Original Research

Locks & Leaks

Risk, resilience, and red teams! Promoting and supporting the Physical Red Teaming profession, along with articles, tutorials, and stories about physical security, red teaming, and security risk management.

Who does Physical Security Red Teaming?

Technology companies, banks, government agencies, energy companies, consultancies, and many organizations that protect critical assets, work in high-risk environments, or simply want to have industry leading security all conduct PhySec (fizz-sec) red teaming. When you have significant threats (e.g., North Korea regularly trying to steal your crypto-funds) or assets (e.g., $1B of intellectual property, research, or funds) and you want to make sure that what’s important is safe and secure – a red team is the best tool. Red teaming is common in high-consequence arenas, from local government (can you break into a police station evidence room?) to federal (can you sneak into the Pentagon?), banks (can you steal an employee’s login info?), technology companies (can you steal our source code?), infrastructure (can an individual take down part of the electric grid?), and much more.

Most of the things we value in society are protected by multiple types and layers of security. We have a great deal of faith in these layers of security, relying on them to feel safe and to go about our daily business. The best way to determine whether these layers are working effectively, or at all, is to test them, and to do it before our adversaries do. This is as true for businesses as it is for national infrastructure. It is better, safer, cheaper, and smarter to test your own security before someone malicious does.

Why conduct Red Teaming?

If you have high-value assets, serious threats to your organization, or have discovered significant vulnerabilities the hard way – red teaming is for you. Red teaming should enable the business to carry out its mission with greater confidence, fewer surprises, and no interruptions. A good red team assessment will provide the business with key information relating to:

  • Threat Actors and their Tactics: The intelligence-gathering and analysis conducted as part of red team operations will define specific threat actors (bad person/group with an objective), document history of their attacks, and identify most probable tactics they are likely to use against a specific organization. This makes it much easier to focus resources and defend against those tactics.

  • Undiscovered Vulnerabilities: Identify site-specific or global undiscovered vulnerabilities of varying severity. Red teams will often say “better us than them”, meaning it is better that an internal team uncover an organization’s weaknesses than someone with bad intentions.

  • Addressing Hubris: As security and risk management professionals, we think we know how to best protect our business, people, assets, and reputation. With stakes this high, even the most revered experts must be willing to test their decision-making and organization against real-world situations to see if its security measures hold up. Professional sports teams never go from practice straight to head-to-head games with their opponents. They have scrimmage, drills, pre-season, and other low-risk tests of their effectiveness. Likewise, a red team is any security organization’s scrimmage partner.

  • Better Budgeting: Red teams challenge security assumptions and determine whether the money spent on security, compliance, and risk management is truly keeping businesses safer. There are many ways to allocate a budget that will theoretically result in risk reduction. A red team determines whether these measures truly reduce risk, giving organizations confidence and providing the data to be most efficient with resource distribution and security investments.

  • Protecting Assets: Other than being targeted by real-world adversaries, there is no better way to understand how well businesses are protecting assets than a red team assessment on most valued company assets. Efficient red teams target the company’s assets, whether they are employees, knowledge, intellectual property, servers, crypto assets, passwords, company bank accounts, financial assets, equipment, or much more.

  • Protecting Business: An assumption built on an assumption which is built on another assumption is a house of cards ready to collapse when one foundational assumption turns out to be false. Red teams are assumption assassins. They systematically identify corporate, security, and risk management assumptions and test their validity, equipping the leadership with the clarity and information needed to make better informed decisions. All of this enables the business to operate uninterrupted, minimizing surprises and strengthening both resilience and confidence.

  • Leveraging Perspective: Red teamers are experts in security and have a keen understanding of the mechanisms that both drive security efforts and that can stop good initiatives in their tracks. They have been on the receiving end of security measures that make it impossible to breach an organization, and also have easily evaded expensive security measures that serve no purpose but to create excitement or enrich a vendor. Typically, once on the inside, it is impossible to view an organization through the eyes of an adversary, because most threat actors are unlikely to share where they plan to attack, or which weaknesses they are actively exploiting. A red team provides that external perspective and tests against it, with the added benefit of having seen similar situations and various ways to prevent the adversaries from succeeding. Much like many teams dread inspections or audits, the wish to opt out of red team assessments can be almost instinctive; however, red teams have the processes, tools, and mechanisms to test the efficacy of measures and processes that no one else is assessing or conceivably even thinking about. Red teams can be an excellent diagnostic tool for many vectors of security, from assessing overall security posture to advising on budget allocation and providing analytical support to lend to more informed decision-making.

Red teaming is not just a tool, it’s a philosophy that challenges the status quo and actively seeks out ways to improve security. It’s about harnessing the power of critical thinking to protect your most valuable assets and keep your organization and people safe. By emulating potential threats and assessing your defenses, it helps ensure that your business can withstand the very real and growing threats that exist today. From the Pentagon to tech start-ups, red teaming helps us take the guesswork out of security and replaces it with evidence-driven decisions, ensuring our precious resources are directed where they can make the most significant impact.

Physical Intrusion Testing