Ryan Edmondson will do anything to get in your building. And once he gets in, he gets busy.
“I’ll plug in USB drives,” said Edmondson, Technical Services Manager at 360 Advanced. “I’ll follow your employees around. I’ll clone their badges. I’ll pretend to work there. I’ll try to get hired there. I’ll do anything to get in—all I need is one lucky person to fall for it.”
Businesses in 2021 endured 50% more cyberattack attempts compared to the previous year. And in 93% of cases, hackers are successful in their efforts to breach an organization’s network perimeter, according to Forbes.
What is Penetration Testing?
Penetration testing—an authorized ethical hack on a computer system to discover security weaknesses—is a company’s effort to get ahead of and mitigate cyberattacks.
How Do Pentesters Do Their Job?
It all starts with the reconnaissance phase, said Bryan Martin, Pentesting Practice Manager at 360 Advanced, with the goal to observe and find the routes that would reveal the most information.
It’s like a scavenger hunt with the goal to cross “enemy lines.”
“You find anything you can identify, and you just start building a target package,” Martin said. “Can we gain access into their territory without being detected and without being caught?”
Martin trained in the US Navy as a Joint Cyber Analyst, leading a large team to monitor Intrusion Detection Systems and Intrusion Prevention Systems sensors across the Department of Defense Information Network.
Edmondson earned his degree in Network and System Administration from Strayer University after serving in the US Army for six years. As an Infantry solider, he conducted widescale reconnaissance and surveillance operations. Edmondson is also a skilled red teaming expert.
What is the Difference Between Penetration Testing and Red Teaming?
While penetration testing is a simulated attack against your computer system, red teaming tests everything: people, processes, and technology.
Red teaming is more complex and more comprehensive than a penetration test. It takes more time. It tests in various ways how a business would withstand a malicious actor who is trying to break into the systems.
Red teaming is appropriate for targets such as government buildings, nuclear power plants, banks, and others, which are uniquely positioned to cause major damage if hacked.
Edmondson frequently uses drones in the reconnaissance phase of red teaming. One successful flight over the rooftop of a 3-story data center led to a discovery of an open manhole next to a radar tower.
“It took me three hours and that company was mine all because they left one entrance unlocked,” he said. “I just crawled through the hole in the roof and plugged in.”
Edmondson often deploys cunning maneuvers to conduct red teaming exercises. In one scenario, he bums a cigarette off an employee entering a building for the chance to lift the credentials off their badge. He has walked into employees’ empty offices to see if the camera catches him. He’s called unsuspecting employees and pretended to be from a federal bureau to get personal information.
In one successful hack, he sent USB drives to employees in envelopes with an Amazon logo to see if they’d use them.
“We just sent them to people and people started plugging them in, and we started getting access to machines,” he said.
He’s even acted like a rogue employee with a score to settle because he knows insider threats are prevalent.
“I’ve seen it where people have cut cables and shut companies down for a day,” he said. “I’ve had to fix it, and it’s not fun.”
The industry you’re in determines if you’re a suitable candidate for penetration testing, red teaming, or somewhere in the middle, Martin said. Physical security assessments fall in the middle—they’re more complex than penetration testing but not as comprehensive as a full red teaming exercise.
Martin and Edmondson’s jobs are to put themselves in the mindset of real hackers and act on it. Yet, their creativity, agility, and skill are employed expressly for the purpose of keeping businesses safe.
“I’m going to execute the exact same chain of attacks that you would get in a real attack scenario without causing you real harm to your business or people or technology,” Edmondson said. “I don’t want to take you out of business trying to keep you in business.”