Whether it’s a security assessment, a vulnerability scan, a red team or a pen test – what do they have in common? The aim is to identify issues and mitigate them from an organisational risk perspective.
This article is aimed at clearing up the various confusions in readers’ minds.
Stock up on caffeine; we are going to cover these areas under this topic:
- What is Penetration Testing?
- Business benefits of Penetration Testing
- Penetration Testing methodology
- What is Red Teaming?
- Business benefits of Red Teaming
- Red Teaming methodology
- Common Terms & Acronyms
- Which one should I pick for my business?
- Vendor selection tips
What is Penetration Testing?
A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. It provides cybersecurity assurance over an organisation’s assets by attempting to find as many vulnerabilities as possible, and it consists of a vulnerability assessment followed by manual, focused exploitation of the identified flaws.
The exercise carried out by pen testers is limited to simulating threat actor activity affecting a particular asset or group of assets. For example, an online retailer can commission a penetration test against its web and mobile applications, the underlying APIs and the supporting infrastructure. This in-depth exercise uncovers flaws from both an unauthenticated and an authenticated threat actor perspective (known as the grey box methodology). The output covers configuration issues, sensitive information storage practices, encryption configuration, secure hardening practices, logging and monitoring, and authentication/authorisation security mechanisms.
The average duration of a penetration testing engagement is one to four weeks. Bigger programmes, such as a transformation programme undergoing a large-scale technical risk assessment, can extend to months. Once an assessment is finished, a deliverable in the form of a report and a risk matrix, in line with the customer’s risk register format, is provided to help with the remediation plan. A dedicated remediation service can be initiated to help remediate the identified findings and improve the security posture. We have covered penetration testing, its different types, process, methodology, costs and more in a separate in-depth article.
Given the digital advancements and our reliance on the internet since the pandemic hit the entire planet, the need to do business online safely and securely has never been greater.
In order to perform penetration testing, it is important to understand the context of the assets in scope for the engagement. These projects are categorised into three areas on the basis of the level of knowledge and access granted to the security consultants. These are:
- Black Box Penetration Testing: A black box pen test starts with no prior knowledge of, or access to, the target. For example, an internal infrastructure security assessment with zero prior knowledge.
- Grey Box Penetration Testing: A grey box pen test involves some level of knowledge of and access to the target. For example, an internal infrastructure security assessment targeted at certain servers where IP addresses/ranges and other information are provided.
- White Box Penetration Testing: A white box pen test is granted the highest level of information and access. For example, a secure hardening review of a specific build where administrator-level access is provided to assess the gaps in current controls.
Business Benefits of Penetration Testing
- Identify and mitigate network and web application vulnerabilities before hackers do
- Independent third-party opinion, including out-of-the-box thinking that surfaces business logic flaws
- Cyber attack simulation in a controlled manner (without disrupting operations)
- Meet compliance and regulatory requirements
- Demonstrate cyber security commitment
Penetration Testing Methodology
- Initial Scoping & Objectives
Remediation is an optional phase, offered as a consultancy service to customers, where a risk mitigation plan is defined and executed on behalf of the customer.
What is Red Teaming?
This is an intelligence-led attack simulation campaign that attempts to exploit weaknesses in the defensive controls deployed by an organisation. A red teaming exercise takes into account all three factors:
- People: Often used as a foot-in-the-door tactic by utilising spear-phishing or social engineering techniques.
- Process: Exploiting known weaknesses in processes using information gained during the extensive OSINT (Open Source Intelligence) phase.
- Technology: Bypassing technical controls (such as anti-virus) or taking advantage of the lack of technical controls (such as no data exfiltration checks).
This is a full-scale targeted attack conducted in stealth against an organisation to assess its defensive controls (checks on detection and response capabilities throughout the organisation). Our red team prepares the plan based on surveillance and research, as well as the latest tactics, techniques and procedures (TTPs) used by malicious threat actors. The exercise is carried out by security consultants known as red teamers (pen testers with the relevant skill-set).
Red team assessments run from 5-6 weeks to a few months depending upon the scope. As this is a scenario-driven exercise, no credentials are provided to the red team consultants. Unlike penetration testing, which is often conducted on staging/development environments (mostly in the case of web applications), a red team is always targeted at the production environment. The engagement leverages post-breach scenarios to pivot into new systems and networks, and to launch further attacks or exfiltrate data.
Red team engagement costs are charged as a one-time fixed project fee. At Cyphere, we have tiered pricing based on the extent of access achieved in the client infrastructure. It’s only fair to charge clients based on the actual effort and not the entire project fee. More customisation is possible in certain projects where clients have specific objectives, such as exfiltrating data from specific databases, tiered test cases that raise noise levels to alert blue teams, or fully stealthy projects.
Business Benefits of Red Teaming
Engaging a red team and having it work with the blue team increases cyber defences and capabilities, reducing the overall risk and raising alertness levels. Here are the main benefits of a red teaming activity:
- Identify misconfigurations and gaps in the existing security products and processes
- Assess the maturity of detection and response capabilities whether it’s your MSSP or internal security team
- Utilise red teaming as a chance to build the core security capabilities, increasing the overall cyber security maturity
- Experience an organisational attack in a real-time scenario – nothing’s more insightful than to observe your teams, products and processes responding to these events
- You’ll be able to prepare a business case that management buys into
By thinking like an attacker, or one of your competitors, a red team assessment is driven to gain access and is not restricted by assumptions or preconceptions.
Red Team Methodology
Red team assessment activities follow the well-known MITRE ATT&CK framework, a popular knowledge base of adversary tactics, techniques and procedures (TTPs) based on the real experiences of red and blue teams. A red team attack sequence is largely based on the cyber kill chain, originally developed by Lockheed Martin, which breaks the red team attack down into identifiable stages, such as:
- Payload & Delivery
- Command & Control
- Actions on Objectives
Common Terms & Acronyms
- TTPs – Tactics, techniques and procedures (TTPs) is a concept from counter-terrorism and cyber security that describes the behaviour of a threat actor. By analysing TTPs, one can understand how attackers behave and how specific attacks are orchestrated.
- Implant – An implant acts similarly to a trojan, with the main difference that it is under the full control of an attacker. An implant can be software or hardware deployed to stay stealthy and obtain information in a short time.
- EDR Solution – An endpoint detection and response solution is a centrally managed solution with agents deployed on endpoints across the organisation to provide effective malware detection and response.
- C2 Servers – Command and control servers, also called C2 or C&C, are set up by attackers and/or threat actors to maintain communication with compromised assets within the target network.
- Indicators of Compromise (IoC) – An artefact observed on a network or a computer system that indicates a breach or an intrusion. IoCs provide valuable information on what happened and what can be done to prevent such attacks.
- APT (Advanced Persistent Threat) – A stealthy threat actor (belonging to a nation state or an organised crime group) that gains unauthorised access to a network and remains undetected for extended periods.
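The following is an added example, not part of the original article and not Cyphere’s tooling, showing how the IoC, C2 and kill-chain terms above fit together on the defender’s side. A constructed IoC set (a placeholder domain in the reserved .invalid TLD, a documentation-range IP and a sample SHA-256 hash) is matched against constructed log lines, and each hit is tagged with the kill-chain stage that the log source most plausibly indicates. The log format, the source-to-stage mapping and all sample values are assumptions made for this example.

```python
"""Added example: match constructed IoCs against constructed log lines and tag
each hit with a kill-chain stage. Not code from the original article."""
import re
from dataclasses import dataclass

# Constructed IoC set (placeholder values, not real threat intelligence).
IOCS = {
    "domain": {"update-cdn.example.invalid"},
    "ip": {"203.0.113.45"},  # TEST-NET-3 documentation range
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Assumption for this example: which kill-chain stage a hit from a given
# log source most likely indicates.
STAGE_BY_SOURCE = {
    "mail": "Payload & Delivery",
    "edr": "Payload & Delivery",
    "proxy": "Command & Control",
    "dlp": "Actions on Objectives",
}

# Simple extractors for the three indicator types used above.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}

# Constructed log lines: "<timestamp> <source> <key=value ...>".
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z proxy user=alice dst=update-cdn.example.invalid bytes_out=1820",
    "2024-05-01T09:12:09Z proxy user=alice dst=intranet.corp.example.invalid bytes_out=300",
    "2024-05-01T09:15:41Z edr host=WS-017 file_sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 action=allowed",
    "2024-05-01T09:20:00Z dlp user=alice dst_ip=203.0.113.45 bytes_out=52428800",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    source: str
    ioc_type: str
    value: str
    stage: str


def extract_indicators(message):
    """Return (type, value) pairs for every candidate indicator in a message."""
    found = []
    lowered = message.lower()
    for ioc_type, pattern in PATTERNS.items():
        for value in pattern.findall(lowered):
            found.append((ioc_type, value))
    return found


def match_iocs(log_lines, iocs=IOCS):
    """Match each log line's indicators against the IoC set; skip malformed lines."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line: ignore rather than crash the matcher
        _timestamp, source, message = parts
        for ioc_type, value in extract_indicators(message):
            if value in iocs.get(ioc_type, set()):
                stage = STAGE_BY_SOURCE.get(source, "Unknown")
                hits.append(Hit(line_no, source, ioc_type, value, stage))
    return hits


def stage_timeline(hits):
    """Distinct kill-chain stages in the order they were first observed."""
    seen = []
    for hit in hits:
        if hit.stage not in seen:
            seen.append(hit.stage)
    return seen


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(f"line {hit.line_no} [{hit.source}] {hit.ioc_type}={hit.value} -> {hit.stage}")
    print("stages observed:", stage_timeline(match_iocs(SAMPLE_LOGS)))
```

Run against the constructed lines, the matcher flags the proxy connection to the C2 domain, the EDR file-hash event and the DLP event to the IoC address, while the benign intranet connection is ignored; the timeline shows which kill-chain stages the blue team actually had visibility of, which is exactly the gap analysis a red team exercise is meant to produce.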
Are you ready?
This is an often-asked question because of multiple factors based around misunderstandings, budgets, timings, scopes and outcomes. Here are the breakdowns providing further insight.
When should you consider red team assessment?
- To identify the core risks that affect the organisation (for example, lack of content filtering allowing data exfiltration)
- To assess your cyber-attack preparedness in real time
- To gain insights into how attackers can target your organisation
- To understand how to address your attack surface
- To review your cyber security investments (or to build a business case where necessary)
When you are asking for a ‘red team’ and don’t need one.
The red team, a concept originally used by the military, is often confused with penetration testing. Unfortunately, this confusion is fuelled by security companies whose sales teams convince potential customers to buy red teaming without discussing the business context, the customer’s history of security processes and/or their cyber security maturity. It is equally a buyer’s failing not to probe their own objectives and map out the actions that would help them review their controls. A red team conducted without an organisation understanding the security basics is like spending on house decoration when the structural issues have not been sorted out yet.
Red team investment may not be justified yet if an organisation isn’t equipped with the following:
- Technical security baselines on major assets such as servers and user endpoints
- Basic logging and monitoring processes
- Incident response teams and processes
The above signs are also indicators of an organisation lacking cyber security maturity. The same red team budget can be split across multiple areas where risk identification and mitigation can be initiated as smaller projects, contributing to an overall secure posture.
When you are asking for a ‘pen test’ and don’t need one.
In the past, customers have requested penetration testing of enterprise products in use inside their environment. Although testing the product is not a wrong decision in itself, it should be the least of your worries, as it’s often looked at during the product evaluation process. It is your vendor’s responsibility to adopt secure development lifecycle processes first-hand and deliver you a safe and secure product. Product vendors often put their products through various rounds of security testing during development, and hunting for weaknesses in their product would drain your security budget. Vendors these days often provide cyber assurance collateral that includes details of product security assessments. A customer will usually get a better return on investment if a secure configuration review or a breakout assessment is aimed at the product implementation in the context of the customer’s own infrastructure.
Red Team vs Penetration Testing – Which one should I pick for my business?
If you are interested in doing quick checks on your systems to find vulnerabilities in specific areas, penetration testing is a great way to do so quickly. If you want to know just how hard it is for attackers to compromise your business, red teaming is the course of action you want to take. However, base these decisions on what you have, what your functional objectives are and whether these activities fit in at the right times.
Roughly, the project scope of a red team is the entire organisation. A supply chain scope could stretch this even further, where subsidiaries are also included. The diagram below (adapted from @coffeetocode) illustrates the differences in an easy-to-understand manner.
Red Team vs Penetration Testing – Selection tips
A quick search will show you which certifications and companies to look for when selecting the right vendor for the right type of assessment. We think it is more important to equip readers with the key mistakes made during this process. Budgets as well as outcomes are important factors in such exercises. Keep in mind the following pointers, which often stump businesses looking to perform security control validations.
- SMB businesses often end up relying on their IT service providers. This is either due to a lack of awareness or to avoid onboarding one more vendor. However, there is more downside than upside here, as IT service providers often lack the depth that cyber security specialists have, and lack clarity on where they stand in comparison to peers in their industry.
- Utilising the same vendor for MDR (Managed Detection and Response)/outsourced SOC (Security Operations Centre) and pen testing is a clear no-no. There is a clear conflict of interest here, no matter how convincing their sales team is.
- If a penetration test vendor isn’t prepared to help you with your third-party developers, or is not able to translate findings or help with a remediation plan, you are paying for a report-and-run consultancy.
- Vendors who provide the CVs of experienced resources to win opportunities, then swap them for less experienced consultants citing availability or other reasons. This is clearly aimed at tricking the customer and increasing profitability without regard for the customer relationship.
- Jumping into high-budget red teams without considering and agreeing the deliverable outcomes.
- Although this is not the norm amongst big security vendors, pricing must be agreed in line with the possible outcomes. For example, in the case of red teams it is not always proven that the entire organisation can be compromised or that all objectives can be achieved, so the vendor shouldn’t charge the entire project fee. When they haven’t utilised resources for the entire duration of the project, the high billing is not justified. Many other factors related to this should form part of your project discussions.
Making sure your company’s security measures stand up to the latest cyber-attacks is vital to keeping your business safe from online criminals. With these kinds of security assessments, you can ensure that any weaknesses in your organisation are addressed and that your team understands how to stop potential cyber-attacks.
If you are looking for help with red team assessments or pen tests, do not hesitate to work with cybersecurity firms. They will have the necessary tools and techniques to rigorously test your security implementations, helping you understand what is vulnerable to attack and what you can do to reinforce your security measures.
Cyphere offers various cybersecurity services, from penetration testing to threat intelligence, to help businesses strengthen their cybersecurity. If you are looking for vendor neutral penetration testing and managed services, work with us today!