Physical Red Teaming: Betrusted is not only digital, but also physical

For the company ACME, we carried out Physical Red Teaming activities aimed at assessing the physical security setup and posture of its buildings, located in the center of Clerville.

The objectives of this type of assessment are multiple:

  • evaluate physical security and test the effectiveness of the central security service;
  • verify the possibility of fraudulently entering the offices during the day by passing through the turnstiles;
  • determine whether it is possible to move freely across building floors without an escort;
  • check whether access to the offices is possible during the night.

ACME occupies two different floors of a building shared with other independent companies. The building has multiple guarded entrances, shared garages, and an external video surveillance system.

The complex is monitored by a central security desk at the main street-facing entrance, staffed by dedicated external personnel (security guards). On the floors reserved for ACME, there are separate guest reception desks, staffed instead by company employees.

Our three Red Teaming attacks

Betrusted carried out two external reconnaissance activities, one during the day and one at night, involving different Red Teamers (RTs) using different disguises, and identified two weak points in the coverage range of the external cameras. The daytime reconnaissance showed that the flow of employees entering and leaving the building during the lunch break could be exploited. This period coincides with the shift change of the security staff, which reduces overall monitoring effectiveness.

Betrusted developed three distinct attack scenarios, two during the day and one at night, carried out at different times and on different days, after receiving approval from the ACME point of contact.

First daytime attack, two Red Teamers involved

This attack involved two RTs. The first was tasked with distracting the security personnel, while the second was responsible for passing through the turnstiles by simulating a phone call and claiming to have forgotten their badge.

The operation concluded successfully, allowing the second RT group to access ACME’s premises, reach the authorized floors, and identify themselves to the internal contact.

Second daytime attack, with three Red Teamers

The second attack, conducted during daytime hours, was carried out by three RTs in two distinct phases, at the beginning and at the end of the lunch break.
The objective was to blend into the flow of people entering and exiting the building and pass through the access turnstiles using tailgating techniques and cloning of a legitimate badge that had been temporarily borrowed. Once inside, the team reached ACME’s floors and also managed to bypass the internal reception desk.

This second operation also concluded successfully, allowing the Red Team operators to access the offices and move freely within the spaces, collecting photographic evidence of the activity before presenting themselves to ACME’s internal contact.

Third nighttime attack, involving two Red Teamers

The third attack, conducted during nighttime hours, was carried out by two Red Teamers, who exploited gaps in the coverage of the external cameras to access the garage area, where they performed door-opening maneuvers using lockpicking techniques.

The attack was technically successful; however, a passerby noticed suspicious movements and alerted law enforcement, who intervened and stopped the Red Teamers. The operators then identified themselves and contacted ACME’s internal point of contact.
