Conducting a security risk assessment in the mind of an adversary

Red Team Services, a Case Study

A prominent global AI technology company faced a growing concern that their sites and business critical assets were easily accessible to potential threat actors. These assets were out of the ordinary — they were exceptionally high in value and directly tied to the client’s strategic objectives. Just one misstep and the entire organization’s business operations and their reputation as a leading innovator within their industry could be damaged. 

Amidst recent credible threats that confirmed their adversaries were intending to gain access, the client turned to Rozin Security Consulting to address this concern, leveraging their cutting-edge Red Team Service which provides a comprehensive assessment from the adversary’s standpoint. The assessment also drives proactive change in security operations, helping create a partnership between departments and the Red Team and pinpointing exploitable vulnerabilities — thereby reducing the likelihood of a catastrophic security incident. 

The client was left with not only a detailed report that identified weaknesses, but also several actionable recommendations for the continued development of their program and investment in future solutions. 

The Challenges

Recognizing the vulnerability posed by threats from adversaries, the client was determined to ensure that intellectual properties and critical assets at each of their four California sites were securely protected. The materials under development at these locations were indispensable to the client’s current and future success in their industry. Any compromise to these materials could have far-reaching consequences, potentially affecting their operational capabilities, financial stability, and the integrity of their reputation. 

Challenges Before Rozin Security: 

• Insufficient Research to Assess Threats — Restricted data available to evaluate threats in the competitor landscape, lacking the ability to conduct due diligence to identify publicly available information that could be leveraged by a threat actor 

• Effective Assessment Policies — Pressure from compliance to conduct a thorough security assessment of this asset — only a standard security assessment had been performed in the past using internal set compliance standards 
• Change Management — Internal frustration within departments, as a previous assessment that was unsuccessfully conducted created a lot of tension 

Our Solution

To assess the full scope of vulnerabilities the client faced, Rozin Security simulated attempts by malicious actors to breach the sites to determine their ability to deter, detect, respond, and preemptively intercept potential threats.  

A team of specialists were assigned to holistically test the client’s security operations, simulating the attack cycle of a sophisticated threat actor. This included: 

• Pre-attack planning over the span of five days (Planning uncovered the site layouts and blueprints of each location, current projects, security posts and patrol patterns, persons assigned to the site and associated attire, potential unsecured points of entry and door hardware, access control technology, and video surveillance camera capabilities.) 
• Conducting open-source research to identify publicly available information that could be leveraged by a threat actor.  
• Performing surveillance (by Rozin’s field operators) on each site’s physical, technological, and operational security measures, and developing a plan to overcome them. 

The Red Team operators then developed a bespoke plan to breach each site. The pre-attack research and planning allowed operators to test the security apparatus at each site, bypassing many of the physical, technological, and operational security measures. The Team replicated the below potential methods of action to test the sites’ security measures: 

• Security guard and vendor impersonation to gain site access  

• Diversions to redirect security personnel from breach points 
• Theft of physical access control keycards/employee IDs and two-way radios from site security personnel 
• Advanced phishing techniques to illicit information and assistance from site staff  
• Bypass physical door hardware using commercially available tools 
• Challenging security policies, including tailgating and the issuance of temporary badges 

All in all, significant vulnerabilities were identified in existing operational, physical, and technological security measures. Rozin Security achieved all assigned objectives described above — most notably, simulating the exfiltration of sensitive information/devices, demonstrating the capability of planting malicious software onto vulnerable workstations, and accessing key secured rooms. The team was able to gain access to the client’s secure buildings and navigate within them, remove prototype devices and sensitive information, and simulate the placement of covert technical surveillance devices. 

The Results

Security is a team sport, and placing the entire burden solely on one team creates vulnerabilities that can be easily exploited. However, delivering that message to other areas of an organization and ensuring they understand the consequences of keeping security measures status quo is extremely difficult without the right data and concrete examples. 

At the conclusion of the Red Team Service, the client was left with: 

• A hyper-realistic understanding of their vulnerabilities — empowering them to share specific instances of what could be capitalized on and the potential for misuse   

• NEW: Now the client had examples and data (I.e., it took 7 minutes to breach access point 12 on site 2) to support budget requests. 

• Policy changes that could be easily implemented 

• NEW: An internal security standard was set for organizational assets that require a high level of protection. Instead of simply assessing security by internally set compliance standards, their assessment matched the capabilities of a more sophisticated threat actor. 

• An invaluable sense of trust among internal teams 

• NEW: The Red Team Services engaged areas beyond just security so multiple departments were aligned with redesigning their physical security measures and enhancing the level of technological solutions used. The client commissioned additional Red Teaming Services for a multitude of additional highly critical organizational assets moving forward. 

Today’s threats are growing increasingly more and more complex and cannot afford to be met with yesterday’s standards of protection. Leveraging Rozin Security’s adversary-minded approach to identifying vulnerabilities, the client was able to assemble a comprehensive strategy for heightened protection – putting concrete, realistic examples of threats gone awry in the hands of senior leaders.  

This information helped secure an immediate and significant investment in security measures for this business-critical asset, setting a precedent for future Red Team engagements.