First published by Grant Rayner on 25 Jan 2022
7 min read
A good magic trick relies on diversion. The magician’s objective is to get you to focus on one thing, so you don’t notice something else.
You can use the same technique during a physical intrusion test.
This is the sixth in a series of articles where I’ll be sharing lessons learned relating to physical intrusion testing.
The first article highlighted the importance of modelling a specific threat for an intrusion test. The second article focused on the value of testing multiple layers of security during an intrusion test. The third article focused on reconnaissance and surveillance, and the fourth article introduced overwatch. The fifth article focused on safety.
In the context of physical intrusion tests, a distraction is an activity designed to draw the attention of the security officers to a specific area. Static guards may turn and observe this area, or security officers in a control room may focus on video surveillance feeds from that area, ignoring others.
A diversion, on the other hand, is an activity designed to make security officers (or other groups) displace and physically move to a specific area.
Let’s explore how you can integrate distractions and diversions into your physical intrusion tests to enable you to access the facility and achieve your objectives.
There are several categories of people that may detect your attempt to access a facility. Security officers in a control room may be monitoring the feed from security cameras. Reception staff at a lobby counter may be monitoring people moving through a turnstile. An employee walking through a door may be mindful of people trying to tailgate into the office behind them. Your objective is to momentarily distract these people from what they should be doing, so they don’t notice your activities.
Imagine sitting in a library. It’s quiet. All of a sudden, someone over to your right bursts into laughter. You and everyone else looks over. That’s a simple (and effective) distraction. A diversion is a notch up from a distraction. A diversion must either provoke focused curiosity (security officers focusing on one video monitor, and ignoring others), or demand an on-site assessment or action (the deployment of security officers to a specific part of the facility).
To force a sustained change in activity, a diversion must be compelling.
What types of events are compelling?
In the following sections, I break down how to design effective distractions and diversions. I’ll do this by focusing on the how, the why, and the what and how.
Before you determine exactly what action will be suitable as a distraction or diversion, you should determine what you want to achieve from the action. Every distraction or diversion must have a clear objective. For example, you may want to divert security patrols away from the north-east corner of the perimeter to enable you to cross the perimeter barrier. Or, you may want to distract security officers in the lobby while you are moving through security checks so they don’t do a thorough inspection of your bag.
Your objective should always have a target audience. You will want to focus your efforts on a particular group of people within the facility. This group will typically be the security officers, but could also be counter staff at a reception counter or even employees at an entrance.
To achieve your objectives you’ll need to time your distraction or diversion to perfection. Timing your diversion (the when)
As with a magic trick, the timing of your distraction or diversion is the key to you achieving your objective. You’ll need to nail the timing so that you can complete your activity while attention is diverted away from you.
A simple way to approach timing is to consider whether you want the distraction or diversion to occur just before, during, or just after the planned activity.
Because it’s difficult to keep to an exact timeline during an intrusion, a practical approach is to consider where you want to be when the distraction or diversion is initiated. If you’re crossing a perimeter fence, do you want the action to occur before you approach the fence, or once you’re at the base of the fence?
When thinking about timings, also consider how long you want your distraction or diversion to hold people’s attention. If you need to slip through a door, you may only need seconds while someone’s head is turned away from the door. If you need to get over a complex perimeter barrier, you may need a few minutes. Whatever activity you devise for your distraction or diversion, you need to be sure it will give you the space you need to complete that activity. Also be sure to factor in time for decision making and movement. If you want a security patrol to redeploy, you’ll need to give them time to do that. A redeployment may require a supervisor to assess the situation, make a decision, and only then direct the movement of the security patrol.
I’m not going to go into detail about different types of distractions or diversions, because every facility has different characteristics. The type of action that will work in one situation probably won’t work in another.
That said, I’ve included some basic principles below to help shape your planning.
Distractions and diversions must be noticeable to have any chance of achieving their objective. If the action is not sufficiently noticeable, there’s a risk it will be overlooked or ignored. You’ll therefore need to carefully position the distraction or diversion to ensure it’s visible to your intended audience. For example, the activity must be visible either directly via line of sight from a security post or via the video surveillance system.
To be noticeable and to attract attention, distractions and diversions will need to involve some combination of movement, light and/or sound.
People have innate sense of what’s real and what’s not real. Your distraction or diversion must pass the ‘sniff test’ and be sufficiently believable to trigger your desired response.
You need to know that your diversion or distraction has been effective and you have the time and space you need to continue. To do this, you may need to position yourself so you can observe and area and detect activities that confirm your action has worked. You could, for example, sit in the lobby in close proximity to the lift area, knowing that as soon as the distraction is activated you can be at the turnstiles within a matter of seconds.
Sometimes, you’ll need to take a leap of faith. For example, if you want the security officers in the control room to focus on a specific camera view (while ignoring others), you’ll just need to hope that your distraction has been effective. You won’t have any way of knowing it has been effective, aside from the fact that security officers haven’t been dispatched to locate and detain you.
Your distraction or diversion should be designed to be ‘just enough’ to enable you to achieve your objective. Planning distractions or diversions is fun, and there’s always a risk that you’ll spend a lot of time on it and overbuild a solution. Don’t overdo it. Ensure you have a plan for failure
Consider the impact on your intrusion plan if your distraction or diversion doesn’t work. Particularly in the case of diversions, where you’re trying to force the redeployment of security officers, think about what you’ll do if that redeployment doesn’t happen.Do you continue with the activity anyway? Or do you have a plan B? Or, is there a way to amp up the diversion to make the action more compelling and force a response?
Carefully consider safety when planning distractions and diversions. Could the action result in damage to property? Could a guard rushing across the inner perimeter area trip on a drain or on uneven ground and injure themselves?
Fire is an obvious diversion, and can work effectively if executed properly. The art is setting up the fire so it’s safe and there’s no risk that it spreads, and so that it looks natural (i.e., so it doesn’t look like an obvious diversion). However, if you screw it up, you will be responsible for causing a major incident. Employees could be injured trying to fight the fire, and the fire department could be called to the scene. Not a great outcome.
One of the downsides to distractions and diversions is that they may make an otherwise docile guard force more alert. Should you risk waking up the person in the control room that’s supposed to be monitoring the video surveillance system but has decided to take a short nap instead? Of course, you won’t know for sure whether the people in the control room are alert. You’ll need to take an educated guess based on the size of the security team, the layout of security cameras, and the time of the intrusion.
If you need to trigger an alarm sensor, the methods you use should be innocuous and should not suggest an intrusion is underway. For example, if you wanted to trigger the perimeter sensors on a fence, you could find an area with trees and deadfall and throw deadfall against the fence (provided your position can’t be seen by security cameras or patrols).
Similarly, if you wanted to obscure a camera, you would do it in a way that appears natural. Placing tape over the camera is clearly suspicious, and may alert the facility to a possible intrusion. Instead, you might place a piece of rubbish over the camera in such a way that it appears the wind blew the rubbish and it got caught on the camera.
As with other aspects of physical intrusion testing, you’ll need to carefully adapt your approach to suit local conditions.
One of the challenges you’ll face with most intrusion tests is that you’ll never actually know if the facility is being effectively monitored by video surveillance. There could be five alert individuals in the control room observing every movement on every camera. Or, there could be one guy sitting in the control room whose attention is totally focused on not spilling potato chips on the floor while watching reruns of Breaking Bad. If you’re really lucky, the video surveillance system may not be monitored at all. Problem is, you won’t know.
If knowing what is going on inside the control room is an important part of your plan, then you’ll need to focus on social engineering techniques to gather the information you need to proceed.
You might think that professional security officers won’t be tricked by distractions and diversions. That, fortunately for you, is not the case. Security officers are primed for incidents occurring at the facility. At the first hint of an incident, they’ll respond. How they respond, of course, may vary. Security officers may initially check video surveillance monitors. They may then escalate their response by sending officers out to the location of the incident.
At least in my experience, security officers won’t go through the process of wondering whether an incident is a distraction or diversion before they respond. They’ll respond to what they see.
To your benefit, most guard forces will have substantial lapses in their attention, due to a range of reasons. In fact, you may be able to take advantage of natural diversions during different stages of your intrusion.
Some of the activities at your target facility may already provide natural distractions and diversions. If you’re able to time your intrusion to take advantage of these activities, you may not need to devise your own actions.
Obvious examples of natural distractions and diversions include the period when everyone is arriving at, or departing from, the facility. Lunch breaks and shift changes also provide natural distractions for security officers. There’s a lot of movement, and it’s significantly easier to move within a larger group of people.
Security officers will also be distracted during handover periods. Security officers may not be closely observing the video monitors during handover. On the downside, note that twice the number of guards will be on site during the handover period.
Distractions and diversions can provide you the time and space you need to execute difficult activities during your intrusion.
When planning distractions and diversions, be clear on your objective and carefully consider timings. Consider the advice above regarding how to devise an effective distraction or diversion. Where you can, take advantage of natural distractions and diversions.
As you employ distractions and diversions into your physical intrusion tests, take note of what works and what doesn’t work. After each intrusion test, try to get to the bottom of why an action didn’t work, or didn’t work the way you had intended. Take the opportunity to speak to security officers or other people at the facility, so you can understand how the action was perceived from their perspective.
Most importantly, be safe. There’s plenty of scope for some very hare-brained ideas when it comes to distractions and diversions. Carefully think through the potential consequences of any actions before moving forward with your plan.
How to gain entry to some facilities without defeating existing security systems, simply by taking advantage of poor security design.
26 Jan 2022 · Read now
Exploring the different aspects of safety you should consider during your physical intrusion tests
27 Dec 2021 · Read now
When to use overwatch, how to position overwatch, and how to communicate with overwatch during an intrusion.
22 Dec 2021 · Read now
How to integrate surveillance and reconnaissance into your physical intrusion tests.
06 Aug 2021 · Read now
Exploring the value of testing multiple layers of security during an intrusion test.
23 Jul 2021 · Read now
Why it's important to model a specific threat when conducting physical intrusion tests, and how to go about the process of establishing a valid threat model.
22 Jul 2021 · Read now