First published by Grant Rayner on 27 Dec 2021
This is the fifth article in a series of articles where I’ll be sharing lessons learned relating to physical intrusion testing.
The first article highlighted the importance of modelling a specific threat for an intrusion test. The second article focused on the value of testing multiple layers of security during an intrusion test. The third article focused on reconnaissance and surveillance, and the fourth article introduced overwatch.
This article focuses on a topic near and dear to my heart: safety during physical intrusion tests. In this article, I’ll describe different aspects of safety you should consider during your physical intrusion tests.
A physical intrusion test can expose you, as the intruder, to a range of risks. Here’s a snapshot of the risks you may be exposed to during different intrusion tasks:
In my own experience, given I typically conduct intrusion tests in locations where I’m not a citizen or resident, I’m acutely aware of the risks of being apprehended by either members of the public or local law enforcement. In some countries, even with a Safety Letter, I would almost certainly be taken to the local police station and detained until my story could be verified. Not great.
In the following sections, I’ll break down different aspects of safety during physical intrusion tests, with the objective of helping you integrate these aspects into your planning processes. As with most security projects, the start point is a sound assessment of the risks.
Almost every aspect of security starts with some form of risk assessment. The process of identifying, analysing and mitigating risks is also a key aspect of planning for a physical intrusion test. As an intruder, your safety will depend on your ability to identify and mitigate risks along likely access paths. For your client, there are also risks involved if something untoward occurs during the intrusion test.
As a start point, focus on determining the likelihood and consequence of the following events:
The likelihood of injury or detection should be carefully evaluated during your planning. For example, when determining a breach point along the perimeter barrier, you would typically want to select a location out of public view to avoid detection. By doing so, you’ll also give yourself time to carefully negotiate the barrier, further reducing risk.
Being detected is a key concern that can have a major impact on the intrusion test. I’ve almost been compromised by people walking their dogs, people taking a shortcut to the beach to go fishing, and school children. Effective surveillance in advance of the intrusion will help to determine the level of human traffic around the facility, giving you the information you need to avoid people during your intrusion. Overwatch, discussed in the fourth article of this series, also helps to ensure the coast is clear.
There are a few other factors to consider at the outset of the project, because they present higher-than-normal levels of risk.
First, you’ll need to determine whether security officers are armed. If they are, don’t agree to conduct an intrusion test. The same rule applies if employees are armed. In some countries, you may also face an armed threat from members of the public. An armed individual seeing you attempting to break into a facility may shoot first and ask questions later.
Second, determine what techniques are permissible to access barriers. As I’ll discuss below, negotiating barriers can present serious risks for the intruder, particularly in cases where the only permissible technique is to climb the barrier. Finally, there may be areas of the facility that present specific risks. Sections under construction or renovation are one example. There may also be dangerous goods stored at the facility.
Aside from the basic risks outlined above, you’ll find that other risks will emerge once you start your planning.
Once you start evaluating the facility using online resources, such as Google Maps, you’ll get a sense of the obstacles and conditions at the facility. Your awareness and appreciation of the risks will become even clearer once you’re on site, conducting surveillance and reconnaissance. These risks will shape how you plan your intrusion.
The ultimate heist would be to pretend to be from Company XYZ and commission an intrusion test on Company XYZ with the objective of removing sensitive information or other items of value. A variation of that theme would be a criminal who, if caught, shows a fraudulent letter saying they are acting as part of an agreed physical intrusion test.
If you are approached to conduct a physical intrusion test, your first priority should be to verify who you are working with and the legitimacy of the task. If you haven’t worked with the organisation before, do some basic due diligence. Check their LinkedIn profile, enquire with a peer from a different company, and speak to someone more senior to them in their organisation to make sure they actually do have authorisation.
Once you’ve confirmed you’re not being set up to conduct the heist of the century, your next task is to ask your point of contact in the client organisation to nominate a primary and alternate contact person at the target facility.
This contact person should be formally notified that an intrusion test will take place, and given a rough time period for the test. There’s no need to provide specific dates, times or methods. The reason you would restrict the details of the intrusion is that there’s always a risk they may leak this information, which will raise the level of alert and make it difficult to conduct an intrusion under realistic and typical conditions. For the same reasons, this contact person should be instructed not to brief security officers at the facility.
As the intruder, you won’t deal with this contact person unless there’s an incident during the intrusion test. The contact person’s details should be included on a Safety Letter and you should have their phone number programmed into your phone in case there’s an incident during the intrusion test.
Before you set foot anywhere near your target facility, you’ll need to make sure you have an official document that you can use to explain your activities.
This piece of paper is your Safety Letter.
If you’re conducting an intrusion, always have a Safety Letter. If you are stopped by security officers, members of the public, or law enforcement, your Safety Letter will be essential to prevent an escalation (or to prevent a good beating, in some cases).
A Safety Letter is a one page letter prepared by your client that includes the following information:
Ensure that the letter looks official. Ask for the letter to be printed on company letterhead with original ‘wet’ signatures.
It’s useful to include primary and backup points of contact in the organisation in the letter, as well as different numbers to call to verify your activities. You don’t want to be detained because your point of contact is in the cinema with her phone off.
Once you have the letter, make additional copies. Place the Safety Letter inside a waterproof bag to protect it from moisture.
If you’re changing your attire at different stages of your intrusion, ensure you keep the Safety Letter on your person.
If there are other people supporting your intrusion, such as people in overwatch, ensure they also have Safety Letters with their names on the letter.
At what point during the intrusion should you put your hands in the air and pull out the Safety Letter?
In my view, the Safety Letter is a last resort. In a perfect world, you should always aim to enter the facility, complete your task, and exit the facility without being apprehended and without declaring that you’re conducting a test.
If you are stopped during your intrusion, provided you assess it’s appropriate and safe to do so, remain in character and try to talk your way out of your situation. Act in the role of an intruder, and use your planned pretext or cover story.
Of course, it depends on what you’re doing at the time you’re detected. If you’re straddling the perimeter fence and you’re approached by a member of the local constabulary, you’ll probably want to declare you’re conducting an intrusion test and carefully show them the Safety Letter. However, if you’re stopped and questioned by the facility’s security officers while conducting surveillance and reconnaissance, lead with your pretext and try to talk your way out of the situation. If that approach fails and you end up in the security office watching the security officer dialling the local police station, that’s an appropriate time to whip out your Safety Letter.
If you’re inside the perimeter or building and you’re approached by the company’s security officers, again, you should default to your pretext and either talk your way into the facility, or talk your way out of the facility.
Be careful when presenting the Safety Letter. You want to avoid a situation where you’ve been trying to evade security officers, then — when cornered — you quickly reach inside your jacket. Keep your hands visible and explain that you’re conducting an intrusion test. Say that you have a Safety Letter in your pocket and, with their permission, would like to take it out and give it to them. If the security officers have already restrained you, then explain where the Safety Letter is located and ask them to pull it out and read it (hopefully you haven’t tucked it away in your underwear…).
On a practical and serious note, if you are apprehended, don’t resist attempts at restraint. Allow the security officers to do their job and make sure you don’t give them any reason to doubt you’re who you say you are.
Let’s move from safety during planning to safety during the intrusion itself.
Some perimeter barriers are specifically designed to cause injury to anyone stupid enough to try to cross them. Nasty injuries, in some cases.
It’s likely you’ll be constrained in how you can negotiate perimeter barriers. For example, it’s unlikely your client will want you to cut through their fence. It’s also unlikely you’ll be allowed to dig underneath the fence. Effectively, the only option available to you to cross the barrier will be up and over. Coincidentally, this is exactly the type of activity most barriers are designed to prevent. You’ll therefore need to be able to neutralise whatever nasty features have been built into the barrier to prevent it from being climbed.
As an intruder, your first consideration is to make sure you understand the barrier and are fully prepared to cross the barrier safely. You’ll need to conduct reconnaissance and surveillance to better understand the barrier, and the risks inherent in breaching that barrier. You may also need to prepare specific equipment. For example, you may prepare equipment to cover the pointed ends of a palisade fence, or to smother razor wire (the art is to select a material that doesn’t get snagged in the razor wire, ensuring you don’t have to leave it on the fence as a clear sign of an intrusion).
These types of preparations are realistic for any intruder intending to breach the perimeter. No one wants to be impaled trying to cross a palisade fence, or lacerated trying to get through razor wire. Safety first!
There’s also a fall risk from high barriers. While you may be able to scale one side of the barrier using a ladder, you will probably have to drop down the other side without assistance. You’ll therefore need to make sure the area you’re dropping down into is clear of obstacles.
You’ll also need to consider the type of clothing you’re wearing when crossing barriers. A good pair of cut resistant gloves will be essential in many contexts. If you need to wear specific clothing because of the pretext you’ve selected, consider crossing the perimeter barrier wearing appropriate clothing for that activity, and then change into the clothes for your pretext once in a covered area within the inner perimeter. Also make sure your footwear is appropriate. Not all shoes are well-designed for climbing fences.
If you assess that the risks involved with crossing the barrier are high, but it’s still possible to cross safely given appropriate preparations, have a second individual standing by near the point of intrusion with a medical kit and a phone. If an incident occurs while crossing the perimeter barrier, that individual can provide immediate assistance. The second individual should have the contact details of someone on site that they can contact in the event of an incident. I’ve covered this aspect in more detail in an article on overwatch.
If you believe the risks involved with climbing the perimeter barrier are unacceptably high, don’t be afraid to say exactly that to your client. An actual intruder would face the same risks, so if it deters you, it will also deter them. Your assessment provides valuable feedback for your client. In your report, make a note as to what actions you would take if you couldn’t climb the barrier. For example, you may note that you would attempt to cut through or dig under the barrier (even if those actions aren’t possible given the constraints of the project).
Quite a number of your intrusions will be conducted at night. Moving in the dark presents a host of different hazards within the inner perimeter area, including uneven ground, drains, low pickets or even snakes (yes, snakes).
You’ll be at most risk if you try to run within an inner perimeter area at night. It typically won’t be an option to use a flashlight when moving around, so you’ll need to move carefully to avoid injury. This approach will work to your favour, as someone running within the inner perimeter is more likely to attract the attention of security officers. Once you’re inside, move like you work there.
Again, be sure to wear appropriate footwear with good grip and ankle support.
Poor weather provides an advantage to the intruder. Rain will reduce the effectiveness of perimeter sensors, video surveillance and observation by security officers. Security officers may not patrol in the rain. Rain is generally your friend. However, wet weather will also make crossing perimeter barriers more dangerous. Be additionally careful, and follow the advice above regarding clothing, gloves and shoes.
Every intrusion test should result in you coming into contact with the facility’s security officers at some point. If not, you’re either really, really good at your job, or they’re bad at theirs. Depending on the circumstances, direct interactions with security officers may place you and them at risk. You therefore need to carefully work through the safety aspects. At the same time, if you are confronted by security officers, you don’t need to be overly conservative and simply surrender yourself and declare game over. It’s okay to try to evade them. It’s also okay to use your pretext or cover story to either talk your way out of — or into — the facility.
How you decide to interact with security officers will depend on the threat group you’ve agreed to model for the intrusion. As you go through your planning, consider how someone from this threat group would respond to detection and interdiction by security officers at different stages of an intrusion.
A useful approach is to consider how you might respond to detection and interdiction by security officers along the intrusion timeline:
When it comes to your actual response to detection or interdiction, you’ll typically have a few options at your disposal. You could take one of the following actions:
Each of these responses will reveal different things about who you are and what you are doing. Again, the key is to stay in character based on the threat group you are modelling for the test. One point to note is that just because the security officers apprehend you, doesn’t mean the intrusion is over and you need to deploy your Safety Letter. You could remain in pretext and the security officers may bring you into the facility. You could use this opportunity to observe the inside of the facility, with the aim of then convincing them to release you. Given the right conditions, you may even have the opportunity to continue with the intrusion.
When it comes to dealing with security officers, there are a few other considerations to take into account from a safety standpoint:
There’s a few things you can’t do because they’re stupid:
And, to reiterate an earlier point, don’t conduct intrusion tests at facilities where the guards are armed. That would be really stupid.
Some larger complexes may have vehicles inside the complex that employees can use to move between buildings. Large campuses or data centres may have bicycles or golf buggies available for this purpose. In such facilities, it will often be more conspicuous to move between buildings on foot. You should therefore make use of whatever vehicles are available to move around the facility. When you’re scoping the intrusion test with your client, determine whether the use of vehicles is permitted.
While dogs can present a hazard during an intrusion, they are typically manageable provided you come prepared. When you’re scoping the intrusion test with your client, always ask whether there are dogs inside the perimeter.
Wild dogs can also be a concern, particularly during surveillance of rural facilities. Wild dogs typically won’t be aggressive provided you stay calm and give them some space. Wild dogs tend to be territorial, which may impact how you go about your surveillance in the lead up to the intrusion.
If you’re conducting an intrusion test in a less developed country, consider the medical risks involved with being bitten by a dog at the facility. Some facilities may have untrained and poorly fed dogs on site as a means to deter intruders. You may want to think twice about agreeing to an intrusion test at such facilities.
If there are dogs roaming freely inside the perimeter, come bearing treats and always have an option to either exit the perimeter or get yourself out of reach. Dogs can be sneaky, so pay close attention to your surroundings as you move about.
It’s not an option to harm dogs during an intrusion test. If you believe you’ll face a situation where the only option available to you is to harm a dog (either by drugging them or physically harming them), don’t go ahead with the intrusion.
If security officers roam with dogs on leashes, they’ll be easier to spot. Remember that the handlers may let the dogs off the leash if they spot an intruder. If this is a possible scenario, you will want to declare yourself to the security officer before they release their dog.
Finally, if dogs are a likely concern, carry a small first aid kit containing antiseptic and pressure bandages. Wear cut resistant gloves and appropriate clothing.
While property damage may not be a risk to your safety as an intruder, unwanted property damage could certainly be a risk to your organisation’s reputation. When scoping the intrusion test, determine whether it’s permissible to damage property during the intrusion, and to what extent. For example, you could ask your client whether it’s possible to do the following:
Align the types of damage with the threat group you’re modelling during the intrusion test. What tools would that group be likely to access and use during an intrusion? Would the threat group need to use covert techniques? If so, they are unlikely to want to cause visible damage during their entry.
In practice, most clients won’t be willing to have property damaged during an intrusion test. In such cases, it’s useful to explain in the report the options that would have been available to you as an intruder, if you had been able to use different tools and techniques during the intrusion, and the possible outcomes.
Physical intrusion tests have the potential to cause more than just physical damage. You’ll also need to consider the ethics and appropriateness of the different activities you plan to incorporate into your intrusion test.
The pretexts or cover stories you plan to use during the intrusion are one consideration. Here’s a few examples of pretexts that would not be appropriate in most situations and could cause harm:
Overall, I’m not a fan of using pretexts to ‘trick’ your way into a facility. Yes, it may be realistic in some contexts (if modelling a threat that uses such techniques), but taking such an approach does not provide sufficient feedback to your client regarding the state of physical security at the facility. The client learns nothing about the effectiveness of barriers, lighting, cameras, access control and intrusion detection. All they learn is that Bill at the front counter can be tricked into providing a visitor’s pass. As an insight into the state of security of the facility, that’s pretty underwhelming. It’s also not great for Bill, whose competence will come into question and who may be at risk of losing their job.
Distractions and diversions are another potential cause for concern. Here’s a few examples of activities that probably aren’t appropriate in most situations:
A poorly considered diversion may result in panic at the facility. Expanding on the examples above, what if the fire service is activated to respond? Or what if someone trips and falls down the emergency stairs? People could also react in unanticipated ways. At the extreme, an incident could cause an elderly security officer to have a heart attack. You wouldn’t want that on your conscience, so don’t plan anything too dramatic.
Safety is a fundamental aspect of a physical intrusion test. You, as the intruder, must carefully consider the risks and take the necessary actions to minimise those risks. Identify potential risks during initial planning, and continue to evaluate risks during surveillance and reconnaissance. Also be mindful of ethical concerns, particularly when using social engineering techniques.
The physical intrusion test, as an activity, should be an opportunity to identify security vulnerabilities. The activity should not cause harm to you or anyone else at the facility, either physically or psychologically.