This post describes some of the factors that a team should take into account while planning and executing a physical penetration test.
As a disclaimer, some may find the heavy use of military jargon alarming. Such language is not intended to suggest or encourage an adversarial relationship between the security professionals and their clients; rather, it’s the simple result of two facts: (1) A large number of professionals in this field have a military or law-enforcement background, and (2) the military has, out of both necessity and experience, developed an efficient way of communicating many of the unique concepts that apply to this field.
Learn Your SOPs
Develop a Standing Operating Procedure: Every engagement and every client is unique, and each deserves to be treated as such. However, the general principles guiding how a team plans for and conducts physical security assessments are not. A standing operating procedure (SOP) should address a number of specific elements:
(1) How the team assigns roles for an engagement and the responsibilities associated with those roles.
(2) How the team plans for an engagement. This subsection should answer important questions such as:
- Who is responsible for what aspects of planning?
- What is included in an operational plan?
- What are the expected deliverables from the planning phase?
(3) Common Tactics, Techniques, and Procedures (TTPs). If all members of the team need to be proficient in (or at least familiar with) common TTPs, they should be enumerated in the SOP. Since a mature physical penetration test often depends on the use of specialized tools, those tools should be included in this list as well. Detailed explanations of how to use them may be beyond the scope of the SOP, but the SOP should at least serve as a comprehensive reference point for everything that may be included in any given assessment.
(4) Cross-Training Skill Requirements: To their detriment, many organizations still compartmentalize physical and logical security, despite their growing interconnection. The buzz phrases used to describe how “cyber” systems affect physical security are “cyber-physical security” and “cyber-physical systems.” Even if the engagement is purely physical, the team should know what to look for from a logical perspective, in order to emphasize the importance of a holistic security approach to the client. Security professionals coming from a logical penetration testing background already know some things to keep an eye out for. Examples include accessible WAPs, Ethernet jacks, unlocked computers, posted passwords, etc. A good SOP will define, from an organizational standpoint, those specific non-physical skills which must be learned or mastered before individual team members are placed on physical penetration tests.
Developing an SOP serves a number of purposes. One is facilitating intra-team communication and expectations by giving everyone the same reference point. This is especially useful as the composition of the team (or teams) changes and new members come on board. Though everyone has a different approach, the SOP helps to regulate and make engagements more effective and efficient. By clearly defining responsibilities and expectations, it helps hold team members accountable for their assigned roles.
The SOP is not written in stone, and deserves to be revisited frequently (for instance, as part of the After-Action Review). Updating it as necessary helps to ensure it remains useful and relevant.
The Planning Process
The team’s SOP dictates general guidelines to be followed in the planning process, but not the details of a specific plan. Planning is where the team acknowledges the unique nature of each engagement and develops a strategy to meet its needs. Once a plan is complete it is incumbent on all members to know it and abide by it. Respect the plan.
Thorough and proper scoping is the clarion call of the security professional. It helps protect us while ensuring we meet the needs and expectations of the client. Though scoping is not more important in a physical penetration test than in a logical penetration test, the results are more tangible and therefore often more sensitive. Scoping establishes the “Rules of Engagement,” so to speak, and necessarily affects all aspects of the engagement. As such, it must be addressed up front. Develop a list of questions for scoping, require that they be answered in full, and enlist the help of maps and other resources if necessary or helpful. Scoping is particularly important in shared or rented space (such as a corporate office, high rise, strip mall, or business park), where the client may not control, or have the authority to authorize testing of, every area the team could reach.
Many people prefer execution to planning, but a mature security professional should be fully invested in both phases. Spending more time in the planning phase helps ensure success when it comes to execution. The team should be able to reference the SOP to see what questions need to be addressed in the plan, but a complete plan should address at least the following:
- Answer the 5 W’s
- Assign roles
- Provide a concept of the operation
- Establish a communications plan
The plan should also address some of the following, perhaps less obvious details:
- Exfiltration routes: Of course the team will consider how to enter the target location, but how to leave deserves just as much attention. If you choose to exit the same way you came in, that’s fine. However, you may want to explore a different exit in order to avoid arousing suspicion. If that’s the case, it needs to be addressed in the planning and close-target reconnaissance phases (see below). Ideally, each team member should have a primary and a secondary route. Identifying these in the planning phase also facilitates communication. For instance, a team member simply has to say or text “primary exfil” instead of “I’m leaving out the back door on the north side of the building.” If you use texts to communicate during the execution phase, consider building a custom list of predefined texts to make the communication process even quicker.
- Communications: As mentioned above, your plan should address communications. Not just the primary and, if possible, secondary means, but also timing. For instance, the plan may call for some form of radio contact every X minutes. Assuming the team will be separated, if one member falls silent, how do the other members know that he or she hasn’t been stopped by security personnel, as opposed to, for example, losing reception while moving deeper into the building? The plan should also address what to do if, for example, one or two communication windows are missed. Should the other team members exfil? Should a driver move to a rendezvous point? Speaking of which…
- Rendezvous / Rally Point(s): In the context of small-unit tactical movements, these have been with us since at least the time of Robert Rogers, father of the modern-day U.S. Army Rangers. They simply refer to a predefined meeting point, with the emphasis in this case on predefined. The team needs to know where these are prior to separating and starting the execution phase, especially in the event that communications are lost for whatever reason. In addition, the team may want to identify multiple points depending on the contingency being carried out, or the designated rendezvous point may change with the passage of time.
- Abort Criteria: Determining criteria for what constitutes a successful engagement is an obvious result of the planning process. However, a mature team should also consider under what circumstances they will abort their current attempt, withdraw from the target location, and reset. Agreeing upon criteria is a good way to regulate the actions and responses of individuals with varying degrees of risk tolerance, encouraging them to act as a team. Disregarding the criteria may result in the team or one of its members being stopped. Provoking a response provides some value to the client by showing why and how their personnel react to security issues, but it will likely prevent the team from identifying all issues in need of remediation, which is where the real value of a physical penetration test comes from. As with all aspects of the plan, it’s essential to stick to the abort criteria once they have been agreed upon.
The team will be able to fill in some aspects of the plan remotely, through thorough scoping and map reconnaissance, but a complete operational plan will necessarily wait until they are on site, which leads to our next point.
Close-Target Reconnaissance (CTR)
Rolling up on the client location, hopping out of the car, and strolling in does not provide sufficient value to the client. CTR should be a phase distinct from execution, and should be used to complete the operational plan. As such, the team needs to allot time to it from the beginning. While onsite, the team should not allow itself to be distracted by targets of opportunity. Reconnaissance and planning take time, patience, and discipline, but they also lead to more effective execution.
After-Action Review (AAR)
Everyone enjoys reflecting on a good engagement, but to really derive value from these discussions they should be formalized to some extent. A thorough AAR should cover the intent of the engagement, the conduct of the execution phase, and successes and failures. It should include elements that worked and elements that did not work or need revising (for example, new or revised TTPs). It should involve all members who participated in the engagement, even if they only participated in planning and not execution. The team should consider documenting the AARs, and should assign responsibility for making changes to the SOP or any other team documentation if deemed necessary.
Finally, any serious physical penetration tester should strive to be a parkour master. When gazing upon a chain link fence, a physical penetration tester should see not an obstacle, but an opportunity to demonstrate their parkour skills. Beginners should consider starting with free-style walking. There are plenty of resources available on the internet that can help you improve your parkour abilities.
And remember, always wear a helmet.