Lately, our discussions with the customers have often brought up the dilemma of whether they really want us to run a penetration test or Red Teaming. There is a conceptual difference between the two, which we wrote about on the blog two years ago. To achieve the desired goal, we have to use the right tools or, in this case, services. When we compare the two, there is no better or worse because they are used for different purposes. This blog post points out which parameters we must consider when deciding on a penetration test or Red Teaming.
The demand for both types of tests is much higher today than it was at the time of our first blog post. The frequency of cyber-attacks is unprecedented, and both “offence” and “defence” are facing an entirely new battlefield:
- The attack surface is larger due to the dispersion of IT resources. Consequently, hackers have more potential targets to attack and profit from. SOC centres or IT departments have to protect a larger surface area, translating into more security devices and larger operations centres.
- Security devices are becoming more sophisticated and are capturing more malicious traffic. There is also an increasing emphasis on awareness-raising among users, who are becoming more adept at identifying potential attacks. Hackers therefore need to prepare more sophisticated attacks, which works in the defence’s favour.
The two points mentioned above clarify that all teams in the cyber security chain have an increasing volume of resources to learn from. This drives them to continuously improve and evolve cyber (in)security.
The motive and the perfect timing for a penetration test or Red Teaming
Roughly speaking, customers decide to purchase a cyber security test for two main reasons: for compliance and to verify security controls. For these purposes, they typically order penetration tests of IT systems, which are carried out once a year. In organisations that opt for periodic penetration tests, the level of cybersecurity awareness is usually relatively high. Consequently, they often also want to check the security of their applications and conduct security awareness training for users in the meantime.
However, companies also want to test their IT security after they have been attacked, or after an attack has hit someone close to them. In this situation, they usually want to run a Red Teaming project. As it is a simulation of an actual attack, such a test gives the organisation a realistic picture of the IT system’s resilience to hacker attacks.
When is the right time for a test? It can be any time. But at least for penetration tests, it is undoubtedly a good idea to perform them after every major change in the IT system: application upgrade, replacing hardware or software, moving to a different location, etc. Every change in the IT environment causes a change in communication between the individual building blocks of the system and can create new vulnerabilities.
The user as a tool in the hands of a hacker
Regardless of the technical changes in IT systems, we must be aware that the initial target of cyber-attacks is no longer networks and security devices. Their technology has become too sophisticated to be easily abused without proper access.
On the other hand, there are vulnerable users in every company who are susceptible to social engineering and can be used by hackers as an entry point into business networks. Advanced attackers go “reconnaissance first”. They observe users’ online and social networking activities, examine relationships and roles between employees, and collect their personal data. Based on the information they gather, they design so-called spear-phishing campaigns – phishing attacks tailored to the user’s interests or weaknesses. It takes only one relevant user clicking a malicious link for the attacker to start intercepting network traffic and obtaining confidential data. Therefore, it is imperative to ensure that your employees are cybersecurity-aware.
Make sure your security devices are properly configured
Although we often point out that users are the first line of defence when it comes to cybersecurity, security devices are just as important. Use them to empower your security team with tools for an appropriate response to cyber-attacks. A precondition for the effective functioning of security devices is their proper configuration. This means not just the configuration of a single device but the device in the context of the entire IT system. In some environments, integrating several devices into a system may introduce a vulnerability that would not arise in a different system. When running a penetration test, it is therefore essential to look at vulnerabilities holistically, from a system perspective.
So far, we have discussed the exposure of the system to different attack vectors: either through social engineering and users or through vulnerabilities in devices or the connections between them. But how do you decide whether to order “just” a penetration test or Red Teaming? It depends on the goal of your project.
Let’s explain this with the example of a jewellery shop. If we are carrying out a penetration test, our objective is to break into the jewellery shop or check whether this is even possible given the implemented security mechanisms. When it comes to Red Teaming, the goal is to break into the jewellery shop and take the diamond necklace out undetected. In the first case, we check security devices, applications, systems, and even physical security – but all in a targeted and limited way. In the second case, we are trying to use social engineering and hacking methods to obtain high-value data and thereby – figuratively speaking – harm the organisation.
Penetration testing or simulated cyber-attack?
You should opt for a penetration test when you want to check compliance with legislation or the adequacy of security controls. It is carried out on a pre-defined, limited network segment, often in a test or development environment, so that the live service is not put at risk. Penetration tests are very time-limited – typically no more than two weeks. On the customer’s side, the entire IT team is usually informed about the test and monitors what is happening on the network while it runs. Penetration testing focuses on verifying the settings and operation of security devices, or the technical resilience of the network to intrusions, but it does not check the response of the security team.
On the other hand, Red Teaming digs deeper than a penetration test. Its duration is measured in months, while more extensive tests can even last for more than a year. It simulates a real hacker attack and includes different methods of abusing users and data. Unlike a pentest that targets security devices, Red Teaming usually starts with social engineering and gaining access to the internal network by abusing users: phishing, planting malware physically on the premises, or some other creative method. It is important to stay as quiet as real attackers would and not trigger alerts on security devices. After all, there is a Blue Team (the SOC centre or IT department) on the other side, keeping the network secure. Even once we gain access, we need to take all actions slowly and gradually penetrate as deep into the network as possible. To do this, operators develop their own scripts and malware and use advanced hacking tools.
Although Red Teaming is not limited to a specific network segment, it is not “hacking all over the place”. All actions must be carefully planned and targeted to a particular goal. Since the test is being carried out in a production environment, the operators must be even more careful to ensure that the system is not disrupted. The SOC centre or the IT department should not be informed about the test as the idea of Red Teaming is to make sure that as few people as possible know about it – ideally, only the CISO.
To conclude: Penetration test or Red Teaming?
So how can you decide which type of test is the right one for your organisation? Based on many years of experience, we regard Red Teaming as an upgrade to the penetration test. Organisations that already perform penetration testing and train their users to identify social engineering attacks are mature enough to have Red Teaming performed on their network. If you have not done any security testing yet, we recommend that you first run some regular penetration tests, start building up your users’ security awareness, and reinforce the three pillars of cybersecurity: confidentiality, integrity and availability.
A penetration test helps identify vulnerabilities and offers the foundation for ranking vulnerabilities and giving recommendations.
Test your IT team, employees, and processes. Red Teaming aims at hacking into your system without getting noticed.
Simulated phishing attacks are an effective way to train employees to identify phishing attacks and malicious links.