comprehensive evaluation of physical security, identifying both theoretical vulnerabilities and practical weaknesses that could be exploited by real attackers.
Pentests are usually performed for one of the following reasons:
Compliance: In some organizations, physical security pentests are mandatory. For example, new security standards coming into force in Europe in 2024 require some industries to perform such tests.
Security Testing: This is the gold standard, where a mature organization with an established security program wants to vet its current security posture.
Security Budget Increases: CISOs and facility managers sometimes use pentests as a justification for increasing physical security budgets. In these cases the test results are used to convince the board to invest in security.
Remember, as a client the ultimate goal of a pentest is to increase or confirm your organization's physical security. When a hacker pokes at your company's website, you expect they won't find anything critical; the hacker can poke all they like but won't find a way in.
The same should be true for a physical pentest: the black team should be able to poke all they like at your building but not be able to gain access and compromise your security, and if they do, the value of the test is in showing you exactly how.
Simulating Real Threat Actors
The cornerstone of an effective physical pentest is its ability to simulate real-world threat actors accurately. This includes both external threats—like intruders trying to breach your perimeter—and internal threats, such as employees with malicious intent. The test should mimic the strategies and methods a genuine attacker would use, providing a realistic assessment of your security posture. The goal is to uncover vulnerabilities that could be exploited by actual adversaries, giving you a true picture of your risk level.
Often a physical pentest will specify one of these two attack scenarios, or with a large enough team it can include both. It is also possible to use a real employee in a hybrid approach, where the employee is assumed to be colluding with external threat actors to help compromise the organization.
When deciding which scenario to use for a pentest, the client should decide what their biggest threat is. Both external and internal threats can compromise any organization, but each carries its own assumed probability and risk.
While external threats are the assumed route for attackers, companies often overlook the risks that insider threats pose. I’ve written extensively on the risks of insider threats, but consider whether your organization could viably defend against an employee who wanted to steal documents, bug the meeting room, etc.
Many organizations have a flat physical security network, in that any employee (or most) has full, often unvetted, access to the entire building. This is the equivalent of making every employee a Domain Admin, and while most of us immediately see the risk in the one, the other is usually overlooked.
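The quickest way to see whether your own building is "flat" is to pull the role-to-door grants out of the access control system and look for badges that open everything, the physical equivalent of auditing who is in Domain Admins. The script below is an added example, not code from the original post or from any access control vendor; the export format, the role and door names and the list of sensitive doors are all constructed for illustration.

```python
"""Added example: check a badge-access export for "flat" physical access.

The export format, role names, door names and the sensitive-door allow lists
below are constructed assumptions for illustration, not from any real facility.
"""
from collections import defaultdict

# Constructed sample export: one row per (role, door) grant, as most access
# control systems can export to CSV.
SAMPLE_GRANTS = [
    ("employee", "front-lobby"),
    ("employee", "open-office"),
    ("employee", "server-room"),
    ("employee", "boardroom"),
    ("employee", "mail-room"),
    ("cleaning", "front-lobby"),   # third-party cleaning staff badge
    ("cleaning", "open-office"),
    ("cleaning", "server-room"),
    ("cleaning", "boardroom"),
    ("cleaning", "mail-room"),
    ("it-admin", "front-lobby"),
    ("it-admin", "open-office"),
    ("it-admin", "server-room"),
    ("executive", "front-lobby"),
    ("executive", "open-office"),
    ("executive", "boardroom"),
]

# Doors that should only open for a named set of roles (assumed policy; a real
# facility would define its own).
SENSITIVE_DOORS = {
    "server-room": {"it-admin"},
    "boardroom": {"executive"},
}


def build_matrix(grants):
    """Index the grants both ways: role -> doors it opens, door -> roles that open it."""
    role_doors = defaultdict(set)
    door_roles = defaultdict(set)
    for role, door in grants:
        role_doors[role].add(door)
        door_roles[door].add(role)
    return role_doors, door_roles


def flat_roles(grants):
    """Roles whose badge opens every door in the export: the 'Domain Admin' badges."""
    role_doors, door_roles = build_matrix(grants)
    all_doors = set(door_roles)
    return sorted(role for role, doors in role_doors.items() if doors == all_doors)


def over_granted(grants, sensitive=SENSITIVE_DOORS):
    """(door, role) pairs where a sensitive door opens for a role not on its allow list."""
    _, door_roles = build_matrix(grants)
    findings = []
    for door, allowed in sensitive.items():
        for role in sorted(door_roles.get(door, ())):
            if role not in allowed:
                findings.append((door, role))
    return findings


def doors_open_to_all(grants):
    """Doors that every role in the export can open (candidates for zoning)."""
    _, door_roles = build_matrix(grants)
    role_count = len({role for role, _ in grants})
    return sorted(door for door, roles in door_roles.items() if len(roles) == role_count)


if __name__ == "__main__":
    print("badges that open every door:", flat_roles(SAMPLE_GRANTS))
    for door, role in over_granted(SAMPLE_GRANTS):
        print(f"{role} can open {door} but is not on its allow list")
    print("doors every role can open:", doors_open_to_all(SAMPLE_GRANTS))
```

On the constructed export the check flags both the generic employee badge and the third-party cleaning badge as opening every door, including the server room and boardroom, which is exactly the situation the elicitation and impersonation tactics discussed later in this post take advantage of. Run it against your own export before the black team does the equivalent by hand.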
Variety of Attack Methods
Once the black team (pentesters) has conducted thorough reconnaissance, they will compile a comprehensive list of all potential infiltration vectors. This list is then prioritized, ranking methods from most likely to succeed without detection to those most likely to result in getting caught. This strategic approach ensures a methodical and effective test of your security measures.
The testers should attempt as many of these methods as possible within the given timeframe, starting with the most stealthy and progressing to the more obvious techniques. Here are some examples to illustrate this approach:
Stealthy Methods:
Elicitation Tactics: This involves subtle questioning to gather information about the facility’s routine, such as the arrival times of third-party cleaning staff and the specific entry points they use. This information can be critical for planning a covert entry.
Impersonation: By copying or stealing employee credentials or even clothing, testers can attempt to gain access by blending in. For instance, timing a break-in for when the cleaning staff arrives, they might deactivate alarm systems while posing as employees working late.
Covert Entry: This could involve using tools or methods to quietly bypass locks or security systems without leaving obvious signs of tampering.
Loud Methods:
Tailgating: This involves following an authorized person into a secure area without proper credentials, testing the vigilance of staff and the effectiveness of access control measures. I consider tailgating a loud method because most people are unprepared for a confrontation if it goes wrong, and even fewer are savvy enough social engineers to sell their escape clause in a high-stress moment. Done poorly, this can compromise the engagement.
Direct Physical Entry: In more blatant tests, the team might try to remove a door or window from its frame during working hours while dressed as repair personnel. This method checks the facility's response to an obvious security breach and the alertness of employees.
By employing a variety of attack methods, the pentesters can thoroughly assess the effectiveness of your security protocols against a spectrum of potential threats. Starting with stealthy techniques allows them to test how well your defenses can detect and prevent covert operations.
Moving to louder methods tests the robustness of your immediate response and overall alertness. This comprehensive approach ensures that every aspect of your security system is evaluated, providing a detailed and realistic understanding of your vulnerabilities.
It is vital that as many methods as possible are tested, for the same reason a web app pentest must do the same. If the black team doesn’t test an infiltration method, whether due to lack of time or lack of confidence in its success, the client has no way of knowing whether it would have worked.
Either way, pentesting teams should always include their full list of possible infiltration methods in the report, even those they did not have a chance to test, so the client is aware of every method a real attacker could use.
Actionable and Realistic Solutions
One of the most critical outcomes of a physical pentest is the recommendations provided at the end of the assessment. These solutions must be actionable and realistic.
It’s not helpful to receive a list of impractical or prohibitively expensive measures. Instead, the suggestions should be tailored to your specific environment and constraints, offering feasible improvements that enhance your security without breaking the bank. The goal is to provide clear, attainable steps to mitigate the identified risks effectively.
For the pentester this often means coming up with a list of solutions for each vulnerability, from what they would consider the gold standard all the way down to something functional but cheap.
As I wrote about in this post, it is possible to come up with novel but effective methods to increase security without emptying your client’s bank account.
Realize that when it comes to physical security, there may be many issues that your client won't have the right to resolve on their own.
For example, if the client is in a shared office space that allows anyone to enter the building, that isn’t something your client will be able to change, so it is up to the pentester to propose solutions to such issues that are within the client's control.
Thorough Testing Period & Team Size
A robust physical pentest shouldn’t be rushed. Ideally, it should be conducted over several weeks to allow the testers ample time for reconnaissance and to test various infiltration methods. This extended period enables a more in-depth analysis and a higher likelihood of uncovering subtle vulnerabilities.
However, the duration can be adjusted if the client provides the testers with information that they would typically discover during the reconnaissance phase. This collaborative approach can streamline the process while still ensuring a thorough examination.
The black team should usually consist of between 2 and 6 people; this can vary depending on the experience of the team and the size and security of the facility. Generally speaking, the larger the team, the more thorough the test will be: the team will have more time for recon, more attack methods, and backup plans in case a teammate gets burned.
If the team is small, only 1 or 2 people, much of the above gets compromised and compressed. While an experienced pentester can often still succeed even with a team of one, they will not have time to launch the same number of attacks, and if anything goes wrong there is no backup to help them.
Unfortunately for the client, a larger team means more expense, and this has to be balanced. Generally speaking, the smaller the team, the more experienced its members should be.
Focused on Client Goals and Critical Discoveries
The scope of the physical pentest should align with your specific security goals. Whether you’re concerned about protecting sensitive documents, safeguarding critical infrastructure, or preventing unauthorized access to restricted areas, the test should target these priorities.
Additionally, testers should have the freedom to pursue any critical vulnerabilities they discover during the assessment. This might include unforeseen risks like the potential for bugging board rooms or accessing confidential information that wasn’t initially considered but is crucial to your security.
That said, I highly encourage both black teams and client contacts to stay in communication with each other to avoid any legal issues, e.g. if the team gets caught breaking in at 2am and the client contact is asleep and therefore cannot confirm their get-out-of-jail letter.
Similarly, any critical vulnerability should be reported to and verified with the client before it is exploited, especially if it is not expressly covered in the ROE / SOW. For example, if the password or passcode for deactivating the alarm system is discovered, it is advised that the team alert the client contact and get authorization before deactivating it.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.