WEBVTT 1 00:00:00.040 --> 00:00:03.720 Welcome back, everyone, Ready for another deep dive Today, we're 2 00:00:03.759 --> 00:00:07.799 going exploring the world of physical red teaming. Oh interesting, Yeah, 3 00:00:07.839 --> 00:00:12.119 we've got an excerpt from this book Physical Red Team Operations, Okay, 4 00:00:12.279 --> 00:00:17.239 by Jeremiah Talamantes. It's well, it's all about how security 5 00:00:17.239 --> 00:00:21.519 professionals test physical security, you know, like in the real world, right, 6 00:00:21.600 --> 00:00:23.960 And they actually used the same tactics as like real 7 00:00:24.000 --> 00:00:25.440 world bad actors would. 8 00:00:25.239 --> 00:00:29.199 So kind of like thinking like the enemy to beat them, Yeah, 9 00:00:29.879 --> 00:00:30.600 at our own game. 10 00:00:30.960 --> 00:00:33.119 And you know, it's funny. The book starts off with 11 00:00:33.240 --> 00:00:37.759 this this crazy story about a group of hackers who 12 00:00:37.799 --> 00:00:40.880 actually like infiltrated a US oil refinery. 13 00:00:41.079 --> 00:00:44.159 Whoa really yeah, not virtually, I'm assuming no, like. 14 00:00:44.119 --> 00:00:45.200 Physically got inside. 15 00:00:45.320 --> 00:00:48.560 Oh wow, that's a what do they use like some 16 00:00:48.679 --> 00:00:49.920 high tech method to do that? 17 00:00:50.159 --> 00:00:52.439 No, that's the thing they didn't. Oh wow. It was 18 00:00:52.479 --> 00:00:57.560 all like walkie talkies, ock picks, ladders, like basic stuff. 19 00:00:57.600 --> 00:00:59.439 But they applied it all strategically. 20 00:00:59.560 --> 00:01:01.960 That's interest saying that they didn't use some super high 21 00:01:02.000 --> 00:01:05.719 tech method. It was more yeah, just basic stuff. 22 00:01:05.799 --> 00:01:09.519 Yeah. And it's almost like more unsettling, right that it 23 00:01:09.560 --> 00:01:10.480 was so low tech. 24 00:01:10.599 --> 00:01:12.439 Yeah, if they can get into a refinery that easily. 25 00:01:12.439 --> 00:01:13.400 What else is vulnerable? 26 00:01:13.480 --> 00:01:15.760 Right? Like, if a refinery is vulnerable to that, what 27 00:01:15.799 --> 00:01:18.840 about other places? Right? Yeah? And the author he was 28 00:01:18.840 --> 00:01:22.959 actually hired to like test their security. He even said, 29 00:01:23.000 --> 00:01:25.760 and I quote the implication is pretty devastating. 30 00:01:26.079 --> 00:01:28.680 Yeah, I can see why he'd say. That really exposes 31 00:01:28.719 --> 00:01:34.280 how there's this gap between perceived security and actual vulnerability totally. 32 00:01:34.719 --> 00:01:37.959 Like sometimes the simplest method is the most effective, absolutely, 33 00:01:38.040 --> 00:01:41.359 especially if you can exploit human error or complacency. 34 00:01:41.640 --> 00:01:44.200 Okay, so this leads us to the methodology that the 35 00:01:44.400 --> 00:01:48.359 book outlines. It's called red tmopsia. 36 00:01:48.239 --> 00:01:50.000 Red tmopsia okay, yeah, and. 37 00:01:49.920 --> 00:01:53.239 It's a twelve step process. It's kind of like a 38 00:01:53.280 --> 00:01:54.200 military operation. 39 00:01:54.760 --> 00:01:57.359 Wow, twelve steps. Yeah, so what is that? What does 40 00:01:57.359 --> 00:01:58.840 that acronym actually stand for? 41 00:01:59.319 --> 00:02:04.879 So it's rules of engagement, reconnaissance, direct, preparations, trigger, mobilization, execute, staging, 42 00:02:04.959 --> 00:02:09.680 assess and acclimate, maneuver operations, offensive, strike, penetrate and control, 43 00:02:09.919 --> 00:02:15.319 secure opiord and then evacuate, evade, and cover. Hmm. Oh wow. Yeah. 44 00:02:15.360 --> 00:02:18.599 So it's it's pretty Uh, that's a mouthful. It's a mouthful, 45 00:02:18.759 --> 00:02:20.280 but you know, it makes sense that it would be 46 00:02:20.319 --> 00:02:23.639 so structured given like the sensitive nature of what they're doing, 47 00:02:23.840 --> 00:02:26.240 And the book uses a lot of imagery, you know, 48 00:02:26.360 --> 00:02:30.560 of soldiers and weapons really, which really emphasizes how seriously 49 00:02:32.319 --> 00:02:33.520 these teams take their work. 50 00:02:33.639 --> 00:02:35.960 Yeah, it makes you really realize it's not just a 51 00:02:36.039 --> 00:02:39.840 game exactly, it's their real world consequences. 52 00:02:39.960 --> 00:02:43.199 Yeah, so before we before we break down this whole methodology, 53 00:02:43.280 --> 00:02:47.960 let's let's clarify what exactly is physical red teaming. Yeah, 54 00:02:48.560 --> 00:02:49.759 what are we actually talking about? 55 00:02:49.840 --> 00:02:52.400 Yeah, when we say that, it's essentially i'd say it's 56 00:02:52.400 --> 00:02:58.159 all about understanding a target's vulnerabilities from an attacker's perspective. 57 00:02:58.199 --> 00:03:01.960 So it's more than just breaking in. It's about identifying 58 00:03:02.680 --> 00:03:06.680 the most likely ways that someone could attack based on 59 00:03:07.080 --> 00:03:08.879 the target's own threat profile. 60 00:03:09.319 --> 00:03:12.919 Okay, so, like if you're testing the security of a bank, 61 00:03:13.520 --> 00:03:16.360 you'd need to think about how a bank robber would 62 00:03:16.360 --> 00:03:18.080 act as opposed to say. 63 00:03:18.000 --> 00:03:21.039 A vandal Exactly. You have to tailor the approach to 64 00:03:21.120 --> 00:03:24.319 the most realistic threats. And that's where this concept of 65 00:03:24.360 --> 00:03:28.919 TTPs comes in. GTPs tactics, techniques, and procedures. By actually 66 00:03:29.000 --> 00:03:33.479 studying the patterns that real world bad actors use, red 67 00:03:33.479 --> 00:03:37.280 teams can create these realistic simulations, okay, to see how 68 00:03:37.319 --> 00:03:40.080 the target would actually respond in a real situation. 69 00:03:40.280 --> 00:03:42.319 Oh, so they're not just trying to get in any 70 00:03:42.400 --> 00:03:44.159 way possible, they're trying to get in the way that 71 00:03:44.199 --> 00:03:47.000 a real attacker would. Yes, which makes the test that 72 00:03:47.120 --> 00:03:48.000 much more valuable. 73 00:03:48.080 --> 00:03:51.319 Absolutely, And that leads into a very important aspect of 74 00:03:51.319 --> 00:03:54.960 physical red teaming, which are the rules of engagement or ROWE. 75 00:03:55.680 --> 00:03:59.520 This is essentially a contract that outlines the specific boundaries 76 00:03:59.520 --> 00:04:01.919 and limitations of the operation, so. 77 00:04:01.840 --> 00:04:05.039 Things like like what areas are totally off limits, what 78 00:04:05.120 --> 00:04:10.560 tactics are acceptable, how to handle potential damage to property exactly. 79 00:04:10.599 --> 00:04:15.560 It's all about ensuring that everything's done ethically, legally and 80 00:04:15.719 --> 00:04:18.639 with you know, minimal disruption to the client. And damage 81 00:04:18.680 --> 00:04:22.279 to property is a big one because sometimes it's necessary 82 00:04:22.439 --> 00:04:26.920 to kind of simulate a real attack, like you know, 83 00:04:27.079 --> 00:04:30.240 picking a lock or disabling a sensor, but that is 84 00:04:30.319 --> 00:04:33.800 always discussed and agreed upon with the client beforehand. 85 00:04:33.360 --> 00:04:35.079 Right like in that lock example you were talking about, 86 00:04:35.079 --> 00:04:38.040 before damaging the lock might be okay if that's like 87 00:04:38.399 --> 00:04:41.959 a really common way that people attack that type of facility, 88 00:04:42.160 --> 00:04:44.759 and the client knows and understands the risks. 89 00:04:44.560 --> 00:04:47.439 And the cost precisely, it's a delicate balance, you know, 90 00:04:47.959 --> 00:04:54.560 between realism and the client's needs, and clear communication and 91 00:04:54.639 --> 00:04:57.560 documentation are absolutely essential throughout this entire. 92 00:04:57.360 --> 00:04:59.120 Process, right, Transparency is key. 93 00:04:59.279 --> 00:04:59.560 Yes. 94 00:05:00.079 --> 00:05:02.639 So once those those ground rules are set, then the 95 00:05:02.680 --> 00:05:05.079 Red team can get to like I think the most 96 00:05:05.120 --> 00:05:08.519 exciting part, which is reconnaissance, you know, getting to be 97 00:05:08.560 --> 00:05:10.759 sneaky and all that. Yeah. 98 00:05:10.959 --> 00:05:14.240 So what's their definition of reconnaissance? 99 00:05:14.560 --> 00:05:16.800 Let me see, hold on. The book defines it as 100 00:05:17.000 --> 00:05:21.399 a mission to obtain information by visual observation or other 101 00:05:21.480 --> 00:05:25.160 detection methods about the activities and resources of an enemy 102 00:05:25.199 --> 00:05:30.040 or potential enemy, or about the meteorological, hydrographic, or geographic 103 00:05:30.120 --> 00:05:34.879 characteristics of a particular area. Oh wow, that's from Reconnaissance 104 00:05:35.319 --> 00:05:37.879 US Army FM seven ninety two, Chapter four. 105 00:05:38.079 --> 00:05:43.360 Okay, So basically just gathering intel before you before you 106 00:05:43.399 --> 00:05:43.959 make your move. 107 00:05:44.040 --> 00:05:47.839 Yeah, exactly. And the book outlines a specific process called 108 00:05:47.839 --> 00:05:51.399 the covert reconnaissance method covert reconnaissance method, uh huh, which 109 00:05:51.439 --> 00:05:54.279 is a six step system for gathering information and verifying 110 00:05:54.319 --> 00:05:57.319 your goals for repeatable results. 111 00:05:57.360 --> 00:05:58.560 Okay, so six steps. 112 00:05:58.680 --> 00:06:02.279 Yeah, it all starts with gathering open source intelligence or. 113 00:06:02.279 --> 00:06:06.680 OCENT so like Internet sleuthing essentially, Yeah, pretty. 114 00:06:06.399 --> 00:06:08.759 Much, okay, And it's really amazing what you can find 115 00:06:08.800 --> 00:06:12.040 out about people and places just by you know, searching online. 116 00:06:12.240 --> 00:06:15.240 Like the book actually mentions how even a simple name 117 00:06:15.319 --> 00:06:19.560 like John Doe can be turned into actual actionable intel. 118 00:06:20.120 --> 00:06:20.519 Hmmm. 119 00:06:20.920 --> 00:06:22.240 It's kind of crazy, it is. 120 00:06:22.279 --> 00:06:25.040 It just highlights how much information is available, i know, 121 00:06:25.120 --> 00:06:26.480 right in the digital age. 122 00:06:26.560 --> 00:06:28.720 It's crazy for everyone. 123 00:06:28.240 --> 00:06:30.879 And how Red teamers can use that to their advantage. 124 00:06:31.079 --> 00:06:35.319 Yeah, but it's not it's not just about online research. 125 00:06:35.920 --> 00:06:36.600 What else is there? 126 00:06:37.160 --> 00:06:41.639 The next step is estimating resources resources, which includes things 127 00:06:41.680 --> 00:06:46.040 like time and travel, right, yeah, especially for you know 128 00:06:46.279 --> 00:06:47.680 multi day operations. 129 00:06:47.720 --> 00:06:49.319 Yeah, especially those those. 130 00:06:49.199 --> 00:06:52.600 Logistical details can really you know, make or break emission. 131 00:06:52.759 --> 00:06:55.680 Sure. So it's not just about being like sneaky and 132 00:06:55.839 --> 00:06:59.639 picking locks, No, it's it's about the planning, the logistics 133 00:07:00.079 --> 00:07:03.079 and being able to adapt to like unexpected challenges. 134 00:07:03.199 --> 00:07:07.759 Yeah, exactly. And the book also highlights a very specific 135 00:07:07.839 --> 00:07:12.399 method for tactical guidance during you know, execution. It's called RECONCU, 136 00:07:12.800 --> 00:07:19.199 which stands for contact conceal capture. It emphasizes how how 137 00:07:19.360 --> 00:07:24.399 it's like a multi layered approach to planning and carrying 138 00:07:24.399 --> 00:07:25.480 out these operations. 139 00:07:25.560 --> 00:07:27.480 That's really interesting how much goes into all of this. 140 00:07:27.759 --> 00:07:28.879 It's a lot more than I thought. 141 00:07:29.199 --> 00:07:31.839 Yeah, so even if we're not, you know, planning to 142 00:07:31.839 --> 00:07:35.720 infiltrate oil refineries, what can we learn from all this? 143 00:07:35.959 --> 00:07:38.560 What does all this mean for you know, the average person? 144 00:07:38.720 --> 00:07:41.920 I think I think the biggest takeaway is that security 145 00:07:41.959 --> 00:07:46.040 is often about more than just technology. It's about understanding 146 00:07:46.120 --> 00:07:50.839 human behavior, identifying weak points, thinking like an attacker so 147 00:07:50.920 --> 00:07:52.319 you can stay one step ahead. 148 00:07:52.399 --> 00:07:55.439 It's like a mental exercise in risk assessment. 149 00:07:55.560 --> 00:07:56.120 Yeah, exactly. 150 00:07:56.160 --> 00:07:59.199 Even in our daily lives, we should be thinking what 151 00:07:59.240 --> 00:08:02.519 are my weak point points? What would someone who's motivated, 152 00:08:02.720 --> 00:08:04.120 what would they try to exploit? 153 00:08:04.199 --> 00:08:07.759 Exactly. You have to develop that security mindset, which you 154 00:08:07.759 --> 00:08:11.079 can apply to anything from your home to your work 155 00:08:11.319 --> 00:08:13.160 to your online accounts. 156 00:08:12.759 --> 00:08:16.040 That's a really good point. It's about being proactive and 157 00:08:16.079 --> 00:08:18.920 thinking critically about you know, our own security. 158 00:08:18.480 --> 00:08:22.199 Posture, right, And as technology and physical security become more 159 00:08:22.240 --> 00:08:26.680 and more intertwined, this is going to be even more important. 160 00:08:26.839 --> 00:08:30.680 That's a great segue to what we'll be exploring next time. Actually, 161 00:08:30.680 --> 00:08:33.919 I'm going to dive into some of the specific tactics 162 00:08:33.919 --> 00:08:37.159 and tools that red teams use during those like really 163 00:08:37.159 --> 00:08:40.600 intense offensive strike operations. Oh okay, yeah, I think lock 164 00:08:40.679 --> 00:08:45.399 picking bypassing alarms and even you know, dealing with those 165 00:08:45.519 --> 00:08:47.720 like ever present security cameras. 166 00:08:47.759 --> 00:08:49.440 Oh, that's going to be interesting. So that's where the 167 00:08:49.480 --> 00:08:52.159 planning meets the real world challenges. 168 00:08:52.320 --> 00:08:54.799 Yeah, that's going to be fun. Stay tuned for part two, 169 00:08:55.080 --> 00:08:59.000 where we unpack the tools and techniques of physical red teaming. 170 00:08:59.480 --> 00:09:03.240 Welcome back. Let's delve into that tactical side of physical 171 00:09:03.240 --> 00:09:07.440 red teaming, specifically those you know, heart pounding offensive strike operations. 172 00:09:07.559 --> 00:09:10.080 Okay, I'm ready to get tactical. So we talked about 173 00:09:10.080 --> 00:09:12.480 all the planning and reconnaissance that goes into a red 174 00:09:12.480 --> 00:09:17.000 team operation. But now let's imagine the team's actually on site, 175 00:09:17.200 --> 00:09:21.000 they're ready to put that plan into action. What like, 176 00:09:21.039 --> 00:09:24.159 what are some of the first obstacles they might encounter. 177 00:09:24.480 --> 00:09:26.440 So one of the most common things you'll see are 178 00:09:26.559 --> 00:09:27.440 ground sensors. 179 00:09:27.639 --> 00:09:28.000 Okay. 180 00:09:28.039 --> 00:09:32.159 These are devices that are you know, designed to detect 181 00:09:32.200 --> 00:09:35.399 any movement or vibrations in the ground. They're often used 182 00:09:35.399 --> 00:09:39.000 to protect like perimeters or like sensitive areas. 183 00:09:39.039 --> 00:09:40.879 So like those pressure plates you see in movies that 184 00:09:40.919 --> 00:09:42.840 trigger like traps, and stuff. 185 00:09:43.000 --> 00:09:46.200 Yeah, similar concept, but they're much more sophisticated. Okay, they're 186 00:09:46.200 --> 00:09:48.720 often buried underground, so they're really hard to spot. 187 00:09:48.879 --> 00:09:51.120 Oh that sounds tricky. How do they even know if 188 00:09:51.120 --> 00:09:51.639 they're there? 189 00:09:51.919 --> 00:09:55.200 Well, sometimes you can, you know, see signs of them, 190 00:09:55.399 --> 00:09:57.919 like you might see some cabling or some disturbed earth. 191 00:09:58.519 --> 00:10:01.039 But oftentimes it really requires there is a bit of cleverness. 192 00:10:01.039 --> 00:10:04.240 Like the book actually mentions this story, okay, where a 193 00:10:04.320 --> 00:10:07.840 Red Team volunteered to walk dogs at a nearby humane 194 00:10:07.879 --> 00:10:10.799 society just to get a closer look at the facility 195 00:10:11.000 --> 00:10:13.759 without you know, raising any suspicion. 196 00:10:13.879 --> 00:10:17.000 They used dog walking as a cover for reconnaissance. 197 00:10:17.840 --> 00:10:20.200 It's a pretty good cover, you know, in this case. 198 00:10:20.279 --> 00:10:23.879 It gave them a plausible reason to be there, and 199 00:10:24.000 --> 00:10:26.919 it allowed them to you know, scan for any telltale 200 00:10:26.960 --> 00:10:29.559 signs of those ground sensors. But you have to make 201 00:10:29.559 --> 00:10:32.919 sure that your your cover story actually aligns with your 202 00:10:33.279 --> 00:10:35.240 your profile, right and the environment. 203 00:10:35.360 --> 00:10:38.279 Yeah, it has to be believable, right. Okay, So let's 204 00:10:38.279 --> 00:10:42.600 say they actually, you know, identify that there are ground sensors, 205 00:10:43.440 --> 00:10:45.200 then what how do they deal with them? 206 00:10:45.639 --> 00:10:48.600 Well, one tactic that the book mentions is to actually 207 00:10:48.840 --> 00:10:51.879 create a series of false alarms interesting to kind of 208 00:10:51.919 --> 00:10:55.759 overwhelm the system and like desensitize those security personnel. 209 00:10:55.919 --> 00:10:58.960 Oh so it's like the Boy who Cried Wolf. Yeah, 210 00:10:59.039 --> 00:11:01.120 but for secure systems exactly. 211 00:11:01.159 --> 00:11:05.080 But it does require you know, pretty precise timing and execution. 212 00:11:05.279 --> 00:11:10.200 If the red team ends up triggering like a real response, right, well, 213 00:11:10.279 --> 00:11:13.480 that could compromise the whole mission. But when it's done right, 214 00:11:13.679 --> 00:11:16.039 it can really create a window of opportunity. 215 00:11:16.279 --> 00:11:18.799 Okay, so false alarms are one option. What are some 216 00:11:18.879 --> 00:11:22.840 other ways to deal with these with these ground sensors, Well. 217 00:11:22.720 --> 00:11:26.480 Another tactic is to use tools to physically disable them, okay, 218 00:11:26.600 --> 00:11:29.600 or to disrupt their signals. Okay, but this requires you know, 219 00:11:29.759 --> 00:11:33.039 technical knowledge of how those systems work and having the 220 00:11:33.120 --> 00:11:34.679 right equipment to do it safely. 221 00:11:34.960 --> 00:11:37.519 So like some kind of high tech gadget that like 222 00:11:37.559 --> 00:11:39.320 sends out a jamming signal or something. 223 00:11:39.440 --> 00:11:42.840 Yeah, there are definitely specialized tools for that, but sometimes 224 00:11:42.919 --> 00:11:46.159 even something as simple as like a well placed piece 225 00:11:46.200 --> 00:11:50.039 of metal can disrupt a sensor signal. 226 00:11:50.279 --> 00:11:50.399 Right. 227 00:11:50.480 --> 00:11:53.320 It all depends on the type of sensor and the environment. 228 00:11:53.360 --> 00:11:58.799 So it's a combination of like technical know how and 229 00:11:58.799 --> 00:12:02.399 and creative problem solving. Okay, so ground sensors are just 230 00:12:02.440 --> 00:12:04.559 one layer of security. What else is there? 231 00:12:04.639 --> 00:12:09.039 Well, another common obstacle is fencing, particularly anti climb fencing, 232 00:12:09.559 --> 00:12:12.039 you know, designed to prevent people from climbing over it. 233 00:12:12.360 --> 00:12:14.879 Right, Yeah, so I'm guessing like a simple booster in 234 00:12:14.919 --> 00:12:16.080 your buddy's not going to work here. 235 00:12:16.200 --> 00:12:19.799 No, anti climb fencing usually has this like very narrow 236 00:12:19.879 --> 00:12:22.960 mesh pattern that's really hard to grip, and a lot 237 00:12:22.960 --> 00:12:25.559 of them even have like barbed wire or spikes along 238 00:12:25.600 --> 00:12:25.960 the top. 239 00:12:26.200 --> 00:12:30.039 Ouch. Okay, so how do red teams get past that? Like? 240 00:12:30.080 --> 00:12:31.240 Do they just bring ladders? 241 00:12:32.039 --> 00:12:36.679 Sometimes? Yes, But again the choice of tools and tactics 242 00:12:36.720 --> 00:12:40.120 always depends on the situation and the rules of engagement, 243 00:12:40.399 --> 00:12:43.759 Like a ladder might be too obvious or too risky. 244 00:12:43.840 --> 00:12:45.480 Okay, so what are their options then? 245 00:12:45.679 --> 00:12:49.000 Well, they might use things like wire cutters or bolt cutters, 246 00:12:49.480 --> 00:12:52.600 or even specialized climbing gear. It really depends on what 247 00:12:52.679 --> 00:12:55.000 kind of fencing it is, right and how you know, 248 00:12:55.000 --> 00:12:58.159 what level of security we're talking about. But sometimes it's 249 00:12:58.200 --> 00:13:01.639 about exploiting a weakness in the fence's design or how 250 00:13:01.639 --> 00:13:02.440 it was installed. 251 00:13:02.519 --> 00:13:05.440 Oh okay, so they have to be like part engineer, 252 00:13:05.600 --> 00:13:07.320 part athlete and part detective. 253 00:13:07.480 --> 00:13:11.080 Yeah, pretty much. Physical. Red teaming requires a pretty diverse 254 00:13:11.120 --> 00:13:11.720 skill set. 255 00:13:11.960 --> 00:13:14.840 I bet okay. So they bypassed the ground sensors, they 256 00:13:14.879 --> 00:13:19.360 scale the fence. What's next? Are they home free? Not quite? 257 00:13:20.200 --> 00:13:22.879 They still have to contend with locks, which is another 258 00:13:23.120 --> 00:13:25.639 you know, ubiquitous security measure. 259 00:13:25.720 --> 00:13:27.720 Oh yeah, right, the good old fashioned lock and key. 260 00:13:27.840 --> 00:13:29.600 I wouldn't have thought those would be so relevant in 261 00:13:29.639 --> 00:13:31.240 our like high tech world. 262 00:13:31.480 --> 00:13:34.279 You'd be surprised. Locks are everywhere and they come in 263 00:13:34.360 --> 00:13:38.120 a pretty surprising variety and complexity. 264 00:13:38.600 --> 00:13:43.200 So how does a red team approach something as seemingly 265 00:13:43.279 --> 00:13:45.519 simple as a lock? Like? Do they just carry around 266 00:13:45.679 --> 00:13:48.039 like a giant key ring with every key imaginable? 267 00:13:48.159 --> 00:13:50.000 It wouldn't be very practical, would it. No? 268 00:13:50.159 --> 00:13:50.600 Probably not. 269 00:13:50.799 --> 00:13:53.320 While having a variety of tools is definitely helpful, The 270 00:13:53.399 --> 00:13:56.360 key is knowing which tool to use for which lock. 271 00:13:56.600 --> 00:13:59.679 It's about understanding the mechanics of all the different lock 272 00:13:59.759 --> 00:14:03.320 type and what techniques you can use to buyopass them. 273 00:14:03.600 --> 00:14:06.799 So are we talking lock picking here like you see 274 00:14:06.840 --> 00:14:07.600 in spy movies? 275 00:14:08.000 --> 00:14:11.919 Exactly? Red teamers are usually pretty skilled in a variety 276 00:14:11.960 --> 00:14:16.480 of lock picking techniques. They use tools like tension wrenches, picks, rakes, 277 00:14:17.000 --> 00:14:22.000 even specialized electric lock picks for those more advanced locks. 278 00:14:22.080 --> 00:14:25.120 Electric lock picks, Now that sounds pretty high tech. 279 00:14:25.360 --> 00:14:28.840 Yeah. Technology is always evolving, and lock picking tools are 280 00:14:28.879 --> 00:14:32.519 no exception. But even with advanced tools, it still requires 281 00:14:32.559 --> 00:14:34.320 a lot of skill and a lot of practice. 282 00:14:34.360 --> 00:14:36.720 I bet it's a pretty satisfying feeling when you finally 283 00:14:36.720 --> 00:14:38.720 hear that click and that lock opens. 284 00:14:38.799 --> 00:14:41.120 I'm sure it is. But it's important to remember all 285 00:14:41.159 --> 00:14:45.759 of these skills are used in a controlled, ethical environment. 286 00:14:45.879 --> 00:14:49.519 You know, this is part of a professional security assessment. 287 00:14:49.200 --> 00:14:52.200 Right of course, it's all about helping those organizations improve 288 00:14:52.240 --> 00:14:57.120 their security. Yeah, you know, not causing chaos precisely. Okay. 289 00:14:57.159 --> 00:15:01.000 So let's say they've gotten past the ground sensors, the fence, 290 00:15:01.639 --> 00:15:03.039 the locks, Okay, they're in. 291 00:15:03.279 --> 00:15:06.879 What comes next, Well, they'll probably encounter some alarms, right, 292 00:15:06.919 --> 00:15:09.480 which are you know, another layer of security that's pretty 293 00:15:09.480 --> 00:15:12.200 common in these types of environments, And alarms can be 294 00:15:12.279 --> 00:15:15.000 really tricky because they're designed to trigger that you know, 295 00:15:15.039 --> 00:15:16.000 really quick response. 296 00:15:16.080 --> 00:15:20.120 Yeah, I'm picturing like flashing red lights and sirens going off. 297 00:15:20.759 --> 00:15:24.080 So how do how do red teams deal with that? Like? 298 00:15:24.120 --> 00:15:26.960 Do they just sprint for their objective and hope they're 299 00:15:27.000 --> 00:15:27.840 like fast enough. 300 00:15:28.120 --> 00:15:31.480 Well, it's a little morphinesse than that. Red teams need 301 00:15:31.519 --> 00:15:34.399 to understand all the different types of alarms and how 302 00:15:34.440 --> 00:15:37.320 to bypass them. For example, motion sensors are often used 303 00:15:37.360 --> 00:15:40.159 to detect any movement in specific areas. 304 00:15:39.799 --> 00:15:42.279 Like those laser beams you see in like heist movies 305 00:15:42.279 --> 00:15:42.600 and stuff. 306 00:15:42.679 --> 00:15:45.440 Yeah that's the Hollywood version, right, but in reality they're 307 00:15:45.480 --> 00:15:49.679 often much more discrete. They use infrared or microwave technology 308 00:15:50.080 --> 00:15:51.080 to detect movement. 309 00:15:51.360 --> 00:15:53.840 Okay, so how do you how do you even get 310 00:15:53.879 --> 00:15:56.519 past a motion sensor without setting off the alarm? Do 311 00:15:56.559 --> 00:15:58.600 you have to like freeze like a statue? 312 00:15:58.720 --> 00:16:01.720 It's it's not quite that simple. There are a few techniques, 313 00:16:01.759 --> 00:16:04.000 and they range from you know, maybe disabling the sensor 314 00:16:04.039 --> 00:16:08.600 itself to using some kind of distraction or just carefully 315 00:16:08.720 --> 00:16:12.559 navigating the environment so you can avoid the sensor's detection range. 316 00:16:12.759 --> 00:16:15.879 So like maybe toss a tennis ball to distract it potentially, 317 00:16:16.360 --> 00:16:19.279 or crawl on your belly to stay below its line 318 00:16:19.279 --> 00:16:19.559 of sight. 319 00:16:19.840 --> 00:16:23.919 Yeah, could involve things like that. It all requires careful 320 00:16:23.919 --> 00:16:27.240 observation and really understanding how that sensor works. 321 00:16:27.440 --> 00:16:30.559 I must be pretty intense trying to like move through 322 00:16:30.559 --> 00:16:34.919 a secured environment knowing that one wrong step could trigger 323 00:16:34.960 --> 00:16:37.840 the alarm and like bring the whole operation to a 324 00:16:37.879 --> 00:16:38.639 screeching halt. 325 00:16:38.759 --> 00:16:41.559 Oh yeah, there's definitely a lot of pressure. And motion 326 00:16:41.679 --> 00:16:44.679 sensors are just one type. Contact sensors, which are often 327 00:16:44.759 --> 00:16:47.440 used on doors and windows, are another challenge they'll face. 328 00:16:47.519 --> 00:16:49.600 So if you if you open a door or a 329 00:16:49.679 --> 00:16:53.279 window that's protected by a contact sensor, then the alarm 330 00:16:53.320 --> 00:16:54.279 goes off exactly. 331 00:16:54.320 --> 00:16:57.519 It's based on this simple circuit that breaks when the 332 00:16:57.519 --> 00:16:58.679 door or window opens. 333 00:16:58.720 --> 00:17:02.440 Okay, so how how do red teams deal with that? 334 00:17:02.720 --> 00:17:05.039 Do they have to find a way to open it 335 00:17:05.079 --> 00:17:06.640 without actually breaking the circuit? 336 00:17:06.759 --> 00:17:09.799 That's one approach, like maybe carefully shimmying a window open 337 00:17:09.839 --> 00:17:13.680 without unlatching it, or using a tool to bypass a sensor. 338 00:17:13.799 --> 00:17:15.480 Yeah, that sounds like it would require a lot of 339 00:17:15.519 --> 00:17:17.559 skill and like precision. 340 00:17:17.920 --> 00:17:20.599 Yeah, you definitely need a delicate touch when you're working 341 00:17:20.599 --> 00:17:24.559 with contact sensors. But like with any challenge in physical 342 00:17:24.599 --> 00:17:28.720 red teaming, it's all about understanding that system and finding 343 00:17:28.759 --> 00:17:30.759 that way to exploit its weaknesses. 344 00:17:31.119 --> 00:17:34.039 It's really fascinating how much of this is about kind 345 00:17:34.079 --> 00:17:37.799 of outsmarting technology. Yeah, almost like a game of chess. 346 00:17:38.240 --> 00:17:42.880 There's definitely a strategic element to it. But we can't 347 00:17:42.960 --> 00:17:47.839 forget about maybe the most pervasive security measure we see today, 348 00:17:47.920 --> 00:17:48.640 which our camera. 349 00:17:48.720 --> 00:17:52.119 Oh right, cameras are everywhere these days, everywhere. It feels 350 00:17:52.160 --> 00:17:55.680 like we're like constantly being watched. So how do red 351 00:17:55.680 --> 00:17:59.279 teams operate under that kind of surveillance? Do they have 352 00:17:59.319 --> 00:18:03.359 to like be Ninja's dodging spotlights and leaping from rooftop 353 00:18:03.400 --> 00:18:03.920 to rooftop. 354 00:18:04.079 --> 00:18:05.799 It's not quite as dramatic as that, but you know, 355 00:18:05.839 --> 00:18:08.720 avoiding cameras is a critical part of the job. 356 00:18:08.880 --> 00:18:09.200 Okay. 357 00:18:09.279 --> 00:18:12.359 Red teams will spend a lot of time studying blueprints, 358 00:18:12.400 --> 00:18:15.680 you know, analyzing camera footage, mapping out that whole environment 359 00:18:16.119 --> 00:18:19.119 just to identify any blind spots or any areas where 360 00:18:19.119 --> 00:18:20.599 they can move undetected. 361 00:18:20.920 --> 00:18:24.440 So it's about like understanding those limitations of the camera 362 00:18:24.559 --> 00:18:28.519 system and using the environment you know, to your advantage. 363 00:18:28.599 --> 00:18:32.079 Right, it might involve using shadows, staying low to the ground, 364 00:18:32.240 --> 00:18:37.559 timing your movements to those blind spots in the cameras coverage. 365 00:18:37.839 --> 00:18:41.599 Okay, but what if what if avoiding them is just 366 00:18:41.680 --> 00:18:44.920 not possible? Like what if they absolutely have to go 367 00:18:45.000 --> 00:18:47.519 through an area where there are cameras everywhere. 368 00:18:47.599 --> 00:18:50.880 In those cases, they might resort to other tactics like 369 00:18:51.000 --> 00:18:54.519 using disguises or blending in with the crowd to avoid 370 00:18:54.559 --> 00:18:55.880 being easily identified. 371 00:18:55.960 --> 00:18:58.920 So like maybe putting on a janitor's uniform, yeah, or 372 00:18:59.000 --> 00:19:01.640 you know, just usually strolling past with a group. 373 00:19:01.480 --> 00:19:05.319 Of tourists exactly. It's all about being creative, using deception 374 00:19:05.640 --> 00:19:07.119 to make yourself less conspicuous. 375 00:19:07.319 --> 00:19:10.000 What if even that's not enough, what if they actually 376 00:19:10.480 --> 00:19:14.799 need to like disable a camera temporarily. 377 00:19:14.319 --> 00:19:15.920 Well, there are ways to do that, but those are 378 00:19:15.920 --> 00:19:18.240 really those tactics are a last resort and only if 379 00:19:18.279 --> 00:19:21.839 it's specifically outlined in the in the rules of engagement. 380 00:19:21.640 --> 00:19:24.759 Right, because you don't want to like cause any unnecessary 381 00:19:24.839 --> 00:19:27.960 damage or raise any unnecessary alarms, right. It's about being 382 00:19:27.960 --> 00:19:29.880 strategic and minimizing risk. 383 00:19:30.000 --> 00:19:33.599 Absolutely, and it's important to reiterate these techniques are only 384 00:19:33.680 --> 00:19:37.119 used in a controlled and ethical environment as part of 385 00:19:37.160 --> 00:19:38.680 a professional security assessment. 386 00:19:38.880 --> 00:19:42.119 Of course. So we've talked about ground sensors and fences 387 00:19:42.599 --> 00:19:46.480 and locks, alarms, cameras. It sounds like like every step 388 00:19:46.519 --> 00:19:48.440 of the way there's another challenge to overcome. 389 00:19:48.640 --> 00:19:48.839 Right. 390 00:19:49.240 --> 00:19:53.599 But let's say the Red Team has navigated all these obstacles, 391 00:19:53.880 --> 00:19:57.880 they've reached their objective. What happens next, Well. 392 00:19:57.799 --> 00:20:00.440 That's when they move into the penetrate and control phase. 393 00:20:00.640 --> 00:20:03.640 And that I mean that sounds that sounds pretty self explanatory, 394 00:20:03.799 --> 00:20:05.519 but what does what does that actually involve? 395 00:20:05.599 --> 00:20:10.720 It's basically about establishing that foothold within the target environment, 396 00:20:11.400 --> 00:20:16.079 maintaining control of the situation, and ensuring that the mission 397 00:20:16.160 --> 00:20:17.079 objectives are met. 398 00:20:17.240 --> 00:20:19.400 So it's not enough just to get in. They have 399 00:20:19.480 --> 00:20:22.160 to be able to stay there and carry out their plan. 400 00:20:22.559 --> 00:20:25.559 And that might involve things like setting up like a 401 00:20:25.680 --> 00:20:30.200