For an organization concerned about a specific aspect of its cybersecurity, a common decision is whether to do a penetration test or a red teaming exercise. It’s easy to search online for definitions of both, but what’s harder is to align the activity with the need. Which to do is a question I’m asked often by clients. It’s a question I’d like to help others answer here.
But first, let’s start with the basics so you and I are working within the same context.
What is a penetration test?
A penetration test is designed to find all of the vulnerabilities across a specified scope of the network or technology. A good metaphor is a security team testing all the doors and windows in a certain area to see which are unlocked or slightly ajar. It’s generally a tool of breadth, not depth. For the most part, it’s procured by the IT security team and is a central component to many organization’s compliance regimens.
What is a red teaming exercise?
A red team test is a realistic, unannounced attack based on an agreed scenario that’s executed by a group of friendly hackers—typically external security professionals. Unlike in a penetration test, the red team only needs to find one open door. Once inside, we, the red team, see how far we can navigate toward a target without being detected or blocked. Entry into the network could be gained through a vulnerability that would be picked up by a penetration test, but could also be achieved through a successful phishing attempt, for example. Scope is normally not limited, unless the company wants us to avoid compromising certain individuals (e.g. the CEO), databases, or certain critical systems.
The name originally comes from military terminology. The red team is the aggressor team; the blue team—typically an organization’s internal information security team— is on the defensive. The blue team must be unaware of the planned attack so its true defense capabilities can be measured. Due to the necessity of stealth, red teaming can be procured by a select few IT security folks, but it’s more often procured by senior executives, audit teams, general counsel, or even external counsel. When engaged by counsel, there’s an opportunity to perform the test under attorney-client privilege.
Matching the network security test to the need
Next, to demonstrate when you’d want to use each, I’ve provided some common client needs and explained which test would be most appropriate.
Client need: I have a new piece of software or hardware, or a new network connection. How do I know if it’s created any new vulnerabilities?
Test: Penetration test. If you’re worried about whether someone could get into your network because of a misconfigured technology stack, an open port, or exploitable vulnerabilities, this is for you. We analyze and examine all potential points of entry within the determined scope of the pen test.
Client need: There’s a new cyber attack in the news. Could this happen to me?
Test: Red team testing. A proficient red team can play any role asked and examine any attack vector, whether it’s based on a breaking-news hack or a vexing concern about the security of your connection to a subsidiary in a foreign country such as China. We can simulate the attack in question to see how resilient your organization is to a particular attack vector. This test will help to uncover how quickly will an attack be detected? How effectively will the attackers be blocked? How close could the attackers get to sensitive data?
Client need: Will my detection capabilities actually detect an intrusion?
Test: Red team. By nature of being a planned stealth attack, a red teaming exercise tests an organization’s detection capabilities, from the technology to the people monitoring it and responding. Usually the client notices us red teamers at some point, but there have been a few instances where the client hasn’t detected anything we’ve done for weeks. As we progress, we become deliberately noisier to see when we’re detected. We can also work with the organization’s blue team to tell you if any activity was logged by your monitoring systems but not flagged as part of an attack, or perhaps we left a tell-tale that wasn’t found.
Client need: My company needs evidence that it’s compliant with specific regulations. How do I get this?
Test: Depends on the regulation. Pen tests are often used to demonstrate compliance with cybersecurity and data protection regulations. Increasingly, however, regulators are concerned about advanced persistent threats (APTs). For example, bank regulators in United Kingdom, Netherlands, Singapore, and Hong Kong are asking banks to test against APTs to see if an attack on the bank could impact the larger economy. In this latter case, a red team is the way to go. We can work with you to determine a realistic APT attack scenario and implement it on your unsuspecting security team to determine your risk level.
There are many ways to measure cyber risk and cyber resilience. Assessments on the market span from the highly technical to governance focused, from a focus on malicious insider risk to third-party risk—and from penetration testing to red team testing. Choosing starts by identifying your goals, and then balancing the cost of service with the potential cost of not doing the service. In all cases, it’s a challenging decision-making process.