
I've seen a lot of people talk about how to pentest and how NOT to get caught during engagements but have a hard time finding "How to behave when caught during a Red Team engagement".

Red Teams are there to simulate adversaries attacking systems. Many actions can't be done (or are at least very hard to do) with just some computers, and Red Teams often have to go on-site and break in (legally). What I've seen so far is people succeeding in not getting caught. However, I haven't seen anyone talk about what to do when caught. It may just be some suspicion or even being chased by security (possibly armed).

In cases where a Red Teamer is caught during an engagement, what should he/she do?

  • Say "I'm a security tester. You've caught me so I'll just leave."
  • Run away like a criminal with their stolen data (which sounds fun but dangerous) to be more like an actual criminal attacker
  • Contact the employer to report it and get a "just continue" pass
  • Quietly come along for some possible interrogation (I think this would be the safest)

Update: I've made another question here which covers the 3rd parties not discussed in this question.

schroeder
ChocolateOverflow
  • 111
    You should have proof that your actions are authorized. – Overmind Nov 11 '19 at 11:59
  • 112
    This should have been defined in the engagement scope ... – schroeder Nov 11 '19 at 12:16
  • 5
    I'm only a student with no real experience in real life Pentesting and have not seen examples of real engagements so I don't know what may be stated in the scope regarding this – ChocolateOverflow Nov 11 '19 at 13:06
  • 3
    Without a doubt, the Pentest company would have very specific rules and training on what to do in this situation. As a side note, the most likely thing a criminal that is caught would do would be none of those things, but to talk himself out of the situation. Hell, a criminal might even say they are doing a pentest, praise the person for their correct action to get them on their side! – Issel Nov 11 '19 at 22:56
  • 9
    [Tinkersec](https://mobile.twitter.com/TinkerSec) likes to tell some good stories about this. [Here's one](https://threader.app/thread/1063423110513418240). There are other, but I'll let readers go down this rabbit hole themselves. – kojiro Nov 11 '19 at 23:50
  • 16
    Worth listing the recent Coalfire Security incident which has the pen testers facing misdemeanor charges. https://assets.documentcloud.org/documents/6540700/Coalfire-Statement.pdf So make sure the people hiring sort out jurisdictional issues first. – Gary Nov 12 '19 at 02:15
  • @Gary this clearly illustrates the need to - not only have a written engagement contract - but also be part of a team (ideally a well established company with a legal department) capable of sorting things out if you end up in custody. An independent contractor would have been @#&!ed in the Coalfire situation. – zakinster Nov 12 '19 at 11:24

2 Answers

193

Always have your slip with you!

This is the golden rule of Red Teaming! If you don't have your Permission to Attack with you, it's like driving without a driver's license. That said, if you are caught during an engagement, I recommend the following:

  1. Present a forged Permission to Attack. This way, you can see if criminals could possibly trick a security guard into letting them do their thing with a fake Permission to Attack.

  2. Present the real Permission to Attack. If a guard has not bought your fake slip, then it's time to hand in the real slip. If the guard believes you, it's time to pick up and leave the perimeter. A real attacker would have been stopped at this point. If the guard did not believe you, ask them kindly to talk to their supervisor. If they insist on not believing you and calling the police, so be it. You're not a criminal, so don't worry about it.

  3. Follow the police's orders. They'll take you with them to the station, where you can explain to the police that you are part of a Red Team Engagement, and that you have a permission to break into the company. They will double-check that, calling whoever is listed as the person who signed your Permission to Attack. In the happy case, they'll pick up the phone, explain that you are really hired to do that, and you'll be free to go.

    In the not-so-happy case, they won't pick up because it's 4 in the morning and their phone has no battery. Should this happen, you will probably spend the night in the police station. Worse things have happened. Call your employer in the morning, and they will reach the contact at the customer's company for you.

What about the other options?

Saying "I'm a security researcher. You've caught me so I'll just leave"

will not be very helpful. In the eyes of a security guard, you're a criminal, caught in the middle of a crime. You will not have the choice of "just leaving".

Run away like a criminal.

A very bad idea. Probably the worst you could do. If the guard calls the police (they likely will), the costs could rise quite a lot and it would not make the customer happy to know they now have to pay the police for an unnecessary manhunt as well. However, you should absolutely include in your report if getting away from the perimeter after getting caught would have been a trivial effort or not.

Contact the employer to get a "Just continue pass".

That would miss the point of a Red Team Engagement. Once you have a "Just continue"-pass, you are not simulating how a real attacker would act. You would just go through the stuff of the company with their permission.

  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/101116/discussion-on-answer-by-mechmk1-what-to-do-if-caught-in-a-physical-pentest). – Rory Alsop Nov 16 '19 at 14:29
52

There's a flip side: what to do if you discover a physical pentester. When I was working at a bank, I happened to notice the iconic metasploit cli welcome banner flash up for a second on a desktop in the middle of a cube farm.

Physical pentesters are a part of life at a bank, and the rules of engagement are very clear beforehand. There are rules and procedures for both parties if someone notices a pentester. This keeps everyone safe.

Because imagine the situation: if metasploit is running, all it would take would be the attacker running a pre-made script and it could be "game over" for the bank. If you see the banner, it is likely already too late. That means that that person's fingers need to be off that keyboard and the network cord pulled/wifi turned off as soon as possible. Like, immediately. That means rough physical interaction. Not waiting for security to arrive. And that's a safety problem.

It turns out that in this case, the pentester messed up by exposing himself like that and the engagement would have been prematurely ended, but by following protocols, the engagement continued under the defined scope and everyone was safe. The test was not about being able to get in, but to simulate a malicious insider.

schroeder
  • "rough physical interaction" - As in tackling the guy to the ground? –  Nov 11 '19 at 14:54
  • 5
    @MechMK1 or at least getting your body in between the device and the other person. – schroeder Nov 11 '19 at 14:56
  • I'd find it interesting how much physical force the pentester is allowed to exert in order to simulate a "motivated" attacker. –  Nov 11 '19 at 14:58
  • 11
    @MechMK1 probably no force at all, since the company can only authorize activities that it itself is allowed to do - e.g. the company can authorize a pentester to access its servers; the company can delegate a pentester *as much authority as it itself has* for security tests of third-party cloud systems and buildings rented from third parties (which may likely have some restrictions) and it can't authorize the pentester to use force against its employees or hack their home computers or gmail accounts since the company itself isn't authorized to do that. – Peteris Nov 11 '19 at 20:17
  • 32
    @schroeder standard procedures in most companies would *not* expect (or even allow) office employees to physically assault suspected intruders, they'd be expected to just call security even if it means that the attacker will complete some activity or get away. I mean, bank tellers usually are under strict orders to not resist robbers claiming to be armed, as the robbery loss is considered lower than the risk of costly injuries. A policy of rough physical interaction from employees who see what they think is metasploit on a screen of some person would be quite risky from liability perspective. – Peteris Nov 11 '19 at 20:21
  • @Peteris there's "assault" and then there is impediment... – schroeder Nov 11 '19 at 20:42
  • 6
    @schroeder sure, my point probably is that if I was the HR manager approving policies, then I wouldn't trust random untrained office employees to not cross the line between assault and not assault, and the liability risk of some physical altercation happening "according to company policy, doing what the company asked of us" because of some misunderstanding (probably with no relation to a pentest) can easily be a career-limiting move for anyone signing off on that policy, so the default CYA measure is to prohibit it. – Peteris Nov 11 '19 at 20:54
  • 1
    @Peteris I was talking more akin to "trying to reach behind a person to reach a keyboard", and less like "trying to subdue security personnel" –  Nov 11 '19 at 21:18
  • 1
    I think the word "physical" is somehow taken too literally here :) I would certainly never assault someone in my company because I *think* that they are an intruder. We have trained staff for that. This includes taking their fingers off the keyboard. I can imagine I could disconnect the computer, and yell like crazy to attract security if I was really motivated. – WoJ Nov 12 '19 at 15:01
  • 28
    Some of y'all must have _really_ liked your employers. There is no office I've worked at where I would have considered it worth it to physically insert my body between an assumed attacker and his target. If they hire me to be a security guard, then I'll do security. If they're hiring me as a programmer, I'll call security _and that's it, *period*_. – GrandOpener Nov 12 '19 at 19:08
  • Peripheral only: Some decades ago I chased an intruder through an office and down a stairwell (on a Boxing Day evening when all sane employees were absent). I'm in NZ and the chances of an intruder having a firearm were small - but it didn't occur to me at the time that this was a foolhardy move :-). At that stage of life I prided myself on my 'stair descending capability.' I used to see how fast I could descend many floors. (Also stupid). I was annoyed that this guy escaped me. (Stupid again). – Russell McMahon Nov 14 '19 at 04:17
  • It turned out that he was a security guard (who I knew and got on well with but did not recognise in the glimpse I got of him) having a browse through places he didn't belong and the security system allowed him to be caught. He left the stairwell during the pursuit with an access card - a stupid move on his part - although other options were limited. He was subsequently dismissed - and asked to be allowed to come and apologise to me - which he did, under security escort. – Russell McMahon Nov 14 '19 at 04:18
  • 1
    I agree, most jobs you would be terminated for having a physical altercation with an intruder. They don't want the *sky's-the-limit* liability if you get maimed. Knowing you would take a bullet for the company *instantly disqualifies you from working there*. – Harper - Reinstate Monica Nov 14 '19 at 15:57