Penetration Testing vs. Red Teaming
December 14, 2020
Given the rising threat of cybercrime, especially resulting from a global event such as the COVID-19 pandemic, it’s clear that security is a never-ending journey, not a final destination. However, for the majority of organizations, it’s not always external security threats that they must be prepared for. Insider threat remains a prevalent vector through which internal cyber incidents occur.
Therefore, organizations must work to continuously test their security programs. In order to do so, there are two security assessments we recommend undertaking: network penetration testing and/or Red Team Operations.
The ultimate goal of both assessments is to test the security posture of the organization as well as their complete stack of security controls, specifically by using adversarial tactics. Both assessments, however, do differ in terms of the end goal as well as the techniques and methodologies used.
What is Penetration Testing?
A network penetration test combines security expertise and best-of-breed technology to find weaknesses in an organization’s defensive capabilities before an adversary can take advantage of them.
HG security consultants identify exploitable flaws in the security architecture, detective controls, and preventative controls to help build strategies that effectively secure and protect the environment from malicious actors.
With a Penetration Test, the security consultants work to gain maximum coverage of the client organization in a minimum amount of time. In order to do so, they have the support of the client’s IT team and senior leadership.
As a result, Penetration Tests are often more methodical in comparison to a red teaming exercise.
What are Red Team Operations?
In comparison to a Penetration Test, red team exercises are technically more complex, take more time, and are a more thorough exercise of testing the organization’s response capabilities and the security measures they have in place.
Unlike Penetration Tests, red team exercises tend to be objective-oriented. The end goal is to gain access to a specific folder or set of data, as pre-determined by the client organization. The engagement is therefore designed specifically around what the client wants the security consultants to test.
In order for any red team exercise to be successful, it is critical that only the key stakeholders at the client organization are aware of it. The rest of the IT and security teams must believe that the red team operation is a real adversary so that they can respond and defend their networks accordingly.
How Penetration Tests & Red Team Operations are Executed
At Herjavec Group, we employ four key steps in order to execute either Penetration Tests or Red Team Operations for our clients.
- Step 1: Gain an understanding of the client’s objectives, what their current threat model is, and their end goals. This determines how the security consultant will focus their testing efforts.
- Step 2: The security consultant will do some form of reconnaissance to get more information about the client’s environment for scoping purposes. For Penetration Tests, the consultant may receive support from the client in order to gather the open-source intelligence (OSINT) they need. For Red Team exercises, however, the consultant will gather the OSINT themselves (e.g. by building user profiles, conducting research, etc.).
- Step 3: Execution of the engagement largely depends on the assessment.
  - Penetration Tests: the consultant takes a thorough and systematic approach to identify an opportunity that allows them to gain significant privileged access, and keeps trying until they run out of time or have thoroughly gained access to the networks.
  - Red Team Operations: the execution becomes more fluid, since the consultant has to get creative in how to gain access to the customer environment. They often rely on open-source intelligence (e.g. physical recon of the office location, branding materials posted online, spear phishing, etc.) to determine the best access point, and may even run a multi-stage campaign to build rapport with the target.
- Step 4: Build an executive summary with an on-site briefing as well as a detailed technical report with remediation actions and a roadmap for remediation based on the core findings of the assessments.
Choosing Between a Penetration Test and Red Team Operations
For organizations deliberating between requesting a Penetration Test vs. Red Team Operations, it comes down to organizational maturity.
If you have just begun your security journey, the first step is to start with a vulnerability assessment. Our security consultants gather the necessary recommendations from the assessment and give you a 6-month strategy to implement the recommendations provided.
Once those basics are covered, the next step is to conduct a penetration test and provide remediation recommendations based on the findings. Once the Penetration Test is complete, the next step is a Red Team exercise so that you can test your internal capabilities against adversarial techniques.
“If the basics of patch management, detection, & response capabilities, etc. haven’t been covered by the client, they’re simply not going to get the full value out of any Red Team engagements,” Bobby Kuzma, HG’s Practice Director of Security Assessments & Testing, says. “We are our customers’ training partners. The job of a Red Team is to help ensure that the defensive apparatus at an organization is operating at peak efficiency and that they are able to adapt & respond to the threats being seen in the real world. That’s why we highly recommend against jumping straight to a Red Team Exercise.”
While a Penetration Test and a Red Team Operation have similarities when it comes to end deliverables, it is critical for organizations to consider where they are in their security journey and choose the assessment appropriate to their end goal. Ultimately, there is merit in engaging both types of assessment on a continual cadence.