
PENETRATING A CLOSE PROTECTION TEAM


By Hayley Elvins

What is Physical Penetration Testing?

Physical Penetration Testing is a series of carefully orchestrated attack scenarios from the perspective of relevant threat actors.

Our methodology combines client consultation, research, reconnaissance, infiltration, assessment, and subsequent recommendations. This provides our clients with both an effective service and realistic results.

Why would a client request that a CP team be tested?

Our usual requests involve corporate offices, high value residences and even yachts. A typical project would involve set objectives such as determining the online social media accounts of executives, identifying corporate emails used for private purposes and infiltrating certain points within a building such as particular offices, the server room or gaining network access.

However, we are occasionally employed for more unusual tasks, including a recent request to test the capabilities and online profiles of an entire close protection team. In this instance, the test was instigated by an incoming team leader, who very proactively wanted to establish if there were any gaps in the client’s defences.

We have previously been instructed to test a team because the client was considering changing providers and required evidence to justify the decision, or in one instance because the client simply thought they were not effective enough. These tasks have involved more obvious objectives such as making physical contact with the principal.

In this instance our objectives were twofold:

First, we were required to identify who each executive protection / close protection team member was, and to present any identifying information about them which could be used by an adversary in order to threaten, bribe or blackmail them.

Second, we were tasked with gaining access to the residence without detection, specifically targeting the principal’s office and master bedroom, where we would deploy mock listening devices and covert cameras.

What about the privacy and rights of the staff and team?

It should be noted at this point that the team and household staff provided their consent for us to conduct the operation. We wanted to replicate the methods that a genuine threat actor would use and had to strike a balance between meeting our legal requirements and not tipping off the team to our exact methodology or timescale. We did not provide details of our specific intentions, but staff were told that their movements and activity might be monitored, and it was made very clear that this was a learning exercise rather than an attempt to discredit anyone’s capability.

This is the one instance where Covid worked in our favour: as we intended to operate slowly over a long period of time and the lockdown came into effect shortly after we were engaged, we were not at the forefront of people’s minds.

Is the methodology the same?

The stages of the project followed the same principles as a regular physical penetration test but were conducted in a different order. Our project was a “black box” test, which meant that we knew nothing about the people we would be investigating and had to identify the close protection team, their numbers and who they were. This would typically be achieved through OSINT sources including social media, news articles and LinkedIn; however, as the nature of CP work usually means nobody discusses who their principal is, we had to start with surveillance and work our way back to OSINT.

The Reconnaissance Stage

Our client’s residence was well fortified with high perimeter walls, complete external CCTV coverage with motion alerts and window sensors. However, its rural location in a slight valley enabled us to easily create an OP from which we could establish the pattern of life of the staff, visitors, and family. We established that whilst the residential security team operated 24 hours, both the RST and CP team all lived off-site, some in a hotel nearby and some within a 30-minute drive. We conducted a surveillance operation over the course of a month and identified the houses, hotel rooms and vehicles of the 8-man team. This surveillance period also enabled us to identify the staff including the housekeeper, gardeners, nannies, and chefs. We noted their routine, days off and events that occurred at the residence.

The Information Gathering Stage

Once we had established where the CP team were located, we started to identify who they were. This involved some basic enquiries such as reverse searching the electoral roll and using databases which we would expect a serious threat actor to gain access to. We aimed to identify their weak points such as addresses, family members and any activity which could be considered compromising, such as gambling.

The team leader, with whom we had had limited contact, told us to use all of our resources against the team and not to hold back. We found that he usually car-shared with one of his operatives. He drove very carefully and appeared to be genuinely surveillance aware. We had to be very cautious in our surveillance and planned to follow just parts of his route over a series of days. He did exactly what he should and varied his route almost every day. We eventually managed to follow him to a petrol station and took a dynamic decision to place a tracker on his vehicle. We drove a van alongside his car and one of our operators fitted it in about 5 seconds.

All we had to do then was sit back and monitor his route, which led us to his home and that of his team member. We followed his colleague to a local gym and were able to shoulder surf as he entered his email address to sign into Netflix on a cardio machine. This gave us his full name and email; he had an uncommon surname, which helped us considerably, as we were then able to search for online accounts and breach data. We found a historic password which did not match his current email; however, it did give us access to a hotel frequent user account, from which we were able to identify all of his historic stays. This revealed a routine in one destination, which we later identified as a hotel where his principal also stayed. This would have been great intelligence had we represented a genuine threat to his principal.

We identified other team members through a variety of techniques: one through a reverse image search, and one by retrieving a prescription receipt which had been discarded in his hotel bin and left outside the door for rubbish collection. One eventually succumbed to a honey-trap-style date, and one went to visit his parents during some down time, which led us to his previous address, from which we were able to identify his family name and subsequently him.

We viewed partners’ social media where accounts were open. One comment was made by a girlfriend who mentioned that she would be visiting her family soon as her boyfriend was going to be working away. We assumed that he might be travelling with the principal but needed to confirm this.

The entire team had excellent social media discipline; however, some had been let down by posts made by their friends and family, or by small mistakes which they would not have recognised as revealing information about their client.

The information we gained about the team was important in helping us plan our pretexts, ways to obtain further information and ways of infiltrating the residence, but we needed more to build the whole intelligence picture.

One of our top priorities was removing the rubbish from the property. To do this we used an operator to pose as a bin man who was walking along the road prior to the arrival of the bin lorry to ensure that the bins were facing the right way for the lorry to empty. We planned this on a day when the sun was at a low angle and shining brightly towards the security camera covering the bin area. In some ways we wanted to act mildly suspicious to test the reactions of the team. As he passed our target address, he pulled out the top two bin bags and kept walking with them. We later found out that our estimation that the sun would affect the camera was accurate and he had not been seen. The bin bags were emptied, and we obtained a packing slip which had arrived with some designer paint samples; it contained a contact name of someone we then identified as the housekeeper, her email, the residence address and phone number. We also had the intelligence that some sort of renovation was underway. Other important information included an envelope from an electrical goods distributor specialising in kitchenware and a newsletter containing the school details of the principal’s children.

The Infiltration

Optimal conditions for our infiltration of the residence were when the on-site staff was at its smallest. We assumed that when the principal travelled with his family, a minimal RST presence would remain. As we had identified when one of the team was expected to be away, which coincided with the holiday dates advertised on the school website, we started planning to attack over this period, but we still wanted confirmation.

Our previous housing of one of the team had identified a vehicle on his driveway with a for sale sign in it. We phoned to arrange a viewing and said we lived in the village where the residence was; he took the bait and said that he worked near there and would take the vehicle to work, meeting us when he had finished. We arranged a meeting and told him we would buy the car; however, we could not collect it until the following week. He said that he was due to be away, but that we could collect it from his house. This confirmed our suspicions that the principal would be travelling, but we wanted to ensure that his family and some additional staff, such as the nannies, would also be away from the residence.

We took a gamble and used the landline number we had obtained for the residence to make a call pretending to be from a nearby private dentist confirming an appointment for the family the following week. From this we established that the whole family would be away, which we regarded as enough for us to proceed with our infiltration planning.

We made some additional social engineering calls and were near certain that the family would be away for a two-week period; we believed that just a skeleton staff would remain but had no way of knowing for sure. We identified that the housekeeper attended a chiropody appointment every week and was away from the property for 90 minutes, and that one of the RST fuelled the vehicles each afternoon. This provided us with a window in which to gain access to the residence.

The family were observed leaving with suitcases as expected. Once the housekeeper was in her appointment, we phoned the landline, which was picked up by the remaining RST. We stated that we were on our way with the fridge delivery and were confirming that there would be someone home to sign for it.

We drove a delivery van containing a huge American-style fridge box to the residence, knowing that the RST were unlikely to reach the housekeeper to confirm the order. The operators conducting the delivery had paperwork with the housekeeper’s details on it and wore a uniform similar to that of a known delivery company. The delivery people instructed the RST that they had been asked to place the fridge in the utility area, where it should be left still for 24 hours to allow the refrigerant gases to settle; a fitter was due the following day.

We believed that once the housekeeper returned, we would have a very limited opportunity, as she would either open the box or demand that it was collected. We provided a delivery note with an authentic-looking phone number in case she did ring. The fridge that we delivered had been fitted with a false back; one of our operators was inside, ready to cut himself out while leaving the front of the packaging intact enough to survive a quick glance. We had a second operator in the back of the van ready for any opportunistic access, as we did not know how much observation we would be under once we were inside the perimeter.

As we were unloading, one of the team phoned the residence number. The RST took the call but walked away from the delivery crew, who were conveniently making as much noise as possible. The operator from the rear of the vehicle took the opportunity to hide in an outbuilding.

We had previously flown a drone over the property and established that most of the cameras were positioned to cover the outer perimeter. There was one covering the main entrance and parking area, but the inner perimeter area appeared not to be covered. This indicated that the clients were possibly quite privacy conscious and were unlikely to have internal cameras.

As we now had the bonus of a second operator within the property, our fridge operator was under less pressure and maintained his position. As luck would have it, the housekeeper did not come back to the residence after the appointment.

The operators needed to get inside the house before the residence was locked down for the night. The team outside were able to communicate with them and tell them when the staff started to leave. We wanted to gain access just before the last person went home, the doors were all locked by security and, we presumed, the alarm system was set.

The fridge operator let himself out and let the second operator in through a staff door. They then needed to get to the front of the house, which was the client area, without being detected by the RST or the chef. They waited until the second the chef exited and had a small window of opportunity to reach the upper floor, where we did not expect the RST to visit unless they were conducting a patrol or were alerted to our presence.

At this point our operators were in, and the task involved evidencing any personal or security information which could be used against the principal. The remaining objectives were accessing the client’s master bedroom and office and planting the bugging devices. The office was locked, but the lock was bypassed with little difficulty, and the bedroom was unlocked. The devices were installed, and additional information relating to the Wi-Fi network was gained.

Exiting without detection

Once this was complete, we had reached our objectives, but we ideally wanted to exit the property without detection. Various methods had been pre-planned, such as causing a distraction, jamming the window sensors, or cutting the electrical supply to briefly turn off the alarms and cameras. However, our operators believed that the residence alarm had been set, the alarm box was situated in the ops room and could not be accessed, and the electrical system was thought to have backup battery power, so breaking the electrical circuit was not an option. We were contemplating remaining in the residence overnight, but as we were not convinced that the morning staff would arrive with the family away, we implemented plan D.

At 0500 hrs before first light, four of our team drove a large van fitted with amber flashing lights and magnetic replica gas company signs to the residence. Our operators dressed accordingly, pressed the gate intercom with the pretext that there was a bad gas leak in the area, and they needed to cut off the local supply which may affect the residence for some time. They then stated that they needed to take some gas measurements from both outside and inside the property to ensure that it was safe, and the building would not have to be evacuated. The RST obliged and allowed the supposed gasmen into the grounds, unlocking the staff door to meet them. Our operators walked around and pretended to be conducting various checks. This provided the perfect opportunity for the team to distract the RST, allowing the two pen testers to exit the building and hide inside the van.

The area was declared safe, and it was decided that the residence would not be affected by the gas works, and the team all exited the area. Mission accomplished.

The Conclusion

Usually, a very thorough report would be provided to the client; in this instance a team debrief was requested to allow the close protection team and household staff to understand how the operation had been conducted and what had been achieved. The results were taken very well. The team had very high standards; however, they were surprised at how easily we had been able to trace their homes and families. The TL has requested that we go back at a later date to assess whether our recommendations have been implemented accordingly and to identify any new vulnerabilities.

Hayley Elvins started her security pathway in the Royal Military Police, Close Protection Unit. She was then recruited as an Operational Officer in the MOD before setting up Sloane Risk Group, a bespoke security consultancy specialising in counter-espionage solutions and physical penetration testing.
