What to choose: Red Team or Penetration Testing

7 May 2023 11 minutes Author: D2-R2

Pentest or Red Team? Pirates vs Ninjas

Let’s compare two popular security testing methodologies, Red Team and Penetration Testing, to make it easier for you to choose the right option for your business. Both are effective tools for identifying vulnerabilities and raising the level of security of your company, but they differ in ways that should be considered before making a decision.

Red Team is a comprehensive approach that simulates a real adversary’s attack on your infrastructure. The Red Team plays out various attack scenarios and uses a wide range of techniques, including social engineering, physical intrusion and technical attacks. This approach makes it possible to identify weaknesses in systems and processes, assess your team’s response to critical situations, and improve the overall level of security. Penetration Testing (also known as Ethical Hacking) is a focused process of identifying and exploiting specific vulnerabilities in your systems. Testers carry out targeted attacks using a variety of methods to find vulnerabilities and provide what is needed to remediate them.

Penetration Testing gives you a detailed report on the identified problems and recommendations for improving security. Choose Red Team if you need a comprehensive security assessment of your company that takes into account different types of attacks and uses a wide range of methods. Penetration Testing is the better option if you need targeted testing of specific vulnerabilities with detailed reporting. The same story applies to pentest and red teaming in general: both approaches have strengths and weaknesses, and which one is preferable depends on the circumstances. To get the most out of either, define your goals first and then decide which approach suits them. Both assessments examine an organization’s security posture and its full stack of security controls using adversarial tactics. However, they differ in their immediate objectives as well as in the methods and methodologies used.

Red Team

The term “Red Team” first appeared during the Cold War, when the color red was strongly associated with communism. In this multi-year military confrontation between the West and the East, the USA designated itself as the Blue Team, and the USSR and the People’s Republic of China as the Red Team. Evaluating the possible actions of the enemy during the attack and using critical thinking, the military modeled various threats and emergency situations, thereby achieving high-quality development of their strategic plans. Subsequently, this method of predicting the actions of the enemy began to be actively used in many industries that require a thorough analysis of defense systems.
In information security, the Red Team is a team of experts who simulate a real cyber attack. Their goal is to think and act like an attacker, trying every possible way to penetrate a company’s information security defenses using technical, social and even physical means. As a result, a Red Team assessment usually gives a more detailed and realistic picture of the organization’s security than other types of security analysis.

When we first started planning the creation of our department, we tried to attend as many industry events as possible to learn the opinions of specialists from other companies about what functions the Red Team should perform. In the classical definitions and concepts of the Red Team, the physical method of security analysis has historically been fundamental. For example, some teams practice infiltrating a facility using cloned access cards or planting hardware implants. Such methods have outright opponents, but personally I find this type of analysis extremely interesting and exciting.

Penetration testing (pentest or pen test)

Pentest, or penetration testing, is an analysis conducted by ethical hackers to assess how well a company is protected and to identify vulnerabilities. Pentesters focus on finding technical flaws: in particular, they scan networks and find and exploit vulnerabilities in services. The results of a pentest are usually presented as a report listing the identified shortcomings and recommendations for eliminating them. It is worth noting that direct training of the SOC is treated differently in different organizations, and the Red Team may additionally take part in the activities described below.

Purple Teaming

Purple Teaming is used to refer to several different concepts, but they agree on its main task: verifying, in a white-box format, the configuration of the company’s security tools and the detection rules in its SIEM. Both offensive and defensive specialists take part in this process, which increases the effectiveness of the two teams (Red Team and Blue Team) and, in an ideal world, also creates a constant dynamic interaction between them. Purple Teaming is characterized by immediate feedback from all parties and is concentrated within the company’s IT department without involving outside specialists.

Cyber exercises

In the broadest sense, a cyber exercise brings together several companies, organizations, government services and law enforcement agencies to simulate a joint response to a major cyber threat. In a narrower sense, it is the simulation of targeted threats by offensive specialists from the Red Team or pentest teams, carried out in a black-box or gray-box format. Both internal and external specialists can be involved in cyber exercises. Their goal is to test and improve the coordination and cooperation between companies or teams when countering cyber threats, or, as with Purple Teaming, to strengthen the defenses and the Blue Team. After the exercise, the attacking side provides a log of its actions for further investigation, together with the information needed to compare it against the Blue Team’s security system logs.
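The comparison described above (and the SIEM-rule verification mentioned under Purple Teaming) boils down to matching each logged Red Team action against the alerts the Blue Team actually raised. The following script is an added example, not code from the original article: it correlates a constructed Red Team action log with a constructed SIEM alert export by ATT&CK technique ID and a time window, then reports detection coverage, the techniques that went unnoticed and the detection latency per technique. The log formats, host names, rule names and the 15-minute matching window are assumptions chosen for illustration.

```python
"""Detection-coverage check: Red Team action log vs Blue Team alerts.

Added example, not code from the original article. Both logs below are
constructed sample data; the formats and the matching window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed Red Team action log: when, which ATT&CK technique, on which host,
# and a free-text description of what the attackers did.
RED_LOG = """\
2023-05-07T09:02:00 T1566.001 ws-fin-12 phishing e-mail with macro document opened
2023-05-07T09:05:30 T1059.001 ws-fin-12 PowerShell stager launched from macro
2023-05-07T09:41:00 T1003.001 ws-fin-12 LSASS memory dumped for credentials
2023-05-07T10:15:00 T1021.002 srv-pay-01 lateral movement over SMB admin share
2023-05-07T11:20:00 T1041 srv-pay-01 archive exfiltrated over HTTPS C2
"""

# Constructed Blue Team SIEM alert export: timestamp, reporting host, rule name,
# and the ATT&CK technique the rule is tagged with.  The 13:00 LSASS alert is
# unrelated to the exercise and must not be credited as a detection.
BLUE_LOG = """\
2023-05-07T09:06:10 ws-fin-12 EDR_Suspicious_PowerShell_Child_Of_Office T1059.001
2023-05-07T09:44:05 ws-fin-12 EDR_LSASS_Access T1003.001
2023-05-07T13:00:00 srv-pay-01 EDR_LSASS_Access T1003.001
2023-05-07T11:21:00 fw-edge-01 IDS_Large_Outbound_Transfer T1041
"""


@dataclass
class Action:
    time: datetime
    technique: str
    host: str
    description: str


@dataclass
class Alert:
    time: datetime
    host: str
    rule: str
    technique: str


def parse_red_log(text: str) -> list:
    """Parse 'timestamp technique host description...' lines."""
    actions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, technique, host, description = line.split(" ", 3)
        actions.append(Action(datetime.fromisoformat(ts), technique, host, description))
    return actions


def parse_blue_log(text: str) -> list:
    """Parse 'timestamp host rule technique' lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, rule, technique = line.split(" ", 3)
        alerts.append(Alert(datetime.fromisoformat(ts), host, rule, technique))
    return alerts


def match_detections(actions, alerts, window=timedelta(minutes=15)):
    """Pair each action with the earliest alert for the same technique raised
    within `window` after the action; alerts outside the window don't count."""
    ordered = sorted(alerts, key=lambda a: a.time)
    results = []
    for action in actions:
        hit = None
        for alert in ordered:
            if alert.technique == action.technique and action.time <= alert.time <= action.time + window:
                hit = alert
                break
        results.append((action, hit))
    return results


def coverage_report(results) -> dict:
    """Summarize coverage ratio, missed techniques and per-technique latency."""
    detected = [(a, b) for a, b in results if b is not None]
    return {
        "coverage": len(detected) / len(results) if results else 0.0,
        "missed": [a.technique for a, b in results if b is None],
        "latency_seconds": {a.technique: int((b.time - a.time).total_seconds()) for a, b in detected},
    }


def analyze(red_text: str = RED_LOG, blue_text: str = BLUE_LOG) -> dict:
    return coverage_report(match_detections(parse_red_log(red_text), parse_blue_log(blue_text)))


if __name__ == "__main__":
    report = analyze()
    print(f"Detection coverage: {report['coverage']:.0%}")
    print("Missed techniques:", ", ".join(report["missed"]))
    for technique, seconds in report["latency_seconds"].items():
        print(f"  {technique}: alerted after {seconds}s")
```

On the constructed data the initial phishing (T1566.001) and the SMB lateral movement (T1021.002) produce no alert at all, which is exactly the kind of gap a Purple Teaming session would turn into a new detection rule; the three detected steps show the latency between the action and the first alert. Matching is done on technique rather than host because network sensors (here the edge firewall) report under their own name, not the victim’s.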

Methods and objectives

The Red Team approach is usually broader and more flexible, combining elements of different methodologies (MITRE ATT&CK, OWASP, PTES), whereas pentesters follow a more structured approach and adhere to a particular methodology. The purpose of the Red Team is to identify vulnerabilities and weak points in the company’s security and provide recommendations for improving them. Its actions are usually more covert and may include methods such as social engineering. Pentesters, on the other hand, focus on finding and exploiting technical vulnerabilities in the company’s systems and networks.
The Red Team uses social engineering in the form of a targeted attack, for example phishing with a malicious attachment. Pentesters and the company’s own IT specialists can also run phishing campaigns, but those are mass mailings designed to test user awareness.

Cyber ranges (cyber polygons)

In case you are not yet lost in the number of cyber definitions and concepts, let’s touch on cyber ranges. These are specialized training grounds for simulating cyber attacks on “training” infrastructure. A cyber range typically includes various networks and computer systems designed to mimic real-world environments, allowing the Red Team and Blue Team to hone their skills in a controlled setting.

Differences

Purple Teaming, cyber exercises and cyber ranges are similar in that they all involve simulating cyber threats to test a company’s defenses. They differ in scope and focus: Purple Teaming aims to test and tune the defenses, cyber exercises focus on testing coordination between employees or organizations, and a cyber range is a controlled environment in which the Red Team and Blue Team hone their skills.

Risks, business risks and timeframes

In addition to using various methodologies and TTPs, the Red Team has another extremely important task: to verify in practice the likelihood of events that are undesirable for the business. Put simply, this is about the company’s assets that are critical from an information security point of view and the risks associated with them. Take a financial company: its most critical assets will logically be the systems that receive and process payments, as well as systems holding information about users. Knowing these assets, their location in the corporate network, the external access points and the technology stacks used to build the information systems, it is possible to estimate the probability of undesirable events, calculate the organization’s potential losses and even predict how often such events will occur.

This is what risk assessment specialists, metric sets and frameworks exist for. With the collected analytics and risk studies in hand, the TTPs of specific threat groups can be agreed on for emulation. In the case of a financial company, that could be an APT group specializing in such organizations, such as Carbanak. The Red Team can then confirm or disprove a hypothesis about the likelihood of a particular adverse event, so that the risk assessment methodology or framework used in the company can be adjusted.

The timeframes and conditions also differ. During pentests it is common practice to disable security tools and add the pentesters’ IP addresses to whitelists so that they can identify as many vulnerabilities as possible in the allotted time. The customer and its information security service know the start and end dates of the tests, which are carried out under conditions clearly spelled out in the terms of reference. Red Team work, by contrast, is usually allotted anywhere from several months to a year, and protections are not disabled. The Red Team’s approach is therefore more stealthy: because the defenses stay on, any step can be the last, after which the exploitation chain has to be started over from the beginning.

Internal and external teams

The main advantage of Red Team specialists within the company is that they know the structure of its systems and processes. This makes them more effective when simulating threats. With access to sensitive information and systems, they find and exploit vulnerabilities more easily.
External teams can look at everything with a fresh eye and provide unbiased assessments of the company’s security. They are not familiar with the internal systems and processes, so it will be easier for them to think like a real attacker and identify vulnerabilities that the internal Red Team might miss.
The choice between an internal or an external team depends on the specific needs and goals of the company. Overall, both Red Team variants will be valuable security analysis tools, and even have the potential to complement each other.

When is it better to use pentest and when is Red Team?

Testing a cyber attack on yourself

If you want to know:

  • whether your organization will survive a real targeted cyber attack;
  • how your information security and SOC employees will behave;
  • how effective the protections you use really are;
  • the real probability of business damage from a cyber attack,

then you need a security analysis by the Red Team. Performing such checks regularly will also help your organization identify new security risks and prepare for real threats.

Looking for bugs?

If you are concerned about:

  • How many vulnerabilities are there on the external and internal perimeter of the organization?
  • How many bugs get exploited and does SSDLC work properly?
  • Do administrators make mistakes in the configuration of systems and networks?
  • Do you need to implement additional security systems?

A pentest will answer these questions. It focuses on finding and eliminating specific vulnerabilities, and will help identify weak points and the direction for further security improvements.

When there is someone to oppose you?

As I said, Red Team is useful for organizations that want to test the effectiveness of their response to IS incidents. But how do you know whether you are able to respond to incidents at all?

  • You have a SOC and it operates 24/7; you are sure that at any time of the day or night a security alert will be reviewed by an IS employee, not by the system administrator on duty.
  • You have sufficient coverage with monitoring tools and already have rule sets in place, so IS events are recorded.
  • You regularly conduct pentests and know that the protection of your organization’s external and internal perimeter is rated as medium or high.
  • Your employees mostly understand what phishing is, are wary of it, and report suspicious events to IS.

If this list applies to you, then Red Team will give you a fresh perspective and new, useful experience.

When you don’t know where to start?

Pentest is a type of security analysis suitable for organizations of all sizes. For small and medium-sized organizations, a pentest helps to quickly find and eliminate vulnerabilities; such organizations often lack the resources or the response center needed for a full, comprehensive assessment. For large companies with mature information security, it makes sense to use Red Team together with pentests.

To summarize:

  • Red Team and pentest enable the company to assess information security and identify weak points.
  • Red Team and pentest complement each other and can be used together to get a complete picture of a company’s information security.
  • Choosing the right approach depends on the specific needs and goals of the company.
  • As a company’s information security matures, the range of methods used to assess it should grow with it.
