Penetration Testing vs. Red Teaming engagements: Key Distinction

Finding the right security service to assess your organisation is a critical aspect of any security program. Each security service has its benefits and fits a specific purpose, so it is important to understand the differences between these services to maximise the results of a security engagement. Two of the most popular security services are Penetration Testing and Red Teaming engagements. Although they might look similar in some aspects, they serve different purposes and have distinct goals. This blog post will compare these two services and analyse the differences and similarities between them.

What is Penetration Testing?

Penetration Testing is an assessment performed with the goal of identifying as many vulnerabilities as possible within a given scope. The scope of a Penetration Test is defined in advance and agreed with the customer, and can vary from a single web application to a network range, an API or even a single server. The Penetration Test will give you full visibility of all the critical issues that expose your organisation to immediate risk, as well as highlighting lower risk issues which your organisation may need to address to achieve compliance.

The Penetration Test can be performed from different perspectives, depending on the goal:

Black-box approach: using this approach, the tester will not be provided with any additional information about the systems in scope, such as any documentation for an API or any account to access a web application.

White-box approach: in this case, the tester is provided with more access and therefore more visibility to the scope, such as an administrator account for a web application or administrative access to a server.

Each of these approaches has its advantages and disadvantages. When performing the Penetration Test from a black-box perspective, the tester more closely simulates an external attacker with no level of access; however, due to the reduced visibility, a number of issues that could only be found from an authenticated point of view may go undetected. This limitation is addressed by performing the Penetration Test from a white-box perspective, where full or partial access is granted to the tester. Additionally, the extra level of information and access in a white-box approach can make the tester's work more time-efficient, allowing more ground to be covered during the engagement.

What is a Red Teaming engagement?

A Red Teaming engagement is a goal-based exercise which aims to simulate a real-world attack. The attacking team, referred to as the Red Team, performs a number of attacks with the purpose of mimicking a real threat actor targeting your organisation. This engagement gives your organisation the chance to test whether the security team, referred to as the Blue Team, will detect real attacks against your network. Being a goal-oriented exercise, the organisation requesting the engagement defines a goal for the Red Team to achieve, for example obtaining access to a specific server or getting access to the mailbox of the CEO.

The Red Team assessment is divided into different phases, as highlighted below:

Reconnaissance: the goal of the Red Team is to gather as much information as possible about the target organisation, including its employees, office buildings, exposed systems and much more.

Initial Compromise: During this phase, the Red Team uses what they gathered during the previous phase in order to obtain initial access to the target's internal network. This can be achieved in a number of ways, such as sending a malicious email or guessing an employee's password.

Escalation of Privileges: The Red Team will try to escalate their privileges on the network and attempt to get access to privileged resources.

Persistent Access: However they obtained remote access to the corporate network, real attackers will try to establish persistent access to the organisation, allowing them to reach the target network at any time. The goal of this phase is to simulate this scenario by employing a number of techniques used by real attackers.

Lateral Movement: The Red Team will move across the target network using a number of tools and techniques in order to identify sensitive systems and resources, such as databases containing personally identifiable information (PII) or credit card data.

At the core of these phases is the exfiltration phase, where the Red Team simulates an attacker copying sensitive data out of the target network, an activity that should be detected by the network security team.

A key aspect of these engagements is that they are performed without the Blue Team being aware of the simulation. This ensures that the detections and investigations performed by your security team are as realistic as possible.

Differences with Penetration Testing

When comparing the two services, there are quite a few differences between a Red Teaming and a Penetration Testing engagement. One of the main differences is that the Red Teaming assessment is goal-oriented, which means that the attacking team has a certain goal or objective that they need to reach. Whilst this mimics a real-world scenario, it also implies that the Red Team will take an opportunistic approach when attacking your network. For example, if the Red Team discovers that one of your servers is affected by a critical vulnerability, and that exploitation of this server is enough to reach the goal of the engagement, the Red Team might not try to discover whether the same vulnerability is present on other servers in your network. Similarly, if the team discovers that one of your administrator users has a weak password, the Red Team will simply leverage this information, even though other users may also be using weak passwords. Finally, since the Red Team will only exploit vulnerabilities that lead them towards their goal, other vulnerabilities may go unreported. These may include critical vulnerabilities as well as lower risk vulnerabilities which could be chained together to form a kill chain towards critical resources or data, posing a higher risk when combined.

Conversely, the goal of a Penetration Test is to identify as many vulnerabilities as possible within a given timeframe and a given scope. All the issues identified are therefore reported, including lower risk issues which an organisation might need to address to meet its compliance requirements.

The other significant difference between the two services is the scope. In a Red Team assessment, the scope is very broad and typically includes the entire organisation: any system, web application, mobile application and even users are in scope. By contrast, the scope of a Penetration Test is clearly defined and can be as small as a single web application or server. This results in shorter engagements that provide security assurance on a specific component of your organisation.

Other differences between the two services are summarised in the table below:

Approach
  Red Team Assessment: Opportunistic approach. The Red Team will take advantage of vulnerabilities that would allow an adversary to compromise systems and resources.
  Penetration Test: White-box or black-box approach. When a white-box pen test is performed, all information is shared with the tester. Conversely, when a black-box test is carried out, only details of the target scope are provided.

Visibility
  Red Team Assessment: Only a small number of individuals are aware of the Red Team, or sometimes just the CTO. The Blue Team or SOC are not aware of the assessment. Results are shared between the Blue Team and the Red Team only when the assessment is complete.
  Penetration Test: The IT team and developers are aware of the test. Results are shared with the IT team and developers when the test is complete.

Goal
  Red Team Assessment: Prove that sensitive data and systems can be compromised, and test detection and response capabilities.
  Penetration Test: Identify as many vulnerabilities as possible within a given scope and within an agreed time frame.

Scope
  Red Team Assessment: Entire organisation. All possible attack vectors are permitted.
  Penetration Test: The scope is defined by the organisation requesting the penetration test and can be as small as a single external IP address.

Duration
  Red Team Assessment: Usually spanned over a period of 3 months, subject to agreed objectives.
  Penetration Test: Depending on the size of the scope.

Output
  Red Team Assessment: Detailed report on how the organisation has been compromised. Feedback on detection and response capabilities based solely on the discovered vulnerabilities exploited during the exercise.
  Penetration Test: Detailed report on the vulnerabilities identified within the given scope. There is no testing of detection and response capabilities.

Main Benefits
  Red Team Assessment: Mimics a realistic cyber security attack. Best tool to evaluate current overall cyber security posture.
  Penetration Test: Good tool for evaluating the security of a single application or network.

Which one is right for me?

If your organisation is only starting out with security testing, penetration testing is a good starting point. This service will give you an overview of your security posture while also giving you the option to focus on a particular area or product, for example by performing a web application penetration test. More mature organisations will also benefit from penetration testing to ensure that new services and systems are deployed in line with security best practices.

If, however, your goal is to test whether your security team is able to detect and promptly respond to a real cyber-attack, performing a Red Teaming engagement is the right choice. Additionally, if you have purchased a third-party service such as an externally managed Security Operations Centre (SOC) or a security product such as Endpoint Detection and Response (EDR) software, you can perform a Red Teaming engagement to evaluate your return on investment and make sure that these products function as intended.
