Original Research
Locks & Leaks: Risk, resilience, and red teams! Promoting and supporting the Physical Red Teaming profession, along with articles, tutorials, and stories about physical security, red teaming, and security risk management.
The mission of Locks & Leaks is to promote the physical security red teaming profession, elevate the discipline, and develop a practitioner community to advance and mature red teaming tradecraft. Our core is red teaming – but our mission is ultimately to help our organizations (and blue team partners) make better security decisions and systems. To do this, we need effective and mature security risk management – a concept that frequently eludes even the best-staffed security organizations.
Below is an outline of the L&L structure. As new posts are published, the entries below will become links.
Locks & Leaks Overview
PhySec Red Teaming Introduction
- What’s the Point? Why do organizations conduct physical red team assessments, and who should do it?
- Red Team Resources: Equipment, vendors, job descriptions, and training resources [GitHub – updated monthly]
- Types and Approaches
  - Cyber vs. Physical
  - Internal vs. External
- Ethical Considerations – An Introduction
- Legal Implications of Red Teaming
PhySec Red Teaming as a Profession
- Breaking Into the PhySec Red Team Profession
- Part 2: Videos, courses, skills, connections, and next steps for those interested in a career in PhySec Red Teaming.
- Growth as a PhySec Red Teamer
  - You’re through the door and are now a red team professional; now what?
- What does maturity look like?
  - Envisioning a robust and mature PhySec red team profession.
- Red Team Analysts
  - The secret weapon on a team full of secret weapons.
  - Perspectives: Analyst | Manager
- 12 Tradecraft Talents
  - The areas of expertise that can position you as a sought-after operator for red teams (or broader security teams).
Red Team Types & Targets
A series on how to safely test non-traditional security teams.
- Breaking into Buildings (BiB)
- Executive Protection
- Event Security
- Mail Screening
- Security Awareness (tailgating, unescorted visitor, etc.)
- Crisis Management
- Data Centers
- Analytical Red Teaming
- Countersurveillance Detection Teams
- TSCM Program Testing
- Training Staircase (Training, Workshop, Drill, Exercise, Red Team)
Red Team Tradecraft
- Tradecraft Overview
- Red Team Tools
- Surveillance
- OSINT
- Probing (TED – Try Every Door)
- Door/Lock Bypass Options
- Lockpicking
- The state of RFID Hacking, badge cloning, and access control exploitation
- Social Engineering
  - Ethics & Social Engineering
  - Cover Stories & Escape Plans
- Destructive Entry
Building a Red Team
- Build vs. Buy Decision (Part 1, Part 2)
- Choose a Red Team Model
- The Foundation
- Red Teaming in Industry Standards
- Key Partners for PhySec red teams
  - Internal: Within the PhySec Org
  - Internal: Across your Company
  - Internal: With other company red teams
  - External: Across the Industry (RT vendors, exploit vendors, other RTs)
- Governance Documents (Red Team handbook, communications plan, etc.)
- “That’s On Me”: Owning Red Team Mistakes and Misfires
- Legal Eagles: When and how to work with your legal team
- CMMI for Red Teaming: Certifying that you have de-risked your red team
- De-Risking the Red Team: Legal considerations
- 12 Step Roadmap to Starting a Red Team
How to Prioritize as a Red Team
- Overview
  - BANPE: Brainstorm, analyze, narrow, prioritize, execute
- Poison Circles
- Threat Modeling
  - Tactics
  - Threat Actor Identification, TTP review, and complexity determination
- Types of Tests
  - Scratching the Surface vs. Deep Dives
  - Threat-Focused Tests
  - Vulnerability-Focused Tests
  - Asset & Impact-Focused Tests
- Prioritizing Frameworks and Templates
  - Using Planning to Promote Buy-In
  - Prioritization Factors
  - [Resource] Prioritization Template
- Monthly Vendor Testing
Covert Chronicles
Sanctioned crime stories and lessons learned while (mostly) safely conducting red team assessments:
- Long Guns & Lessons Learned
- All It Takes is a Vest
- My First Time
- When the Red Team gets Red Teamed
- “Please Stop Chasing me, over”
- Hiding a Secret Safe
- Low-Speed Chase
- Scooter Surveillance
Red Team Lifecycle
A step-by-step guide on how to carry out your red team.
Phase 1: Proposal
- Will you Red Team Me?
  - What is a proposal, and why write one? Learn how to proactively address detractors, gather buy-in, ensure safety, and get CYA approvals.
- Scoping a Red Team Assessment
- [Resource] Red Team Proposal Template
- Safety & Security Considerations
  - [Resource] Template and Examples
  - Armed Security & Law Enforcement
Phase 2: Planning
- Resource Allocation, Timeline, & Budget
- Communication Plan
  - Stakeholder engagement planning, and creating the appropriate communication channels (internal within the team, external to various people, law enforcement notification, etc.)
- Go/No-Go Decision
- Letters of Authorization (LoA)
  - [Resource] LoA Template
Phase 3: Execution
- Safety Briefing, Notifications, and Communication
- STOPOP: Knowing When to Stop
Phase 4: The Aftermath
- Closeout: Ending the Operation (how to STOPOP)
- Tagalong Tasks
  - Actions to take 1 minute, 1 hour, 1 day, and 1 week after STOPOP
Phase 5: Reporting
- Communicating Findings to Leadership
- Writing a Red Team Report
  - [Resource] Red Team Report Sections (describing vulnerabilities, severity, complexity, and potential mitigation options)
*Phase 6: Vulnerability & Risk Management
- Who Tracks Red Team Findings?
  - Vulnerability & Risk Management Teams
  - The Red Team
- Ways of Tracking Red Team Findings
- Convincing Leadership to Mitigate Risks
*Phase 7: Trend Analysis
- Identifying and Highlighting Trends in Red Team Findings
Phase 8: Retesting
- Retesting Overview
*Typically not completed by the red team.
Red Team Lifecycle for Consultants
The lifecycle of a red team assessment conducted by a consultant should largely follow the lifecycle above. Several additions are essential for third-party consultants:
- When to Red Team: More importantly – recognizing when a client is not ready for a physical penetration test.
- Proposal: Drafting a business proposal and Statement of Work
  - Identifying which phases the client wants involvement with.
Want to help?
If you have expertise, experience, insight, or interest and you can contribute, please email us. We are always looking for writers, different perspectives, resources, and more.