OSINT of Facilities by Physical Reconnaissance
8:56PM Jul 27, 2020
All right, we're welcoming back to hold 2020 at our conference now we're going to have a session with OS n facilities, by physical reconnaissance with built for it in of ggR security Hi Bill. How's everything going. So we're going to go right to the movie right now. Thank you. And stay tuned.
Hello everyone, I'm gonna be talking to you about open source intelligence of physical facilities by physical reconnaissance so walking around looking at the outside of the facility but not ever actually going in, until the very end. So how much we can tell just by looking at the outside. What is inside of a facility. To start off, we'll introduce some very basic intelligence doctrine, this is what's known as the intelligence cycle that you see on your screen here, and we start out with the entire world, we identify what our needs are, which produces our operational environments, from which we collect data, process it into information and then analyze it into intelligence. Once we have this intelligence, sometimes it identifies something else that we need, and the cycle starts over, and it ends when we take action based on that. There's a number of different disciplines within collection. In terms of where this data actually comes from the ones, we'll be focusing on today is imagery. So taking pictures which traditionally means satellites tactical imagery, or imagery intelligence, or I meant, which is reconnaissance that that we'll be talking about a lot, and public sources so open source intelligence. Open Source Intelligence is sort of a buzzword in the hacker community so that's why I'm focusing on that a talk title here, and I'll just make a quick note as well that reconnaissance in American circles is often shortened to the word recon in Canada where I'm from, from the US. So if I say the word Iraqi that is what I mean. The bulk of this talk is going to focus on the analysis phase. So taking these images that we've got from these various sources and turning them into something usable for an operation within the facility. So before we actually get into the analysis we need to talk about collection just a little bit. And first, before we look at the facility itself, we're going to look at the neighborhood of this facility, both physical and political. So the area. What is nearby utilities into the facility nearby shops transportation infrastructure, etc. as well as politically, If that organization has other facilities. What are they like, and that will give us an indication what we'll find within the facility. Finally, it's important to observe at different times. So day night weekend, and most importantly normal operation and during an anomaly, so we can get a sense of what's actually normal. We also want to rescue the people see who enters, and generally what type of person they are, what they're wearing when they enter and leave, and we can actually, if we're very diligent, keep track of the numbers and get a sense of occupation within the facility at any given time. What entrances and exits are used and where they go when off site. And then on the security side we can look at the individuals for if they have keys or badges we might be able to photograph or clone those if they do some sort of security task entering like putting in a code or signing in, and if we see site security, we can see what they do during an incident and if it's in scope, potentially trigger an alarm ourselves. So in scope here, meaning that the client has actually authorized us to do that on a penetration test. What we'll be talking about for the bulk of this talk, though, is what's inside the facility itself. And we'll be looking fairly heavily at floor plans to do that, which are generally we can kind of categorize them as assignable space so that'll be offices and other usable spaces circulations of hallways and stairs, as well as building support space like mechanical rooms elevator, or not, like, elevators sorry washrooms custodial, etc. what our floorplan is useful for, well we can take them and get a general topology of the space, which will give us the best path to get from A to B. We can take that and determine the time to get from A to B, which is very important for planning both red team operations and blue team defenses. We can look at what camera replacements are possible. What can replacements we know, might exist what's visible from where we can analyze the acoustics likewise, and tell what can be heard. Where can I be heard, where can I hear other people and how much noise can I get away with making. And finally, if we plan to social engineer our way into this facility, it really helps to know where we're going. So sometimes you can get these floor plans from the fire safety plan box. These are often easy to bypass non destructively, and they're almost always destructively enjoyable because they're designed to be for the fire departments. We can also often get floor plans online. By using a number of different search keywords that work well. So look for PDFs or most floor plans are. And on the site that is interesting to us, as well as a couple other good keywords that are very frequently found on floor plan files. When we're inferring floor plans so if we don't have that,
then we're not going to get a very high level of accuracy, but we will get something that's topologically good enough for whatever operation we have plans to actually perform that inference. We're going to start with what architects call massing. So that is the mass in three dimensional space the shape of that building. And that's comprised of both primary masses, so the large shape, as well as anything smaller sticking out of it is a secondary mass. The building envelope is another term that envelops the massing, and it's the surface area so to speak on it. It contains doors and windows and we'll use throughout the presentation the architectural term for windows which is fenestration. It might have mechanical equipment like vents and lubes, as well as external structural members. All of these things are clues to the internal layout, which we will talk about in depth, where to get this imagery and massing. We can look at Google Maps which for some cities has a really wonderful 3d view. Google Street View as well to get the street level imagery, Bing Maps I actually find to be very very good for satellite views, your local government open data will often often publish aerial photos including historical ones and 3d massing data in computer readable formats that contain very very useful information and measurements, and of course visiting in person, taking pictures observing stats your tactical imagery intelligence better. Beyond the massing to determine what's inside of a building the usage is incredibly important. So, if it's an industrial building commercial institutional multi unit residential and high rise office. All of these have different usages which we'll look at throughout this presentation, and the layout depends on that, and the massing. So warehouses, for instance, tend to be large and flat, of course, and most of the inside is large open space, but of course they will be racking within the warehouses, how is that racking arranged well it's hard to tell, but you can look for the loading dock. And from that loading dock you can infer that the main aisle will come out from it. It'll give you some sense, there's also often an office space on one side of the warehouse and you can tell where that is, by the fenestration for commercial facilities, so storefronts. The frontage is what's valuable bear so they tend to be very long and deep, without a large frontage. And within them that floorplan is now very linearly constrained, and we tend to see, usually a single barrier between the front where customers go, and the back. For larger retail spaces, you see that as well, because the back tends to be like a warehouse so it's an open floor plan and the front as well, to encourage customer circulation for institutional buildings. We'll start by looking at hospitals. This is a very very typical turn of the century hospital architecture. We can look at the fenestration, and it indicates the room size quantization, so most of these will be individual patient treatment rooms, but some of them might be two or three windows. It gives us that quantization so how large incrementally they can be. And so most rooms do have windows in older architecture because heating ventilation, and air conditioning or H back was in its infancy at the time. And so this will make the circulation and room plan readily inferable. So in this particular case, if we look at the massing, we can see, it's very long, very thin, with a number of branching wings to give everybody a window. But with this, we can tell, quite well, where that hallway is going to be in the middle with rooms on the side that follow the quantization of both Windows and true at the overall space of this large facility that holds true as well.
Where within this mass or the hallways. Well, usually we can assume it's halfway in the middle, but sometimes fenestration or massing tells us, so we can see this hallway here. And that tells us exactly where the hall is in this particular way. Here's one case where it's not in the middle. But this bridge will give us a sense that it's on the edge so we can tell that from that piece of information prisons tend to be out lot or tend to be laid out in very long forms as well within which we have the cell blocks. Once you've seen one you've seen them all in terms of what the cell blocks look like as the insides floorplan of prisons. An interesting aside about that in terms of prison escapes, you often hear of escapes involving tunneling out of your cell etc. Well, every cell needs a toilet and every toilet needs plumbing and that plumbing by its very function must connect to somewhere external, and so many prisons particularly old ones have crawl spaces, or even tunnels that the toilet plumbing goes directly out to. This is a little bit more applicable for those of us who aren't trying to break out of a prison when identifying the washroom location in a building that we are recreating. So washrooms also need plumbing in in a multi storey building that plumbing tends to be put in pipe riser shafts, and those pipe riser shafts tend to end in mechanical penthouses on the top of the building where there is various mechanical equipment using other pipes and that shaft. So in this case we see this penthouse and we can infer that the washrooms are very likely below it. For a monolithic institutional so a much larger massing space, a newer building tends to be. We can start to get a sense of what the internal floor plan is going to look like by identifying the entrances and exits. In this case we can see this large glass atrium, and there is also an exit on this side here so we can infer that all the way up the building is split down the middle. And we can then have effectively two small buildings that we now have to determine the internal massing for the internal floorplan for in the basement. However, it's going to be below the atrium. So how do we tell what's there for that. Well, we're going to identify where the stairwells are likely to be. So for instance, this juts elements, off to the side here is very likely a stairwell is too big to be an H back element that's been added on after the fact. It's not really the right dimension for an elevator if you compare it to a car here. Most elevators aren't that shape, but it's perfectly dimensioned for a stairway, so that's almost certainly what that is. They also tend to be below the entrances, of course as well. And, and so we can get a sense of where the entrances to the basement level are going to be within that we can generally identify a ring, some sort of equal distance from the edge of the building. And there's going to be a hallway following that ring pattern. And then, appropriate hallways, in the middle. And so we see that in this particular case, it's a somewhat t shaped building in the basement, and we have a T shaped ring with a hallway in middle where it makes sense. And here's one going out to that stairwell that we identified. In this particular case, we have a T shaped mass. And so we can infer that very likely there's going to be a T shaped hallway on the inside. Also notice that these, these tall windows on the front here that indicates that there's going to be some larger common area, occupying these rooms on each floor. If we look at the floorplan for this site. The first thing we'll notice is that we were actually wrong about the hallways. There are two of them along each wing of the team. And we could have been for that if we did a bit more research and determined that this site is actually a long term care home. So based on a typical room sizes there, we can see that that ring shaped floorplan following the outer perimeter is more likely what we're going to see with hallways in the middle where it makes sense. And then this dining room is exactly what we expected to find given those large windows there.
Here's an interesting case where we have 45 degree angles that would be visible in the exterior massing which generally means that we have two different orientations of halls and rooms on the inside. Where do they actually make that transition, well we can tell, based on circulation requirements. So in this case here this green boundary, so to speak, between the 90 and the 45 degree angles. It can't really continue on. Over here, because it's hugely interrupt circulation so we can infer that very likely this hallway is in fact, where we can see it is on a map, just by looking at the outside of this facility. Also to note we have three different wings here, and we can tell where this large hallway is in this middle wing here because of where it connects to the other wing. And so that gives us this larger hallway, and then these smaller ones in the, in the remainder of this monolithic wing. Follow this ring pattern, a certain distance from the perimeter. Let's talk a little bit about high rises. There's a lot of things that are often stacked in high rises, so elevators obviously do structural columns and stairwells washrooms as I mentioned, they have that pipe space behind the toilets in this case the pipe spaces right here. telecom closets electrical closets, all these different risers tend to be vertically stacked, as well as mechanical rooms and events to allow for easy flow up and down the building. What that generally translates to in newer high rise construction is a central core that contains all of these elements. So your elevators stairwells washrooms mechanical rooms, and for office buildings, most new construction is built as an open layout around that, which then the tenants can partition as they see fit. hierarchy rises also tend to have entire floors dedicated to mechanical equipments. So, often there's going to be one or more mechanical penthouses in high rises, you can see one on this building to the rear here. The fenestration only extends so far up that above that to the roof is likely a mechanical penthouse and low rises would have that h back bear on the roof, which we'll look at later mechanical floors can exist perfectly up the building as well so this tells us that there's not generally going to be occupiable space on this floor, and many buildings have mechanical basements, as well. In terms of those mechanical penthouses now that you know what they are you'll start seeing them everywhere, anywhere the fenestration doesn't go all the way up, you can infer that's what's happening. They're also often very cleverly integrated into the architecture, so this triangular element here. And these windows that are not fenestration glass going up to the top of each of these buildings in terms of what high rise residential floor plans tend to look like they're going to be a central core as well with your stairwell elevator and building support systems, and often a ring shaped corridor tightly surrounding that, or sometimes a U shape that gives access to each of the units in that building. For older buildings where we can't infer that the stairwell is likely at the core, how do we tell where that's going to be well in older buildings the stairwells do tend to be on the outside of the building part of that is for fire egress reasons, and so you also see doors at the bottom of many stairwells. We can also look and see that we have lit stairwells and unlit windows around it so if you see a lit up column of Windows all the way up, is a very good indication that that is a stairwell. And of course, in these cases you can actually see the stairwell in the Windows as well, that helps. So in this particular case, we can see very very well lit up column of windows so that's likely a stairwell. The building's likely symmetrical so it's probably one on the other side. To get another a better sense of the internal layout. We can note that there's two balconies on each side with the partition so likely four units per side or eight on each floor, and the elevator is likely Of course in the center. We can see this mechanical penthouse in the center as well which would have was that elevator equipments. So in this case, where is the stairwell. We can see dark dark dark but a lit up column of windows and you can even see the stairwell within it. In this particular case we see to lit up column of Windows columns of Windows.
It's unlikely to have two stairwells that close together and in fact one, we can see through the windows as a hallway, the other is a stairwell. We can see that that hallway extends deep into the building, and we can see washroom signs on each floor, out of that hallway, so it makes sense that those are stacked, and between the external building massing and that whole direction, we now have a very good idea of the total internal layout of this building. We can also look at fenestration to identify stairwells even in the daytime. So if we see windows all aligned at a particular floor heights. But then one part of the building where the windows are at half floor heights. That's a very good a good indication that that's landing landings from a stairwell in that location. In this particular case here we see windows zigzagging all the way up, which tells us that it's likely a staircase zigzagging all the way up along back. We can also see this secondary math sticking out of the building here, that houses just that stairwell. When the stairwell is normal to the building on our evelope so it's extending perpendicularly inwards. We see here this half height window as well you might also see a column of glazing unbroken all the way up. And that's only really possible in a stairwell normal to the building envelope. When you see a fire escape of course that's a good indication that there's no stairwell there. Not a whole lot else you can infer from these because they are retrofits. If we have multiple doors so I mentioned that a door at the bottom of a building is a good indication that there might be a staircase on that column of Windows above it. If there's multiple, we can identify which one is likely the primary exit from the building, by looking at safety features. So safety lighting up here, as well as this is a parking lot, and we have vehicle bollards to protect against vehicles ramming into someone exiting this primary exit. This is a very good indication that there's a staircase, or at least a hallway behind this door. These two are likely mechanical spaces and effects, they are a transformer room we can tell by these holes here, as well as this vent loop there. So here's a good test is this building likely office or residential. Well, looking at it we see that all the windows are lit on the bottom, and none of them are on the upper half, that's very atypical for a residential setting, so it is likely an office building is clearly a newer construction that was built, incorporating an older facade, or older structure. And so because of that, the stairwell. There might be staircases on the outside of the older structure but we don't see any lit columns of windows in this newer structure, because of the fire code there have to be emergency lighting there so we can infer that they are on the inside, and this being an office building it's likely an open layout that might be partitioned by the tenants. We can spot elevators within the building, as well as potentially more stairwells by looking at the roof of a building that does not have a mechanical penthouse. So we have three secondary masses coming out of that roof. This one in the center, makes sense to be an elevator. An elevator machine penthouse, and the sizing makes sense for that as well. If we compare to these vehicles down here. This is likely the top of two staircases opening up this would not fit an elevator there. And it also makes sense in the context of the main entrance to the building down here so we can infer that the floor plan here is going to be an S shape terminating in two staircases, and with an elevator lobby in the middle, and on the ground floor and exit out the front likely and exit out the back as well. And units surrounding it. In this case, we see on the left, an elevator penthouse the fenestration goes right to the top so we can tell that there is no mechanical penthouse of the elevator must be here. If the building has an elevator. Unless it's a hydraulic. But that's unlikely for a building of this height. And in this case we can see the elevator freight elevator opening right out back. In the case of an attic. We can get a sense of whether it's occupied mechanical or dead space by looking for both skylights on the roof, as well as windows in the gable so this flat section on the edge of the attic. And we can also potentially do thermal imaging to tell if it might be occupied at room temperature at outside ambient temperature or if it's very hot it's probably a gerwalk utilities are also very very useful for determining the internal layout.
So we can locate them by looking for cues like this fire standpipe here, as well as seeing a mechanical room through the window. In this particular case, can we spot the Mac rooms. Well we notice, there's a fire standpipe there. We can see pipes in this window, and these two loops here. So there's like a large mechanical room there on the second floor we can see this continuous fenestration, and we can see everything within it. Also note that the walls are actually visible so we can start building up the internal layer to that second floor. But we can see there's no mechanical room there on the third floor we have this loop and a large area without windows. So that is likely mechanical room as well. Given these two, there's almost certainly a riser shaft of some sort, connecting these recessed into the building, you know it's not on the edge of course because of this fenestration, we can estimate occupancy of the building using utilities as well. Sometimes it's just given to us, like with a enter phone directory. But sometimes we can look at utility capacity. So in this case on this building we'd see a telephone line coming out of an underground conduit. This is likely a 50 pair line from the radius of it. And so this picture here is of a 25 pair telephone line, which supports 25 separate lines within the building. And so we can tell that when this was built was being planned for by the telecom company. They usually conservatively guessed that well the absolute maximum we'd ever see here would be 50 phone lines, it gives you a sense of the occupancy. There are loads of other utilities that buildings require ones that are internal to the building entirely ones that come from an upstream source and ones that are entirely external and looking at the incoming utilities for other things we can also tell. So for each fact that's heating ventilation and air conditioning. In this case, all of our air conditioner units are visible on the outside and we can look up the capacity of those sense to get a sense of what the occupancy inside the building is, if you ever see a large, a box like this on the roof of a building. This is a cooling tower. And those boxes before I erroneously called air conditioners they're actually just the cooling tower as well. And this will feed a chiller that looks like this, and is usually going to be in the mechanical penthouse below it. And by the capacity of these cooling towers you can estimate what the cooling requirements for that building are, which gives a sense of occupancy and activity level. We can also spot, the incoming transformer room so this is a grade level transformer volt. It has the power companies blocks on it as well as decades. We might have a pad mounted transformer exposed to the elements outside and we can read directly off of that what it is and what its capacity is. We also might see these below ground transformer vaults here. They universally look like this. So now that you've seen this talk, you're going to start seeing these everywhere, based on the size of a one or a two transformer volts, we can get a sense of what the capacity is going to be. And based on the position we can get a sense of where the building's mechanical room will be. So this is a fun picture of how they actually maintain the Transformers here they're going to crane lift off these concrete slabs and crane lift in new one. And on the inside of them we have power coming from upstream of these conduits, which then gets sent to conduit conduit to the customer building. So again, my placements of these transformer bolts we can get a sense of where the electrical room in the building is. And of course we have overhead lines as well. And they're going to come from the power poles to pipes or conduits along the building, and we get a sense of where within the building their electrical room as well for that. Buildings might have standby generators as well. They look like this We can't usually see them from the outside, but what we can observe is the diesel refueling stations which looks something like this. This indicates that it has a standby generator within it, as well as where it likely is so that'll give us a sense of what the general criticality level is of this particular building. We can also observe the water shutoffs to get a sense of where the incoming water mechanical macroom is going to be, as well as gas shutoff and meters.
We can look for a sewer cleanouts to get a sense of where the sewage runs out of the building. We can also look for security features that were deliberately engineered into the building to get a sense of what's inside of it. So in this particular case, the two most salient items are this very bright glare lighting here, as well as vehicle protective bollards. So these bollards are to protect against vehicle impact attacks as well as truck mounted bombs, any building that has that in its threat model is likely something fairly serious, like, in this case, an American flag in Toronto was like the slit. it is. So that was public knowledge anyway, of course. But, for obvious reasons I can't give you an example that is not public knowledge, and as an extra bonus we have these half height windows here indicating a stairwell. So let's look at a few case studies, we have here a event space is first floors commercial tenants we can tell by looking at it, and it was built in the 1850s. So to determine where the main event space is going to be, we can look at the fenestration and the massing, we can see from this fenestration that there's likely not any large event spaces and the wings are in the lower half of this central mass, but in the upper half we have this artificially elevated aspect here so the event space is likely in the middle where the stairwells within this well there's likely one as well as an elevator coming in from the main entrance, as well as, because this is a very old construction building the stairwells are likely on the exterior of the building. If we looked at this at night we wouldn't see any lit columns, which indicates that the stairwells are likely not fenestrated. So here's a large area on fenestrated with an E restore at the bottom, that's likely a stairwell. And as it turns out, it is. And looking at this floorplan we can also see the space below the event space wide open here, as well as the commercial areas to the side which are not even connected on the ground floor, and of course the main public entrance at the base, leading to the main stairwell and an elevator. This is a really, really great case study. There's a lot we can tell from this particular set of pictures. So looking at this building. The first thing we'll observe is this large chimney stack here which indicates that the furnace is somewhere below it, the furnace could be in a mechanical penthouse but we see that there are none of this building by fenestration, it could be below ground and buildings like this You tend not to see complete basements, but we also notice this break in the windows here. So this is likely where the boiler room is. It's interesting to note that is two storeys because most boilers are taller than the average floor. So, if they're interstitial in the building, they'll likely be two storeys spanning if they're in a penthouse that's part of the reason why mechanical penthouses are taller than most occupiable floors, and if they're in a basement they're likely downstairs. From the regular basement level. We can also note, this penthouse over here. And looking at the aerial view we can see that there's nothing else that could be an elevator penthouse so if there's an elevator in the building. It is either here or a hydraulic elevator. And in general, all of this H back and mechanical equipment around it indicates that this is where the central core of the building is supporting most mechanical space. Very, very interesting to note as well. Are these this structure here. So this used to hold some sort of H fac heavy track equipments, we don't know what, but we do know that it is supported right above the structural columns of this building. And it's not visible in the pictures here but those structural columns actually line up with the brakes in the fenestration. So from that we can infer that there's four columns here, that they're likely matching up with the brakes in the fenestration along the building which makes sense, and columns tend to be in a consistent grid throughout. So we can deduce the entire structural diagram of this building by these two pictures. We can notice a main entrance in the bottom left so we can infer a hallway here, leading to the elevator. And in terms of the use of this building this is a very typical layout that you might see of a multi tenant medical building, based on this fenestration though that's unlikely to be the case, since this is not consistent with patient rooms, so if it is a medical building. It was a retrofit for that purpose. The washrooms are likely going to be in the central core as well, along with all of the other
mechanical equipments. And so all of that put together, we can get a very good sense of what this building is going to look like on the inside. Of course we don't know much about what's in the wings. But if it's rentable office spaces most likely is probably going to be an open floor plan with the columns in the middle we know where those are, that'll be partitioned by the tenants, and those partitions very often follow the column grid. If we have an irregularly shaped building. How do we tell what's inside of that. Well in this case the building's triangular, and we kind of have two options as a residential unit residential building. It might be a linear. Excuse me. When you're hallway, through the building or it might be triangular using that ring inside the perimeter of the building that I mentioned before. And as it turns out, that's exactly what it is, as expected, we see in the central core of the building staircases building service and elevators. So, that was a lot about how to tell what the floor plan is of a building, just looking at the outside. What do we do when we actually enter. So we want to always maintain situational awareness, this is true for red teamers, as well as first responders, which a lot of this information is applicable to, as well as blue teamers like security guards that might be going in to protect facility. And they could be facing a real trash. So you want to look for corrections to your inferred internal floorplan any room you want to identify all the access to it in case you need to exit quickly identify the windows potential hiding places that either you could use or someone could be hiding waiting for you, as well as items that could be used as weapons, and the various life safety and security equipment that might be present within that particular room. You also want to be situationally aware about individuals and crowds that you encounter with crowds you want to look for the destination and the rate of flow, the average and abrasion level of that crowd, as well as try to identify persons that are not fitting in with the crowd normally. So, an armed person you can identify them by security paths. So if you are ever wondering oh crap did I forget, I fell into my wallet at home, pack your pocket and see okay it's there. That's true as well for an armed person, especially one that's planning to do something with his concealed weapon so if you see someone repeatedly padding, where a hip or shoulder holster might be. That's a very bad sign and you should watch that person plainclothes security as well they're going to be have that level of vigilance, they're going to be watching the crowd in an abnormal way you can pick that out very easily. And you can also get a sense for each person what their likely familiarity with the area is. So I've talked a lot about protection. Sorry, I've talked a lot about not protection the opposite but the red team's needs. That's what I focused on is a little bit that we can talk about for protection as well. So, the blue team what they can do. Your floorplan is difficult to obscure. What you can obscure though is your high value targets within the floor plan. You should assume though perfect knowledge by the red team of both your layout and the location of your high value targets. And that is what you should be protecting against based on the information that would be available to a red team or to a real threat you can anticipate their actions based on what they might do with that information. And you can also set up your facility to capitalize their actions to force them to take a single path that you can then more heavily protect you want to duplicate critical assets as well. And your overall goal as a blue team or protecting against these techniques, is to turn their open source and imagery intelligence into mere information that might be interesting but it will be ultimately irrelevant to their goal of an attack against you.
so a couple takeaways that I'm hoping, everyone will get from this talk is generally the more situationally aware in your everyday life. So, I imagine most of you likely don't make any of those observations, when in a crowd in a room or looking at the outside of a building. Now you're able to hopefully this will let you look at built infrastructure, a little bit differently. And when you enter a new and unfamiliar space, hopefully this will give you a sense, or the ability to actually know where you're going, even though you've never set foot in that space before. I'd like to extend a huge thank you to Karen Bobby Josh and Eric, some of my amazing co workers for their, their immense assistance and putting this talk together. And if anyone has any questions if you're watching this later on YouTube. I encourage you to reach out to me I'd be happy to answer any questions you have later. And for those that are watching the livestream right now as hope attendees. I'm happy to answer your questions right now. So with that, thank you very much, folks, and I will turn it over to our lovely emcee.
Oh and welcome back to our talk with Bill Raiden of ggR securities, who just presented an incredible discussion about Open Source Intelligence by physical reconnaissance. Thank you. Well, that was really a great show. You know, is there anything else that you'd like to add to why the video before we start taking questions.
I guess I'm one small thing that I realized after the fact that I'd forgotten to properly explain was the, the significance of elevator penthouses in terms of hydraulic versus traction elevators so there's those two main types hydraulic elevators are driven by a big rain in the bottom and their penthouse, well it's not a penthouse their machine room is in the basement usually, but because that ram has to extend an equal distance into the ground, you don't see that in high rises at all. They tend to be lower, two or three storey elevators. And as well very old buildings that technology didn't exist, every other elevator needs mechanical penthouse above it, with the exception of some very modern ones that generally are terrible. But, that way you can tell if there's no mechanical penthouse expanding on the entire buildings floor plan. You can tell where the elevators are basing that stick out so I thought that deserved a little bit of an added explanation of that though I'm going to start fielding questions.
Great. Thank you, we'll get right into it. Our first question is are there recommendations for methods to fake external building layout with fake external egress and elevator slash roof layout slash access. I was thinking about hotel Penn would be entertaining.
That's a great question.
So the answer is there are methods. And it's, you know, I could probably go on for hours about different case studies and ways that you might do it. It is highly case specific so the best way is to, you know, you can obscure something so admit windows where they might otherwise be and without that fenestration cue there's a lot less that can be determined. And then based the massing say it's a look like something else and what's actually inside of it. And so what you do is get people who are experts in reading buildings and the type of way that I've, I've talked about so firefighters and military tend to be very good at that. You get them to look at the plan and say what do you think would be in here and if they think it's something totally off then you're doing a good job with that in general for non military installations like that's where you want to be focusing on sort of the deception elements for anything other than that, it's usually not a significant enough problem within your threat model to warrant such drastic changes. It's often easier to obscure what's actually inside the building so for instance with, with the H HVAC exposed on the outside that gives you a very good sense of what's going on inside enclosing your mechanical space and closing that h fac in some sort of facade is a good way to secure that and as well. It gets a buy in from the architect of the bill because usually the architects and the security engineers are really at each other's throats about that. So that's one way. Um, but yeah so securing for a civilian building buildings is usually best as I mentioned, though, you're generally better off obscuring what you're actually protecting inside rather than the layout itself. And the last thing to consider is that there are life safety implications and trade offs so if you're securing an egress obviously you cannot do that inside people have to know how to exit. If you have what looks like false exits on the outside that has implications as well because if there is a fire call, you're building, you know, firefighters are going to go potentially to the wrong exit waiting for victims to come out or to force entry and. And so it could create a massive problem better so there's a lot of things to consider. And usually, this stuff is very interesting for physical red teamers to get information about the building but it's not a big enough part of your threat model usually to warrant that massive changes like that.
Thank you. Is there any public repository, building plans like a kind of Wikipedia for buildings that people can contribute to anonymous.
Not that I know of, um, so in that slide I presented the very beginning about actual online Oh sense of you know googling for, for those PDFs. Generally you will find them on either the website of whatever organization owns the building. The closest thing to that public repository would actually be government tender websites. So any government contract has to go to a public tender and that public tender includes all sorts of details about what it's going to entail including architectural flirt for floor plans usually a bunch. Related to that like h fac, and structural plans as well. So those have its construction major construction firms often have those files up on there as well. Or if that's not intended for that purpose but it's a good place to find them. To my knowledge, there's nothing that's intended for that specific purpose so maybe I'll make one that that could be a cool thing to do. So, I guess, keep tabs on on my online activity, and I'll let you know if that ever comes to fruition.
Okay, thank you. The next question is, any comment on movies that get physical security really right or hilariously wrong.
Great question. So I mean I mentioned in the, in the live chat that I could have talked about this but I was constrained to a 45 minute video and that would take days and days and days to go through all the things they get wrong there. I mean, not just physical security, in terms of stuff like what I talked about but you know I talked about, for instance, how you match the external envelope of the building to whatever's inside of it. That's something that security considerations aside, most movies get wrong their external setting their internal set often have a lot of discrepancies in order to look for.
So just about everything I talked about today, in a movie does not apply at all.
But there's, I mean there's loads of examples where physical security is, you know, they might do something that's not really possible. The biggest thing that I see with movies that, that gives people the wrong impression of physical security is not necessarily that something is wrong or impossible, but it's just so far out of your threat model that you're you know if you're worrying about stuff that's cool enough to show into a movie.
You're probably worrying about the wrong things.
All right. Thank you. All right, we've got time for a couple more questions. The next question is, are there any sorts of buildings that are naturally hard to infer the floor plans of, even without any deliberate attempt at ossification.
That's a great question. I guess the two that best fits that description is, you know, I talked a bit about monolithic buildings which tend to be institutional or industrial. And so a monolithic institutional that has, you know your fenestration on the, on the outside that gives you room quantization and that's about it, but you know if it's a giant 100 meter by hundred meter, excuse me, by a couple of stories tall box with an enclosed mechanical penthouse at the top, you really have no idea what's going on inside of that box. And so, you know, if it's got some architectural. You know landscaping and whatnot to obscure the incoming utilities on the inside, which wouldn't be intentional usually for security purposes, that's just for making it look nice. It's very difficult to tell what's going on inside of there without doing a little bit more reki so you know you can look around and see which entrances people use see when they enter get a sense of what the function of that building is. And so then you're obscuring or you're inferring that based on just the function effectively. The other type that is often very difficult to tell which is large industrial buildings because now we have a very large mass, in addition to very little fenestration. So, in that case, it's entirely down to the usage. So you look at what what's actually being done in this industrial building you look at similar buildings, you can usually get a very good sense from that but not always depending on what proprietary stuff might be going on at that company.
Got it. All right, thank you for last question. Um, are there, external cooling elements for things like server rooms visibly different from cooling elements for occupancy.
The answer is in general No, they're, they're the same type of equipment. In particular, the things that are visible on the outside, such as the cooling towers are all the same, because that technology works with the cooling towers are going to lower the temperature of your water glycol mixture to the limit of evaporative cooling. And then below that you need to use chillers that tend not to be exposed or visible. So whatever temperature is a final ultimate temperature is hard to infer what you can get some sense from though is the capacity. So for instance, data centers tend to be very obscured they'll usually not have anything indicating but they are or the title of the company that owns them on their street side for instance. People like to not tell not advertise where their millions of dollars of equipment data centers are, but you can look at the cooling capacity on the roof of it usually or sometimes mechanical space of the side. And if you can see that this building is getting cooled down with such extreme vigor that you know whatever happens in there, it must be like this gym operating 24 seven with 1000 person capacity. Now that doesn't make sense so you can infer that as probably a data center, based on both the layout of the building and of course you can look at the incoming utilities it'll be very well served by communications lines.
Sorry JP you were muted.
There you go. All right, thank you very much, though, that was Bill Graden from ggR security, providing us with his perspective on physical reconnaissance thank you on behalf of all the attendees and the volunteers and the staff thank you very much for sharing that with us.
Okay. And we're going to get her down to our regular bumps and enjoy. We'll see you in just a few minutes.