Published in Spartan9

Lessons from Physical Intrusion Testing: Modelling the Threat

Over the last few years, there’s been an uptake in demand for physical intrusion testing. An increase in the number of organisations wanting to evaluate their security is positive and should be welcome news. Physical intrusion tests are an excellent technique for identifying and fixing security vulnerabilities.

At least, they are when they’re done well.

Unfortunately, like some other aspects of security, physical intrusion testing runs the risk of devolving into a superficial ‘tick the box’ activity, with limited meaningful outcomes. In some cases, the key requirement is that a test is conducted, meeting compliance requirements. The actual outcomes of the test are less of a concern.

Someone got through the lobby turnstile again. Great. So what?

In fact, it’s probably better that the outcomes of the intrusion test are as bland as possible. Nothing to see here.

It should be obvious that this isn’t the best approach to any security program, let alone physical intrusion testing.

Aside from wasting time and money, one of the problems with poorly executed physical intrusion tests is that the results can provide a false sense of security. A poor test can also result in a lost opportunity to identify real vulnerabilities and make meaningful improvements to security.

Over the years, I’ve recorded a lot of internal notes regarding how physical intrusion testing programmes can be made more effective. These notes have been made after intrusion tests that I’ve been involved with, and after reviewing the intrusion testing programmes conducted in other organisations.

In the interest of assuring good security — and getting the full benefit from the time and money spent doing physical intrusion tests — there’s value in sharing some of these notes so that other organisations can benefit from a variety of insights and approaches.

To avoid writing one epic article, I’ll break up my notes into several different posts. This is the first of these posts, which will focus on the importance of modelling a specific threat during an intrusion test.

The intended audience is both the client organisation (the company who is paying for the test, and whose facilities are being tested) and the intruder’s organisation (the individual or company that will be planning and conducting the intrusion).

Lesson 1. Model a specific threat

Often physical intrusion tests just focus on getting into the facility, almost as if the intrusion were a test of the intruder’s individual capabilities and ingenuity, when in fact it’s not. If an ‘anything goes’ approach is adopted, the intruder will adopt a hybrid set of tactics and techniques just to get the job done, which isn’t necessarily realistic.

My view is that intrusion tests should model the capabilities and techniques of an actual and credible threat. Within limits, of course.

Everything comes back to a risk assessment

This threat should be identified through the client organisation’s process of threat and risk assessment. In an ideal world, these threats and risks should have been what shaped the organisation’s approach to physical security (and other aspects of security). It follows that one of the core objectives of the intrusion test should be to validate the effectiveness of these security measures against these specific threats.

Examples of threat models

Here are a few examples of threat groups that an organisation may model for a physical intrusion test:

  1. An ex-employee is seeking to access their old work area on the 24th floor to sabotage a project in retribution for their recent dismissal.
  2. A criminal is seeking to access the facility to steal IT equipment for personal financial gain.
  3. A terrorist is seeking to bring a bag containing explosive materials into the facility, with the intent to detonate the device in a populated area.
  4. A competitive intelligence operative from a private security company is seeking access to information relating to an upcoming project on behalf of their client. Their plan is to install listening devices in executive meeting rooms.
  5. A human rights activist is seeking access to the roof of a facility so they can hang a banner denouncing the company’s human rights record in an emerging market.
  6. A mentally unwell member of the public believes a conspiracy theory that the company’s products are causing mass sterilisation and has decided that it’s time to confront the CEO and say enough is enough.
  7. An intelligence operative from a foreign government is seeking to access the facility to steal sensitive information relating to a defence department contract from an executive office on the 5th floor.

This list of threats is diverse, and not all threats will be applicable to all organisations or all types of facilities. The client organisation will need to determine which threats are the most appropriate for the intrusion test based on their threat and risk assessment. As a start point, a good approach would be to focus on the most likely threats and risks.

Identify the characteristics of the threat group

Looking at the list of threat groups above, it should be immediately apparent that the capabilities and intentions of each of these groups will vary significantly. These variations will have a range of practical implications when planning an intrusion test.

As a start point, each of these threat groups has different motives and objectives. Some objectives may require them to access the most secure parts of the facility. Other objectives could be achieved by simply waiting in the lobby or the car park.

Each of these groups will accept different levels of risk. A human rights activist may not want to harm any person or steal or damage equipment, while a criminal may be prepared to steal whatever isn’t bolted down and will be quite content to cause harm to anyone who tries to stop them.

Different threat groups will have different capabilities. When considering a group’s capabilities, consider what they know and what resources they have available to them. As an example, some threat groups may have a good knowledge of how security systems work and perhaps how to defeat them, while most will have none. When conducting an intrusion test, regardless of the level of knowledge and experience of the person conducting the intrusion, they’ll need to apply the level of knowledge and experience of the individual or group they are modelling and not colour too far outside the lines.

Each threat group will have different levels of experience. Some groups may be well practised and professional. Others may have never done this type of thing before. Experience will affect the threat group’s preparation and their willingness to accept risk during the operation. A good lesson here is to not be afraid to use someone who has never conducted an intrusion before, if that fits with the characteristics of the threat you’re modelling.

Different threat groups will operate using different tactics and techniques. The individuals conducting the test will therefore need to be familiar with the tactics and techniques of the threat group they are modelling. Some threat groups may conduct extensive reconnaissance and surveillance (e.g. the intelligence operative), while others may conduct none (the mentally unwell member of the public). Once the intrusion operation is underway, all activities — including planning and reconnaissance — should be conducted based on an understanding of how that threat group would operate in the real world. This understanding should consider not only the group’s capabilities, but also their limitations (more on limitations below).

Each threat group will also have different levels of knowledge of the facility. An ex-employee may know the facility well, while a criminal or activist may have no knowledge of the facility other than what they can observe from the outside. The level of facility knowledge will have a major impact on how the intrusion test is conducted (more on this aspect shortly).

Build a threat persona

In their operational plan, the individual planning the intrusion should build a persona for the threat they are modelling. This persona should break down the various factors identified in the section above, describing the level of knowledge of the threat, the equipment they are likely to have available to them, how they are likely to operate, and so on.

Here are a few of the considerations the individual planning the intrusion should factor into a threat persona:

  • What are the threat group’s objectives?
  • What specific parts of the facility would the threat group have to access to achieve those objectives?
  • Can the group’s objectives be achieved during working hours, outside of working hours, or both?
  • Is the threat group local, from somewhere else in the country, or from another country?
  • Does the threat operate individually or in small teams?
  • Will the same person (or people) conducting reconnaissance and surveillance also be conducting the intrusion?
  • To what extent will the threat group apply cover stories and subterfuge? Looking at the examples earlier, an intelligence operative could be expected to have a well-developed cover story. The mentally unwell member of the public, not so much.
  • How well does the threat group understand the facility and its operations?
  • How much risk is the threat group willing to accept to achieve their objectives?
  • How likely is the threat group to seek assistance from an insider?
  • What tools and equipment are available to the threat group, and how effective are they at using those tools? (Anyone can buy a set of lock picks, but not everyone can use them).
  • How much time does the group have available to them to plan and execute the operation?

This list covers the basics, and there’s scope to get into more detail with developing the persona if you like. For example, some threat groups will want to conceal themselves from surveillance cameras (e.g. intelligence operatives, criminals and ex-employees) while others won’t be bothered if they are on camera (e.g. mentally unstable people or terrorists). These details matter if you want to ensure the physical intrusion test is realistic.

At the end of this process, the individual planning the intrusion should have a one page document that describes the threat they are modelling, covering the various characteristics discussed above.

Choose your fighter

After going through the processes of defining the threat you intend to model, it should be clear that you can’t just grab anyone to conduct the intrusion test. The intruder will need to look like someone from the threat group. Age, gender, ethnicity and physical appearance all play a factor here. How the intruder dresses during the operation is another aspect to consider.

Conduct the operation in character

Each stage of the intrusion operation should be conducted in character, based on the threat being modelled. If reconnaissance and surveillance are conducted in preparation for an intrusion, these activities should be conducted in the manner befitting the threat group. The same goes for any human intelligence gathering activities that are conducted in support of the intrusion (I’ll be discussing intelligence gathering in more detail in a separate post).

All threat groups have limitations

All threat groups have things they can and can’t do. An intelligence operative may be extremely capable, but the demand to ensure the operation remains covert and deniable will constrain their approach. A criminal may be highly motivated to break into the facility, but they may not have thought past getting through one of the external doors.

One of the key benefits of modelling threats is that it places guardrails on the intrusion operation. Otherwise, as noted in the opening, there’s a risk that the intruder will take an ‘anything goes’ approach to achieve a successful intrusion. They’ll adopt the best aspects of each of the threats simply to achieve the objective of getting into the facility. Such an approach isn’t realistic and could almost be considered cheating. (Do threat groups ‘cheat’ to achieve their objectives? No, they don’t. They will all operate within the parameters of their capabilities. Capabilities will vary, as will constraints and limitations).

Knowledge of the facility

Unless you’re modelling an insider threat, the intruder should not have any knowledge of the interior of the facility. Such knowledge would provide an unfair advantage and may be unrealistic based on the threat being modelled. For these reasons, if your organisation is conducting a testing program, it’s good practice to meet the individuals conducting the test at a different facility. Also be mindful of what information you provide during your discussions.

For one intrusion test I conducted in Taiwan (which is not where I’m based), I was not even told the location of the facility. I had to find the facility myself, which proved to be challenging because the address of the facility wasn’t publicly available. The facility ended up being in a rural area many hours away from Taipei. Quite the adventure.

On the other hand, if you’re modelling an insider threat, such as an ex-employee, it would be necessary to take the intruder through the facility so they can become familiar with the layout. This approach may seem unusual, but if that’s the threat you’re modelling, that’s the approach you should take. (What you may not be able to simulate is the fact that current employees may recognise an ex-employee and confront them).

Use different threat models

If an organisation is running a program of intrusion tests over a period of time, there’s certainly an advantage in conducting different tests using different threat models. This approach will help validate the organisation’s security against a range of threats.

To wrap up, at least in my experience, modelling a realistic threat is one of the keys to ensuring that an intrusion test is realistic and that the recommendations arising from the test are relevant in the context of the facility’s security design.

At the end of such an intrusion test, the organisation should be in the position to be able to make a valid assessment of how secure their facility is against a specific threat. There’s value in knowing this information, particularly when prioritising security improvements.

In the next article on physical intrusion testing, I’ll focus on the importance of testing multiple layers of security. As you’ll learn, getting through a lobby turnstile does not an intrusion test make.