Physical cyber threats: What do criminals leave when they break in? 

Many organizations have maintained heavy investment in cybersecurity over the last year, even in an unpredictable time when other spending has faltered. Gartner estimates that IT security and risk management spending still grew 2.6 percent even as IT spending as a whole fell by 8 percent.

However, while businesses have continued to fortify their networks against remote invaders, most have overlooked the potential for cyber threats from physical intruders. With very few exceptions such as government facilities, organizations tend to be extremely vulnerable to cyberattacks that involve a threat actor gaining direct access to the infrastructure.

While such attacks are extremely rare in comparison to the endless virtual attacks launched every day, physical security gaps can allow threat actors to circumvent otherwise strong defenses to inflict serious damage. Unlike an ordinary burglary, the threat is not what is stolen by the intruder, but what they leave behind – anything from keyloggers to backdoor malware. It’s especially important that organizations that are in high-risk sectors such as finance be prepared for such attacks.

Fortunately, however, with the right precautions it is possible to minimize the risk of a physical intruder, and spot incursions based on digital and physical evidence left behind.

How do intruders breach the building?

The first part of any physical cyberattack is gaining access to the building, and our red teaming exercises have found this is often shockingly easy to do. While you might forgive a business for being caught out by an elaborate Ocean’s Eleven style heist, all too often it is easy enough to simply walk in.

We have often found that even in industries that have good cause to take their physical security seriously, the focus tends to be on specific valuable assets rather than the building as a whole. Banks, for example, will obviously have their defenses focused on secure vaults and strongrooms to protect cash and other valuable items, but the office portion of the building will be lightly secured.

One of the most straightforward tactics is to simply tailgate an employee through the doors. People tend to instinctively hold doors open for others coming in behind them and are unlikely to question it. Or perhaps, if the building has a back entrance where smokers congregate, the imposter can simply join them for a quick smoke and then drift inside with the crowd.

Invaders rely on the fact that most people want to avoid directly challenging others, even if they don’t recognize them. This is particularly true in a shared office environment or at a location that receives a lot of visits from guests and contractors. With many buildings standing largely empty due to social distancing, it can be even easier to go about unnoticed at larger locations.

Even if there are dedicated security checks, these can be quite easily bypassed in most cases. In one red teaming exercise we conducted at a bank, for example, our operative wore a mock-up of the firm’s door passes. The pass contained an RFID chip so it triggered a reaction from the scanner, and the guard was happy enough to wave them through with the excuse that the card must be faulty.

Physical cyber threats What damage can you expect?

As mentioned, the risk here is less about what attackers steal, and more about what they leave behind. One of the most effective techniques is to leave a small drop box device attached to the network. These are inconspicuous and can be easily hidden under desks or on other devices such (e.g., the office printer). Such devices can be used for a number of purposes, such as monitoring and exfiltrating data or serving to facilitate command and control (C2). Drop box devices can be set up relatively quickly, making them ideal for covert intruders on a time limit.

Given enough time, attackers can pull off any number of malicious activities. Installing C2 or key logging malware via a USB are obvious choices, but they could even go so far as to take out hard drives and image them. Furthermore, if the server room is accessible, they can wreak havoc even more directly. In some of our red teaming exercises, operatives have been able to remain in the office alone for hours after close of business, which would give an attacker ample time to execute more complex activity.

Because security defenses tend to be geared around detecting external threats targeting the network from afar, they are often easily circumvented by direct access. Further, tracing such an attack back to a physical incursion is no easy task, reducing the chances that investigators will find and close the source of the breach.

Preventing a physical cyberattack

As with any cyber threat, prevention is better than cure. Just like with phishing and other social engineering attacks, employee awareness is particularly important. Organizations should consider holding training sessions to highlight the risks and the importance of following building security procedures – including overcoming a natural aversion to confrontation and questioning unknown visitors.

If the building has security or other front desk staff, they must always ensure people are met by a representative of the company rather than being left to move freely. This is particularly important in a post-COVID world where an office might be sparsely populated and running an irregular staff rota. Similarly, the mask mandate means that it is now perfectly expected for people to move about with their faces obscured.

In addition, the building needs to be equipped with security measures, including alarms and CCTV. Alarms will assist when an intruder stays behind afterhours, and CCTV can be used to trace an attacker’s movements to find out where they went and what they did. Any hardware they were near to should then be checked for signs of tampering or unknown devices.

Without CCTV to fall back on, finding drop boxes and other devices can be like looking for a needle in a haystack – particularly in large offices with hundreds of workstations. Server rooms should be secured in the same fashion as any other asset.

Devices that have been left behind can also potentially be located through virtual means, although this is not certain. It may be possible to find their MAC address, but these can be easily spoofed to match a genuine and expected device. Scanning and pen testing likewise may succeed but will not be able to find a device if all its ports are closed off.

One of the more reliable options is to use MDR and real-time traffic monitoring as the device will typically be connecting back to another location and this will allow it to be located in the same way as a normal remotely executed breach.

While physical cyberattacks are rare, they can be devastating for those organizations that criminals view as worth the additional effort. A lack of consideration for physical cybersecurity means that any attacker who dares such a move will likely have a straight path to the company’s most valuable assets. By treating cyber and physical security as two sides of the same coin, would-be intruders will find their plans foiled just as a virtual attacker will be detected and blocked by the best security solutions.