👨‍✈️Social Engineering

A little bit about performing Social Engineering

Physical intrusion is an overlooked area of organisational security. Many organisations are single-minded and believe that attackers will only use digital routes to compromise them, so all of the emphasis, and more importantly the security budget, goes on logical protective measures.

If an attacker wants to access a network they may attempt to do so in several ways, and one of the most common is phishing. However, as email filtering and other email protections improve, physically walking into the business may become the path of least resistance and therefore the simplest way for the attacker to reach sensitive assets.

A Scenario

Picture this: an organisation is situated in a high-rise building with only one entrance. To gain entry you must walk through a reception area that has ID badge gates which sound an alarm if tailgating is detected. The gates are watched by physical security staff, and on the other side of the gates is an elevator that takes you to the various floors of the building.

Once out of the elevator there are more ID badge doors and another, smaller reception area.

To someone without an attacker's mindset or the correct knowledge this might sound secure, as the building has several controls in place to mitigate unauthorised access. In practice, this was not the case. It was possible to gain entry into this building, and I did so using the following steps:

1) Understand what you're heading into and create a pretext

Performing reconnaissance before entering a building is vital. You can do this using Google Street View and your own eyes, by simply walking past the building a few times. It is an important step for understanding the flow of the reception area, but also how the employees dress. Smart or casual? Do they wear ID cards? What do the ID cards look like? How do employees enter reception? Knowing this lets you later act like you belong within the company walls.

A pretext is also important and should always be simple enough to remember at a nervous moment. A pretext is a fabricated reason for why you are doing something. In this case, for example, it might be that you're an IT support engineer from another office location who is here to check on the network.

This gives you an excuse to produce unusual-looking IT equipment if need be, and a reason for plugging into different wall ports and the like: "I'm just checking the network connectivity". To boost your chances of getting in and staying undetected, find some high-profile names in the business to drop when asked "who sent you to do this work?".

LinkedIn or even the company website will give you these names. Employees that are likely to be busy are a great choice, such as a Head of IT Infrastructure. They will hopefully be too busy to be disturbed for verification of your story, and when you name them, others tend to know their position in the company and will often not argue with someone higher in the business hierarchy.

2) Create an entry path and look the part

Reconnaissance will have told you that employees enter through the reception gates using an ID card and then walk into the elevator. You will need to mirror this behaviour. To start, copy the badge style: buy a similar lanyard and badge holder. You won't have a legitimate badge to put in it, but a blank ID card is often effective. If possible, use a badge printer to replicate the card design, so that it holds up if someone challenges you.

Beyond the ID card, make sure you dress in appropriate clothing to match the employees' style.

3) Wait for reception to have a large footfall

8am to 9.30am is normally a great time to enter a business. Employees are usually arriving during this window, and the security staff are kept busy with guests signing in. That means less attention on the people entering via the gates, which is perfect for you.

4) Know your pretext and be confident

Once you have rehearsed your pretext and feel confident, you are ready to gain entry. Reconnaissance has shown that ID badge gates are present, so it is likely that you will have to tailgate.

Some gates sound an alarm when they detect tailgating, and a simple way to counter that noise is to wear headphones. Yes, genuinely. If you hear an alarm, keep walking as though nothing has happened and you're just listening to music. Most people do not like confrontation and will not stop you or want to interrupt your music or phone conversation. If you time it right, the security staff should be busy with guests and won't stop you. If you are stopped, the replica badge you made helps your case when convincing them you're legitimate.

To tailgate, time your walk into reception well. Once an employee has scanned their badge and walked through the gate, quickly pretend to scan your own badge and walk through behind them. Again, an alarm might sound, but ignore it. More often than not, it won't.

5) People like to be helpful

At this point you're through the gates and walking into the elevator. Assume there will be more ID badge doors ahead, so pick an employee and follow them until you are fully inside the right area of the building. That means once your target walks out of the elevator, follow them through the ID badge doors and past the second reception area. If you are walking behind a recognised employee, reception is less likely to stop you, as you look like you are legitimately with them.

Most people want to be helpful and will hold doors for other people. Use this to your advantage.

At this point you are inside the organisation. As you are wearing an ID badge, it is unlikely that you will be challenged now unless you do something suspicious. However, you're probably going to have to do something suspicious to get what you need, so be prepared for conversation.

If you need network access, find a network port and plug into it. Meeting rooms are good for this, as they usually have a VoIP phone with a pass-through port you can connect to. Failing that, find a quiet space to sit and use a printer's Ethernet port. Phone and printer ports are worth trying first because, where an organisation runs 802.1X or other network access control on its wired ports, these devices are often the ones exempted from it. You may also look at stealing physical assets, or even legitimate ID badges, to make access to other floors or re-entry much easier.

If you want to watch me talk about this, take a look at the video below:
