Every large information security firm in the market offers physical pentesting, and most large in-house security teams do semi-regular physical pentesting. I was hoping this would be a story about the complications of doing physical pentesting on sites where the use of deadly force is authorized, but instead it's an article of the type you'd have expected to read in the late 1990s, when this stuff was exotic.
Amusingly, we did this at the Army Reconnaissance Course. I was in one of the last courses still based out of Fort Knox before the Armor School relocated to Benning, and our capstone field event was basically a survivor pool where we split into teams starting at the perimeter of the installation and gradually moved inward, surveilling all of the facilities while the school staff tried to find us. Whoever was the last to get caught won.
The MPs and US Mint Police were, of course, told we were doing this so they wouldn't shoot us. I do recall an incident from a bit more than a decade back, I think at Fort Bragg, where a soldier going through the special forces Q Course was shot by a police officer.
I remember reading about that last one. I believe that was a case where the Army runs the course in an area where local law enforcement and citizens role-play nationals of a fake foreign country, and the guy tried to bribe an LEO with fake "money" as if he was in character as a third-world cop. But the LEO wasn't part of the exercise, tried to arrest the guy, who resisted because he thought it was in-character, and things escalated from there.
Years ago I was one of those grumpy-looking guys with a rifle standing next to those "USE OF DEADLY FORCE AUTHORIZED" signs, or directed the responses of said grumpy-looking guys.
This is all anecdotal and will vary wildly by org and era. So if you were to compare, say, a NATO WSA during the Cold War against a modern colocation facility that occasionally trots out crew-served weapons for marketing photoshoots...while both are secure facilities featuring some degree of lethal response capability, these will have very different liability profiles and rules of engagement. But in both cases there will need to be procedures in place for evaluating on-duty armed guards in a manner that doesn't get anyone hurt.
For routine training during shifts, a training exercise is openly declared. This can be done ahead of time, or an evaluator may do so by surprise - it all depends on what procedures and scenarios are being evaluated. Once the evaluator/actor is detected or challenged by guards (or some other threshold is passed during a scenario), an exercise is declared out loud. Normally, this will happen before anyone in that scenario might reasonably need to use force.
The exercise declaration is accompanied by a quick "safety briefing" over the radio to response forces with routine reminders on what to do if an unsafe act occurs, so guard forces know to appropriately pretend (shout "bang", blink flashlight, etc.) instead of actually firing upon intruders. There's a degree of make-believe roleplay once the exercise is active, since discharging duty weapons in real life comes with mountains of paperwork that I don't want to think about even decades later. Of course, less harmful forms of force may still be permissible (and expected!), such as various restraint techniques or handcuffing/zip-tying resistant bad guys.
For any competent org, this sort of training happens constantly and with enough variation to keep everyone on their toes. The role of "bad guy" is rotated between different guards, so everyone has a chance to attempt breaking into various restricted areas and enjoy tasting the various flavors of pavement around base as we tackle each other. An exercise of one type can snowball into another: if I manage to catch some unsuspecting lazy troop unawares and "kill" them (usually with a "Surprise! This is an exercise, you're dead, do not answer your radio."), then while they're tagged out (and chewed on by their sergeants about situational awareness), a quick response force is scrambled from available troops on shift to stop us. By this point everyone on shift will know the situation has escalated from a failed pentest into a nasty wargame and should act accordingly.
Bear in mind that these sorts of live exercises are meant to evaluate procedures and test readiness in situ - the forces involved may suddenly be interrupted by real-world duties and time constraints. Live force-on-force training conducted with blanks, MILES gear, airsoft or whatever less-lethal weapons they have these days would be during designated training time and not on shift.
> He prefers his own “escalatory approach”, working through a system via an administrator’s access and searching for a “confluence”, a collection of information shared in one place, such as a workplace intranet.
Was this a mistaken transcription for Confluence, the Atlassian app?
It sounds like the journalist didn't know what Confluence is and thought it was a term of art for any generic intranet.
edit: to those saying the word makes sense without referring to the Atlassian product, I'm not buying it. The journalist put it in quote marks, which to me suggests he thought it was a term of art — if he instead meant it metaphorically, I don't think he would have phrased it like that. It's also just an odd word to use to describe the idea.
The dictionary meaning of "confluence", namely an aggregation or coming together of disparate sources of stuff (information, in this case) into a single place, makes perfect sense here. And searching for places that lots of information gathers seems like a sensible approach to me. The fact that one product happens to have the same name didn't even cross my mind.
Confluence literally means the junction of two rivers, genericized it's where two or more things join or occur together ("a confluence of events"), so it could be either. But naming Confluence (the web application) is very specific, not everyone uses it.
Confluence, n.: a collection of semirandom characters emitted by employees trying to look busy, interned in a series of secure silos, with stringent access controls, to hide the evidence.
This is what happens when people 'sanitize' their writing with an AI. It doesn't often understand trademarks or context, so we get stuff like this.
I imagine the real human-written sentence was "Trying to get admin access via a Confluence exploit," of which there are many, and an app that IT groups take their time updating.
As I wrote in the sibling comment to yours, it really could go either way. A confluence, a place where you find a lot of information like an intranet shared drive, is a reasonable interpretation without the original quote in place. But so is Confluence the application as an example of a confluence which also exists on an intranet, and the writer misunderstood and (being a writer) used their familiarity with English to infer more than was said.
We don't need AI for either interpretation, just familiarity with English.
Ok, so, assuming these facilities are indeed "top secret bases" that have armed security, military or otherwise, how do red teamers not get shot? Do they get right up to but not complete the intrusion? Do they inform security of the intrusion attempt and, if so, how do they defend against the hilarious possibility of actual baddies working at the same time?
These questions might have obvious answers. This isn't my line of work. I'm honestly interested in how they accommodate the need to (a) not kill the vendor and (b) still protect the facility.
What is terrifying is the US 'justice' system. It is set up to get people locked up, whoever the Sheriff wants locked up. What a tragic story about a supposedly civilised country.
Interesting, but it ended so... abruptly! I was hoping for a LOT more. I think if you're interested in this subject area you must get a copy of Ghost In The Wires and The Art of Intrusion by Kevin Mitnick.
A more accurate modern depiction would probably be incredibly boring, at least the actual physical part, because it's mostly people tailgating, walking into the nearest empty office, and plugging a small box into the network port.
In tech we usually assume "confluence" means the Atlassian product, not "a merging of several items".
One of my favourite episodes is the account of two people breaking into a US courthouse [1]; it's both exhilarating and terrifying.
[1] https://darknetdiaries.com/transcript/59/
How I rob banks
https://www.amazon.com/How-Rob-Banks-Other-Places/dp/1119911...
Anyone have any movie recommendations for a more modern version of Sneakers (great movie)?