Meet the team paid to break into top-secret bases
A crack team assembles and breaks into a top secret military base or corporate headquarters - you've probably seen it in a film or on TV a dozen times.
But such teams exist in the real world and can be hired to test the tightest security.
Plenty of firms offer to test computer systems by attempting to remotely hack into them. That's called White Hat Hacking.
But the skills involved in breaching physical security, known as Red Teaming, are rare.
Companies that offer the Red Team service have to assemble staff with very particular skills.
Often using former military and intelligence personnel, Red Teams are asked one question.
“How can you break into this top-secret project?”
Leonardo, the giant defence company, offers such a service.
It says hostile states seeking disruption and chaos are a real threat and sells its Red Team capability to government, critical infrastructure, and defence sector clients.
Its Red Team agreed to speak to the BBC under pseudonyms.
Greg, the team leader, served in the engineering and intelligence arms of the British Army, studying the digital capabilities of potential enemies.
“I spent a decade learning how to exploit enemy communications,” he says of his background.
Now he co-ordinates the five-strong team.
The attack is about gaining access. The objective might be to stop a process from working, such as the core of a nuclear power plant.
The first step for Greg and his team is called passive reconnaissance.
Using an anonymous device, perhaps a smartphone only identifiable by its sim card, the team build a picture of the target.
“We must avoid raising suspicions, so the target doesn’t know we’re looking at them,” Greg says.
Any technology they employ is not linked to a business by its internet address and is bought with cash.
Charlie spent 12 years in military intelligence, his techniques include studying commercial satellite imagery of a site, and scanning job ads to work out what type of people work there.
“We start from the edges of the target, staying away. Then we start to move into the target area, even looking at how people who work there dress.”
This is known as hostile reconnaissance. They are getting close to the site, but keeping their exposure low, wearing different clothes every time they show up, and swapping out team members, so security people don’t spot the same person walking past the gates.
Technology is devised by people and the human factor is the weakest point in any security set-up. This is where Emma, who served in the RAF, comes in.
With a background in psychology Emma happily calls herself “a bit of a nosy people watcher”.
“People take shortcuts past security protocols. So, we look for disgruntled people at the site.”
She listens in to conversations at adjacent cafes and pubs to hear where dissatisfaction with an employer surfaces.
“Every organisation has its quirks. We see what the likelihood of people falling for a suspicious email due to workload and fatigue is.”
An unhappy security guard may get lazy at work. “We’re looking at access, slipping in with a delivery for instance.”
A high turnover rate evidenced by frequently advertised vacancies also flags up dissatisfaction and a lack of engagement with security responsibilities. Tailgating, spotting people who are likely to hold an access door open for a follower, is another technique.
Using that intelligence, plus a little subterfuge, security passes can be copied, and the Red Team can enter the premises posing as an employee.
Once inside the site Dan knows how to open doors, filing cabinets and desk drawers. He’s armed with lock pick keys known as jigglers, with multiple contours that can spring a lock open.
He’s searching for passwords written down, or will use a plug-in smart USB adaptor to simulate a computer keyboard, breaking into a network.
The final step in the so-called kill chain, is in the hands of Stanley.
A cyber security expert, Stanley knows how to penetrate the most secure computer systems, working on the reconnaissance report from his colleagues.
“In the movies it takes a hacker seconds to break into a system, but the reality is different.”
He prefers his own “escalatory approach”, working through a system via an administrator’s access and searching for a “confluence”, a collection of information shared in one place, such as a workplace intranet.
He can roam through files and data using the administrator’s access. One way a kill chain concludes is when Stanley sends an email impersonating the chief executive of the business via the internal, hence trusted, network.
Even though they operate with the approval of the target customer they are breaking into a site as complete strangers. How does this feel?
“If you’ve gained access to a server room that is quite nerve-wracking,” says Dan, “but it gets easier the more times you do it.”
There is someone at the target site who knows what’s going on. “We stay in touch with them, so they can issue an instruction ‘don’t shoot these people,’” Charlie adds.