Let’s compare two popular security testing methodologies – Red Team and Penetration Testing – to make it easier for you to choose the best option for your business. Both are effective tools for identifying vulnerabilities and ensuring a high level of security for your company, but they have differences that should be weighed before making a decision. Red Team is a comprehensive approach that simulates a real adversary's attack on your infrastructure. The Red Team plays out various attack scenarios and uses a wide range of techniques, including social engineering, physical intrusion and technical attacks. This approach lets you identify weaknesses in systems and processes, assess your team’s response to critical situations, and improve the overall level of security. Penetration Testing (also known as Ethical Hacking) is a focused process of identifying and exploiting specific vulnerabilities in your systems. Security testers carry out targeted attacks using a variety of methods to find vulnerabilities and ensure they are remediated.
Penetration Testing gives you a detailed report on the identified problems along with recommendations for improving security. Choose Red Team if you need a comprehensive security assessment of your company that takes into account different types of attacks and uses a wide range of methods. Penetration Testing is the better option if you need targeted testing of specific vulnerabilities with detailed reporting. The same applies to pentesting and red teaming in general: both approaches have strengths and weaknesses, and which one is preferable depends on the circumstances. To get the most out of either, define your goals first and then decide what suits them best. The ultimate goal of both assessments is to examine an organization’s security posture and its full stack of security controls using adversarial tactics. However, the two differ in their specific objectives, as well as in the methods and methodologies used.
The term “Red Team” first appeared during the Cold War, when the color red was strongly associated with communism. In this multi-year military confrontation between the West and the East, the USA designated itself as the Blue Team and the USSR and the People’s Republic of China as the Red Team. By evaluating the enemy's possible actions during an attack and applying critical thinking, the military modeled various threats and emergency situations and thereby refined their strategic plans. This method of predicting the enemy's actions was subsequently adopted in many industries that require thorough analysis of defensive systems.
In information security, the Red Team is a team of experts who simulate a real cyber attack. Their goal is to think and act like an attacker, trying every possible way to penetrate a company’s information security using technical, social and even physical means. Therefore, compared with other types of security analysis, a Red Team assessment usually gives a more detailed and realistic picture.
When we first started planning the creation of our department, we tried to attend as many industry events as possible to learn the opinions of specialists from other companies about what functions the Red Team should perform. In classical Red Team definitions and concepts, the physical method of security analysis is historically fundamental. For example, some teams practice infiltrating a facility using cloned access cards or planting hardware implants. Such methods have categorical opponents, but personally I find this type of analysis extremely fun and exciting.
Pentest, or penetration testing, is an analysis conducted by ethical hackers to assess the degree of protection of a company and identify vulnerabilities. Pentesters focus on finding technical flaws: in particular, they scan networks and find and exploit vulnerabilities in services. The results of a pentest are usually presented as a report listing the identified shortcomings and recommendations for eliminating them. It is worth noting, though, that direct training of the SOC is handled differently in different organizations, and the Red Team may additionally take part in the activities described below.
Purple Teaming is used to refer to several different concepts, but they agree on its main tasks: verifying the configuration of security tools and the SIEM rules within the company in a white-box format. Both offensive and defensive specialists participate in this process, which increases the effectiveness of the two teams (Red Team and Blue Team) and, in an ideal world, also creates constant dynamic interaction between them. Purple Teaming is characterized by instant feedback from all parties and is concentrated within the company's IT department without the involvement of outside specialists.
In the broadest sense, cyber training (a cyber exercise) brings together several companies, organizations, government services and law enforcement agencies to simulate a joint response to a major cyber threat. In a narrower sense, it is the process of simulating targeted threats by offensive specialists from the Red Team or pentest teams, carried out in a black-box or gray-box format. Both internal and external specialists can be involved in cyber training. Their goal is to test and improve the consistency of actions and the cooperation between companies or teams when countering cyber threats, or, as in the case of Purple Teaming, to strengthen the defense systems and the Blue Team. After the exercise, the attackers provide a log of their actions for further investigation, together with the information needed to compare it against the Blue Team’s security system logs.
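The comparison of the Red Team's action log with the Blue Team's SIEM logs described above (and the SIEM rule verification that Purple Teaming performs) can be done mechanically. The following is an added example, not code from the original article: it matches each executed technique to an alert raised within a time window and reports detection coverage and time to detect. All log entries and rule names are constructed sample data; the technique IDs use MITRE ATT&CK notation.

```python
# Added example: correlate a Red Team action log with Blue Team SIEM alerts (constructed data).
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed Red Team action log: which technique was executed and when (ATT&CK IDs).
RED_ACTIONS = [
    {"time": "2024-03-01 09:00", "technique": "T1566.001", "note": "phishing mail with attachment"},
    {"time": "2024-03-01 09:12", "technique": "T1059.001", "note": "PowerShell stager launched"},
    {"time": "2024-03-01 09:40", "technique": "T1003.001", "note": "credential dump from LSASS"},
    {"time": "2024-03-01 10:05", "technique": "T1021.002", "note": "lateral movement over SMB"},
]

# Constructed Blue Team alert log: what the SIEM rules actually raised, in time order.
BLUE_ALERTS = [
    {"time": "2024-03-01 09:01", "technique": "T1566.001", "rule": "Mail gateway: macro attachment"},
    {"time": "2024-03-01 09:13", "technique": "T1059.001", "rule": "EDR: encoded PowerShell"},
    {"time": "2024-03-01 11:30", "technique": "T1021.002", "rule": "SMB admin share logon"},
]

def correlate(actions, alerts, window_minutes=15):
    """Match every Red Team action to the first alert for the same technique raised
    within window_minutes after it. Returns one result dict per action, including
    time-to-detect in minutes (None when nothing fired in time)."""
    results = []
    for act in actions:
        t_act = datetime.strptime(act["time"], FMT)
        hit, delay = None, None
        for al in alerts:
            if al["technique"] != act["technique"]:
                continue
            delta = (datetime.strptime(al["time"], FMT) - t_act).total_seconds() / 60
            if 0 <= delta <= window_minutes:  # alert must follow the action, and not too late
                hit, delay = al, delta
                break
        results.append({"technique": act["technique"], "detected": hit is not None,
                        "rule": hit["rule"] if hit else None, "ttd_min": delay})
    return results

def coverage(results):
    """Share of executed techniques that produced a timely alert."""
    return sum(r["detected"] for r in results) / len(results)

if __name__ == "__main__":
    res = correlate(RED_ACTIONS, BLUE_ALERTS)
    for r in res:
        status = f"detected by '{r['rule']}' after {r['ttd_min']:.0f} min" if r["detected"] else "MISSED"
        print(f"{r['technique']}: {status}")
    print(f"detection coverage: {coverage(res):.0%}")  # 50%
```

Techniques reported as MISSED are the ones whose SIEM rules need tuning (or writing); the late SMB alert shows why the window matters when judging a rule.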
The Red Team approach is often broader and more flexible, combining different methodologies (MITRE ATT&CK, OWASP, PTES), while pentesters take a more structured approach and adhere to a particular methodology. The purpose of the Red Team is to identify vulnerabilities and weak points in the company’s security systems and provide recommendations for improving them. Its actions are usually more covert and may include methods such as social engineering. Pentesters, on the other hand, focus on finding and exploiting technical vulnerabilities in the company’s systems and networks.
The Red Team uses social engineering in the form of a targeted attack, such as phishing with a malicious attachment. Pentesters and the company's own IT specialists can also run phishing campaigns, but these are mass mailings designed to test user awareness.
In case you are not yet lost in the number of cyber definitions and concepts, let’s touch on cyber ranges (cyber polygons). These are specialized training grounds for simulating cyber attacks on “training” infrastructure. Cyber ranges typically include various networks and computer systems designed to simulate real-world environments, allowing the Red Team and Blue Team to hone their skills in a controlled setting.
In general, Purple Teaming, cyber training and cyber ranges (training grounds) are similar in that they all involve simulating cyber threats to test a company’s defenses. However, they differ in scope and focus: Purple Teaming aims to test defenses, cyber training focuses on testing coordination between company employees, and cyber ranges are a controlled environment for honing Red Team and Blue Team skills.
In addition to applying various methodologies and TTPs, the Red Team has another extremely important task: to verify in practice the probability that events undesirable for the business will actually occur. In simple terms, this is about the company’s assets that are critical from an information security point of view and the risks associated with them. For example, for a financial company it is logical to assume that the most critical assets are the systems that receive and process payments and the systems holding user information. Knowing these assets, their location in the corporate network, the external access points and the technology stacks used to build the information systems, one can estimate the probability of undesirable events, calculate the organization's potential losses and even predict how often such events will occur.
This is what risk assessment specialists, sets of metrics and frameworks exist for. Using the collected analytics and risk studies, the parties can agree to emulate the TTPs of specific threat groups. In the case of a financial company, APT groups that specialize in such organizations, such as Carbanak, can be emulated. The Red Team can help confirm or disprove a hypothesis about the occurrence of a particular adverse event, so that the risk assessment methodology or framework used in the company can be adjusted.

During pentests it is common practice to disable security tools and whitelist the pentesters' IP addresses so that they can identify as many vulnerabilities as possible within the given time. Red Team work is usually allotted from several months to a year, and protections are not disabled. The Red Team’s approach is more stealthy, because defense systems stay on during this type of analysis. In such a situation, each step can become the last, forcing the team to start the exploitation chain over from the beginning. During a pentest, the customer company and its information security service are informed of the start and end dates of the tests, which are carried out under conditions clearly prescribed in the technical specification.
The main advantage of in-house Red Team specialists is that they know the structure of the company's systems and processes. This makes them more effective at simulating threats: with access to sensitive information and systems, they find and exploit vulnerabilities more easily.
External teams look at everything with fresh eyes and provide an unbiased assessment of the company’s security. They are not familiar with the internal systems and processes, so it is easier for them to think like a real attacker and identify vulnerabilities that an internal Red Team might miss.
The choice between an internal and an external team depends on the specific needs and goals of the company. Overall, both Red Team variants are valuable security analysis tools, and they can even complement each other.
If you want to know:
In this case, you need a security analysis by the Red Team. Performing such checks regularly will also help your organization identify new security risks and prepare for real threats.
If you are concerned about:
A pentest will answer these questions. It focuses on finding and eliminating specific vulnerabilities and will help identify weak points and the direction for further security improvement.
As I said, Red Team is useful for organizations that want to test the effectiveness of their response to information security incidents. But how do you know whether you can fully respond to incidents?
If you believe that this list applies to you, then Red Team will give you a fresh perspective and valuable new experience.
Pentest is a type of security analysis suitable for organizations of all sizes. For small and medium-sized organizations, a pentest helps quickly find and eliminate vulnerabilities; such organizations may not have the resources or response centers needed for a full comprehensive security assessment. For large companies with “mature” information security, it is advisable to use Red Team together with pentests.
I will summarize:
To strengthen a company's information security, the number of methods used to assess it needs to grow.