ME
EDUARDO ARRIOLS
• Security Consultant
• Co-Founder of HighSec
• C|EH, E|CSA and others
• Twitter: @_Hykeos
• Blog: http://highsec.es
Why?
No matter what security measures have been implemented in digital controls (firewall, IDS, etc.), they make no difference when physical access is possible.
General Phases
1. Planning and Intelligence: Obtain information about the building, physical security controls, etc., and elaborate intelligence tasks with that information to plan the attack
2. Breach: Access to the target building facilities
Physical Penetration Testing
Digital Penetration Testing
Social Penetration Testing
Attack physical devices connected to the network
Phishing, Watering Hole…
Tailgating, Impersonation…
Red Team
Integral Security
Red Team exercises
Controlled but real intrusion in an organization, using physical, digital or social vectors to obtain the most important asset of the company
Definition
Evaluation of security controls and the effectiveness of the blue team
Multidisciplinary team: Specialists in physical,
logical and social engineering security
Adversary mindset: Combined, silent and high-impact attack
Red Team
Penetration Testing vs Red Team
Penetration Testing (Digital) | Red Team
Finding, evaluating and exploiting vulnerabilities in one dimension | Finding, evaluating and exploiting only the vulnerabilities that make it possible to obtain the goals
Static methodology | Flexible methodology
Attacker's profile does not matter | Adopt the attacker's profile
The security team is normally warned about the test | Without notice
Office schedule | 24 hours
Just finding and exploiting the vulnerabilities | Measure the business impact of successful attacks
Information Gathering
Social & Physical Intrusion
Take Control of Devices
Network Access
Get Access to Servers
Search Assets
Exfiltrate Information
General Phases
Way
Planning and Intelligence
Breach
Defining Targets and Scope
Information Gathering
Preliminary Analysis
Reconnaissance (Passive and Active)
Intelligence
Planning and Analysis
Practice
Execution
Planning and Intelligence
• Information Gathering
– Understanding the company and their most important assets
– Where are those assets?
• Reconnaissance - Passive
– Walk around the building
– Driveway
– Windows (lateral, interior, exterior, parallel opening)
– Exits
Planning and Intelligence
• Reconnaissance - Active
– Surveillance of employees and guards
– Uniforms and badges
– Locate elevators
– Blind sectors of cameras and sensors
– Walk around the public area of inside the building
– Locate the boardroom
– Wireless networks
– Emergency maps
• Intelligence
– Evaluate conversation opportunity with staff
– Gathering information about employees
Breach
• Bypass of access control
– Lock Picking
– Tailgating
– Key pad
– Biometric
– Badges
• Contactless
• Smartcard
• Magnetic
– Uncontrolled physical access
• Windows
• Garage
Breach
• Bypass of sensors and alarms
– Motion sensor
• PIR
• Photoelectric
• Ultrasonic
– Magnetic sensor
– Communications systems inhibition
• Bypass of surveillance systems
• Social Engineering for obtaining physical access
And then?
• Exploitation and access to the corporate network (Red Team)
– Physical backdoor (Pwn Plug, Raspberry Pi, etc.)
– External device (Keylogger, Network Sniffer, etc.)
– Access to unprotected computers (Kon-Boot, etc.)
– Call Interception (Telephony and VoIP)
– Kiosks and hardware devices
• Obtaining confidential information (Objective)
Red Team
Bypass of Access Control
Bypass of RFID Access Control
1. Read employee card
2. Clone employee card
If that fails:
3. Analyze
4. Change content, or emulate / brute force
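The defender-side counterpart to the card-cloning sequence above, as an added example that is not part of the talk: a review of constructed access-control log lines for three indicators that a cloned, emulated or brute-forced badge is in use. The checks are "impossible travel" (one badge granted at two readers faster than a person could walk between them), after-hours use (the deck's "Office schedule vs 24 hours" point), and a burst of distinct badge IDs denied at one reader. The log format, reader names, travel times and office hours are assumptions made for the example.

```python
"""Access-control log review for cloned-badge indicators.
Log format, reader names, travel times and office hours are constructed
assumptions for this example, not values from any real deployment."""
from dataclasses import dataclass
from datetime import datetime, time

# Assumed minimum walking time in seconds between reader pairs; a real
# deployment would derive these from the site plan.
MIN_TRAVEL_SECONDS = {
    frozenset({"LOBBY-1", "DC-DOOR"}): 120,
    frozenset({"LOBBY-1", "GARAGE-B"}): 180,
    frozenset({"DC-DOOR", "GARAGE-B"}): 240,
}
OFFICE_START, OFFICE_END = time(7, 0), time(20, 0)   # assumed office hours
BRUTEFORCE_DISTINCT, BRUTEFORCE_WINDOW = 5, 60       # distinct badges denied per 60 s


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    badge: str
    reader: str
    granted: bool


def parse_line(line: str) -> BadgeEvent:
    """Parse one constructed 'ts badge=.. reader=.. result=..' line."""
    ts_text, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return BadgeEvent(datetime.fromisoformat(ts_text), fields["badge"],
                      fields["reader"], fields["result"] == "GRANTED")


def find_alerts(lines):
    """Return (kind, subject, detail, timestamp) tuples in event order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    last_seen = {}      # badge -> last GRANTED event
    denied = {}         # reader -> recent (ts, badge) DENIED events
    for ev in events:
        if ev.granted:
            if not (OFFICE_START <= ev.ts.time() <= OFFICE_END):
                alerts.append(("after_hours", ev.badge, ev.reader, ev.ts.isoformat()))
            prev = last_seen.get(ev.badge)
            if prev is not None and prev.reader != ev.reader:
                limit = MIN_TRAVEL_SECONDS.get(frozenset({prev.reader, ev.reader}))
                elapsed = (ev.ts - prev.ts).total_seconds()
                if limit is not None and elapsed < limit:
                    # Same credential at two readers faster than a person can walk:
                    # a cloned card may be in use alongside the legitimate one.
                    alerts.append(("impossible_travel", ev.badge,
                                   f"{prev.reader}->{ev.reader}", ev.ts.isoformat()))
            last_seen[ev.badge] = ev
        else:
            recent = [(t, b) for t, b in denied.get(ev.reader, [])
                      if (ev.ts - t).total_seconds() <= BRUTEFORCE_WINDOW]
            recent.append((ev.ts, ev.badge))
            if len({b for _, b in recent}) >= BRUTEFORCE_DISTINCT:
                # Many different IDs rejected at one reader in a short window
                # looks like badge-ID guessing; report once per burst.
                alerts.append(("badge_bruteforce", ev.reader,
                               f"{BRUTEFORCE_DISTINCT} distinct badges denied within "
                               f"{BRUTEFORCE_WINDOW}s", ev.ts.isoformat()))
                recent = []
            denied[ev.reader] = recent
    return alerts


# Constructed sample log: badge 1047 appears at two readers 55 s apart, then
# again at night; five unknown IDs are rejected at the garage reader.
SAMPLE_LOG = """
2024-03-12T08:58:10 badge=1047 reader=LOBBY-1 result=GRANTED
2024-03-12T08:59:05 badge=1047 reader=DC-DOOR result=GRANTED
2024-03-12T09:02:00 badge=2210 reader=LOBBY-1 result=GRANTED
2024-03-12T09:06:30 badge=2210 reader=DC-DOOR result=GRANTED
2024-03-12T23:14:41 badge=1047 reader=GARAGE-B result=GRANTED
2024-03-12T23:15:02 badge=1047 reader=GARAGE-B result=DENIED
2024-03-12T23:20:00 badge=9001 reader=GARAGE-B result=DENIED
2024-03-12T23:20:05 badge=9002 reader=GARAGE-B result=DENIED
2024-03-12T23:20:10 badge=9003 reader=GARAGE-B result=DENIED
2024-03-12T23:20:15 badge=9004 reader=GARAGE-B result=DENIED
2024-03-12T23:20:20 badge=9005 reader=GARAGE-B result=DENIED
""".strip().splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Run against the sample it reports one impossible-travel hit for badge 1047 (LOBBY-1 to DC-DOOR in 55 s), one after-hours grant for the same badge at GARAGE-B, and one brute-force burst at GARAGE-B. In practice the travel-time table and office hours are the parts worth tuning per site; the 23:15 denial of badge 1047 is deliberately not alerted on, since a single rejection of a known badge is normal noise.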
Conclusions
Real physical intrusion requires creativity and lateral thinking.
Red Team approach as a solution to conduct a comprehensive integral security evaluation in an organization.