First published by Grant Rayner on 22 Dec 2021
This is the fourth essay in a series of essays where I’ll be sharing a few lessons learned relating to physical intrusion testing.
In the first essay, I provided some background and context, and discussed the importance of modelling a specific threat for an intrusion test. In the second essay, I focused on the value of testing multiple layers of security during an intrusion test. The third essay focused on reconnaissance and surveillance. This essay is about overwatch.
Not the “vibrant team-based shooter set on a near-future earth” overwatch, but a technique you can use during a physical intrusion test to reduce the risk of detection, and to provide an important layer of safety to the operation.
Overwatch guides the intruder and watches their back during the intrusion. You could think of overwatch as part lookout, part field medic, and part getaway driver. It’s an important role.
In this essay, I’ll discuss when to use overwatch, how to position overwatch, and how to communicate with overwatch during an intrusion. I’ll also touch on using remote cameras and drones.
As you’ll learn, overwatch isn’t a particularly sophisticated technique, and it has huge benefits for intrusion testing.
Overwatch can be used for almost any intrusion. The technique has more utility for larger complexes that have their own perimeter and inner perimeter area. It’s less useful for a single office building in the central business district, as it can really only support the initial entry into the building.
One point to pay attention to is that you’ll need to determine whether the threat groups you’re modelling for the intrusion would use overwatch techniques to support their own intrusions. Read my earlier article on modelling threat groups to understand why this aspect is important. Assuming overwatch fits within the parameters of your planned intrusion, the next step is to work out how you’re going to communicate.
Overwatch and the intruder will typically communicate using mobile phones. While traditionally a hand-held radio would have been better in this application, these days it’s hard to justify not simply using your normal phone. The intruder and overwatch will need to have their hands free, so you’ll need to wear wireless or wired headphones (use wired headphones if the intrusion is going to take some time).
Once inside the facility, wearing headphones provides options for the intruder to pretend they are on a call, making them appear busy and less approachable.
As with all good planning and preparation, make sure your devices are charged and carry backup devices and power banks where needed. Losing communications just as you’re about to initiate a key activity isn’t great for your situational awareness or your confidence.
To communicate effectively during the intrusion, you’ll also need to develop a common language.
To enable the intruder to make sense of the information and instructions being provided by overwatch, and vice versa, you’ll need to establish a common language.
First, establish a language for orientation and direction. You could, for example, refer to the aspects of the facility (front, back, left, right). Alternatively, you can use cardinal directions (north, south, east and west). In my experience, the former approach is easier to understand.
Next, agree on names for each building. If you’re not sure what the buildings are, you can make up names or just give the buildings numbers. There’s no need for fancy code words, because no one will be listening in to your call.
Finally, establish names for major roads and specific locations, such as car parks. Again, you can use the actual names or just make up names.
During your planning, it’s good practice to develop a schematic of the facility that’s labelled with the agreed upon naming conventions.
You’ll typically want to position overwatch in a location from where they can view deep into the grounds of the facility. Overwatch could be positioned in a building overlooking the facility, or on higher ground. As you might already guess, finding an accessible elevated position can be problematic.
If it’s not possible to have overwatch in an elevated position, their utility will be reduced. From ground level, overwatch may only be able to provide support for the initial stage of the infiltration, when the intruder breaches the perimeter barrier. After that, they may not be able to provide any meaningful support (they will still have an important safety role, as I’ll discuss shortly).
Once the intruder is inside the facility and is moving between buildings, overwatch may need to move around the perimeter to open their angle of view in support of the intruder. It’s useful to consider how you might need to do this during planning and rehearsals. A good approach is to break the intrusion into stages or bounds. When the intruder reaches an agreed position, they can hold in place while overwatch repositions themselves to cover the next bound.
Of course, there are risks in having overwatch move around during the intrusion. Depending on the location and the nature of the outer perimeter area, movement in this area may result in additional attention and possibly detection and apprehension.
While you could move overwatch into the perimeter, perhaps for a very large property, typically you will want to keep them outside the perimeter. If the intruder is compromised during the initial stages of their infiltration, it’s best to have overwatch positioned so they are in a static and secure position and can guide the intruder to safely exfiltrate the facility.
Providing warnings
The key role of overwatch is to warn the intruder of activity within the perimeter. Here are a few examples of such warnings:
Effective warnings provide peace of mind to the intruder. While the intruder will still need to be careful, having overwatch removes some of the stress of conducting an intrusion. Knowing the ‘coast is clear’ is invaluable, particularly in situations where line of sight is limited.
The topic of warnings leads nicely into the topic of commentary, which is an essential aspect of an effective intrusion.
The intruder and overwatch should maintain a continual two-way commentary during the intrusion. For the overwatch, this commentary lets them know what the intruder is doing, and confirms the intruder is okay (i.e., not impaled on a fence). If the commentary goes silent, overwatch should know that either the intruder is close to someone who may hear them, or has been involved with an incident. For the intruder, commentary keeps them updated on movement within the facility.
Here’s an example of commentary during the initial stages of an infiltration:
Intruder: Ready to go
Overwatch: Okay, no guards in sight
Intruder: Approaching the fence
Overwatch: No guards in sight
Intruder: At the fence
Overwatch: No guards in sight
Intruder: Equipment secured
Overwatch: No guards in sight
Intruder: Starting to climb
Overwatch: No guards in sight
Intruder: Crossing over
Overwatch: No guards in sight
Intruder: Cleared the fence
Overwatch: No guards in sight
Intruder: Removing equipment from the fence
And so on
Boring? Maybe. But believe me, there’s nothing more satisfying than continually hearing someone whisper “no guards in sight” into your ear while you’re infiltrating a facility. It’s a love language.
A point to make here is that negative information (“there’s nothing”) is just as important as positive information (“there’s something”). Negative information provides a green light for the next step in the plan. As noted earlier, you’re being told the coast is clear and you can continue.
Here’s another example of effective commentary, when the intruder is inside the grounds:
Intruder: Moving from the fence to Building 1
Overwatch: Hold, a patrol is moving your way
Overwatch: Okay, move now
Intruder: Okay, moving to Building 1
If the intruder is approached or apprehended, it’s good practice to leave the communication line open. As the intruder communicates with the individuals, overwatch will be able to hear one side of the conversation.
An interesting effect of commentary is that it instils confidence in the intruder. At least in my experience, I’ve found that the process of verbalising what I’m doing and what I’m planning to do next has a calming effect, particularly during pivotal moments, such as crossing the perimeter or entering a building. Knowing there is someone monitoring your activities also keeps you moving. It’s very easy to become paralysed in place during an intrusion, particularly when you’re about to breach an access point. Feeling as though you are ‘accountable’ to overwatch will help motivate you to keep pushing forward.
Overwatch should maintain a log of events during the intrusion. This log is essential to enable you to provide a chronology of events for the final report. Time passes in different ways during an intrusion, so don’t expect to be able to maintain an accurate estimation of how long you spend doing different activities.
There are several ways to maintain a log while not compromising the primary function of your overwatch. First, you can record the commentary between the intruder and overwatch either on the phone or using a digital recording device. If using a digital recording device, ensure that timestamps are used so you have a clear chronology of events. Second, you can have a pre-drafted log with the main events you know are likely to occur (e.g., at the fence, crossing the fence, at the first door, etc.). By having a pre-drafted log, the only information overwatch will need to write is the time that event occurs. Of course, you could also use both methods at the same time.
The other role of overwatch is to provide safety support. If the intrusion requires negotiating barriers, then there’s always a risk of an accident. There’s also the risk of the actions of an overzealous guard force.
If an accident occurs during the intrusion, the individual in overwatch could do one or more of the following:
In my experience, having overwatch available helps to ensure that dangerous activities, such as crossing barriers, can be completed in a calm and unhurried manner. Knowing you’re not going to be compromised by a guard patrol when crossing a barrier allows you to be careful and deliberate.
In addition to the support outlined above, overwatch can also support activities designed to distract or divert security forces. In this context, a distraction is an activity designed to draw the attention of the security officers to a specific area. Static guards may turn and observe this area, or security officers in a control room may focus on video surveillance feeds covering that area. A diversion, on the other hand, is an activity designed to make security forces displace and physically move to a specific area. Overwatch can place distractions and diversions around the perimeter. They can also be responsible for activating diversions.
I’m not going to get into specific techniques related to distraction and diversion here, because I don’t want to give away too many secrets (truth is, there aren’t that many techniques that are effective). At a high level, movement, noise and light will typically provide a distraction. A successful diversion, however, will require an incident that demands immediate attention.
If you need to complete an intrusion alone, that doesn’t mean you need to do without overwatch. Consider using remote video devices to provide a live feed of the grounds. Well-positioned and well-concealed cameras will enable you to check the position of guard patrols and other people as they move within the outer perimeter area. Even if you have a human for overwatch, remote cameras can still be useful for large facilities with an expansive perimeter.
Another approach — if you need to see what the overwatch sees — is to ask them to switch to a video call. Seeing the scene from the perspective of overwatch may provide additional context needed to make critical decisions.
In theory, drones provide a good option for overwatch. In practice, drones tend to be noisy and may compromise the infiltration (or at least make security officers alert to the possibility that something may be going on). Piloting the drone will also take the full attention of the operator, which may make them less responsive to the moment-by-moment needs of the intruder. Drones also have a limited flight time, which means they may not be able to remain airborne for the full duration of the infiltration and intrusion.
At least in my own experience, drones are useful for reconnaissance of large facilities, but don’t replace a human in an overwatch role. Not yet, at least.
Overwatch is a great technique that you can apply to lower the likelihood of detection during an intrusion. Overwatch replaces luck when it comes to getting through perimeter security.
Overwatch also has important safety benefits. It’s always comforting to know there’s someone close at hand to help when you get entangled in razor wire on top of a fence.
For my own physical intrusion tests, I will use someone in overwatch for every intrusion, if only to provide a safety net. Having overwatch doesn’t significantly add to the cost of the activity. Typically you’ll only need one person to be available for a few hours. Of course, the conditions of the assignment may vary.
If you haven’t used overwatch for physical intrusion tests before, give it a try. It may take a while to integrate the approach into your methodology, but once you get used to that calm voice whispering in your ear, you won’t want to go back to doing intrusions alone.
In the next article, I’ll focus on an important and often ignored aspect of physical intrusion testing: safety.