First published by Grant Rayner on 06 Aug 2021
8 min readIntrusion Testing
This is the third of several essays where I’ll be sharing a few lessons learned relating to physical intrusion testing.
In the first essay, I provide some background and context, and discuss the importance of modelling a specific threat for an intrusion test. In the second essay, I focused on the value of testing multiple layers of security during an intrusion test.
In this essay, I’ll share some insights related to surveillance and reconnaissance. I’ve also included some notes on probing and the value of taking photos and recording video.
Planning an intrusion demands having specific knowledge of the target facility’s layout and security measures. Most threat groups will therefore conduct surveillance and reconnaissance in the lead up to an intrusion. It follows that most intrusion tests should have a phase of surveillance and reconnaissance before the actual attempt at intrusion.
Each intrusion test provides a valuable opportunity to learn about current levels of security. Surveillance and reconnaissance activities provide two key benefits:
If an organisation can detect activity preceding an intrusion, they may be able to disrupt the intrusion during the planning stages and prevent the intrusion operation going ahead. As such, learning about different indicators of a potential intrusion, and being able to identify those indicators when they occur, is a hallmark of effective security.
There’s also substantial value in being able to see security measures from the perspective of an intruder. Key security concepts such as deterrence are difficult to evaluate when you’re standing on the inside looking out.
Of course, any techniques used during surveillance or reconnaissance should conform to the capabilities of the threat group being modelled for the test (as previously discussed in this essay).
For our purposes, surveillance is the long-term observation of the target facility. The focus of this observation is to understand patterns of activity and movement. Surveillance is typically conducted some distance away from a facility (that said, there are situations where you may conduct surveillance inside a facility). Surveillance is also typically conducted from a static location.
Surveillance can be conducted by a person in an observation post, watching activity first hand. Alternatively, surveillance can be conducted using video recording equipment and either watching a real time feed from the camera or playing back recordings at a later time. Here are a few examples of surveillance activities that may be conducted as part of a physical intrusion test:
From experience, sitting in a lobby lounge is significantly more comfortable than sitting in a thicket of shrubs!
Surveillance can last for hours or, if the project allows for it, days. In practice, however, most intrusion tests will have a limited time allowance for surveillance.
If you’re planning an intrusion test, or proposing an intrusion test to your client, always include at least eight hours for surveillance activities. This time block can be broken up into multiple surveillance tasks. Be sure to also provision the time needed to get to and from the target area.
When conducting surveillance, you’ll need to be economical with your time. Before stepping out of the door, be clear on what your surveillance is trying to achieve. Have a clear list of information requirements that you plan to collect. It may be that you need to conduct surveillance from different observation posts to collect different pieces of information.
There may be some projects where the layout of the facility makes surveillance difficult or even impossible. In such cases, surveillance may be an unproductive use of your time and you’ll need to consider other techniques to gather information.
As you start planning surveillance, ensure that the techniques you’ll be applying on the ground accurately mirror those of the threat group you’re modelling for the physical intrusion test. It’s particularly important to consider the capabilities of the threat group when it comes to selecting equipment for surveillance. For example, not every threat group will have access to high resolution imaging equipment, and very few threat groups will have access to night vision equipment. Similarly, not every threat group will be willing to sit in a thicket of shrubs and observe a facility.
While you’ll be some distance from the facility, each surveillance activity will need to have some form of pretext or cover story. Why are you standing in that car park with a camera with a telephoto lens? Why are you sitting in that thicket of shrubs with a notebook containing the timings of guard patrols? Moving in an out of observation posts also requires planning and, in many cases, some good old-fashioned fieldcraft. Whatever techniques or pretexts you employ, be sure to model these on the capabilities and intentions of the threat group you’re modelling.
Aside from supporting the planning of the intrusion, the other key benefit of surveillance activities is that they provide valuable insights to your client. Such insights can include the following:
This feedback provides useful inputs for security planning.
Aside from surveillance, the other intelligence gathering activity you may conduct during a physical intrusion test is reconnaissance.
Reconnaissance is another technique you can employ to gather information on a target facility. Reconnaissance differs from surveillance, in that it’s a short duration task designed to collect specific pieces of information. You’re likely to remain mobile during reconnaissance, and will get close to the facility.
Reconnaissance fills any information gaps that you weren’t able to collect at a distance through surveillance. As such, there will typically be a period of surveillance before reconnaissance. As with surveillance, each reconnaissance task should have one or more specific objectives and associated information requirements. Here are a few examples of reconnaissance activities and their associated objectives:
When looking at this list of reconnaissance activities, you’ll note that it’s difficult to loiter in such situations. You’ll typically need to keep moving so that you don’t attract attention. This mobile and short-term nature of reconnaissance is what differentiates this activity from surveillance.
Reconnaissance tasks will typically bring you within the physical space a facility can control. For that reason, you’ll need to use them sparingly. There’s a high probability that you’ll be recorded on video surveillance during a reconnaissance task. There’s also the possibility that you may be observed by security officers. You may even be approached by security officers if they assess your behaviour to be suspicious. From the perspective of testing security, these events are positive, as they provide an opportunity to detect a potential intrusion during the planning stages.
Most reconnaissance tasks don’t involve actually breaching security. They’re typically conducted in the outer perimeter area or within public areas of the facility, such as lobbies. That said, there may be occasions where you may need to breach the outer perimeter of a large facility in order to explore inner perimeter security measures. While still technically a reconnaissance task, you’re breaching security and — if caught — are likely to be detained.
Every reconnaissance task requires some form of pretext or cover story to explain who you are and why you’re there, doing what you’re doing. When developing this pretext, always refer back to the threat group you’re modelling. Is the threat group willing and able to come up with elaborate cover stories, or will they simply walk away if someone approaches them? As noted in my earlier article, don’t fall into the trap of blending the techniques of different threat groups to create an unfair and unrealistic advantage. When planning your physical intrusion test, allocate at least half a day for reconnaissance tasks. Most intrusion tasks will require at least two and probably up to five different reconnaissance activities, conducted over several days. If realistic based on your threat model, you can use different people for different reconnaissance tasks. The person conducting the reconnaissance may not necessarily be the person that’s conducting the intrusion.
Another type of activity that you may conduct as part of your planning and information collection efforts in the prelude to an intrusion is probing.
Probing is different from reconnaissance, in that you’re actually going to be testing specific security measures. (That said, you may conduct probing activities as part of a reconnaissance task — there are no hard and fast rules here).
Probing activities provide another activity that can be detected by the facility, giving the facility the opportunity to detect the intrusion during the planning stages. Here are a few examples of probing:
Because probing requires you to interface with the facility and its security measures, there’s a higher likelihood that your activities may be detected. If you’re not careful, you may be stopped and could even be detained. As with surveillance and reconnaissance activities, a good pretext or cover story is essential. If your threat model allows for it, use different people for probing activities. As with reconnaissance, the person conducting the probing may not necessarily be the person that’s conducting the intrusion.
One interesting point with probing (and sometimes reconnaissance) is that it may provide the opportunity for an intrusion. If you test an external door and find that it’s unlocked, should you enter? To answer this question, you’ll need to put yourself in the mind of the threat group you’re modelling. Would they take advantage of such a lapse in security? If so, go for it. If you’re likely to want to take advantage of such situations, be sure to carry any essential equipment you may need for subsequent stages of the intrusion.
A final point on probing (and reconnaissance) is that these activities should not involve any site preparation work (unless you believe you’ve been presented a unique opportunity). Therefore, any activities to interfere with perimeter barriers, security cameras, intrusion sensors or locking hardware designed specifically to support the intrusion should be conducted as a separate activity.
If it fits with the activities likely to be undertaken by the threat group you’re modelling for the intrusion, consider recording video and taking still photos of access points and security routines during reconnaissance and surveillance. Such activities may be detected and reported by observant staff, which is good because it means that procedures and awareness programs are working. These images and video are also useful for the debriefing. Again, an ‘intruder’s perspective’ always provides useful insights.
Including information in the report on good vantage points for photography or good observation posts for longer-term surveillance also provides excellent feedback to the client. The facility may choose to monitor these locations or could even deploy technology to enable them to detect people loitering in specific areas. Some facilities may also deploy security officers outside the perimeter to act as a deterrence, or use counter-surveillance teams to identify people in vantage points paying too much attention to their facility. Some hotels in higher-risk locations use these techniques.
To wrap up, there is a lot of value in conducting surveillance, reconnaissance and probing techniques as part of a physical intrusion test. These intelligence gathering techniques are essential aspects of planning for the intruder. At the same time, these activities provide opportunities for the facility to detect the intrusion in the planning stages. Good lessons can be learned by sharing how surveillance and reconnaissance activities were conducted, which can be used to help build security awareness among employees and security officers.
When preparing your report, and when briefing the client, discuss the challenges you faced when conducting surveillance and reconnaissance. At what points were you worried about being detected? What security measures were you most concerned about? Which security measures forced you to change your plans? This information can yield valuable insights into the effectiveness of existing security measures to create deterrence for an intruder during the planning stages of an intrusion. Deterring attempts at intrusion is a good security objective and can often be achieved through effective deployment of cost-effective measures, such as lighting. In the next article, I’ll focus on another important aspect of intelligence gathering to support an intrusion — gathering information from human sources. While surveillance and reconnaissance are typically straight-forward activities, engaging with people raises a host of ethical questions.
How to gain entry to some facilities without defeating existing security systems, simply by taking advantage of poor security design.
26 Jan 2022 · Read now
How you can integrate distractions and diversions into your physical intrusion tests to enable you to access the facility and achieve your objectives.
25 Jan 2022 · Read now
Exploring the different aspects of safety you should consider during your physical intrusion tests
27 Dec 2021 · Read now
When to use overwatch, how to position overwatch, and how to communicate with overwatch during an intrusion.
22 Dec 2021 · Read now
Exploring the value of testing multiple layers of security during an intrusion test.
23 Jul 2021 · Read now
Why it's important to model a specific threat when conducting physical intrusion tests, and how to go about the process of establishing a valid threat model.
22 Jul 2021 · Read now