Our Physical Penetration Testing Methodology

Before you hire someone to physically break into your organization, it is probably a good idea to understand what steps they are going to take. In this blog, we will review our physical penetration testing methodology, which is the basic outline for any physical penetration test we perform. If you haven’t already, it might be a good idea to check out what questions a physical penetration test helps you answer and the top 3 ways I broke into your company to get a better understanding of what a physical penetration test entails.

What Standards is our Methodology Based on?

Technical Guide to Information Security Testing and Assessment (NIST 800-115)

The Penetration Testing Execution Standard (PTES)

Payment Card Industry (PCI) Penetration Testing Guidance

Our Physical Penetration Testing Methodology

Our physical penetration testing methodology can be broken into 3 primary stages, each with several steps.

Planning

1. Gather Scoping Information

After initiating the project, scoping/target information will be collected from the client. In the case of physical penetration testing, this information will include the addresses of target locations, compromise goals to help us focus our attacks, and information that can help us prevent issues, such as areas of the building that are off-limits and alarm instructions.

2. Review Rules of Engagement

This process will involve a brief meeting with the client to review and acknowledge the penetration testing rules of engagement, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project. Additionally, the client will sign a “Get out of Jail” card that the test team can use to show they are authorized to be testing, should they be caught.

Execution

1. Reconnaissance

Once the test has officially begun, a start notification will be sent to the client. The first phase will involve gathering as much information about the target location as possible. This process will start before the engineers are even on-site. They will search open-source intelligence to try to gather information to help them blend-in to the environment. This will include things like the normal attire for employees, if there are employee badges easily accessible, evaluating the various egress routes from Google Maps, trying to identify favorite restaurants of employees where a badge can be read, etc.

Further reconnaissance will be conducted once the engineers are on-site. During this time, the engineers will identify the various ways to enter the building, conduct traffic pattern analysis, and evaluate the physical security controls present from outside the facility.

2. Threat Modeling

For this assessment, the threat modeling phase serves to evaluate the different attack vectors that may lead to accessing the building. The types of attacks and likelihood of these threats materializing will serve to inform risk rankings/priorities and outline the attack plan going forward. In a typical physical penetration test, the goal is to identify the level of risk to an organization. As such, Triaxiom will start with the attack vector that has the least amount of risk. Once they gain access, if they remain uncaught, they will exit the building, and then try a different attack vector a few hours later. Each attack will be slightly less sophisticated until the engineer is caught. This allows the organization to quantify the level of risk they have.

3. Exploitation

This phase will involve the engineer attempting to physically break into the facility. There are a myriad of methods that the engineer will attempt,

Physical Penetration Test Examples: RFID Cloner
An RFID Cloner can be concealed in a laptop bag, and will steal employees badges nearby.

dictated by the threat modeling phase above. Some of the tactics that may be employed include:

  • RFID Cloning – If RFID access cards are in use, an RFID Cloner can be used to read the contents of an employee badge and create a duplicate badge which can be used for entry.
  • Tailgating – Tailgating involves following an employee into the building or having an authorized user open the door for a member of the attack team, potentially utilizing social engineering.
  • Physical Control Bypass – Triaxiom will attempt to gain access through bypassing the physical security controls in place. This includes setting off motion activated doors from the outside, using an under-the-door tool to open the door from the inside, or other various methods to bypass  security mechanisms.
  • Social Engineering – Triaxiom may employ the use of social engineering to try to gain access to the facility. This may include pretending to be facility maintenance or a delivery driver, for example.

4. Post Exploitation

After successfully gaining access to a facility, Triaxiom will continue to take actions to evaluate and demonstrate the risk. Some of the areas that will be evaluated after gaining access include:

  • Network Access Controls – Can Triaxiom gain access to the network and elevate permissions?
  • Clean Desk Policy – Can Triaxiom find information which could be detrimental to the company if found? This includes items such as passwords, written down credit card information, etc.
  • Employee Challenges – Triaxiom will walk around the facility and see if employees will challenge a visitor they don’t recognize.
  • After-Hours Access – Triaxiom will attempt to remain in the facility after all employees leave for the day.
  • Sensitive Area Access – Triaxiom will attempt to further their access and gain access to other sensitive areas within the facility, such as a datacenter or server room.

Post-Execution

1. Reporting

After completing the active potion of the assessment, Triaxiom will formally document the findings. The output provided will generally include an executive-level report and a technical findings report. The executive-level report is written for management consumption and includes a high-level overview of assessment activities, scope, most critical/thematic issues discovered, overall risk scoring, organizational security strengths, and applicable pictures from the assessment. The technical findings report, on the other hand, will include all vulnerabilities listed individually, with details as to how to recreate the issue, understand the risk, recommended remediation actions, and helpful reference links.

2. Quality Assurance

All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm or deny environment details, as appropriate.

3. Presentation

The final activity in any assessment and the last step in our physical penetration testing methodology is a presentation of all documentation to the client. Triaxiom will walk the client through the information provided, make any updates needed, and address questions regarding the assessment output. Following this activity, we’ll provide new revisions of documentation and schedule any formal retesting, if applicable.

Hopefully this gives you a better understanding of our physical penetration testing methodology. As always, we welcome your comments so please reach out!