In the dynamic and ever-evolving realm of cybersecurity, numerous enterprise-grade solutions serve to keep an organization’s infrastructure secure. As the cyber threat landscape continues to expand and companies’ risk exposure grows, so do the security assessment steps employed to safeguard networks and systems from the diversifying and intensifying threats of the modern age.
Two prominent testing services have been widely sought after by organizations looking to understand and enhance their cyber resilience against intrusive threats and cyber fraud. Penetration testing (commonly known as pen testing) and red team assessments have become the go-to methods for testing an organization’s cyber posture, and while their objectives align and their methods overlap, they differ drastically in execution and methodology.
In this short guide, we will delve into the nuances of both red teaming and penetration testing to help those unfamiliar distinguish between these two services that are often described interchangeably. By the end of this article, web and technology professionals should be able to comfortably navigate the intricate purposes and benefits of both these cybersecurity solutions to influence their defensive actions going forward.
Understanding Red Team Assessment and Pentesting Objectives
Cybersecurity is a multifaceted challenge and one that no organization - regardless of size or complexity - can ever truly ‘overcome’. As threats and risks evolve and emerge, system defenses and practices need to adapt as a way to protect systems and infrastructure, and even then, there are never any guarantees. The cost of cybercrime in the world is estimated to reach $10.5 trillion annually by 2025, so it’s imperative that companies take security seriously regardless of their size or sector.
An organization can only do so much to fortify its incumbent defenses to the point where it can maintain operations with reassurance that its base level of security is stable. That first step relies heavily on the strategic approach that a business takes to identify and mitigate the potential threats that exist before a system is compromised.
This is where the red team and penetration testing exercises differ. The objectives, tactics, and outcomes vary whether an organization commissions a penetration test or a red team exercise, which is why it’s vital to consider goals, targets, and budgets ahead of time.
To help you understand the unique philosophies of both of these exercises, we must look at the specific service in finer detail.
Everything You Need to Know About Penetration Testing
Penetration testing is a manual and ethical exploitation of one or more security vulnerabilities to test how far a malicious actor or hacker could feasibly infiltrate an organization.
Penetration tests can be broad or specific in nature; standard pentesting focuses on assessing networks, systems, devices, and endpoints, while more intricate pentesting exercises can identify and exploit specific weak points for more granular assessment.
Unlike red teaming, pentesting is not focused on stealth or on evading detection while carrying out the attack, but rather on how easily (or with how much difficulty) vulnerabilities can be exploited.
1. What is the objective of penetration testing?
Identifying exploitable weak spots such as missing security patches, weak passwords, misconfigured integrations, poor access management, identity and access control mismatches, and more, that need to be remediated. The focus is on the existing setup and infrastructure.
2. What tactics are involved in penetration testing?
Depending on the scope - i.e. whether executing a broad infrastructure penetration test or one confined to web apps, mobile apps, networks, etc. - the appropriate breakout tests will be executed. These simulate how real-world attackers would attempt to compromise systems, using a range of tools and techniques.
3. What are the main outcomes of penetration testing exercises?
By the end of a penetration test, an organization should understand all of its potential exploitable vulnerabilities listed by highest priority and risk level. It will also be provided with remediation advice and technical recommendations to fix issues promptly and correctly.
4. How long does a penetration test usually take?
Some testing windows will last a couple of days while more complex estates could see them last up to a few weeks.
For organizations with less security awareness and maturity, a huge knowledge gap is bridged by understanding the number and extent of their vulnerabilities and the wider business impact if they were exploited. Broader threat knowledge will also help considerably as companies begin to bolster their defenses.
However, it’s worth considering what a red team assessment consists of, including its objectives, outcomes, and timescales, to ascertain whether it meets your firm’s needs more closely.
All You Need to Know About Red Team Assessments
Red team exercises take a proactive and strategic approach in which the readiness and capabilities of an organization’s security team are assessed in detail.
Unlike penetration testing, which prioritizes finding as many vulnerabilities as possible, red teaming is focused on target objectives, often deploying various simulated attacks to examine how capable and cyber-aware a company’s security team is. When you consider the fact that 80% of cyber attacks are down to human or user error, it’s no wonder that red team engagements and awareness training are in high demand.
Red team tests are typically run covertly, with specific attack scenarios agreed ahead of time, but the methods of execution may vary from provider to provider. The principle of a red team exercise is to stealthily mimic how a malicious actor would want to remain undetected in a target organization’s system, moving laterally throughout the network without detection for as long as possible.
Therefore, red team assessments will often involve more detailed and methodical steps to understand the target’s infrastructure, facilities, environment, and data to formulate the most effective emulation of an ‘attack’ that truly puts the organization’s response team to the test.
1. What is the objective of red teaming?
Red team assessments involve accessing specific data or systems by actively exploiting vulnerabilities and evading baseline security controls to test response, detection, and security awareness.
2. What tactics are involved in red team exercises?
Red team exercises often begin with reconnaissance to collect information that shapes the tools and strategies deployed for the engagement. Red teaming also involves intelligence-gathering practices, such as social engineering, to gain a deeper understanding of the organization’s internal processes and culture, which then informs how the attack scenario is prepared.
Red teaming places an organization as close to a genuine security incident as possible in order to test its incident response capabilities. At the end of the engagement, the red team walks the company through the TTPs (tactics, techniques, and procedures) it used and explains how detection and response can be strengthened against them.
3. What are the main outcomes of red team assessments?
By the end of a red team engagement, companies should understand how comprehensive their detection and response capabilities are. Organizations should use the data uncovered, along with the insights gained about physical and logical security, culture, and awareness, to improve their security policies, procedures, and remediation efforts.
4. How long does a red team assessment usually take?
Red team assessments often span several weeks and perhaps even months, depending on the complexity of the infrastructure and exercise objectives.
Another prominent area of confusion is the influence and purpose of two other teams that are regularly mentioned in conversations about red team exercises, namely, the blue team and the purple team.
In simple terms:
- A blue team refers to the target organization’s security personnel, whether the in-house employees or those working for an outsourced Security Operations Centre (SOC).
- A purple team refers to a third-party ‘mediator’ that is commissioned to supervise the activity of a red team and a blue team in a given engagement. The purple team provides a neutral, balanced perspective on the red team’s methods and insights, as well as on the blue team’s attack surface and readiness.
Which Makes Most Sense to Bolster Cyber Resilience?
It’s evident that red team assessments and penetration tests share common goals of helping organizations bolster cyber resilience. However, due to their distinct methodologies and goals, they can’t be directly compared, so organizations should not necessarily choose one or the other.
Penetration testing is excellent at helping companies understand their security posture as it pertains to managing vulnerabilities. However, a company’s defenses and response strategies are not assessed during this exercise, meaning that it cannot accurately gauge how susceptible the company is to cybercrime such as fraud. Meanwhile, red team engagements are ideal if an organization wants to understand how its detection and remediation can be improved, rather than the risk factors of specific applications or systems.
Therefore, most organizations should carefully consider which service best meets their needs based on their current cyber posture. As a rule of thumb, it’s widely presumed that companies considered to have greater cyber maturity - and, by extension, a broader attack surface - should consider red team assessments.
However, if an organization has a less ‘defined’ or weaker cyber position, it makes little sense to commission a red team exercise. Instead, it should opt for penetration testing to identify vulnerabilities and how to overcome them. As a firm’s cyber posture gains more layers and its infrastructure and workforce grow, red team assessments make a logical next step to help firms understand the strengths and weaknesses of their cyber defense strategies.
Conclusion
Given the differences in focus of both red teaming and penetration tests, it’s not a case of opting for one over the other. Penetration tests are excellent for organizations at a specific stage of their cybersecurity growth journey, and the same can be said for red teaming. Both services have clear benefits and outcomes, so it pays off to understand which one is most befitting for your organization at present.
As cyber threats continue to evolve, understanding the logic and methodologies of these sophisticated cybersecurity services will help significantly. Armed with this knowledge, firms can continue to scale with increased confidence and reassurance that common issues such as vulnerability identification and defense strengthening can be proactively overcome.