The mission of Locks & Leaks is to promote the physical security red teaming profession, elevate the discipline, and develop a practitioner community to advance and mature red teaming tradecraft. Our core is red teaming - but our mission is ultimately to help our organizations (and blue team partners) make better security decisions and systems. To do this, we need effective and mature security risk management - a concept that frequently eludes even the best-staffed security organizations.
Below is an outline of the L&L structure. As new posts are published, the below text will turn to links.
Locks & Leaks Overview
Chapter 1: Physical Red Teaming Introduction
1.2 - What’s the Point? Why do organizations conduct physical red team assessments, and who should do it?
1.3 - Red Team Resources: Equipment, vendors, job descriptions, and training resources [Github - updated monthly]
1.4 - Types and Approaches
Cyber vs. Physical
Internal vs. External
1.5 - Ethical Considerations - An Introduction
1.6 - Legal Implications of Red Teaming
Chapter 2: Physical Red Teaming as a Profession
2.1 Breaking into the Profession
2.12 - Part 2: Fundamentals and Context of Physical Red Teams
2.13 - Part 3: Skills & Knowledge of Physical Red Team Operators
2.14 - Part 4: Getting a Job as a Physical Red Teamer (Employability & Leadership)
2.2 - Growth as a PhySec Red Teamer
You’re through the door and are now a red team professional, now what?
2.3 What does maturity look like?
Envisioning a robust and mature PhySec red team profession.
2.4 - Red Team Analysts
The secret weapon on a team full of secret weapons.
Perspectives: Analyst | Manager
2.5 - 12 Tradecraft Talents
The areas of expertise that can position you as a sought-after operator for red teams (or broader security teams).
2.6 - Building a Profession
What does it take to develop a standalone profession?
Gap Analysis: Where does physical red teaming fall on the profession maturity chart?
Chapter 3: Building a Red Team
Choose a Red Team Model
The Foundation
Red Teaming in Industry Standards
Key Partners for PhySec red teams
Internal: Within the PhySec Org
Internal: Across your Company
Internal: With other company red teams
External: Across the Industry (RT vendors, exploit vendors, other RTs)
Governance Documents (Red Team handbook, communications plan, etc.)
“That’s On Me”: Owning Red Team Mistakes and Misfires
Legal Eagles: When and how to work with your legal team
CMMI for Red Teaming: Certifying that you have de-risked your red team
12 Step Roadmap to Starting a Red Team
Chapter 4: How to Prioritize as a Red Team
Overview
BANPE: Brainstorm, analyze, narrow, prioritize, execute
Poison Circles
Threat Modeling
Tactics
Threat Actor Identification, TTP review, and complexity determination
Types of Tests
Scratching the Surface vs. Deep Dives
Threat-Focused Tests
Vulnerability-Focused Tests
Asset & Impact Focused Tests
Prioritizing Frameworks and Templates
Using Planning to Promote Buy-In
Prioritization Factors
[Resource] Prioritization Template
Monthly Vendor Testing
Chapter 5: Red Team Types & Targets
A series on how to safely test non-traditional security teams.
Breaking into Buildings (BiB)
Executive Protection
Event Security
Mail Screening
Security Awareness (tailgating, unescorted visitor, etc.)
Crisis Management
Data Centers
Analytical Red Teaming
Countersurveillance Detection Teams
TSCM Program Testing
Training Staircase (Training, Workshop, Drill, Exercise, Red Team)
Chapter 6: Red Team Tradecraft
Tradecraft Overview
Red Team Tools
Surveillance
OSINT
Probing (TED - Try Every Door)
Door/Lock Bypass Options
Lockpicking
The state of RFID Hacking, badge cloning, and access control exploitation
Social Engineering
Ethics & Social Engineering
Cover Stories & Escape Plans
Destructive Entry
Chapter 7: Red Team Lifecycle
A step-by-step guide on how to carry out your red team
7.1 - Phase 1: Proposal
What is a proposal, and why write one? Learn how to proactively address detractors, gather buy-in, ensure safety, and get CYA approvals.
Scoping a Red Team Assessment
[Resource] Red Team Proposal Template
Safety & Security Considerations
[Resource] Template and Examples
Armed Security & Law Enforcement
7.2 - Phase 2: Planning
Resource Allocation, Timeline, & Budget
Communication Plan
Stakeholder Engagement planning, and creating the appropriate communication channels (internal within the team, external to various people, law enforcement notification, etc.)
Go/No-Go Decision
7.3 - Phase 3: Execution
Safety Briefing, Notifications, and Communication
STOPOP: Knowing When to Stop
7.4 - Phase 4: The Aftermath
Closeout: Ending the Operation (how to STOPOP)
Tagalong Tasks
Actions to take 1 minute, 1 hour, 1 day, and 1 week after STOPOP
7.5 - Phase 5: Reporting
Communicating Findings to Leadership
Writing a Red Team Report
[Resource] Red Team Report Sections (describing vulnerabilities, severity, complexity, and potential mitigation options)
7.6 - *Phase 6: Vulnerability & Risk Management
Who Tracks Red Team Findings?
Vulnerability & Risk Management Teams
The Red Team
Ways of Tracking Red Team Findings
Convincing Leadership to Mitigate Risks
7.7 - *Phase 7: Trend Analysis
Identifying and Highlighting Trends in Red Team Findings
7.8 - Phase 8: Retesting
Retesting Overview
*Typically not completed by the red team.
Chapter 8: Red Team Lifecycle for Consultants
The lifecycle of conducting a red team assessment should largely follow the above lifecycle. Several additions are essential for third party consultants:
When to Red Team: More importantly, recognizing when a client is not ready for a physical penetration test.
Proposal: Drafting a business proposal and Statement of Work
Identifying which phases the client wants involvement with.
Chapter 9: Covert Chronicles
Sanctioned crime stories and lessons learned while (mostly) safely conducting red team assessments:
Long Guns & Lessons Learned
All It Takes is a Vest
My First Time
When the Red Team gets Red Teamed
“Please Stop Chasing me, over”
Hiding a Secret Safe
Low-Speed Chase
Scooter Surveillance
Chapter 10: Resources
We have a selection of resources available to our paid subscribers. These are the templates, graphics, reports, and other resources that are used by some of the largest physical red teams to date. Our goal is to provide security professionals with the resources and tools to make physical red teaming easy, safe, effective, and commonplace. Check out our resources below:
Threat Assessment Template: Edit-ready graphics to visualize threat actors and their TTPs for red team reports and operational proposals.
Letter of Authorization: Also known as the ‘get-out-of-jail-free’ card. A standardized and edit-ready template that simply portrays the information and authorization that all red teamers should carry.
NOTE: We strongly discourage the use of fake Letters of Authorization to “test” whether security personnel believe the letter or not. This harms trust and the red team industry in general. Please don’t do this.
Threat Modeling: Edit-ready graphics to visualize the full threat model for a red team operation. Good for red team reporting, operational proposals, or risk assessments in general.
Operational Risk Management Template: Prior to any red team assessment, the team lead should consider a variety of risks that could impact the assessment. From EH&S, armed personnel, the public, de-escalation, and more - there are a variety of sections used to identify and proactively mitigate risks associated with the assessment.
Red Team Proposal Template: For internal red teams who prepare proposals or Operational Plans prior to an assessment, this template outlines the key data points, language, approach, and graphics that aid a team in planning an assessment. Whether you need to seek approval, or simply want an Ops Plan to CYA prior to an assessment - the Proposal Template covers it all.
Physical Red Team Report Template: Detailed report to outline findings of a red team assessment.
Red Team Findings Tracker: A vulnerability and risk tracker for red team findings.
Want to help Locks & Leaks?
If you have expertise, experience, insight, or interest and you can contribute, please email us. We are always looking for writers, different perspectives, resources, and more.
Great info! Where can I access the templates or items marked "resource"?