Xavier Johnson, president of Enterprise Offensive Security, twice entered a European-based data center by pretending to be someone else.
Johnson first disguised himself as an employee of a shredding company to gain entry, and left. Then he returned as an employee of the data center itself after cloning a real employee's badge. He copied sensitive documents and installed a Raspberry Pi onto the network.
Johnson had been hired by the data center to perform a physical penetration audit. His job was to test the security of the data center to identify possible ways intruders and thieves may use to break in.
Red teaming is a process of offensive steps to show which parts of a system are insecure, Johnson explains. Despite the inherent dangers, physical audits are much easier than people would like to think, he says.
"[Cybersecurity professionals] need to know if your customers want to be vulnerable to something that a criminal would do," Johnson says. "You have to simulate a criminal, and simulating crime is risky."
Being Mistaken for a Criminal
As a Black man with a red beard, Johnson stands out. This 10-week daytime operation against the data center succeeded because of the intricate planning that went into it beforehand, he says. Cultural differences between Europe and the United States also came into play.
You can't send Black cybersecurity professionals into a law enforcement agency on a quiet night in Iowa, Johnson says, referring to the 2019 incident where two white cybersecurity professionals were arrested on burglary charges while carrying out a security contract for Coalfire Labs.
Gary De Mercurio and Justin Wynn, the two Coalfire contractors arrested, say this was probably a first in cybersecurity history, especially since being charged with burglary means there was intent to commit a felony, which obviously there wasn't. Most of the time, their experiences with law enforcement came out more smoothly.
"We have permanent records now, which affects not only our professional lives but our personal lives as well," Wynn says. The two men are now suing the Dallas County Sheriff's Department for false arrest.
Even though these two contractors got into a world of trouble, they came out of the situation with their lives.
"We weren’t fearful for our lives and did our best to position ourselves in a safe location where we could establish verbal contact and begin de-escalation before a face-to-face confrontation," Wynn says. "No weapons were drawn throughout the incident. Our freedoms, on the other hand, were very much threatened, as the case dragged out and we were facing seven years of prison time and bail set 10 times higher than normal, due in part to the sheriff withholding facts from the magistrate who set our bail."
De Mercurio says the sheriff was intent on making a political statement with their arrest.
Difference Between Life and Death
If those had been two Black men, they might have been shot, especially given the current climate regarding race in America, Johnson says.
"That's about as transparent as I could get," he says.
Multiple studies show Black and brown people are routinely targeted by law enforcement. People of color are more susceptible to arrests and abuse than white people, studies show. De Mercurio says he can’t imagine what would happen if their team had been Black. He acknowledges many colleagues of color simply don't do physical testing in small towns.
The job of a law enforcement officer is about establishing trust, De Mercurio says. Two of the officers made homophobic comments after their arrest.
"If an officer has any kind of bias, that trust is instantly eroded," De Mercurio says. "In the case of an entire team of Black pentesters having been in our place, again simply a guess, I would have been surprised if it turned out as 'well' as it did for us."
De Mercurio and Wynn have since made adjustments to how they perform penetration tests because of this incident.
"We have adapted some policies and are adamant about notifying law enforcement before engagements where there’s a chance they could respond," Wynn says.
Planning and Preparation Key to Safer Audits
Nico Smith, director of red team operations for the nonprofit Blacks in Cybersecurity, says being a tall Black man could make you stand out and make the police more suspicious. This danger presents a barrier for Black people wanting to enter the cybersecurity profession as a red teamer. However, these barriers can be navigated.
"It’s about properly articulating to future Black and brown people who want to be a red teamer what that looks like," Smith said.
Unfortunately, just as Black and brown people code switch - change their behaviors, clothing, and speech to be more palatable to white-dominated environments - when working in traditional jobs, they may have to do the same on red team exercises, Smith says. For that situation to change, more Black people need to be recruited into these teams, he says. Once they've been hired, learning de-escalation techniques could be useful.
Careful planning is essential. Johnson's team plans out the engagement beforehand, taking into consideration the client’s preferences. His team of ethical hackers monitor the culture and atmosphere of the audit environment before sending a red team, whether it's for a physical or digital audit.
Smith, who recommends looking into indemnity insurance, says there are also advantages to being different. People of different sizes and races could fit in some situations better than others, he says.
For example, when Johnson performs audits in Detroit, where he was born and raised, he knows exactly how to blend in. One of his team members, an older white man, wouldn't necessarily fit into situations within a large city.
Areas of Success
Smith says he doesn't elevate one team over another and that every team member should be equally valued. This is a crucial recruiting point when talking with Black and brown candidates.
There is a "sexiness factor" associated with red team operations as they are shown in television shows and movies, but there are other areas of red teaming where Black and brown people can also excel. The documentation side of the audit is an option, Smith suggests. Johnson estimates that 75% to 80% of the operation is detailed planning, and Black cybersecurity professionals can be involved in this side of the process.
Digital audits that don't require in-person visits can be less dangerous, but they aren't completely safe, either.
"In the event that I make a mistake or something goes wrong, my simulation can then be interpreted as a legitimate crime," Johnson says. "And it's really hard to defend."
Cybersecurity companies know and understand that planning and safety are two of the most important areas of focus when conducting physical or digital audits. Until systemic barriers stemming from racism are removed from the criminal justice system, the onus is on the company to ensure the physical safety of its employees, particularly of its Black and brown staff.