This question was primarily inspired by this (related) question, but is about the other side of the equation.

I'm a security engineer at Medium Sized Company, Inc. We recently hired John for a penetration test (unbeknownst to me). John successfully got into our building and made it all the way up to our floor. He got someone to let him in and gained access to a relatively secure area.

Unfortunately for John, his presence in the secure area triggered an alarm which dispatched me to investigate. I found John in our server room, where he was about to plug something into one of our network switches.

I managed to stop him before he connected his computer to our switch, and demanded to know what he was doing there in a secure area. He presented me with a Permission to Attack slip which did not check out, followed by a real Permission to Attack slip that was confirmed with the relevant party.

Right now, I have a hacker sitting handcuffed to a chair in the server room, not allowed to leave my sight until I know what to do with them.

So, what do I do with them? There are a few options I can think of:

  • Escort them out of the building,
  • Just politely tell them to leave the premises as the penetration test has concluded,
  • Let them keep doing whatever it was they're doing and hope our NOC catches them too

My company doesn't have any policy guidelines I should follow and the person on the PtA form doesn't know either, so I'd like to know what's considered the best-practice in a situation like this.

Kaz Wolfe
  • That depends on what your role is in the company. Are you a regular worker? Are you security personnel? –  Dec 05 '19 at 19:13
  • @MechMK1 I'm the cybersecurity engineer/IT Manager for the company, but I'm somewhat responsible for physical security of the office too. I'm not hired as a security guard or anything of the sort. – Kaz Wolfe Dec 05 '19 at 19:16
  • Option 3 is out: Their identity is already compromised, so unless the work contract says to continue to test additional systems even when detected, this person's job on your premises has come to a successful conclusion; the physical security has been tested and verified. – Ghedipunk Dec 05 '19 at 19:24
  • Keeping them in the most sensitive and critical room in your business is probably not a great idea. – schroeder Dec 05 '19 at 19:41
  • This should have been covered in the prelim engagement meeting. – schroeder Dec 05 '19 at 19:43
  • @schroeder s/server room/janitorial closet/g. I'll be sure that if this ever happens that they get moved somewhere more appropriate. We haven't had this situation (yet), but I'd like to be a bit more prepared to know what to do, especially if I'm not aware of a pentest happening until I catch someone. Could have probably structured the question better. – Kaz Wolfe Dec 05 '19 at 20:15
  • I think then that you have created an unrealistic scenario. What you should do would be defined in the rules of engagement, just like it was outlined in the question you linked.... – schroeder Dec 05 '19 at 20:34
  • @schroeder Alright, it being an unrealistic scenario is actually a good thing I'd think. I've never been in a pentest (nor in planning), so if this is typically covered in the preliminary engagement meeting and someone _should_ know then I think all will be good. Thanks for marking the question as a dupe and I'm sorry for the bad question. – Kaz Wolfe Dec 05 '19 at 21:06

1 Answer

Start by releasing him from those handcuffs. If the permission to attack slip did truly check out, then John is not a criminal. He is simply a poor guy hired by your company trying to do his job, and has now found himself handcuffed to a chair. As such, I have my doubts he would try to run or attack anyone, so it should be safe to release him.

As mentioned in the comments, John's cover is blown. Unless the rules of engagement state that he should continue with his pentest, there is nothing left for him to do there. I would escort him out of the building instead of asking him politely to leave, as trusting him to leave the premises seems like a poor security control and this is a test of your organization's security, after all.

The fact that he was caught is a good sign. Even though he was able to enter the server room, the organization's security has held up well in this instance by stopping John from planting what is probably a backdoor device. So if anyone finds themselves here, good job. After this incident, I would get things worked out on how to fix this lapse of information in the future. I would think the person on the PtA form should know what to do, given that he is listed on the PtA form, and as schroeder mentioned, this should have also been covered in the preliminary engagement meeting for those who were in attendance. Someone should know the answer to this question, and it should be straightforward to contact them. If it isn't, I would get in contact with the head of security and ask them this same question.

ExecutionByFork
  • You really should NOT just let him go out unsupervised. I've heard/read some stories of people who say "I'll just go out and get my papers and I'll show you the proof" after getting caught then just escape. The point is that they were left unsupervised. If a pentester or a criminal is caught and left alone, they can continue with the test/crime while you're not looking. From what I've heard, that's also part of the test. You have to continuously monitor them and not allow them out of sight until everything is confirmed and they're escorted out of the facility. – ChocolateOverflow Dec 06 '19 at 04:33
  • Finally you should probably do a sweep of the building, a pentester may not work alone, there may be a whole team in there in various guises doing various things. Also look for anything he touched getting to the room and anything he touched in the room between the alarm and you getting in. Escort out, sweep the premises, check CCTV and such. The response is as important as the detection. – ewanm89 Mar 11 '21 at 12:57