Hey, man, what’s Red Teaming? Is it a pentest?
The phrase “Red Teaming” has been increasingly mentioned in cybersecurity discussions. It sounds interesting, somewhat mysterious, contemporary, and offers a wide range of possible explanations for what it should actually mean.
As I have repeatedly come across different opinions in my discussions with colleagues in the field, it seemed appropriate to try to cover this topic.
So, let’s try to explain the difference between the Intrusion Test and Red Teaming, and what added value each of them offers. Both are security checks.
Let’s go back to the roots: How to test?
Although many contractors rely on techniques and practices drawn from their own experience, carrying out a security test according to an established methodology has a clear advantage: consistency, repeatability, and efficiency.
In the world of security auditing, the reference is the OSSTMM methodology. OSSTMM is a peer-reviewed methodology for systematically performing security tests using metrics, and as such it provides a comprehensive framework that can be adapted to any type of security testing. The beauty of the OSSTMM methodology begins with determining the type of test itself, which ensures that the contractor (hereinafter referred to as the “attacker”) understands the needs of the contracting authority (hereinafter “the target”).
The methodology proposes six different types of security testing approaches, which depend on the attacker’s initial knowledge of the target and on the target’s awareness that the test will take place (picture 1). For example, “Double Blind” means that the attacker knows nothing about the target, and the target, for its part, is not aware of the test. We will focus on two of these tests here: the Blind test and the Reversal test.
Blind Test – In this mode, the attacker knows nothing about the target, but the target is prepared and expecting the test. This type of test is best suited to testing the attacker’s abilities.
Reversal Test – The attacker has complete insight into the target, and the target knows nothing about the test. This type of test is intended to test the target’s readiness for attacks.
These two tests are diametrically opposite in their purpose. The first tests the tester’s experience and the quality of the security controls, and comes closest to the classic penetration test, while the second tests the organization’s readiness for an unannounced attack attempt and, according to the OSSTMM authors, is most commonly referred to as a “Red Team Exercise.”
A penetration test, or pentest, is a simulation of an attack on a system in order to show how vulnerable the system would be in the event of a real attack. It checks the effectiveness of security controls. Since penetration testing is often confused with vulnerability assessment, it is worth pointing out a significant difference here. The task of the pentester is to actually perform an “unauthorized” action (gain administrative access, change a digital record of information, etc.), while the task of the vulnerability assessor is to identify areas where the system could be at risk from an attacker. As soon as the vulnerability assessor identifies a vulnerability, they stop and no longer interfere with the system, while the pentester tries to exploit the identified vulnerability, which is the core of the penetration test.
“Red Team” comes from military terminology, most often paired with “Blue Team”. Military strategists realized long ago that defense against an enemy improves if it is occasionally tested by simulating an attack that exposes any weak points. In the world of cybersecurity, the Blue Team is the defensive side, typically the members of the SOC team, constantly monitoring and responding to potentially harmful cyber activities. They are reactive by nature, waiting for something to happen. Unlike the Blue Team, the Red Team is extremely proactive: it simulates real attacks and tries to bypass the defenses without being detected. The job of the Red Team is to find gaps in the defense in order to improve the Blue Team’s ability to detect intrusion attempts.
So what is the difference between a penetration test and Red Teaming? The goal of the pentester is to find out where the real technical flaws in cybersecurity are and to reduce the attack surface to the lowest possible level, while the purpose of the Red Team is, quite literally, to train the Blue Team. The pentester helps improve cybersecurity, while the Red Team tests and improves detection and response capabilities. Red Teaming therefore relies on a comprehensive understanding of cybersecurity management, which is made up of people, processes and technology.
References:
- ISECOM, OSSTMM 3 – The Open Source Security Testing Methodology Manual, https://www.isecom.org/OSSTMM.3.pdf
- Matjaž Kosem, Prilagoditev metodologije penetracijskega testiranja povezanih vozil (Adaptation of the penetration testing methodology for connected vehicles), master’s thesis, 2016