Red Teaming and Penetration Testing

What’s the difference?

In a rapidly evolving technological world it is a constant struggle to keep yourself and your organisation's resources secure. As the cyber security landscape expands, so do the assessment procedures used to prepare for ever-changing threats. Penetration testing and red team assessments have become the main ways of testing an organisation's technical infrastructure and security resilience. While the two exercises share common elements, they differ drastically in scope and approach.

A penetration test (PT) is a tool-assisted manual assessment that exploits one or more vulnerabilities to establish how far an attacker could penetrate an organisation. PTs can be goal-oriented or more open-ended in nature. A standard penetration test assesses networks, systems, web applications, mobile devices and so on, with the aim of identifying as many vulnerabilities as possible. In contrast to red teaming, a PT does not usually focus on stealth or evasion: the organisation and its security team are typically aware that testing is taking place. The main benefit is that the testers can put all of their effort into finding vulnerabilities, since little time needs to be spent understanding or avoiding the intrusion detection infrastructure. The trade-off is that penetration tests can be "noisy", generating scan traffic, alerts and log entries that a real attacker would try hard to avoid.


A red team (RT) campaign is a threat-led penetration test in which the organisation's detection and response capabilities (typically those of its Security Operations Centre, or SOC, referred to as the blue team) are tested as well. The campaign is usually run covertly, so that the blue team is not forewarned, and specific attack scenarios are often agreed upon up front. In contrast to penetration testing, red teaming is driven by target objectives: rather than prioritising the discovery of as many vulnerabilities as possible, the red team tests how the organisation's security team responds to realistic threats. Red teaming is typically employed by organisations with a more mature or sophisticated security posture.


Red teams want a stealthy way in and aim to remain undetected in the target's environment for as long as possible, gathering more information as they move laterally and escalate privileges through the organisation's network. Because they are after more sensitive data and have longer to acquire it, they work quietly, emulating an Advanced Persistent Threat (APT). A red team assessment begins with reconnaissance: collecting as much information as possible about the target's people, technology and environment so that the right tools for the engagement can be built or acquired. Through open-source intelligence (OSINT) gathering, red teamers develop a deeper understanding of the target's infrastructure, facilities, employees and operations. This in turn enables weaponisation, such as crafting custom malicious file payloads, preparing RFID (Radio Frequency Identification) badge cloners, configuring hardware trojans, or creating falsified personas and companies.

A further actor has emerged in the last few years: the purple team. Its role is to coordinate the activity of the red and blue teams so that the exercise yields the most value. This means not only mediating between attackers and defenders but also providing a view that is independent of both positions, so that each offensive technique can be checked against what the defenders actually saw and the findings fed straight back into detection and response. Thanks to this less well-known but no less important approach, the organisation gains a much clearer picture of its exposure to a targeted attack and of how it reacts to one.

During execution, red teamers carry out actions against the target, such as face-to-face social engineering or planting hardware trojans, noting every opportunity for exploitation along the way.

In some instances the more realistic threat scenario of red teaming is the superior testing modality. Red teaming places the organisation's security team as close to a real security incident as possible, and so tests incident response accurately. At the end of the engagement, the blue team hands the red team every indicator of compromise (IOC) it detected. These are compared with the red team's own record of its activity and combined into a report timeline showing which actions were detected, how quickly, and which went unnoticed. To draw the most value from the exercise, the red team then works closely with the blue team, explaining its tactics, techniques and procedures (TTPs) and how to better detect and respond to such methods in future incidents.
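The reconciliation described above is easy to get wrong by hand once an engagement runs for weeks, so it is worth scripting. The following is an added example, not code from the original page or from PwC: it takes a red team activity log and the blue team's alert list, matches each action to same-host alerts raised within a configurable window after it, and produces the report timeline plus a per-technique detection ratio. All hosts, timestamps and alert names are constructed sample data for a hypothetical engagement; the technique codes are MITRE ATT&CK technique IDs used only as labels.

```python
"""Correlate a red team activity log with blue team alerts into a detection timeline."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RedAction:
    ts: datetime
    host: str
    technique: str  # ATT&CK technique ID, used here purely as a label
    note: str


@dataclass(frozen=True)
class BlueAlert:
    ts: datetime
    host: str
    rule: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data for a hypothetical engagement (not real hosts or alerts).
RED_LOG = [
    RedAction(_t("2024-03-04T09:12:00"), "ws-finance-07", "T1566", "phishing attachment opened, stager executed"),
    RedAction(_t("2024-03-04T11:05:00"), "ws-finance-07", "T1003", "LSASS memory dumped for credentials"),
    RedAction(_t("2024-03-05T14:30:00"), "srv-file-02", "T1021", "RDP to file server with harvested credentials"),
    RedAction(_t("2024-03-06T16:45:00"), "srv-file-02", "T1048", "staged data exfiltrated over DNS"),
]
BLUE_ALERTS = [
    BlueAlert(_t("2024-03-04T09:14:30"), "ws-finance-07", "EDR: Office spawned unexpected child process"),
    BlueAlert(_t("2024-03-05T14:52:00"), "srv-file-02", "SIEM: RDP logon from workstation subnet"),
    BlueAlert(_t("2024-03-06T08:00:00"), "srv-file-02", "AV: scheduled scan completed"),  # unrelated noise
]


def correlate(red_actions, blue_alerts, window=timedelta(minutes=30)):
    """Build the report timeline: for each red action (in time order), the alerts on the
    same host raised within `window` after it. Alerts before the action, after the
    window, or on other hosts are ignored rather than credited to the blue team."""
    timeline = []
    for action in sorted(red_actions, key=lambda a: a.ts):
        hits = sorted(
            (b for b in blue_alerts
             if b.host == action.host and action.ts <= b.ts <= action.ts + window),
            key=lambda b: b.ts,
        )
        timeline.append({
            "ts": action.ts,
            "host": action.host,
            "technique": action.technique,
            "note": action.note,
            "detected": bool(hits),
            "alerts": [b.rule for b in hits],
            # time from the red action to the first alert that caught it
            "time_to_detect_s": int((hits[0].ts - action.ts).total_seconds()) if hits else None,
        })
    return timeline


def coverage(timeline):
    """Per-technique detection ratio as {technique: (detected, attempted)}."""
    stats = {}
    for entry in timeline:
        hit, total = stats.get(entry["technique"], (0, 0))
        stats[entry["technique"]] = (hit + int(entry["detected"]), total + 1)
    return stats


def undetected(timeline):
    """Techniques the blue team never caught: the detection gaps to prioritise."""
    return sorted({e["technique"] for e in timeline if not e["detected"]})


if __name__ == "__main__":
    tl = correlate(RED_LOG, BLUE_ALERTS)
    for e in tl:
        status = f"detected after {e['time_to_detect_s']}s" if e["detected"] else "NOT detected"
        print(f"{e['ts'].isoformat()} {e['host']:14} {e['technique']} {status}: {e['note']}")
    print("coverage:", coverage(tl))
    print("gaps:", undetected(tl))
```

The window is deliberately one-sided: an alert that fired before the red action cannot have been caused by it, so it must not count as a detection. On the sample data the phishing and RDP steps are caught (after 150 s and 22 minutes respectively) while credential dumping and DNS exfiltration are not, which is exactly the list the two teams should sit down with in the debrief.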


Penetration testers, on the other hand, are geared towards identifying existing vulnerabilities, applying a broader approach to testing. This gives more bang for the buck, especially for an organisation with less security maturity. Identifying and validating vulnerabilities provides a clear snapshot of the existing threats and of the potential business impact of successful exploitation.

Penetration Testing vs Red Teaming

Time
Penetration testing: shorter testing windows, typically days to a few weeks.
Red teaming: several weeks, and potentially more than a month.

Objective
Penetration testing: identifying all exploitable vulnerabilities, such as missing patches, misconfigurations and user access management weaknesses, so that the resulting security risks can be remediated. The focus is on the systems and technology in place.
Red teaming: accessing specific systems or data by exploiting vulnerabilities and behaviours and circumventing technical controls, with the aim of testing detection, response, security awareness and culture. A more holistic approach, with more time for reconnaissance and a view of the entire organisation's security practices.

Tactics
Penetration testing: depends on the scope of the test; for example, external infrastructure, web application, mobile application and remote desktop breakout tests each follow different best-practice methodologies and use different tools and techniques.
Red teaming: a combination of real-world tactics, tools and procedures, including detailed open-source intelligence gathering, social engineering, distraction techniques, technical vulnerability identification and exploitation, and data exfiltration, all while remaining undetected.

Outcome
Penetration testing: identification of exploitable security vulnerabilities, assessed on their level of risk to the organisation, together with remediation advice and technical recommendations.
Red teaming: insight into the overall security posture of the target organisation (strengths and weaknesses), including detection and response capabilities, logical and physical security, and security awareness and culture, with recommendations for the key issues identified.

Cost
Penetration testing: usually cheaper, because a limited testing window is agreed upon based on the client's objectives and the available budget.
Red teaming: usually more expensive, because more consultants are involved and the engagement takes longer, using multiple tools and techniques to avoid detection.

Contact us

Michel Ganado, Digital Services Leader, PwC Malta
Tel: +356 2564 7091

Kirsten Cremona, Senior Manager, Digital Services, PwC Malta
Tel: +356 7975 6911
