Penetration Testing vs. Red Teaming - What's the difference?
Red Teaming and Penetration Testing are two distinct, but related (and often confused), security assessment techniques. Both involve simulating a real-world cyber attack against your organisation to identify potential vulnerabilities and inform your cybersecurity defences. But what’s the difference between Red Teaming and Penetration Testing? And which one is right for you?
Red Teaming vs. Penetration Testing
Let’s take a closer look.
Despite some similarities and the terms often being used interchangeably, overall, there is a significant difference between red teaming exercises and penetration testing. At a top level:
- Red Teaming: Focuses on testing the overall cyber resilience of an organisation.
- Penetration Testing: A more focused scope, often limited to a system or application.
What is Penetration Testing or a ‘Pen Test’?
Standard Penetration Testing is a simulated and focused attack against your organisation’s applications and environment or systems.
The aim is to assess defined networks, systems, applications, devices, or people within your business to uncover and ethically exploit vulnerabilities within an agreed timeframe.
Penetration Testers, aka ‘ethical hackers’, act as real-life attackers would in penetrating your company’s defences. An experienced Pen Tester will be able to identify how and where a cyber-criminal might attack, how your defences would hold up and the magnitude of a potential breach within the target surface area, e.g., a specific system or application.
There are different types of Penetration Testing, with some of the most widely adopted being:
- Web Application Penetration Testing
- Mobile Application Penetration Testing
- API Penetration Testing
- Network and Infrastructure Penetration Testing
- Cloud Penetration Testing
- Physical Penetration Testing
- Browser Exploitation Testing
- Wireless Penetration Testing
- Social Engineering
Penetration Testing methodology varies from consultancy to consultancy, which is why it’s critical to verify a security partner’s credentials and methodology before selecting them. Typically, a Penetration Test will consist of pre-engagement, reconnaissance, threat modelling, exploitation, post-exploitation, analysis, reporting and follow-up.
Any professional Pen Testing provider will not rely solely on automated testing and will combine it with a manual, human approach to test and validate identified findings.
The results of a Penetration Test are generally provided in a report which should include all vulnerabilities discovered with a risk level for each as well as remediation advice. A debriefing is helpful for running through findings in more detail and an opportunity to seek further information or clarification.
What is a Red Teaming Assessment?
Red Teaming is not a Penetration Test.
Instead, a Red Team exercise focuses on simulating a realistic and targeted attack on an organisation, in a controlled manner.
At first glance, a Red Team Assessment might look like its friend the Penetration Test, but the real goal here is for the Red Team provider to use the latest tactics, techniques, and procedures (TTPs) to penetrate the organisation’s defences and access their crown jewels, aka target systems or data. It is also an opportunity to test the organisation’s detection and response capabilities.
A Penetration Test usually has a shorter, defined number of days allotted to the specific test, whereas a Red Teaming Exercise usually happens over an extended period to allow the assessors to be stealthier and try more attack scenarios, just as they would in real life.
A Red Team needs to consist of certified and experienced ethical hackers who have an in-depth understanding of all security domains, as an assessment would usually consist of multiple phases and approaches. The types of techniques used could include everything from social engineering to a physical attack whereby the team may try to gain access to an office to reach the onsite systems and data.
An organisation’s cyber team is aware of when a Penetration Test is happening and what the desired goals are. With Red Teaming, however, it’s more common for the wider team (even IT security) to be kept mostly in the dark. This enables the detection and response ability of the defenders, or ‘blue team’, to be put to the test.
What are the differences between Red Teaming and Penetration Testing?
- Penetration Testing: A short-lived project with a predefined number of days. The average Pen Test lasts 2-3 weeks.
- Penetration Testing: There are various types of Penetration Testing, including web and mobile, API and cloud. Best practice methodologies and techniques will be adopted depending on the type of Penetration Test.
- Red Teaming: A Red Team will use a combination of tactics, techniques and procedures (TTPs). Experienced teams will use a methodology covering multiple phases such as reconnaissance, weaponisation and exploitation.
- Penetration Testing: Pen Tests can be ‘noisy’, i.e. a group monitoring the network will know or may find out, as the idea is to uncover the maximum number of vulnerabilities with no concern for being caught.
- Penetration Testing: All discovered vulnerabilities within the target scope are identified, analysed, and reported with a level of risk and remediation advice.
- Red Teaming: A far more detailed, technical report will be provided, describing scenarios used and their effectiveness, providing the organisation with an indication of company-wide strengths as well as weaknesses. A Red Team Assessment acts as a practical test for internal security teams to truly test their detection and response ability.
- Red Teaming: Costs are higher as more consultants participate across a wider range of scenarios and over an extended period of time.
- Penetration Testing: A periodic exercise; most consultants will recommend at least one penetration test a year.
- Red Teaming: Frequency varies from organisation to organisation, but it tends to be less frequent than Penetration Testing due to the size, cost and duration.
What are the benefits of Red Teaming vs. Penetration Testing?
Red Team Assessments can be viewed as a more 360-degree or holistic approach, as they aim to get under the skin of an organisation’s overall security posture, as opposed to specific systems or data. However, once the crown jewels are reached and the goal achieved, other vulnerabilities could be overlooked. In contrast, a Penetration Test is so focused on uncovering exploitable vulnerabilities of a specific system or application that an organisation’s wider exposure would often not be considered in scope.
So, what's right for my business?
We often get asked 'which is better, a Pen Test or Red Team Assessment?' and the honest answer is one is not necessarily better than the other. Each is important and each has its place.
Ultimately, it boils down to organisational maturity.
If you’re at the beginning of your cyber journey (congratulations for getting started) then you’re probably looking at neither option and the first port of call would be a Vulnerability Assessment and/or Cyber Essentials as well as setting a strategy for moving forward.
Perhaps you’re an organisation reading this who has only ever had one or two Pen Tests, and, in that case, you should likely discuss your readiness with your trusted security consultancy before engaging with Red Teaming.
Red Teaming is best for organisations that have a more mature security culture, that will have had multiple vulnerability assessments and penetration tests previously, and will have remediated known vulnerabilities.
For those organisations reading this who are saying ‘tick, tick, tick’, Red Teaming is absolutely the next step to consider in bolstering your defences and overall ‘security posture’.
If you're curious to know more, would like some help in selecting the right next step for your organisation or are ready to hit ‘go’ then you’re in the right place.