Peter, Toro's Founder and CEO, has led or supported over 100 penetration tests. He also helped create the UK's first Red Team penetration testing methodology, blending ethical hacking, physical intrusion, and social engineering.
We sat down with Peter to find out how he first got into penetration testing, some of his most memorable pen test experiences and why he believes Toro's approach is different.
How did you first get into pen testing?
Following a career in the military, I worked for a security company that specialised in physical penetration testing (pen testing) and social engineering (persuading people). This involved leading teams to simulate ‘professional burglaries’ to find security gaps on clients' sites.
It was during this time that I was approached by Europe's largest cyber pen testing company, who wanted to try something new: they wanted to attack businesses in the same way that serious and organised criminals were. To achieve this, they wanted to combine cyber and physical pen testing, something that hadn't been done before outside of government. We called this Red Team.
Where did this idea stem from?
Around the same time they approached me, a hacker at Anonymous revealed that "99% of the most successful hacks were the result of social engineering." Why attack the IT system, when you can just trick the human who accesses the system? I believe this opened the eyes of security specialists, as they started to see that pen testing needed to be more than just about hacking systems; it needed to also be about hacking the human firewall. Therefore, to truly understand an organisation's vulnerabilities, people were starting to see that cyber and physical needed to be tested and defended in a joined-up way.
What are some of the most memorable pen tests you’ve done?
There are so many that come to mind, but some of the most memorable pen tests I've conducted involved a rural site scenario. Picture this: it's nighttime, and we're dropped off near the site, dressed head to toe in black, with heavy bags in hand, like a gang of terrorists. We navigated through fields, avoiding detection, to begin our surveillance of the rural site, complete with CCTV cameras and a fenced perimeter.
Whilst we were observing the site, we looked for patterns and vulnerabilities, testing different entry points to find a way in. We distracted the lone CCTV operator and security officer by sending a decoy courier vehicle to the front gate at the same time our balaclava-clad team used telescopic ladders to scale the fence at a CCTV blind spot. Once inside, we gained access to the locked server room using a copy of a real RFID access badge we had cloned from an IT engineer several days earlier. After that our ethical hacker worked his magic, installing devices that provided backdoor access to the network and the customer's critical data and systems.
What I find makes rural pen tests interesting is their covert nature. Unlike urban tests, which often require overt methods like blagging entry, rural settings allow us to blend into the surroundings and operate under the radar. You also must work as a team.
However, not all pen tests go smoothly, and one test in particular sticks in my mind. We were tasked with breaking into a hedge fund's corporate office in the City to access sensitive commercial data. We watched the office for days (hostile reconnaissance) and noted that every evening around 7pm the office manager would check that all staff had left, then manually lock the doors. I infiltrated reception by tailgating an exiting member of staff at around 5pm, then locked myself in an empty storeroom until the office manager finished her checks.
Unfortunately, the office manager decided to set the intruder alarm before leaving the building. I heard the alarm count down, then activate. The only way of exiting the building was through the fire door on the lower ground level, but I was camped out on the 4th floor. We anticipated that the nearby private security company would lock down the building within 2 minutes of the alarm being set off. Face covered, I tentatively stepped from the storeroom into the adjoining office – all good so far. I searched that office, finding passwords in notebooks, photographing confidential waste, and copying data from USB sticks. I installed some hardware into the port of a printer and key loggers into computers. I then cracked the office door to inspect the stairwell for motion detectors. And then I was spotted. The alarm went off and I had no choice but to sprint down five levels, exiting onto the street through the fire door and walking quickly into the night as security officers sprinted towards the building. At a safe distance I observed the security response and called our client to explain what had happened.
I recall another test where I stumbled on a treasure trove of information, thus preventing the client from having a real data breach. One of the security vulnerabilities was caused because our client, with around 150 staff, shared the building with a small company of 30 people who refused to wear visible ID or challenge strangers in the building.
I befriended one of the client’s smokers and then ‘piggybacked’ him into the building through the propped-open fire door claiming I was from the ‘other’ company in the building.
The offices on each floor were small, with only around 15 staff in each. They would likely spot a stranger hanging around in their office! So, I loitered in the stairwell between different levels pretending to be making personal phone calls whilst looking for security weaknesses and eavesdropping on conversations.
I decided that the only way to gain long-term access to the target offices was to wait for staff to leave and, whilst posing as an employee, convince the cleaners to let me in. A tried and tested technique, but I needed to kill around 2 hours somewhere less obvious than the stairwell. I worked my way towards the roof and found a maintenance area above the lift shaft where I sat in the dark. I passed the time on my laptop and Pineapple attacking the client's Wi-Fi. I leant back onto a cardboard box of junk and felt a sharp metal edge in my back. The old boxes were packed with IT parts marked for destruction. I discovered 5 hard drive RAID partitions, which I took back to our forensics lab for inspection. It took 24 hours to decrypt the devices, and we discovered they contained backups of the client's entire cloud storage. We returned them directly to the CISO, recommending they be properly erased before he threw them out with the rubbish!
Another memorable test involved a data centre in a rural industrial park. We left cameras in parked cars watching the main entrances and spent our evenings in the nearby woods observing their strict security regime. There was a permanent security patrol whilst another officer manned the desk in reception.
We phoned reception posing as employees and couriers to understand their visitor process. We couldn't find a physical security weakness, and the cyber security in the data centre was top notch. However, we discovered that the computers in the reception were on a local network connected to a weak Wi-Fi router. We hacked the Wi-Fi, gained access to the network and then remote access to the reception computer, and registered ourselves as employees visiting from another site, so we were greeted with full access badges. Determined to find a physical attack vector, we waited until the client held a planned fire drill. When the alarm activated, the doors to the data centre failed open and our team entered the building posing as staff. We hid in various places until staff returned and we could blend in.
How important is it that pen tests be under the radar?
It’s so important to not let the security team know they are being tested.
We were tasked to infiltrate a government building. We were impressed that security officers were so vigilant during our first few days of hostile reconnaissance but then their standards strangely started to deteriorate.
The client had a planned fire drill, after which all staff were forced by security to tap back into the building. Around 10% of staff didn't have their ID badges and were filtered to the side in a naughty queue to be processed by security. We blended into the group and started chatting with staff. Whilst some had left their badges at their desks, most hadn't brought their badges to work but had tailgated colleagues into the building. One of the security officers came over and apologised for being so strict, but they had been tipped off by the head of facilities management about a secret penetration test happening that week. What we had observed was a heightened state for two days, then the security officers reverting to normal when they thought the test had passed.
Why is Toro’s approach different?
Most Red Team testers have one goal: get in, prove they are inside, maybe access a computer and then leave.
Where Toro is different is that we'll do all the above… then we'll do it again and again and again and again. Each time we test another attack vector, often increasing the risk of being caught each time. I've pushed the boundaries so far once without being challenged that I walked into someone's office claiming to be from IT, asked them to save their work, unplugged their desktop computer and walked off with it!
We want to make sure our customers get the most value from the engagement, so we spend time understanding their business risks and critical assets, and the attack pathways to compromise those assets; then we replicate the modus operandi of their assessed threat groups. We find the gaps and make pragmatic recommendations to help the security team manage those risks.
What happens next?
A pen test provides hard-hitting evidence of failures within their security system. Technical evidence from our hackers, supplemented with covert video footage taken onsite, is impactful and a real opportunity to affect behavioural change.
I find that mature organisations use it as an opportunity to learn from their mistakes, and better focus existing resources for business leaders to drive security improvement.
However, whilst penetration tests are hugely valuable, they are too laser focused to identify all the organisation’s security vulnerabilities.
Therefore, for a comprehensive security assessment I recommend that a Black Box (with no prior information to aid the attackers) Red Team test be followed by a 'White Box' traditional security review or audit. The output is a comprehensive blended security (cyber, physical and personnel) blueprint for remediation that considers all factors and enables a business to prioritise security improvements strategically.
By integrating findings from both the test and the review, organisations can develop a holistic understanding of their risks and implement targeted security enhancement programmes. This strategic approach elevates businesses to a higher level of security readiness, effectively mitigating potential threats and vulnerabilities.