A common debate in cyber security is the difference between red teaming vs penetration testing and which security assessment is better.
Penetration testing and red teaming are two valuable security assessment methodologies that share many similarities and some key differences. It is important to understand the nuances of each assessment so that you can choose the one that best suits your needs.
This article will explore penetration testing and red teaming in detail. It will explore the types of tests which fall under each security assessment, the objectives of each assessment, their security testing methodology, and the scope of each. These vital details will allow you to make an informed decision aout the most appropriate security assessment to invest in when testing your organization's security posture.
Let's start by clearly defining penetration testing and red teaming.
What Are Penetration Tests and Red Team Engagements?
To understand the differences between a penetration test and a red team engagement, it is important to clearly define each security test and its main objectives.
A penetration test is a simulated cyber attack designed to identify vulnerabilities within a computer network, system, or application that an attacker can exploit to gain unauthorized access.
The main goal of a penetration test is to provide a comprehensive assessment of a select group of systems to uncover exploitable vulnerabilities or poor security controls that need to be remediated by the blue team. This assessment includes the impact on an organization if these systems are compromised and recommendations for mitigating vulnerabilities.
Regular penetration tests are often a compliance requirement set by regulatory bodies. They are a common practice for healthcare, finance, and data protection organizations.
The main objectives of a penetration test include:
- Identify as many vulnerabilities as possible that an attacker can exploit.
- Use a systematic approach to provide a comprehensive security assessment of select systems.
- Validate if security controls work as expected.
- Determine the potential impact of a vulnerability that is successfully exploited.
- Provide recommendations on how to mitigate vulnerabilities.
- Fulfill compliance and regulation requirements.
Red Team Engagement
A red team engagement is an immersive security assessment of the people, processes, and technology an organization has implemented to prevent, detect, and respond to a real-world cyber attack (such as from competitors, enemy nations, or “hacktivists,” to name a few). It involves a team of skilled security professionals emulating the tactics/techniques/procedures (TTPs) a real-world threat actor would use when targeting an organization.
An engagement usually consists of the client organization setting a goal for the red team to achieve. This is usually gaining access to certain information or a specific machine they consider high value. The red team then will use the TTPs of a threat actor who will likely target the organization to identify a path to achieve their objective, known as an attack path.
The main objectives of a penetration test include:
- Assess the overall security effectiveness of an organization.
- Emulate an actual adversary likely to target the client’s organization.
- Test the detection and incident response capabilities of the client organization.
- Identify attack paths an adversary can exploit to access sensitive information.
- Validate the ability of the people, processes, and technology to prevent a real-world cyber attack.
- Provide recommendations on how to remediate security gaps.
Types of Tests
Penetration testing and red team engagements are two overarching categories. Each category consists of various security tests a client can have performed. Understanding these various tests will help you recognize the differences between these security assessments.
Penetration tests can be broken down into six types of tests:
- Black box: This is a test where the person performing it has no knowledge of the system's internal implementation and to identify security vulnerabilities in the system, they need to rely on the system’s external behavior.
- White box: The tester has full access to the system's internal implementation. This speeds up the test because the tester does not need to perform initial reconnaissance to identify security vulnerabilities, and they are often given initial access.
- Gray box: Mixes black box and white box testing elements. This speeds up a penetration test whilst also providing some realism, as the tester will still need to use real-world TTPs to perform their initial reconnaissance.
- Network: This focuses on identifying security vulnerabilities in a client’s network architecture and security defenses.
- Application: This test looks for vulnerabilities or misconfigured security controls in an application or software system that allow a tester to gain unauthorized access.
- Social engineering: Evaluates a client organization’s susceptibility to social engineering attacks.
These tests assess a component of a client’s IT infrastructure for vulnerabilities. The knowledge and the type of component vary from test to test, but the common goal is to identify potential vulnerabilities that an attacker could exploit to gain unauthorized access.
Red Team Engagements
Red team engagements can also be broken down into different types of tests, these include:
- Full-scope: Simulates a real-world cyber attack from start to finish.
- Targeted: Focuses on a specific business unit or team to save time and resources.
- Adversary Emulation: The client organization instructs the red team to emulate a specific adversary’s TTPs so they can test their defenses against a specific threat actor.
- Assumed Breach Scenario: Starts with the tester already having initial access to the organization’s internal environment to speed testing.
- Tabletop: The security team will collaboratively work through common scenarios that arise during a cyber attack in the form of tabletop exercises that are guided by the red team.
- Physical security: Simulating red team assessments that test an organization’s physical security controls.
These different types of red team testing all focus on emulating a real-world cyber attack to test the people, processes, and technologies an organization has deployed to protect itself. Each type of engagement varies in scope to reduce strain on resources and time required for completion.
Objectives of Penetration Tests and Red Team Engagements
Penetration tests and red team engagements are performed for different reasons. The objectives that guide a penetration test differ from those that guide a red team engagement.
A penetration test aims to test every security control and system an organization implements to see if they are vulnerable to exploitation. This requires a systematic approach:
- A security control or system is tested for vulnerabilities.
- If a vulnerability is found, it is tested to see if it is exploitable
- If the vulnerability is found to be exploitable, the impact of exploiting this vulnerability is tested.
This systematic approach allows the tester to provide a comprehensive security assessment of all systems tested, including the impact a compromised system will have on the organization. It is a way for the organization to validate that its security controls work as intended and increase its overall security posture. This includes setting off detection alerts in the SOC if they have been configured.
Once a penetration test is complete, the tester will include a list of recommendations the organization can follow to mitigate vulnerabilities.
Red Team Engagements
Red team engagements are designed to simulate a real-world attack. This realism allows an organization to test its entire security posture. Hence, the primary objective of a red team assessment is to test the people, processes, and technology being used. This includes evading detection by the blue team.
To make a red team engagement realistic, the red team and client organization will collaborate in a pre-engagement meeting where they will decide on the objectives of the red team. These objectives often revolve around gaining unauthorized access to secure systems or data that the client organizations deem their crown jewels.
In cyber security, an organization’s crown jewels refer to its most valuable and critical assets. They are the primary asset an attacker will target because compromising them would significantly impact an organization’s operations, reputation, or finances. Examples of crown jewels include; intellectual property (IP), sensitive customer data, financial data, and operational technologies.
Once objectives have been agreed upon, the red team can use the TTPs of a designated threat actor to achieve those objectives.
|Red Team Engagement
|Identify vulnerabilities that an attacker can exploit.
|Emulate a real-world cyber attack using the TTPs threat actors use.
|Validate security controls work as expected.
|Assess the overall security effectiveness of an organization, including its people, processes, and technology.
|Describe the potential impact of a vulnerability being exploited.
|Demonstrate security gaps by gaining access to the organization’s crown jewels.
|Set off detection alerts if configured correctly.
|Evade detection to be realistic.
|Provide recommendations on how to mitigate vulnerabilities.
|Provide recommendations on how to improve security posture.
|Needed to fulfill a compliance requirement.
|Needed to provide a holistic assessment of an organization’s security posture.
Methodology of Penetration Tests and Red Team Engagements
A penetration test and red team engagement follow different security testing methodologies to achieve their objectives.
A typical penetration test will follow eight phases during an engagement:
- Planning and Preparation
- Scanning and Enumeration
- Vulnerability Assessment
- Remediation and Follow-up
This methodology allows a penetration tester to systematically assess hundreds of systems for exploitable vulnerabilities and the impact this will have on an organization.
During a penetration test, the organization’s security team will often know that a test is being performed. This is so they do not interfere with the test or mistake the testing activity for a legitimate attack. This is important as penetration tests usually work within a restricted timescale and must be as efficient as possible.
Another way to make a penetration test more efficient is by disclosing internal knowledge to the tester beforehand. It may seem strange that red teams would divulge sensitive information like this. However, it is important to remember that penetration tests are not trying to emulate a real-world attack and evade detection. Penetration tests focus on finding as many vulnerabilities as possible in a restricted timescale. This also means they can be noisy and set off detection alerts in the SOC as it validates those security controls are working.
Red Team Engagements
A typical red team engagement will start with a pre-engagement meeting between the head of the organization’s security team and the red team lead to define the scope of the engagement. Unlike a penetration test, scope definition usually involves deciding what threat the red team should model, which will dictate the TTPs a red team will use when performing their attack.
Once the scope is defined, a red team assessment will follow a path similar to the cyber kill chain. It includes seven steps that are common in most cyber attacks.
The model has been expanded over the years to more accurately represent how real-world cyber attacks unfold. The diagram below illustrates the common phases of an attack that an adversary needs to complete when attacking modern Windows environments.
A red team operator will try to follow these phases and use the TTPs of a designated threat actor the organization wants to emulate. This is usually done without the organization’s security team’s knowledge so that the red team can better mimic an adversary's activities, stay hidden, and keep persistence.
To avoid detection, a red team must often develop their own exploits to circumvent existing security measures, such as Anti-Virus (AV) and Endpoint Detection Response (EDR).
Unlike penetration testing, where the tester will typically use off-the-shelf exploits that security solutions can easily detect, as evading detection is not a priority for them.
|Red Team Engagement
|The pre-engagement meeting decides which systems are in scope.
|The pre-engagement meeting decides what TTPs will be used.
|The security team usually knows about a scheduled penetration test.
|The security team does not know about a red team engagement.
|Follows a strict methodology to systematically assess each system in scope.
|Follows a cyclical methodology of gaining access to one system, escalating privileges, and exploiting another system using the TTPs of threat actors.
|Pen testers testers use known exploits to attack systems.
|Red teamers develop their own exploits to attack systems.
When Should I Use a Penetration Test or Red Team Engagement?
To answer this question, two main factors need to be considered.
If you are in an industry that requires the regular scheduling of penetration tests as a compliance requirement, fulfilling this requirement is vital for your business, and you should invest in a penetration test.
Maturity of Organization
Penetration tests focus on identifying as many exploitable vulnerabilities as possible and this often means they are great for picking up the low-hanging fruit. Red team engagements focus on emulating actual threat scenarios and are best used against a mature cyber security program that has already eliminated all the easily exploitable vulnerabilities.
An organization that finds itself a major target for threat actors (such as government, infrastructure, major software/technology companies, law firms, etc.) must test its security team against actual threat scenarios. A red team assessment can provide this.
If you wish to learn the skills needed to become a penetration tester or red teamer, you might be interested in these courses: