Physical intrusion as a method in cyberattacks - Case
Hanna Ljung
Human Risk Management | Certified Security Awareness Professional | Social Engineering
Seconds after I am done hiding the device, a person enters the room. He gets something from the shelves behind me. How can he not hear my pulse pounding? How come he does not question what I am doing there?
Physical intrusions are real
Today’s hackers do not wear hoodies and hide in basements. They look just like you and me. Today's threat actors use all means necessary to succeed with their cyberattacks. They may walk straight into your office.
A threat actor has several reasons to use physical intrusion as a method in cyberattacks. One is to plant a physical device and connect it to the organization's network. The device listens to and logs all network traffic, and the threat actor can connect to it remotely. The gathered information can be used in several ways, one being to steal usernames and passwords.
Other reasons are to find internal and confidential information, to learn how to navigate the premises, and to photograph information of interest, such as confidential documents.
All the information the threat actor is able to gather may be crucial for later phases of the cyberattack. Two more reasons may be for the threat actor to make acquaintances with employees and find out information just by talking to them, or to steal equipment, such as computers or other hardware.
How to get physical access
Threat actors exploit the fact that humans are helpful by nature and usually want to avoid conflict. One way to get past locked office doors is to tailgate an employee who has access, such as yourself. You might even unlock and hold the door open for the threat actor without a word being said between the two of you, especially if the threat actor looks stressed, is carrying a takeaway coffee and is talking on the phone, with both hands occupied.
Dress the part
Another method is to dress the part. A threat actor may disguise themselves as an electrician, cleaning staff or the janitor. This way the threat actor deceives you into believing that they have a legitimate reason to be there.
A threat actor can potentially gain employment at your company. This gives them a legitimate reason to walk around the premises, and the possibilities of what they can do become almost endless. Another possible way is to use a third party to gain physical access, such as gaining employment at the cleaning service provider.
Preparations are crucial
Before attempting to plant a device, time is spent gathering information about which facility is the most suitable one to target (if there is more than one). Factors such as types of entry systems, video surveillance, the presence of physical guards and intrusion alarms are taken into account. Once a facility has been identified as the primary target, time is spent mapping staff movement patterns and which exits they use. The reason for this is to find the appropriate time during the day to carry out the physical intrusion. The scenario on which the intrusion is based, in combination with the appropriate time, determines when the attack takes place.
Methods of planting a device – Cases
Methods I have used when successfully planting a device at a customer’s site include walking straight up to a staff member and asking to get access to a conference room. I have walked in as any other staff member by pretending to belong there. Another time I attended an event at one of the customer's sites. That gave me a legitimate reason to get internal physical access inside the facility.
Physical intrusions are a real threat
You can be the one to stop a cyberattack. You can do this by stopping a person at the office entrance who is trying to tailgate you. Physical intrusions are a real threat, and you have to be aware of them to be able to do anything about them.
Organizations have to raise awareness among their users about this method used in cyberattacks. There has to be a culture of security, where you are able to stop a person at the door without the fear of creating a conflict, even if it is a colleague you have had lunch with for the past five years. With a culture of security, that colleague will understand why you will not let them in using your access badge. With a culture of security, it is easier for you to act and make safer decisions.
Here is a question for you - how many times a day do you hold up a locked door for the person behind you?
I am a criminologist, a behavioral scientist and a cyber security advisor. I help companies with organizational and strategic questions and challenges regarding cyber security. I specialize in the human factor, physical intrusions and awareness education.
In the upcoming article, the last one in this series of articles, you will be able to read about the exploitation of psychological factors used in cyberattacks.
Licensed Vocational Teacher in Electrical and Alarm Systems
4 years ago
A colleague and I are starting with physical pen testing in Sweden since we see that the awareness isn't there. For information, you can contact me.