'Red Team' Testing - Resilience Challenged
Tuesday, 3rd December 2019
Trident Manor personnel were tasked with undertaking a penetrative test of a facility that was involved in the management of sensitive and confidential materials. The team were able to breach numerous layers of security and reach the confidential area where data was stored without being challenged. How robust are your systems?
Trident Manor was tasked by an American client with assessing the robustness of a European site that was being used for the management of sensitive and confidential material. It was decided that an adversarial attempted penetrative test, a ‘Red Team’ test, was the most appropriate way of achieving this.
Prior to deployment, the OSINT team undertook a full review of the site, personnel, activities and other social media leakages. This enabled a lot of data to be gathered, including satellite imagery of the site that showed the primary data management point. All of this was achieved from a desktop, whereas historically deployments to the site would have had to be made.
Using UK and European personnel, direct surveillance of the site was undertaken to establish any pattern of life that could be exploited. It was seen that a rear gate was left open for vehicle and pedestrian traffic after 0700 hrs and that nobody entered the main building before 0830 hrs. A security office was located at the side of the rear gate but was left unoccupied after 0600 hrs; there were no other signs of security personnel on the site, or at least none conducting patrols.
CCTV cameras were identified which covered the rear gates as well as some of the internal buildings’ access points, but there were gaps in spatial coverage. Intruder detection external alarm boxes were seen, but it was not possible to see whether an operable system existed or how well it had been installed.
A perimeter check found a metal palisade fence in good condition but easily scalable. The main office building and reception area were designed to be welcoming, therefore were not designed for security and offered little in the way of layered protection. On checking the office building, sensible use of intruder detection systems and CCTV was noted.
By analysing all of the data that had been received, a decision was taken to enter the site via the rear gate without wearing hi-vis jackets, head directly for the primary data management building and see how far the penetration could go.
The following morning the Trident Manor personnel were able to enter via the open rear gate, walk across the yard and go to a door leading into the main data management area. The door was open and a couple of people were inside; the Trident Manor personnel smiled and waved before continuing to walk into a more secure area, still unchallenged.
An electronic lock was not working, and the team were able to reach a door labelled ‘Confidential Area’. “Thanks for the heads up,” reported the team. This door was covered by CCTV cameras and had an access control system fitted. Bodily force was used to see whether the alarm would be triggered; the door opened into the primary data management area, allowing direct access. The team took photographs before calling the site manager to outline what had happened and what had been found.
To some this may seem extreme, but imagine it was your data, your company’s data or sensitive information about your family that was obtainable because of simple lapses in security. The purpose of this type of activity is not to catch people out but to challenge and test the robustness of physical, technical and operational measures before putting forward suggestions about how best to manage and reduce the risks or vulnerabilities that exist.
So, in this case, what were the main findings?
1. No risk assessment had ever been undertaken at the site to understand what threat sources could impact their operations and the methods that could be used.
2. There were failures in operational practices and a lack of robust procedures, particularly around access control and the challenging of third parties.
3. It is no good having physical security features if a vulnerability is created by staff. It was established that the rear gates were actually automated, but because of time delays they were not used during the daytime. Physical features have to be proportionate and operationally effective; if not, they won’t be used.
4. If physical barriers exist leading into sensitive areas, the robustness and integrity of the physical, technical and operational measures protecting them must be greater. Where failings are identified they should be fixed as a matter of priority.
5. Data protection also includes what information is shown and shared. Was there a reason to highlight that a door led to a ‘Confidential Area’? Let’s not make it easy for adversaries.
6. The whole site lacked a security culture and general awareness and vigilance of the threats and risks that existed against their type of organisation.
Trident Manor was able to submit the findings alongside dozens of recommendations about how to increase the robustness of the site and the protection of the assets within.
Whilst this case study shows failings in the security measures that were in place, other penetrative tests that have taken place around the world have found a very high standard of security and protective operations in place.
If you or your organisation think you may benefit from Trident Manor’s ‘Red Teams’ or other vulnerability assessment and evaluations programmes please contact Andy Davis (Managing Director) directly for a confidential discussion about how we can meet your global protective needs.