In IT security there is a certain confusion between Red Team Assessment and pentest services. In this blog post the two terms are compared and contrasted. It also discusses which measure provides the most benefit at which point in time, and which business challenge each assessment addresses, so that the reader can understand which use case fits best.
Red Teaming is used to test an organization's detection and response capabilities. Red Teaming attempts to access sensitive information by any means possible while remaining as undetected as possible. This assessment emulates a malicious actor actively attacking and trying to evade detection, similar to an Advanced Persistent Threat (APT). A Red Team Assessment does not look for as many vulnerabilities as possible, but rather for the vulnerabilities that can be used to achieve its objectives. A pentest, on the other hand, is designed to uncover as many vulnerabilities and configuration problems as possible, exploit them and determine the risk level. The methods used in a Red Team Assessment include Social Engineering (physical as well as electronic) and all methods that are also used in a pentest. A pentest often lasts 1-2 weeks, while a Red Team Assessment can last 3-4 weeks or longer and often involves several people.
However, a Red Team Assessment is not suitable for everyone and should only be conducted by organizations with mature security programs. These are organizations that run pentests frequently, have most vulnerabilities patched, and generally receive positive pentest results. A Red Team Assessment adds the following value:
- Measurable detection and response capability of IT security
- Realistic risk understanding for the organization
- Help with the elimination of identified attack vectors
Red Teaming operations have narrowly defined goals and pursue them on several fronts at once. They often require more people, resources and time, as they go deeper in order to fully understand the realistic level of risk and vulnerability in terms of an organization's technology, people and physical resources. NIST provides a definition of Red Teaming.
Penetration testing attempts to identify application, network and system-level vulnerabilities as well as ways to bypass physical security barriers. While automated tests can identify some cyber security issues, a real pentest also examines the company's attack vectors manually.
Many people do not understand the differences between a pentest and a Red Teaming assessment, so all of these assessments are wrongly called pentests. They may share similar components, but each is different and should be used in a different context. The essence of a real pentest is to find as many vulnerabilities and configuration issues as possible in the time allocated, and to exploit these vulnerabilities in order to determine the risk each one poses.
This does not necessarily mean that new vulnerabilities such as zero-days need to be discovered; rather, known unpatched vulnerabilities are searched for. A pentest is designed to find and evaluate vulnerabilities and to confirm that they are not false positives. Pentesting goes further, however, as the pentester attempts to exploit a vulnerability by chaining attacks to achieve the goal. Each organization is different, so this goal may vary, but it usually involves access to personally identifiable information and trade secrets.
When network, application, cloud/server and physical security are viewed through the eyes of a pentester, the following is identified:
- Which attack vectors can be exploited
- How the systems are attacked
- What hardening measures look like
- What damage could occur
In the complex cyber security landscape, pentests have become a must for most industries. Even companies that believe they have no valuable information to protect run the risk of someone trying to take over the network, install malware or disrupt services. Because there are so many malicious actors, pentests have to keep pace with evolving technology.
Which service is required?
Is a pentest better than Red Teaming? Pentesters and Red Teams often consist of the same people, using different methods and techniques for different evaluations. The true answer to Pentest vs. Red Teaming is: one is not better than the other! Each service is useful in certain situations. It does not make sense to commission a pentest to test an organization's ability to detect and respond. Nor is it useful to use Red Teaming to look for vulnerabilities across the entire application layer. You can find more information about penetration testing and red teaming in the CREST paper.