Red teaming and social engineering to sound the alarm: An interview with Sean A. Ahrens
The concept of red teams and blue teams comes from the military. The red team is the ‘attacking’ team, which tries to break through the defense of the blue team, thus exposing weaknesses in the protective measures. The same concept is used in information security, where hired professionals try to get access to files or data that are restricted. And red teaming is of course also used in physical security. Physical penetration testing or red teaming is used to test the security measures that are in place to protect assets, buildings or people. Sean A. Ahrens of Affiliated Engineers is one of those professionals who tries to break into buildings to expose weaknesses in the security of that building. We had the privilege to speak to him about his profession.
Thank you for taking the time to do this interview Sean. Can you briefly introduce yourself, your organization and your occupation?
Sure, my name is Sean A. Ahrens, and I am a security consultant with over 22 years of thought leadership surrounding security and resilience. I presently am employed with Affiliated Engineers, the industry’s leading technical consulting firm for uniquely complex large-scale building, energy, and utility projects.
Red teaming is a well-known activity and service in information technology. In physical security it may be less known. Can you tell us what it basically is and what your role is in the process?
Red team/blue team exercises have been around way before cyber security adopted and overtook the terminology. My role? Security does not receive the visibility within the organization because the outcome of the event is not continually realized. It is like the philosophical statement – “If a tree falls in the forest, and no one is there to hear it: Does it make a sound?” Comparably, how do we know the effectiveness of a security program without an actual occurrence? Red-team/blue team exercises answer that question.
I ‘sound’ the alarm, making the unbelievable, believable and thus justify to executives the need for the expense or resources to mitigate the vulnerability.
Do you think red team/blue team exercises should be part of any security assessment? Why is that?
A comprehensive overall security assessment involves a process where client concerns and requirements are validated and other issues unknown to the client are uncovered. The security assessment begins with the outermost perimeter of the building and proceeds inward to the actual assets to be protected. Most assessments deal with hypotheses, but the overall assessment process can be strengthened by demonstrating the vulnerability.
For instance, during one corporate building assessment, I uncovered there was a lack of compartmentalization for the lobby that led to executive offices. The executives desired an open, inviting environment for the corporate facility without the obtrusiveness of security. Therefore, the only security between the lobby and executives was a 65-year-old woman, Grace, who had worked at the company for 25 years. Grace had no duress button and no training, and she indicated that the only step she could take to control an aggressor would be to say “Stop.” I inquisitively retorted: what if the aggressor did not stop? “Well, I guess I would say ‘Stop’ again,” she said. The risk assessment also uncovered tensions with the union workforces, tensions that appeared to be escalating. The report suggested that Grace receive training and the implementation of multiple methods of communicating a hostile situation (i.e., the duress button/phone), detection of aggressors, de-escalation, and personal safety training and a way to control access to the executive area (e.g., access-controlled door, barrier-type turnstile). The assessment was very well received and the document landed on someone’s desk for implementation. But for cost reasons, the organization elected not to proceed with recommended improvements in the main lobby.
As predicted, one day, multiple union representatives rolled up in buses, walked by Grace as she repeatedly yelled “Stop!” and entered two executives’ offices while chanting on bullhorns.
The access-controlled doors, compartmentalization, training, and duress buttons were added the following week at 160 percent of the original price, due to the urgent need. When I asked the executive why they did not heed the warning, they indicated that they did not recognize the risk. Red team testing does that – it validates the vulnerability and risk of exploitation.
What are typical vulnerabilities that you encounter in your daily practice?
So many. Certainly, I have magnets, door openers, shims (credit cards), lock picks, coat hangers and related tools to validate the effectiveness of physical barriers. But the most common tool I apply is social engineering. In this video I am interviewed by SecurityGuyTV.com and I speak about the importance of engineering.
One example I mention in the interview is how I use social engineering to bypass a well-trained and highly motivated security guard to get access to a restricted area in the building. Recently I also released this article on our corporate website about how people are the biggest security vulnerability.
What would be the best way to make red teaming part of a security management program?
This is something that is being done more readily within organizations. Red teams constantly are testing security to make it better. How do we get better at anything? We need to make mistakes. Red/blue team affords us an opportunity to make the mistake on paper.
Including it in your security management program requires a multi-disciplinary communication process that involves Information Technology, executives, risk management, legal and a willingness to improve and moreover prepare for tomorrow’s vulnerabilities.
Would you say the majority of your work involves social engineering or rather technical engineering?
So, if we look at the risk to building access, we have to consider the aggressor’s motive, capability (tools, resources) and knowledge. From a risk analysis perspective, one could argue that social engineering requires no tools, just knowledge of the human psyche that can be learned over time. Thus, from a risk perspective, social engineering is the most likely tactic to be used. Most of my assessments use social engineering to some degree to either gain access or validate presence.
Social engineering has been around for decades. It’s not new; it’s tradecraft used by spies, magicians and con-artists. It’s a vulnerability in plain sight that is becoming more pervasive. Some people are doing social engineering without realizing they’re doing it. Learning about the human psyche is the “special sauce” that makes this vulnerability more real.
Is there something else you would like to share with the security industry?
While technology catches up, we really need to start establishing training around recognizing, detecting and documenting possible social engineering attacks. Nobody is doing this training, and in my work I am actually exploiting their “happy bubble”. The move towards mobile technologies and access control will make this vulnerability even more real in the future. Finally, for those professionals that are considering jumping into red teaming: Make sure you know your local laws, do your due diligence on “hold harmless agreements” and do not forget the coordination of resources and law enforcement on-site. For instance, in California (United States), just having specific tools in your possession is considered a crime!
Thank you very much for your insights, Sean. Good luck sounding the alarm!