Black Team War Stories: The Tipping Point

Industry: Research and Development

Sensitive Assets: Personally Identifiable Information (PII)

Objectives: Determine an attacker's potential post-breach activities

Client's Expectations: Breach is assumed simplistic

==========================================================================================

Background

The tipping point, as I have coined it, is the moment during a physical assessment when you identify the cracks in what initially seemed an impenetrable fortress and the tower of cards starts to fall. This is where you get your first entry point. It's at this moment you gain access and your other objectives start rolling in. This is something shorter engagements fail to demonstrate.

==========================================================================================

The Target

NCC Group was recruited to assess one such fortress as part of a two-site engagement.

Two ground teams had been deployed to assess the buildings sequentially. Team 1 acquired access card imagery and were successfully able to breach and achieve their objectives. This put some friendly pressure on Team 2 to achieve their site objectives.

Despite significant intel from Team 1, the second site appeared to be a different kettle of fish altogether. The second site had a completely fenced perimeter, a staffed main entrance with barriers, security perimeter sweeps and access cards that could not be easily cloned to open doors. This was not going to be an easy breach.

==========================================================================================

Recon

The most important part of any physical assessment is the recon.

Understanding your target is key to a successful breach; footfall, entrances, security cameras, security staff, shift times etc. We had been monitoring the target site for several hours and had only seen staff enter the building through the access-controlled barriers, past the security desk.

Team 1 had provided our own facsimile access cards and we had devised a plan to overtly approach the main entrance, attempt to tailgate the barriers and present our cards if challenged. This would be noisy and could raise our profile though - we want to be the grey men, go unnoticed and blend into the environment. There had to be another way...

A secondary building was attached to the main site via an enclosed walkway with no access controls between the two. It had its own perimeter door that we had been observing, but no one had entered or exited all morning; it felt like a dead end. Suddenly at 1230, a staff member approached the door and entered, followed shortly after by another two. We identified that the secondary building was a canteen, and while footfall was low and it was only used during lunch hours, it was another entrance into the target site and didn't require us to pass security. This was our tipping point.

==========================================================================================

Breach

The next day, armed with our fake access cards and our tools, we headed to site. We had noticed that staff heading for the canteen door took a different path from those going to the car park, so we positioned ourselves to intercept in key locations. The door shut quickly, so we needed to be quick.

We waited. The canteen began to fill but no one seemed to be using the door, and as time passed we adjusted position so as not to rouse suspicion. Just as we were considering other options, we spotted a target heading towards the building using the path we had previously observed during recon. It was go time.

The target opened the door just wide enough to pass through. We were able to catch the door, but not without our target noticing. They requested we scan our access card. We had identified the card technology, but our cards only looked like theirs; it wasn't going to work. We obliged, scanning our fake card.

*beep*

Despite being unable to clone an access card, we had still identified the RFID technology in use and printed onto some blank cards using that same technology. This meant the reader would acknowledge our invalid card and present a red light to signal failure, but the audible cue of that beep was all the target needed to validate us. We were in.

==========================================================================================

That’s a Wrap!

The NCC Group Black Team was able to gain access not just through the latest tools and gadgets but also by understanding human patterns, how to act like we belong and what opportunities to take. Without spending time on recon and intelligence gathering, it's just a 'smash and grab' with a high chance of detection and failure. The Black Team takes the time to study a site, identify where ingress security is weak and exploit it with stealth and precision. This provides a more realistic simulation of a real breach attempt and results in useful data to increase the security of the site we assess.
