Navigating the Ethics of Physical Red Teaming
Should you bribe employees, fire those who fail, or send out "you got fired" phishing emails... for the greater good?
Your job is to be unethical, but to do so ethically.
As a red teamer, you must have a clear understanding and solid grasp on the ethics of offensive security. More specifically, you must act ethically while pretending to be a bad guy who often acts unethically. It may seem simple, but to navigate the murky waters of red teaming with clarity and decisiveness, there are only two things you need to do. The ingredients to make you a better and more ethical red teamer are:
1. Have a Code of Ethics
Each individual and company must establish an ethics code, whether formally as a policy, or informally by having principles that you abide by. These may be as simple as “do no harm”, or more nuanced and detailed. Our ethics (and our company’s authorization) are what set us as red teamers apart from criminals.
2. Know How to Apply It to Complex Scenarios
This article is about #2: how to apply a code of ethics in complex scenarios. We do this through real scenarios that we have faced, and that you may face, while in the field. You can use these scenarios to hone, challenge, and apply an existing code of ethics. Or you may use one half of the scenarios to help develop your code of ethics and the second half to challenge and improve it.
There is a great deal of gray area in the field of red teaming in general, and physical red teaming specifically. Over many years, and hundreds of red team engagements, we have encountered some unexpected, dramatic, hilarious, sad, and all-around difficult ethical scenarios. You can find 25 of them below, summarized and packaged to use as thought exercises for red teamers.
If you manage a red team, we recommend having discussions with your team members using the following scenarios. If you are a current or future red teamer, we recommend reviewing each scenario and spending time to write down your thoughts, what you would do and why. Use these scenarios as conversation starters, journal prompts, or thought exercises. By considering ahead of time what you would do in difficult scenarios, you will be able to act decisively and ethically while in the field.
Under what conditions do you include specific names of security officers and employees in your report? If they performed poorly? If they performed well? If they did something unethical? If they did something dangerous? If they committed a crime?
If you are asked to do a red team assessment focused on a specific building, and it’s because the Security Director does not like the security manager at that building, will you accept the work? What are your ethical concerns?
You are attempting to social engineer your way into a client’s building, and you talk to a security officer on patrol. They express grave discontent with their job, and offer to bring you inside the building in exchange for a fake COVID-19 vaccine card. What do you do?
You find out after a job that a security officer who you successfully tricked into letting you in the building has been fired due to their performance. What do you do?
You are tasked with breaking into an oil refinery. You are at a bar across the street attempting to gather information, when an employee there says that he’ll sell you his badge for $200 since he was planning to quit anyway. Is it ethical to take him up on the deal? Do you report your findings to the company? What do you do in the moment, later in the day, and in your report?
You are conducting a physical penetration test of a large data center. After you scale the perimeter fence and use an under-door tool to breach the outside of the building, a security officer sees you from the other end of a long hallway and yells “stay there” as they begin to walk towards you. They are still very far away. Should you run, stay put, or take other action? What factors into your decision?
[Part 1] Your client works in cutting-edge quantum computing. You have obtained access to a highly secured building by tailgating through the first layer of security and by bypassing the lock and alarm on the second layer of security. You are now fully inside the office space with unfettered access. You open a large shred bin with lock-picks without detection and you pull out the un-shredded papers. Do you take photos of the documents in the shred bin? What do you do now that you have access?
[Part 2] Read this on day 2 only. Answer Part 1 without reading part 2. Your client states to take photos of documents you obtained, despite your objection that it is unnecessary to prove that their sensitive data was easily accessible. As you take snapshots of various documents you find clear evidence that an employee is applying for a Chinese Thousand Talents program. What are your next steps?
While attempting to break into a secure office, you find yourself walking down a hallway marked “RESTRICTED - EUROPEAN UNION (E.U.) BIOLOGICAL DEFENSE LAB PERSONNEL ONLY”. You were hired to break into the office of a large bank, but instead you have taken a wrong turn and found yourself in a secured government facility. What are your next steps?
After delivering a report, your manager asks you to remove the section about how the active shooter defense systems (bullet-proof glass, panic buttons, lockdown mode) are not working as intended, or at all.
If the manager provides no reason, what would you do?
If your manager states that the active shooter project belongs to a powerful security leader who we don’t want to anger, then what are your next steps?
You are now responsible for the company’s phishing awareness testing program. Historically they have sent out phishing emails to groups of 1,000 employees at a time, at random, with various approaches such as: “You won a prize for high attendance”, “Your performance review is now available”, and “Your pay has changed, click to learn more”. The program has stagnated, and they have asked you to escalate the phishing emails to achieve higher click rates, so they can push more users into the required awareness training when they fail the phishing tests. What is your approach?
You are hired by a client who asks you to send off phishing emails to employees in an email titled “Corporate Layoffs, You Are Affected” and “You Earned a Performance Bonus!”. How do you approach this project?
You manage a diverse team of physical red teamers who are tasked with testing highly secure government labs. Most engineers and researchers at the lab happen to be men. Historically you have frequently succeeded in gaining access by having one of your red team operators, a woman, social engineer her way into the building. A local security manager comes to you and mentions that she is having issues building trust with the engineers and researchers, and requests that you stop having women lie to them on a regular basis. What is your response? What are you taking into consideration when deciding what to do next?
You are the manager of a red team for a large technology company, and you have a diverse group of red team operators reporting to you. You notice that during social engineering engagements, one of your operators who is black tends to have fewer people question him when he impersonates other employees to gain entry. He asks if he’s allowed to ‘pull the race card’ when trying to social engineer his way past the front desk. What do you say, and what considerations do you take into account?
You are still the manager of the same red team. One of your employees, a woman, is often hit on or asked out while being friendly with security officers or company staff as she social engineers her way into the building. Is it fair to put her in this position? What steps, if any, do you take to safeguard her when in social engineering settings?
You are on a voice-phishing (vishing) call with a flustered facilities manager who is responsible for maintenance at a large bank building. He is busy and talking to you while also working to clean up after some HVAC contractors left. You have been going back and forth with him for 30 minutes attempting to gain access. You find that every time you are pushy, aggressive, or angry he backs down and gives in to your request. What level of stress are you comfortable putting this individual under to gain access?
You were hired by a security manager to break into their high-rise building and attempt to access the server rooms. After backstopping your identity with phone calls, uniforms, business cards, and more, you arrive at the site and let them know you are there to inspect their IDF/MDF rooms due to missing equipment at other sites after a specific technician was fired the previous week. You say that you need less than two minutes in each room, that an escort is optional, and that no servers or equipment will go down. The front desk calls the security manager who hired you and asks him to escort you throughout the building, explaining the situation and the seriousness of the potential damage from the fired technician. Since you had not met before in person, the security manager who hired you starts to escort you throughout the building. It is 63 stories, and you expect visiting every IDF/MDF room will take approximately 3 hours. What are the ethical considerations of this project?
[Part 1] You are tasked with finding an opportunity to target a world-famous executive based on open-source intelligence (OSINT) gathering. The executive and their partner’s profiles are very well locked down, but you found cousins, and nieces and nephews with open profiles. From there, you find the executive’s children’s Instagram, Finstagram (fake Instagram), and Snapchat accounts. Should you continue digging into these accounts and to what extent?
[Part 2] You are on the same job as before. After finding the children’s profiles, you click on their Snapchat username and it begins playing a video of the child out partying, drinking, and later driving a vehicle. That child turned 15 years old the week prior. What do you do now that you have this information?
You are tasked with getting a listening device into a high-level board meeting held at an executive’s home. Surveillance indicates that you are unable to enter the home yourself. After watching those that enter/exit the home you see the dog-walker and the housecleaner as the two best targets to get a listening device into the home. What is an adversary considering for next steps, and ethically how can you approach moving the operation forward without breaking rules, laws, or causing undue stress or risk?
You are hired by a company to test their R&D labs where they are working on cutting-edge technology for optics, believed to be 2-3 years ahead of the competition. You are able to successfully get into their lab and photograph research and prototypes. This impresses them significantly and they begin asking what techniques and skills you have that could be used to glean information on their competitors. They say they don’t want to do anything illegal, but they are impressed and excited by what you can do and want to gain a competitive advantage. What are your ethical considerations, and what is your response?
After making your point clear (whatever it is), they have a group of three security personnel that they ask you to train on your techniques and approaches. You suspect but cannot confirm that these individuals are contractors that they hired to do aggressive competitive intelligence gathering. What are your next steps?
You are approached by a vendor that you have been a fan of for many years. They provide high-quality turnstiles that are very difficult to circumvent. They offer you 8% of revenue from any referrals you send their way. Do you 1) take the offer and, if so, 2) do you disclose it to the client? What are your ethical considerations?
You are doing surveillance in a parking garage of a specific exit that you are hoping to tailgate through or circumvent at night. It’s evening and the garage is nearly empty when a woman emerges from the exit and spots you. You are now sitting in the closest vehicle to the door, and her vehicle is on the other side of your car. Having noticed you and seeming nervous as a result, she turns around and goes back into the building. You were hoping to breach the door in the next 30 minutes before the shift change. What are your next steps and ethical considerations?
You are attempting to gain entry into the highly secure headquarters of a cryptocurrency company where you suspect they keep their digital keys. These are the crown jewels they hired you to find and steal to ensure they are safe. You have been unsuccessful at gaining entry through traditional means and decided to try to lift (subtly steal) a security officer’s badge while they are distracted. Since most of them carry their badge on a retractable lanyard, you decide to gently bump them in the parking lot and use a seatbelt cutter to cut the badge free while they’re distracted. You do this successfully and use the badge to gain access to the secure building. Later, in the debrief, the security officer finds out his badge was stolen during a test and calls his employer (the security contractor hired to provide guards) stating that he was assaulted while on the job, and accusing those that took his badge of assaulting him. What are your next steps as the manager of this team, and what ethical considerations could have gone into the process to prepare for or prevent this outcome?
You are attempting to gain physical access to a large venue. During surveillance you notice that when there’s a medical emergency, the EMTs run out of the perimeter doors and frequently hold them open for anyone coming inside. They also bring patients inside the venue to treat them where the first aid rooms are. You consider faking chest pain or a panic attack in order to gain entry yourself and have them hold the door open for your partner, who printed a fake badge and will try to enter the building as they exit. What ethical concerns do you have about this situation?
We have faced each of these scenarios while in the field. Some details may have been changed for clarity, specificity, or anonymity. If you have questions or want to know how we tackled any one of these please let us know in the comments. We will publish our approach (and our red teaming ethics guidelines) in future posts. As always, stay safe, break things, be ethical, and have fun!