How to get into Physical Penetration Testing

In an Australian community chat room, someone asked about wanting to get into physical penetration testing. As I’ve heard this question asked with some regularity, often in conjunction with being part of a Red Team, I thought it might be worthwhile sharing my thoughts here.

Let me first preface this with, this is my perspective, and opinion of the current Australian market in late 2020. Not as an authoritative view, but as a single observer with some experience in this area. If you’re here because you’re looking to get a role in this area, here are my frank thoughts on the landscape. Here goes.

Doesn’t get more succinct than that, from a veteran in the space.

1. Physical Penetration Testing =/= Red Teaming

Let us start by clarifying, that Red Team and Physical Penetration testing are not the same thing, but are often misused interchangeably by many to little consequence. But since we’re talking about careers, I feel it is important to get the terminology right.

Physical Penetration testing is focused on testing physical security controls, to find unintended behaviours/outcomes while verifying the assumptions of the controls. If you’re just checking a list of controls for the existence of said controls, that’s just an audit. Not a Penetration Test.

Red Teaming is about adversary simulation.
Typically with broader scope, and covers physical, digital and social aspects of the simulation objective. More Tactics, Techniques, and Procedures (TTPs) are in play, and typically are cross-domain. Such as using a digital attack (phishing) to gain social authority (a fake “authorisation”) to gain access to a physical location/kidnap a person. The intent here is to identify potential unknown unknowns, that are often overlooked. You are doing the preparation, and behaving the same way an actual adversary will, but just short of causing any actual harm.

My crude explanation won’t do full justice to the definitions, so here are a few blog posts by a Red Team legend, a master in the field, and my teacher (hence the similar views): Wayne Ronaldson.

Hopefully that clarifies the definitions. There are more “Physical Pentests” than proper “Red Teams” in Australia. For the rest of this piece, I’ll be focusing on the Physical Security Penetration Test, not Red Teaming. That said, this is one definition of Red Teaming; there are a few different schools of thought around it. But one thing is clear, it’s beyond just a physical security check.

2. Best way to get into the field?

For physical penetration testing, if you’re only focused on physical security, consider looking at a locksmith’s career pathway. There are TAFE courses for it. I don’t know much about it beyond that as that was not my pathway.

You could also do the government route, and join ASIO/Military, and specialise in physical security bypass skills. Again, not my pathway, so I don’t know much about it, but heard it was a viable option.

In the private/commercial sector, within the Cybersecurity context is the pathway that I walked as a practitioner, and facilities management, from an employer’s perspective. Physical security is currently still quite a small part of the total work done; jobs are few and far between as they cost a lot. Here’s why I think it is so.

A mid-tier security consultant’s day rate is roughly $1.5k, a team is typically 4–5 people, but at least 2–3 people make up the break and enter team. (Never solo, always have someone watch your back.) You’re looking at at least 10 days on the short end, but typically upwards of at least 20–45 days for more comprehensive engagements. IMHO, anything less is likely just an audit, and you’re likely walking around checking locks and doing a mental simulation 😉. That’s costly! You’re looking at costs starting at $30k + material costs + insurance for that one engagement. Not many organisations have that kind of money to spend on security as a whole, let alone an assessment like this; and those that do, want to make sure they get their money’s worth.

That unfortunately is quite a high benchmark to meet. So, to set expectations; this typically (there’s at least 1 person I know that has done this as a junior, she’s awesome) isn’t an entry level job unless you have like Liam Neeson in Taken, “I have a special set of skills…”. So for this area, as Synick says, you become a web/mobile/app/hardware pentester first, and then maybe get the opportunity to go on physical pentest/red teams; if your firm manages to land a job. There’s also internal Red Teams, and physical security assessment professionals; but those are super super rare.

Going back to the original question; depends on how focused you are on just doing Physical Penetration tests. My hot take; if physical is all you want, go the locksmith path, if you’re keen on the cybers too; become a penetration tester with a consultancy (how to become a pentester? There’s lots of info out there, so I won’t talk about it in here). The government path if you want that life, and want to be mission driven. The reality is that commercial physical penetration tests are part of security assurance, such as the Protective Security Policy Framework, and there’s a limit to the regularity physical penetration tests will continue to drive value. Hence the rarity of work. Because of that, the competition is strong, and many really experienced people typically get first pick.

3. How do I get started?

When I first started, I thought the same thing.

What should I have in my kit? What tools should I learn?

Very quickly, I learnt that it’s the mindset and knowledge that helps me more than just relying on the tool. Understanding why and how a tool works is deeply important to understanding why what you found is a vulnerability and can be exploited, which is what is important to help the client understand the impact.

I have an SDR, multiple lock pick sets, a pick gun etc, and didn’t really use them. When I needed to actually do the work, I mostly just used a butter knife, a shim, a clipboard, high vis vests, and lots of smiles 😋. Don’t get me wrong, I love my “toys”, and continue to buy them to “play” with, but you can do quite a bit with very few tools. (As a quick aside, check the legalities of possessing these tools in your locale. Some of these even require a license to operate.)

So, it’s not all about tools. It’s about the mindset, and knowledge. Tools are important to know, as they help you do your job well, but they should not be the focus. Tools will typically be determined, and provided by your employer or improvised on-site. You’ll learn about the tools as you go along.

Best to educate yourself, and actively engage with the community.

Why am I talking about mindset so much?
How important really is developing that mindset?

I once won a CTF by solving an “impossible” tamper evident bypass challenge at OzSecCon, simply by using a knife, a syringe, nail polish and lots of patience. Tools that one would not typically consider part of a hacker’s/physical pentester’s toolkit. This allowed me to tamper with evidence, get access to computer hardware, etc. without visible detection of tampering. So definitely relevant skills.

For the curious, the challenge was to defeat “Glitter Nail Polish to Make Your Laptop Tamper-Proof”. More details on what that entails are in Mos&Boo’s write-up at the bottom; and yes, 4384 is the max attainable score on highest difficulty.

Where do I go to start developing these skills? Go back to the previous section; “2. Best way to get into the field?”. Or go be creative, and look at building your own pathway into the industry.

4. The reality

One perspective I have that few others have, is that I’ve hired a physical pentest before. I commissioned it, set the scope, signed the waivers, my mobile on-call, bailed the pentesters out of bad spots, and paid them bills. Here’s a customer’s view of it.

I expected the people on the job to have skills to think outside the box. To look at any possible way to compromise my security, and to challenge my assumptions of my physical security; from testing the assumptions and expectations I have in my systems, people, processes, and tools (eg locks). If an attacker can bypass “locks” by asking front desk to let them in; that’s something I want to know.

A pentest is more than just a checklist of controls; but a proactive attempt to subvert, circumvent or avoid them all together. Or even cause it to act in unintended ways; such as potentially causing my building’s heating to explode, or cause the elevators to not work. (I’m not talking about Red Teaming yet, just physical pentests.)

As physical pentests often deal with real people (who are unknowing targets) and real infrastructure (that may cost millions to fix if broken), a deep understanding of the impact and consequence of your actions is needed; and to think on the fly, while remaining calm and level headed in the most stressful situations. The reality of this maturity is that it is for your and the client’s safety. As you can imagine, breaking into a place, you can potentially be in some pretty difficult situations; from being stuck behind one-way and timed locked doors, to getting attacked by security carrying stun guns, or even real guns. To all perception, you’re being sus, and doing a “crime”. The only thing that is saving you, and separating you from a criminal, is the letter of authorisation and waiver in your pocket. I need to know you will remain calm despite the situation; so that I can cleanly de-escalate the situation and debrief my employees; and that you’ve not caused them harm for doing their job, and it becomes a WorkSafe/OHS complication. These typically come with maturity, experience, and knowing your craft well. Hence why these engagements typically go to someone with more seniority in their career.

The other reality is, I can’t justify regularly spending $30k plus per year, on testing my physical security; only when significant changes happen to a building. How frequent is that? Of that, how many need that level of security assurance? Then there’s the competing concerns for budget. Hire another security guard to patrol, or hire a physical pentest to tell us again what we already suspect but can’t do much about.

That is why, even for some of the best specialist teams out there, there isn’t a lot of work in this field. Especially when compared to the pace and speed of web pentests.

The other thing that needs to be said: physical pentesting is a physical affair. You need to be where the work is; and most commercial teams operate out of Sydney and Melbourne, and one team that I know out of Brisbane. So, if you’re not there, you are stacking the odds against yourself. If I can hire a local team in Melbourne/Sydney, unless I’ve special requirements, I’ll hire local so that I won’t have to pay your travel costs.

There isn’t a lot of work in this field; so if you want to pursue it, go for it, but keep that in mind. No matter your passion, the reality of supplying something there’s little demand for can be a harsh reality check. Doing Red Teaming and Physical Penetration testing is the dream job for many cybersecurity professionals out there today, me included.

You can potentially be that unicorn that makes it. But you’d have to be creative about it. Not something I can write a guide for, as it’s your personal custom hack, into the industry 😉

Anyway… just my 2c, and experience.
Enough of my ramblings.

There are many more really kick-ass people in the Australian community that know way more than I do in these matters. But I hope that helped you, if you are looking to embark on this journey.

🖖

Friendly neighbourhood cyber-janitor, cyber-landscaper, cyber-cartographer, and herder of cyber-cats (and unicorns). Just sharing my 2c. License CC-NC-BY-SA