Locks and Leaks

Locks and Leaks is a comprehensive resource dedicated to fostering the Physical Red Teaming profession. It features insights on physical security, risk management, red team operations, legal considerations, and career guidance, alongside tutorials and stories aimed at enhancing system testing and improving organizational resilience against security breaches.

Physical Security Red Teaming Security Risk Management Legal Considerations for Security Professionals Career Development in Security Physical and Cybersecurity Integration Security Tools and Techniques

The hottest Substack posts of Locks and Leaks

And their main takeaways

Laws that Red Teamers Should Know

19 implied HN points 15 Feb 24
🚌 Education Laws Red-Teaming Security Ethics
  1. Red teamers should be familiar with laws related to activities like burglary, trespassing, burglary tools, hacking, theft, wiretapping, and impersonation.
  2. Understanding the difference between something being illegal and prosecutable is crucial. Aligning goals with the protection of the public and prevention of harm is key for authorized assessments.
  3. Having knowledge of relevant laws can enhance a red teamer's career and ensure that steps are taken to avoid violating rules, laws, regulations, or ethical considerations while uncovering security vulnerabilities.

Taxonomy of Red Teams

39 implied HN points 19 Dec 23
🕹 Technology Cybersecurity AI Hardware Collaboration
  1. Red Teams exist to test and improve important systems, often related to cybersecurity, physical security, and decision-making.
  2. Red Teaming can be categorized into Critical Systems Testing (CST) and Applied Critical Thinking (ACT), with multiple types of red teams within each category.
  3. Collaboration among red teams is crucial, with various ways to work together such as conducting joint trainings, attending conferences, and sharing knowledge.

In House vs. Outsourced Red Teams (Part 1)

19 implied HN points 27 Dec 23
🕹 Technology Cybersecurity Red-Teaming Consulting
  1. Different organizations may benefit from various approaches to red teaming based on their needs, budgets, and internal capabilities.
  2. There are more nuanced red teaming models than just in-house or outsourced, such as hybrid operator model, learning model, and hybrid mitigation model.
  3. Some discouraged red teaming models include relying solely on part-time teams or contingent workers due to trust, loyalty, and capability concerns.

Breaking into Red Teaming: Phase 1

19 implied HN points 05 Dec 23
🕹 Technology Cybersecurity Red-Teaming Skills Training
  1. Breaking into red teaming involves a phased approach with fundamental, technical, and employment skills.
  2. Phase 1 focuses on understanding red teaming fundamentals like what red teaming is and diving into analytical and cybersecurity elements.
  3. To succeed as a physical red teamer, it's essential to gain knowledge in analytical red teaming, learn about cybersecurity, and understand the partnership between physical and cyber red teams.

Breaking into Red Teaming: Phase 2

1 HN point 27 Feb 24
🕹 Technology Cybersecurity Social Engineering
  1. Become proficient at lockpicking as a physical red teamer to develop valuable skills and connect with relevant communities.
  2. Master social engineering techniques by knowing yourself and using your personality traits to your advantage in engagements.
  3. Enhance your Open-Source Intelligence (OSINT) skills, understand PACS attacks, and learn bypass techniques to excel as a physical red teamer.
Get a weekly roundup of the best Substack posts, by hacker news affinity:

Breaking Into Red Teaming (Overview)

0 implied HN points 21 Nov 23
🕹 Technology Cybersecurity Skills Red-Teaming
  1. Physical red teaming is not a common standalone profession but rather a sub-role within cybersecurity or security consulting.
  2. There are various entry points to becoming a physical red teamer, including direct employment, part-time roles, and consulting firms.
  3. Networking, gaining experience, and tailoring your skills early on are essential to breaking into the field of physical red teaming.

Physical Security Red Teaming Overview

0 implied HN points 09 Jul 23
🕹 Technology Security Red-Teaming Resources Consulting
  1. Organizations use internal physical security red teams to protect valuable assets from potential breaches.
  2. The global Physical Security market is expected to grow, reaching $215 billion by 2030 - the effectiveness of these security measures is tested through red team assessments to prevent costly incidents.
  3. There's a lack of substantial resources for businesses looking to establish or enhance their physical security red teams, highlighting a need for more support and knowledge sharing in this area.

Resource: Red Team Job Descriptions

0 implied HN points 10 Jul 23
💼 Business Career Security Recruitment Resources
  1. Companies like UBS, Meta, and Amazon are offering physical red team positions, which are significant for job seekers in the field.
  2. The collection of job descriptions serves as a resource for job seekers, security managers, and the public interested in the field of red teaming.
  3. Physical red teaming is a growing field, and resources like Locks & Leaks are working to elevate the profession by identifying and sharing industry resources.

Start Here: Locks & Leaks Teaser

0 implied HN points 14 Oct 23
🕹 Technology Security Red-Teaming Risk management
  1. Locks & Leaks promotes the physical security red teaming profession to help organizations make better security decisions.
  2. The site offers an outline of the Locks & Leaks structure, including resources for physical red teaming and profession growth.
  3. Different sections on red team types and targets, red team tradecraft, and building a red team provide detailed insights and guidance.

The Why of Security Red Teams

0 implied HN points 29 Jun 23
🕹 Technology Security Red-Teaming Vulnerabilities Budgeting
  1. Red Teaming is essential for organizations with high-value assets, significant threats, or discovered vulnerabilities to test and strengthen their security measures proactively.
  2. Red Teams assess threat actors tactics, uncover vulnerabilities, address organizational hubris, challenge security assumptions, and protect business and assets through rigorous testing.
  3. Red Teaming is not just a tool but a philosophy that promotes critical thinking to improve security measures, ensure defense readiness, and make informed decisions to safeguard organizations and valuable resources.

Red Team Resources

0 implied HN points 12 Jul 23
🕹 Technology Security
  1. The post shares links to valuable resources for red teamers and beginners.
  2. Some of the best red team physical security resources include Red Team Tools, U.S. Army Red Team Handbook, and Hak5.
  3. Various tools and alliances like TOOOL, Sparrows Picks, and Red Team Alliance are highlighted for red team operations.

In House vs. Outsourced Red Teams (Part 2)

0 implied HN points 03 Jan 24
🕹 Technology Security Consulting Vendors Red-Teaming
  1. Consider factors like trust in vendors, needed skills, cost, and bureaucracy when deciding between in-house and outsourced red teams.
  2. Experiment with different approaches to find the best model for conducting red team assessments.
  3. When establishing red team capabilities, seek guidance from others who have experience and be prepared to invest time and attention to detail.

The Proposal: Will you Red Team Me?

0 implied HN points 13 Mar 24
💼 Business Management Risk Assessment Operations Leadership Communication
  1. The Red Team Proposal is crucial for gaining buy-in, being prepared, and protecting against potential issues during assessments.
  2. Including legal safeguards and seeking approvals help in showcasing professionalism and increasing the likelihood of approval from leadership.
  3. A well-prepared Red Team Proposal should contain components like introduction, prioritization, context, intelligence & analysis, timeline, TTPs, safety plan, and more, making it a vital document for a successful red team operation.