Red team diaries: Physical

SE01 E01 (To protect the identities of those involved, this article is a dramatization of events taken from a mixture of engagements.)

The mark

Somewhere in Europe, the clock strikes five. It’s raining hard, and an HR consultant has finished work for the day at his client’s office. He carefully tidies the desk he’s been using, then wishes the few other workers present a good weekend. He takes his client-loaned laptop to a small IT room adjacent to the main lobby, using a temporary key card to enter. He closes the door and, after dropping the key card into a mailbox in the lobby, is ready to leave.

Freezing rain hammers on the lobby windows. The contractor holds the glass door open with his foot, trying to open his umbrella without getting his suit wet.

“Let me get that for you,” a voice says from the other side of the umbrella. It’s a man, dressed quite casually, who leans in to hold the door. “And have a nice weekend.”

The man pulls the door fully open, smiles, and brushes past into the lobby. The contractor smiles back automatically, barely registering the interaction, and walks towards his car, his mind already on dinner and the weekend ahead.

The red teamer

It can happen to anyone. I’d been shadowing the contractor going in and out for weeks. I knew exactly when he would be leaving. I’d also phoned the reception desk to ask whether I could have a parcel delivered there. I’d asked who would be there to receive it and when I could come to pick it up. More important, when couldn’t I come to pick it up? When was the lobby unstaffed?

I had one goal: to break through the client’s physical security, acquire a laptop, and penetrate the restricted network to access high-value intellectual property.

My name is Tom, and I’m a red teamer. I test clients’ readiness to prevent, detect, and respond to cyber attacks. A red teamer is like a boxer wearing pillows on their hands instead of gloves; red teamers simulate an attack without doing any damage, but with the same stakes. This helps clients to find and fix the gaps in their defenses so that they are ready when they are attacked for real.

This story is about my work with a financial entity, which owns custom-developed trading algorithms and workflows designed to predict trends in certain markets. In the hands of a financially motivated adversary, this intellectual property could potentially make millions, and competing organizations could save years in research and development.

So, that Friday afternoon I was sitting in my car, packing my laptop bag with the compact toolkits I needed for the physical break-in. The HR contractor left dead on time every Friday—sometimes, routine is the enemy. Around 16:55, I locked up and approached the building, walking slowly until I saw him through the glass doors. The moment he stopped to open his umbrella, I knew I was in.

The intruder

With my laptop bag hanging from my shoulder, I walked directly to the key card mailbox. It was the kind available from any standard retailer, making replica keys easy to obtain. I hadn’t bothered to find one though: I could open those simple locks on my own.

I turned my back to the CCTV cameras, making sure my hands were out of view, and slipped a lock-picking tool, a jiggler key, into the lock. I moved it gently. The mailbox opened.

The mailbox was full of access cards that had not yet been deactivated for the day. I slid them into my inside jacket pocket and walked to the IT room that I had seen the HR contractor accessing. The first key card I took out of my pocket unlocked the door.

The HR contractor had left his laptop on the closest table. I felt a pang of excitement. I already knew exactly what laptop models the organization used; I had seen them front and center in corporate videos and under the arms of the workers moving through the building’s lobby. Over the last few days I had researched the potential weaknesses those models have. It pays to be prepared.

Organizations cannot hide all this information, but they should understand how attackers may use it to enable their actions.

The HR contractor’s laptop went into my bag, along with a second, different model (just in case). I left the room, posted the stolen key cards back into the mailbox to avoid raising an alarm, and strolled from the building. Easy.

Read the next installment of this Red Team series ‘Episode 2 – Cyber’ here.
