Penetration Testing and Red Teaming. Two terms that confuse companies today during their quest to find the best solution to protect their resources. In this article, we will analyze the two terms, explain them, compare them and suggest the best possible approach for your company or organization.
Let’s begin with penetration testing. This type of security assessment has been very popular in the industry for many years. A pentest, as it is commonly called, is typically conducted after a vulnerability assessment, which is the more basic type of testing and is usually automated. Pen tests target specific networks, assets, platforms, hardware, or applications: everything that is defined in the scope of the test. Whereas in the vulnerability assessment the team’s task is to find the vulnerabilities within an organization or company, during the penetration test the team tries to exploit these vulnerabilities in order to prove that they actually pose a significant threat to the organization.
During a penetration test, the involved team tries to simulate attacks on a network and its systems by using a set of procedures and tools designed to test and bypass the security controls of an infrastructure. The value of this type of testing is significant because the security professionals are using the same tools that a potentially malicious user could also utilize. Attackers today are clever and often sophisticated (don’t forget that the malware industry is extremely profitable), so penetration tests must align with the latest hacking techniques. Also, the penetration testing team tries to test all the systems within the scope, because a basic rule of security is that “security is only as strong as its weakest link” (there is a known case in which the compromise of a corporate network started from a printer!). The objective of the test is to determine the actual effectiveness of the company’s security measures.
The type of penetration test that fits your company is determined by its security objectives, and the management’s goals. Some corporations perform periodic penetration tests on themselves using different types of tools, or they use scanning devices that continually examine the environment for new vulnerabilities in an automated fashion. Other corporations request a third party to perform the vulnerability or penetration tests, in order to provide them with a more objective view.
During the test, all infrastructure components that a real attacker might use to compromise the company’s security are tested: web servers, network devices such as routers, workstation vulnerabilities, open ports, and available services. The duration of the tests is agreed upon in advance so that productivity is not affected and personnel can bring systems back online if necessary.
After the penetration test, the pen-testing team submits a report to the management of the organization with a description of the vulnerabilities and how they have been exploited, along with suggestions on how to deal with them properly (mitigation actions). The next time the penetration testing team engages with this company, it will try to exploit these vulnerabilities first to make sure that they have been properly patched. Unfortunately, the pentesters often find that some past attack vectors still exist despite the detailed reports that were delivered.
Technically, the penetration test is a five-step process:
- Discovery: Footprinting and gathering information about the target
- Enumeration: Performing port scans and resource identification methods
- Vulnerability mapping: Identifying vulnerabilities in identified systems and resources
- Exploitation: Attempting to gain unauthorized access by exploiting vulnerabilities
- Report to management: Delivering to management documentation of test findings along with suggested countermeasures
The penetration testing team can have varying degrees of knowledge about the penetration target before the tests are actually carried out:
- Zero-knowledge (Black-Box Pen Test): The team does not have any knowledge of the target and must start from ground zero.
- Partial knowledge (Grey-Box Pen Test): The team has some information about the target.
- Full knowledge (White-Box Pen Test): The team has intimate knowledge of the target.
Red Team Operations
Let’s move now to the next and more advanced security assessment method: red teaming. Red teaming is considered a broader approach than penetration testing because it uses the methods of real-life attackers to test whether an attack is possible, and it also exercises defensive mechanisms such as the incident response plan. Depending on the security maturity of the organization, the red teamers, as they are called, are not limited to the digital domain only but extend their activity to physical security as well, for example by using social engineering to enter a building. The value of this type of engagement comes from a better understanding of how an organization detects and responds to real-world attacks.
Red teamers can be designated staff from the internal security team or (preferably) external offensive security experts who have no prior knowledge of the organization. Their job is to breach defenses, avoid detection, perform an attack, and provide sensitive data as proof. Red teaming projects differ in that they are heavily focused on emulating an advanced threat actor using stealth, subverting established defensive controls, and identifying gaps in the organization’s defensive strategy.
The phases of a red team operations assessment are:
- Establishing Foothold and Maintaining Presence
Red teaming is typically carried out without a company’s security personnel knowing in advance that it is being conducted. This is done to fully emulate a real-world scenario. For example, if a red team’s activity is detected on a compromised system that’s being used to access the target’s internal network, the defenders will likely respond and remove that access, by engaging the incident response procedures.
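The detection side described above is where the blue team earns its value: the enumeration phase of either engagement leaves a recognisable trace in connection logs, namely one source touching many distinct ports on a host in a short time. The following script is an added example, not part of the original article or of Logstail’s products; it builds a constructed firewall-style log (the addresses, ports and timestamps are invented), parses it, and flags port-scan-like behaviour with a sliding time window. The line format, the window of 60 seconds and the threshold of 10 distinct ports are assumptions chosen for the illustration.

```python
"""Port-scan detection over connection logs (added example, constructed data).

Flags a source address that touches many distinct destination ports on a
single host inside a short time window: the pattern that the enumeration
phase of a pentest or red team engagement typically leaves in firewall logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_port_scans(lines, window_seconds=60, port_threshold=10):
    """Return one alert per (src, dst) pair that hit >= port_threshold distinct
    destination ports within any window_seconds-long interval."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the detector
        events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most window_seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) >= port_threshold:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "first_seen": evs[start][0].isoformat(),
                    "distinct_ports": len(distinct),
                })
                break  # one alert per pair is enough for triage
    return alerts


def build_sample_log():
    """Constructed sample: one scanner, one normal web user, one admin, one bad line."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    # Scanner-like behaviour: 10.0.0.5 probes 15 ports on one host in 15 seconds
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 3389, 8080]
    for i, port in enumerate(scan_ports):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.0.0.5 dst=10.0.1.20 dport={port} action=DENY")
    # Normal user: many connections, but all to the same port (must not alert)
    for i in range(30):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.7 dst=10.0.1.20 dport=443 action=ALLOW")
    # Admin: a few services spread over an hour (must not alert)
    for i, port in enumerate([22, 443, 3389, 5985]):
        ts = base + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.9 dst=10.0.1.20 dport={port} action=ALLOW")
    lines.append("this line does not match the expected format")
    return lines


if __name__ == "__main__":
    for a in detect_port_scans(build_sample_log()):
        print(f"ALERT possible port scan {a['src']} -> {a['dst']} "
              f"from {a['first_seen']} ({a['distinct_ports']} distinct ports)")
```

Counting distinct ports rather than raw connections is what keeps the busy-but-legitimate web user out of the alert list, and bounding the window keeps an administrator who touches a handful of services over an hour out as well. In a real deployment the thresholds would be tuned against the organization’s own baseline traffic, and the alert would feed the incident response procedure the article refers to.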
What’s the difference?
Penetration Testing and Red Team Operations are not the same thing. Many companies conduct penetration tests regularly but still get hacked, resulting in the loss of valuable resources. That’s why they want a more advanced approach in this field.
A red teaming assessment is usually performed in companies and corporations where security measures, plans, controls, and defenders (the so-called blue team) have already been established. To conduct a red team assessment and get the maximum benefit out of it, the company needs to have security measures already in place and be well prepared to confront a variety of threat actors.
In other words, red teaming is the preferred test for companies that believe their cybersecurity is mature and no longer in the initial implementation steps. Red teaming is used within a concept of operations in which there are attackers (red teamers) and defenders (blue teamers).
Also, during red teaming, any available attack vector may be used, including a physical breach, just like in the real world. That’s why we consider red teaming closer to reality. After a successful red team assessment, a company can be confident that its security posture and resilience are good enough to conduct real-world operations.
Logstail is happy to offer red team operations for any kind of organisation that wants to test its defenses.
On the other hand, our experts can also provide consultation for both offensive and defensive operations, as well as incident response training for blue teams on how to effectively detect and respond to security incidents.
And to complete the spectrum of services we offer to our customers in the field of Cybersecurity, we urge you to try our new platform!
Our cloud-hosted solution with advanced features brings the functionality of centralised monitoring to your hands. Convert your data into actionable insights and maximize the performance of your infrastructure, or be notified of potential problems and take the appropriate actions. Sign up for a free demo to realize the power of Logstail!