Red teaming and its real-world value to your organization
There is only one way to know that your security system is working: red team testing. Our clients may at times find the results of a red team painful to hear, but they are always useful and an indispensable resource.
What is red teaming?
Red teaming is akin to a cyber penetration test, but for the physical security arena. Role players simulate bad actors in an attempt to thwart security processes and systems against the backdrop of a real-world scenario. As with cyber security testing, the goal is to help clients identify critical vulnerabilities.
When should an organization use a red team?
Organizations can benefit from red teaming almost any security measure they wish to stress test, from access control to badging systems and from human engineering to officer attentiveness. Even the best-designed security can benefit from an objectively executed test of a threat-based scenario. The following are actual case studies from Chameleon's files, where a red team helped businesses and government agencies identify security weaknesses and ultimately remedy them.
Fencing and perimeter breach
Company A had spent hundreds of thousands of dollars installing a perimeter fence with barbed wire and fence sensors, supported by closed-circuit television cameras. Despite this costly installation, a red team player managed to uncover several entry points. At the first, the player was able to climb a steam pipe, which was in a camera blind spot, and cross the fence without setting off the sensors. At another location, the player found a padlocked gate that was easily opened by moving a pipe that secured the gate to the ground.
Social engineering and tailgating
Company B worked out of a highly secure research facility. It had recently posted job openings for internship positions. A red team player used LinkedIn to research Company B employees and their names. The player went to the facility with this information and tailgated an employee entering through the main gate. The player assured the employee he was there to meet "Mr. Smith" about a job (a name gleaned from the research). The employee escorted the player throughout the facility, explaining key building features and introducing him to other staff. The player was able to leave with this information, unconfronted.
Artificial intelligence camera system
Company C had recently started relying on an artificial intelligence (AI) system to help monitor a network of several hundred security cameras. Over the course of several red team exercises, the company's security operations center was able to pinpoint important strengths and weaknesses in the system. Several incidents of suspicious behavior were used to “train” the AI to better detect criminal conduct. The red team players also advised, from their point of view, on better location and configuration for the cameras.
Dumpster dive data leak
Company D was using dumpsters outside their office building to dispose of documents containing corporate records and personally identifiable information on their employees. A red team player sorted through the dumpster trash for sensitive materials, which they eventually found. The player obtained three trash bags full of personnel documents, emails, invoices, research material, and handwritten notes about the company. Dumpster diving is a frequently used method of gathering intelligence about an organization and is legal in many cities. The information gleaned by the red team could have been used with malicious intent in any number of ways, to support a variety of schemes.
Conclusion
Red teaming is a vital practice that can help organizations improve their security posture, close operational gaps, and stamp out vulnerabilities. Chameleon Associates provides expert consulting services for private and public sector clients looking to bolster their defenses.
To learn more about this service, check out our Red Teaming and Penetration Testing webpage.