Legal Implications of PhySec Red Teaming: De-Risking the Red Team
Legal Implications of PhySec Red Teaming: De-Risking the Red Team
A "boring" prerequisite for successful operations.
De-Risking the Red Team
How can you move forward with confidence that your red team mitigates exponentially more risk than it creates? By taking the following steps, red team leaders and operators can proactively identify and manage the most significant legal risks while conducting operations.
Step 1: Scope the Engagement
A clear and detailed scope proactively addresses legal risks before the engagement begins. Whether you are an in-house red team or a third-party consultant, having clearly defined scope is your primary document providing authorization for the assessment. This may be in the form of a Statement of Work (SOW) for consultants or Red Team Proposal for in-house teams. Scope should include targets, actions, goals, points of contact, locations, systems, tactics, and more.
Step 2: Determine Attack Types
Actions create risk. Determine the actions you are permitted to and prohibited from taking during the assessment and document them. There will always be gray areas, yet over-structuring a red team engagement runs counter to the red team ethos. Initial conversations with red team operations and the end-user about tactics will create a mutual understanding of the approach. There must also be a clear and quick approval flow for operators seeking to use tactics that were not defined as approved/prohibited in the initial review. This may be as simple as a group chat or text chain; however, it should be in timestamped and in writing.
Step 3: Determine Property Ownership
The majority of red team assessments will fall into one of the below categories. Though this may seem complicated, the easiest way of addressing this risk is to review the relevant lease agreement for any language that would allow or prohibit your red team activities. If that is not possible (it often is not), then steps 1, 2, and 4 are especially relevant.
Fully Owned/Operated: The end-user owns and is the sole occupant of the building.
Action: This is the easiest and most ideal scenario. There is no special action needed.
Owned & Co-Leased: The end-user is the landlord and also one of multiple tenants of the building.
Action: Since the landlord is the owner and the end-user, you simply need to avoid any actions to disrupt or break the lease agreement with other tenants. Leases often include the process for which landlord employees (you) can enter tenant space, so make note that you avoid spaces leased to other organizations.
Sole-Lease: The end-user is the sole lessor of the site.
Action: Depending on the landlord’s day-to-day involvement, this is often a simple scenario where you only need to understand the delineation of responsibilities for security, locks, and more. If you break a window to a landlord space that it outside of your leased area, you may create additional liabilities. Be prepared to smooth things over with the landlord after the assessment, and to quickly pay for fixes of any damage. Make sure you are compliant with any damage clause language included in your agreement, as some may prohibit any intentional damage to their property.
Lease with Co-Tenants: The end-user leases part of a building or property with other organizations leasing other parts of the same site.
Action: The same as “sole lease” with two caveats. 1) Do not disrupt other co-tenants or access their spaces, and 2) take extra care to not destroy any co-tenant property. The end-user is a tenant paying the landlord so typically there is some good-will; however, this is not the case with co-tenants.
Subleasing: The end-user subleases part of a property.
Action: Find the correct situation above and follow instructions. Review the lease and sublease if possible.
Guest or Vendor: The end-user is not a legal tenant of the site to be assessed.
Action: This can be complicated and risky, if not approached correctly. Breaking into a space where the end-user is not the landlord or tenant requires additional authorization by the landlord, tenant, or both. This may occur if a security services company hires an outside consultant to test their personnel or systems.
Government Property: Government property will typically fall into one of the above categories, but may also have additional complications including various departments, which may be standalone entities, managing different aspects of maintenance, security, law enforcement, IT, and others.
Equipment Ownership: Review any equipment that you plan to manipulate, damage, disrupt, hack, circumvent, or otherwise impact during the assessment. Does the end-user have permission from the owner of this equipment to authorize these tests? For example, if Bank of America has an ATM in your end-user’s lobby, and your goal is to test the security in and around that lobby - you must determine whether you can open, hack, steal from, or place a skimmer on that ATM. Typically the answer is no; however, it’s important to review any significant leased equipment and what the scope of actions involve.
The red team is there for a week. The office is there indefinitely. Do not harm their relationship with the landlord or co-tenants.
Step 4: Safety & Risk Plan
Each red team assessment should have a Safety and Risk Plan. Creating, training to, and following this plan ensures that the operators remain safe, and that a wide array of risks is reviewed and addressed prior to the assessment beginning. The Safety & Risk Plan should include reviews of EH&S risks, armed responder risks, privacy risks, law enforcement risks, and more. Specific attention should be paid to any regulations the business operates under and any certifications it maintains, such as:
Regulatory Risk: Banks, casinos, hospitals, and other entities have specific information and physical security regulations that govern their approach to security, their actions during an incident, or the consequences of a breach. Understanding these regulations has two benefits:
Compliance: It allows you to understand their security goals and assess their compliance with the regulations, ensuring the end user has actionable and relevant information.
Non-Compliance Avoidance: It allows you to avoid taking action that would place the end-user out of compliance with the regulations.
Certifications: Some certifications, such as PCI (Payment Card Industry), define the actions to take and consequences of a breach. Understanding the specific certifications that the end-user has (or is pursuing) is important to providing them with relevant and actionable information. It also allows you to avoid actions that would put those certifications at risk. It is important to note that most organizations define a breach as unauthorized access of information. As we will see next, red team access of sensitive information must always be authorized.
The safety plan must clearly identify target spaces and any co-tenant or landlord spaces, along with defining what actions may be taken in each space. To avoid the potential for civil or privacy violations, any video recording should often be conducted without sound enabled and detailed discussions should take place as to what actions can be conducted with employees or the public present.
Step 5: Authorization
The red team must receive authorization, in writing, from a party authorized to authorize the engagement - or an Authorized Signatory (AS). In other words, if a nurse tells you that you can conduct a surgery, that doesn’t mean you are authorized to do so. Many steps need to be taken prior to you being authorized to conduct a red team assessment, the last of which is a Letter of Authorization from an Authorized Signatory. As the red teamers at Coalfire discovered, this should be from both the entities that control the space being tested and the organization that oversees security for that space. Often these are the same entity, so someone in leadership with security, operations, or finance can provide that authorization. However, for government buildings, sites with contract security, or leased sites, identifying the right AS and ensuring that they sign off on the operation is absolutely critical to mitigating your legal liabilities.
Step 6: Notifications
The most frequent cause of legal liabilities is miscommunication. The following proactive notifications should be considered as part of the red team engagement. Each should be balanced with the need for secrecy to maintain the integrity and authenticity of the operation:
Law Enforcement: For any action with a 5% or greater chance of law enforcement being present or called should likely have proactive notifications to law enforcement. Often, security teams or consultants will have a relationship with local law enforcement and can do this informally through their network. Typically, dispatch will notify a patrol Sargeant that security testing is taking place at a specific site and that is sufficient to help de-escalate most situations.
Landlord: Depending on the scope of the engagement, it is often worthwhile to notify landlord leadership that a test is being conducted. This may help head off any issues that arise during the engagement.
Co-Tenants: At times, it is relevant to notify co-tenant security that a test is taking place, especially if they are good at detecting and responding to suspicious behavior in shared spaces.
Step 7: STOPOP
The red team leader must monitor for any legal risks and be prepared to stop all operations (STOPOP) if they feel that the engagement is becoming too risky. All engagements have diminishing returns over time, and a good leader should determine when continuing an assessment may create more risk than it helps to mitigate. Having clear protocols for when and how to initiate, communicate, and follow-through on the STOPOP notification is essential. If the red team leader, analyst, or safety liaison identifies an armed law enforcement response, a real-world incident unfolding, operational disruptions, or inappropriate security response to the red team’s actions, they can quickly initiate a STOPOP and all activities will cease. I have used this many times as armed response officers respond to my operators climbing fences, or as co-tenant security begins to a significant response to a breach of their neighbor’s space, not knowing it was a test.
Perception vs. Reality
When law enforcement, security, or the public arrive, they may not understand or appreciate the nuance of the situation, and they may not care that you claim to be, or have a flimsy piece of paper that states you are authorized to be committing what appear to be crimes.