Lessons from Physical Intrusion Testing: Using Overwatch


This is the fourth article in a series in which I’ll be sharing a few lessons learned relating to physical intrusion testing.

In the first article, I provided some background and context, and discussed the importance of modelling a specific threat for an intrusion test. In the second article, I focused on the value of testing multiple layers of security during an intrusion test. The third article focused on reconnaissance and surveillance.

This article is about overwatch.

Not the “vibrant team-based shooter set on a near-future earth” overwatch, but a technique you can use during a physical intrusion test to reduce the risk of detection, and to provide an important layer of safety to the operation.

Overwatch guides the intruder and watches their back during the intrusion. You could think of overwatch as part lookout, part field medic, and part getaway driver. It’s an important role.

In this article, I’ll discuss when to use overwatch, how to position overwatch, and how to communicate with overwatch during an intrusion. I’ll also touch on using remote cameras and drones.

As you’ll learn, overwatch isn’t a particularly sophisticated technique, and it has huge benefits for intrusion testing.

When to use overwatch

Overwatch can be used for almost any intrusion. The technique has more utility for larger complexes that have their own perimeter and inner perimeter area. It’s less useful for a single office building in the central business district, as it can really only support the initial entry into the building.

One point to pay attention to is that you’ll need to determine whether the threat groups you’re modelling for the intrusion would use overwatch techniques to support their own intrusions. Read my earlier article on modelling threat groups to understand why this aspect is important.

Assuming overwatch fits within the parameters of your planned intrusion, the next step is to work out how you’re going to communicate.

Setting up communications

Overwatch and the intruder will typically communicate using a mobile phone. While traditionally a hand-held radio would have been better in this application, these days it’s hard to justify not simply using your normal phone. The intruder and overwatch will need to have their hands free, so you’ll need to wear wireless or wired headphones (use wired headphones if the intrusion is going to take some time).

Once inside the facility, wearing headphones provides options for the intruder to pretend they are on a call, making them appear busy and less approachable.

As with all good planning and preparation, make sure your devices are charged and carry backup devices and power banks where needed. Losing communications just as you’re about to initiate a key activity isn’t great for your situational awareness or your confidence.

To communicate effectively during the intrusion, you’ll also need to develop a common language.

Using a common language

To enable the intruder to make sense of the information and instructions being provided by overwatch, and vice versa, you’ll need to establish a common language.

First, establish a language for orientation and direction. You could, for example, refer to the aspects of the facility (front, back, left, right). Alternatively, you can use cardinal directions (north, south, east and west). In my experience, the former approach is easier to understand.

Next, agree on names for each building. If you’re not sure what the buildings are, you can make up names or just give the buildings numbers. There’s no need for fancy code words, because no one will be listening in to your call.

Finally, establish names for major roads and specific locations, such as car parks. Again, you can use the actual names or just make up names.

During your planning, it’s good practice to develop a schematic of the facility that’s labelled with the agreed upon naming conventions.

Positioning overwatch

You’ll typically want to position overwatch in a location from where they can view deep into the grounds of the facility. Overwatch could be positioned in a building overlooking the facility, or on higher ground. As you might already guess, finding an accessible elevated position can be problematic.

If it’s not possible to have overwatch in an elevated position, their utility will be reduced. From ground level, overwatch may only be able to provide support for the initial stage of the infiltration, when the intruder breaches the perimeter barrier. After that, they may not be able to provide any meaningful support (they will still have an important safety role, as I’ll discuss shortly).

Once the intruder is inside the facility and is moving between buildings, overwatch may need to move around the perimeter to open their angle of view in support of the intruder. It’s useful to consider how you might need to do this during planning and rehearsals. A good approach is to break the intrusion into stages or bounds. When the intruder reaches an agreed position, they can hold in place while overwatch repositions themselves to cover the next bound.

Of course, there are risks in having overwatch move around during the intrusion. Depending on the location and the nature of the outer perimeter area, movement in this area may result in additional attention and possibly detection and apprehension.

While you could move overwatch into the perimeter, perhaps for a very large property, typically you will want to keep them outside the perimeter. If the intruder is compromised during the initial stages of their infiltration, it’s best to have overwatch positioned so they are in a static and secure position and can guide the intruder to safely exfiltrate the facility.

Providing warnings

The key role of overwatch is to warn the intruder of activity within the perimeter. Here are a few examples of such warnings:

  • Let the intruder know the coast is clear before the intruder moves around a corner or into a space.
  • Let the intruder know when someone is approaching their position.
  • Let the intruder know when a security response has been activated, and provide updates on the location, heading, and disposition of the security team responding to the intrusion.

Effective warnings provide peace of mind to the intruder. While the intruder will still need to be careful, having overwatch removes some of the stress of conducting an intrusion. Knowing the ‘coast is clear’ is invaluable, particularly in situations where line of sight is limited.

The topic of warnings leads nicely into the topic of commentary, which is an essential aspect of an effective intrusion.

Providing commentary

The intruder and overwatch should maintain a continual two-way commentary during the intrusion. For the overwatch, this commentary lets them know what the intruder is doing, and confirms the intruder is okay (i.e., not impaled on a fence). If the commentary goes silent, overwatch should know that either the intruder is close to someone who may hear them, or has been involved with an incident. For the intruder, commentary keeps them updated on movement within the facility.

Here’s an example of commentary during the initial stages of an infiltration:

Intruder: Ready to go

Overwatch: Okay, no guards in sight

Intruder: Approaching the fence

Overwatch: No guards in sight

Intruder: At the fence

Overwatch: No guards in sight

Intruder: Equipment secured

Overwatch: No guards in sight

Intruder: Starting to climb

Overwatch: No guards in sight

Intruder: Crossing over

Overwatch: No guards in sight

Intruder: Cleared the fence

Overwatch: No guards in sight

Intruder: Removing equipment from the fence

And so on

Boring? Maybe. But believe me, there’s nothing more satisfying than continually hearing someone whisper “no guards in sight” into your ear while you’re infiltrating a facility. It’s a love language.

A point to make here is that negative information (“there’s nothing”) is just as important as positive information (“there’s something”). Negative information provides a green light for the next step in the plan. As noted earlier, you’re being told the coast is clear and you can continue.

Here’s another example of effective commentary, when the intruder is inside the grounds:

Intruder: Moving from the fence to Building 1

Overwatch: Hold, a patrol is moving your way

Intruder: Okay

Overwatch: Hold…

Overwatch: Hold…

Overwatch: Hold…

Overwatch: Okay, move now

Intruder: Okay, moving to Building 1

If the intruder is approached or apprehended, it’s good practice to leave the communication line open. As the intruder communicates with the individuals, overwatch will be able to hear one side of the conversation.

An interesting effect of commentary is that it instils confidence in the intruder. At least in my experience, I’ve found that the process of verbalising what I’m doing and what I’m planning to do next has a calming effect, particularly during pivotal moments, such as crossing the perimeter or entering a building.

Knowing there is someone monitoring your activities also keeps you moving. It’s very easy to become paralysed in place during an intrusion, particularly when you’re about to breach an access point. Feeling as though you are ‘accountable’ to overwatch will help motivate you to keep pushing forward.

Maintaining a log of events

Overwatch should maintain a log of events during the intrusion. This log is essential to enable you to provide a chronology of events for the final report. Time passes in different ways during an intrusion, so don’t expect to be able to maintain an accurate estimation of how long you spend doing different activities.

There are several ways to maintain a log without compromising the primary function of your overwatch. First, you can record the commentary between the intruder and overwatch either on the phone or using a digital recording device. If using a digital recording device, ensure that timestamps are used so you have a clear chronology of events. Second, you can have a pre-drafted log with the main events you know are likely to occur (e.g., at the fence, crossing the fence, at the first door, etc.). With a pre-drafted log, the only information overwatch will need to write is the time each event occurs. Of course, you could also use both methods at the same time.

Assuring safety

The other role of overwatch is to provide safety support. If the intrusion requires negotiating barriers, then there’s always a risk of an accident. There’s also the risk of the actions of an overzealous guard force.

If an accident occurs during the intrusion, the individual in overwatch could do one or more of the following:

  • Provide first aid
  • Call an ambulance
  • Notify the client and seek local support

In my experience, having overwatch available helps to ensure that dangerous activities, such as crossing barriers, can be completed in a calm and unhurried manner. Knowing you’re not going to be compromised by a guard patrol when crossing a barrier allows you to be careful and deliberate.

Employing distraction and diversion

In addition to the support outlined above, overwatch can also support activities designed to distract or divert security forces. In this context, a distraction is an activity designed to draw the attention of the security officers to a specific area. Static guards may turn and observe this area, or security officers in a control room may focus on video surveillance feeds covering that area. A diversion, on the other hand, is an activity designed to make security forces displace and physically move to a specific area.

Overwatch can place distractions and diversions around the perimeter. They can also be responsible for activating diversions.

I’m not going to get into specific techniques related to distraction and diversion here, because I don’t want to give away too many secrets (truth is, there aren’t that many techniques that are effective). At a high level, movement, noise and light will typically provide a distraction. A successful diversion, however, will require an incident that demands immediate attention.

Using remote devices for overwatch

If you need to complete an intrusion alone, that doesn’t mean you need to do without overwatch. Consider using remote video devices to provide a live feed of the grounds. Well-positioned and well-concealed cameras will enable you to check the position of guard patrols and other people as they move within the outer perimeter area. Even if you have a human for overwatch, remote cameras can still be useful for large facilities with an expansive perimeter.

Another approach — if you need to see what the overwatch sees — is to ask them to switch to a video call. Seeing the scene from the perspective of overwatch may provide additional context needed to make critical decisions.

Using drones

In theory, drones provide a good option for overwatch. In practice, drones tend to be noisy and may compromise the infiltration (or at least make security officers alert to the possibility that something may be going on). Piloting the drone will also take the full attention of the operator, which may make them less responsive to the moment-by-moment needs of the intruder. Drones also have a limited flight time, which means they may not be able to remain airborne for the full duration of the infiltration and intrusion.

At least in my own experience, drones are useful for reconnaissance of large facilities, but don’t replace a human in an overwatch role. Not yet, at least.

Wrap up

Overwatch is a great technique that you can apply to lower the likelihood of detection during an intrusion. Overwatch replaces luck when it comes to getting through perimeter security.

Overwatch also has important safety benefits. It’s always comforting to know there’s someone close at hand to help when you get entangled in razor wire on top of a fence.

For my own physical intrusion tests, I will use someone in overwatch for every intrusion, if only to provide a safety net. Having overwatch doesn’t significantly add to the cost of the activity. Typically you’ll only need one person to be available for a few hours. Of course, the conditions of the assignment may vary.

If you haven’t used overwatch for physical intrusion tests before, give it a try. It may take a while to integrate the approach into your methodology, but once you get used to that calm voice whispering in your ear, you won’t want to go back to doing intrusions alone.

In the next article, I’ll focus on an important and often ignored aspect of physical intrusion testing: safety.

Grant Rayner

Founder, Spartan9.