Red Team vs Penetration Testing – Which one is the right choice for your business?

Red Teaming Assessment

Whether it’s a security assessment, a vulnerability scan, a red team or a pen test – What’s common in them? To identify issues and mitigate them from an organizational risk perspective.

This article is aimed at weeding out various confusions from the readers mind.

Stock up your caffeine, we are going to cover these areas under this topic:

What is Penetration Testing?

A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. This cybersecurity assurance is provided against an organisation’s assets.

This exercise is limited to simulation of threat actor activity affecting a particular asset or group of assets. For example, an online retailer can commission a penetration test against web and mobile applications, underlying APIs and the supporting infrastructure. This in-depth exercise uncovers flaws from an unauthenticated and authenticated threat actor perspective (known as grey box methodology).

Average duration of penetration testing engagement is one to four weeks. For bigger programmes such as a transformation programme undergoing large scale technical risk assessment could extend to months. Once an assessment is finished, a deliverable in the form of a report and risk matrix in line with customer’s risk register format is provided to help with remediation plan.  A dedicated remediation service can be initiated to help remediate the identified findings. We have covered an in-depth article specifically dedicated to penetration testing, different types, process, methodology, costs and more here.

Size doesn’t matter

It’s not just large businesses, small and medium sized businesses are also targeted by cyber criminals. It’s no more limited to big budget companies who require protection and have the budget for. Every business is at risk. Given the digital advancements and our reliance on internet since pandemic hit the entire planet, the need to do safe and secure business online is ever growing.

In order to perform penetration testing, it is important to understand the context of assets in scope for the engagement. Pen testing projects are categorised into three areas on the basis of the level of knowledge and access granted to the security consultants. These are:

  1. Black Box Penetration Testing: A black box pen test starts with no prior knowledge and access to the target. For example, an internal infrastructure security assessment with zero prior knowledge.
  2. Grey Box Penetration Testing: A grey box pen test involves some level of knowledge and access to the target. For example, an internal infrastructure security assessment targeted at certain servers where IP address/ranges and other information is provided.
  3. White Box Penetration Testing: A white box pen test is granted with the highest level of information and access. For example, a secure hardening review on a specific build where administrator level access is provided to assess the gaps in current controls.

Business Benefits of Penetration Testing

There are multiple benefits of penetration testing to organisations opting for in-depth checks against their assets. These are listed below:
  • Identify and mitigate vulnerabilities before hackers
  • Independent third party opinion including out of box thinking based business logic flaws
  • Cyber attack simulation in controlled manner (without disrupting operations)
  • Meet compliance and regulation requirements
  • Demonstrate cyber security commitment

Penetration Testing Methodology

  • Initial Scoping & Objectives Initial scoping & objectives are agreed to ensure business context is taken into account. Defining an accurate scope defines the boundaries of a pen test, clarity of objectives, exclusions and what to do in case things go south.
  • Reconnaissance Reconnaissance involves profiling the target with information gathering phase. This intel helps to understand the target asset, underlying components and surroundings (network, applications, systems, devices).
  • Scanning Scanning is performed with an aim of finding vulnerabilities within the defined targets. This involves scanning the target for listening ports, hosted services, fingerprinting and analysing these services to prepare a rough attack layout.
  • Exploitation Exploitation involves attack attempt performed to gain access on the systems using vulnerabilities identified in the previous step. Post exploitation is performed after initial foothold to escalate privileges horizontally (across the similar privileged accounts, systems) or vertically (higher privileges to find highest level accounts) to infiltrate further into the network.
  • Reporting Reporting phase consists of data analysis and documenting the identified flaws. This involves clear wording citing details along with proof concept, reasons if/when manual verification was performed and the associated risk severities. Attack likelihood and impact is added in the findings section, followed by remediation advice. We ensure that tactical and strategic recommendations are also included to ensure non-technical audiences are aware of efforts and resources needed to fix these flaws.
  • Remediation Remediation is an optional phase, offered as consultancy service to the customers where risk mitigation plan is defined and executed on behalf of the customer.

Here’s a penetration testing methodology diagram indicating different stages of an engagement.

Penetration Testing Methodology
Penetration Testing Methodology

What is Red Teaming?

This is an intelligence led attack simulation campaign attempted to exploit weaknesses in the defensive controls deployed by an organisation. Red teaming exercise takes into account all the three factors:

  • People : Often used as foot in the door tactic by utilising spear-phishing or social engineering techniques.
  • Process : Exploiting known weaknesses in the processes using information gained during the extensive OSINT (Open Source Intelligence) phase
  • Technology : Bypassing technical controls (such as anti-virus) or taking advantage of the lack of technical controls (such as no data exfiltration checks)

This is a full-scale targeted attack conducted in stealth aimed at an organisation to assess its defensive controls. Our red team prepares the plan based on surveillance and research, as well as the latest tactics, techniques, and procedures (TTP) used by malicious threat actors.

Red team assessments run from 5-6 weeks to a few months depending upon the scope. As this is a scenario driven exercise, no credentials are provided to the red team consultants. Unlike penetration testing that is conducted on the staging/development environments (mostly in case of web applications), red team is always targeted at the production environment. This engagement leverages post-breach scenarios to pivot into new systems and networks, and launch further attacks or to exfiltrate data.

Red team costs are charged as one time fixed project fee. At Cyphere, we have tiered pricing based on the extent of access achieved in the client infrastructure. It’s only fair to charge clients based on the actual effort and not the entire project fee. More customisation are possible in certain projects where clients have specific objectives such as exfiltrating data from specific databases, tiered test cases to raise noise levels to alert blue teams or fully stealth projects.

Business Benefits of Red Teaming

Red team exercise often leads to surprises in terms of new findings that were blind spots to the organisation. By engaging red team and working with blue team, it leads to increases cyber defences and capabilities reducing the overall risk and increasing the alertness levels. Here are the main benefits of a red teaming activity:

    • Identify misconfigurations and gaps in the existing security products and processes
    • Assess the maturity of detection and response programmes whether it’s your MSSP or internal security team
    • Elevate awareness levels amongst staff to ensure human factor is covered from risk perspective
    • Utilise red teaming as a chance to build the core security capabilities, increasing the overall cyber security maturity
    • Experience an organisational attack in a real-time scenario – nothing’s more insightful than to observe your teams, products and processes responding to these events
    • You’ll be able to prepare a business case that management buys into

By thinking like an attacker, or one of your competitors, the Red Team exercise is driven to gain access and is not restricted by assumptions or preconceptions.

Red Teaming Methodology

Red team activities follow the famous ATT&CK Framework , that is a popular knowledge base of adversary tactics, techniques and procedures (TTPs) based on real experiences of red and blue teams. A red team attack sequence is largely based on cyber kill chain, originally developed by Lockheed Martin, used to break down the red team attack into identifiable stages. This is

  • Reconnaissance A threat actor performs profiling on the target, utilising range of online and onsite sources without actively performing any intrusive checks. This largely involves advanced OSINT techniques used to gather information that is analysed and used as basis for the attack setup.
  • Payload & Delivery Based on the information analysis, attack infrastructure is set up with targeted payloads that are likely to bypass the target organisations’ controls. Delivery mechanisms help safe execution of malicious payloads to bypass the protection mechanisms in use on target endpoints.
  • Exploitation A threat actor needs further privileges on the underlying system to access privileged assets and areas of the organisation infrastructure. This involves exploiting vulnerabilities to execute code on the system.
  • Installation After initial execution, a backdoor or related program is installed to ensure access to the attacker.
  • Command & Control The threat actor gains persistent access to the target network without worrying about losing connection. This ensures access is maintained even if target system is restarted.
  • Actions on Objectives End goal actions are initiated that may involve sensitive data theft (or data exfiltration to prove red team objectives), data corruption or deletion.

Cyber Kill Chain

Common Terms & Acronyms

  • TTPs – Tactics, techniques and procedures (TTP) is a concept in terrorism and cyber security, that discusses the behaviour of a threat actor. By analysing TTPs, one can understand the behaviour of attackers and how specific attacks are orchestrated. 
  • Implant – An implant will act similar to a trojan virus, with main difference that it’s under full control of an attacker. An implant could be a software or hardware deployed to be stealthy and obtain information in short time.
  • EDR Solution – Endpoint detection and response solution is a centrally managed solution, with endpoints deployed across the organisation against effective malware protection. 
  • C2 Servers – Command and control servers, also called C2, C&C, are set up by attackers and/or threat actors to maintain communication with compromised assets within the target network. 
  • Indicators of Compromise (IoC) – An artefact that is observed on a network or a computer system indicating a breach or an intrusion. IoCs provide valuable information on what happened, and what can be done to prevent such attacks.
  • APT (Advanced Persistent Threats) – A stealth threat actor ( belonging to nation state or organised crime group) that gains unauthorised access to a network and remains undetected for extended periods. 
 

Are you ready?

It’s often asked question because of multiple factors based around misunderstandings, budgets, timings, scopes and outcomes. Here are the breakdowns providing further insight.

When should you consider red teaming?

  1. To identify the core risks that affect the organisation (for example, lack of content filtering allowing data exfiltration)
  2. To assess your cyber-attack preparedness in real time
  3. To gain insights into how attackers can target your organisation
  4. To understand how to address your attack surface
  5. To review your cyber security investments (or to build a business case where necessary)

When you are asking for a ‘red team’ and don’t need one.

Red team, originally used by military, is often confused with penetration testing. Unfortunately, this scenario is carried out by security companies where sales teams have convinced potential customers for red teaming without talking about business context, their history of security processes and/or cyber security maturity. This is equally a buyer’s decision without probing into their objectives and mapping actions that would help them review their controls. A red team conducted without an organisation understanding the security basics is similar to spending on house decoration where structural issues have not been sorted yet.

Red team investment may not be justified yet if an organisation isn’t equipped with the following:

  • Technical security baselines on major assets such as servers, user endpoints.
  • Basic logging and monitoring processes
  • Incident response teams and processes

The above signs are also indicators of an organisation lacking cyber security maturity. Same red team budget can be split into multiple areas where risk identification and mitigation can be initiated as smaller projects, contributing to an overall secure posture.

A successful red team reports on the above areas, and your blue team may not be well equipped to detect, respond and recover from the attacks carried out by red team. Assuming your organisation has all those capabilities, it would make red team a worthwhile opportunity to plug the gaps where blue team needs more refinement in their processes and procedures.

When you are asking for a ‘pen test’ and don’t need one.

In the past, customers have requested penetration testing of enterprise products in use inside their environment. Although this is not at all a wrong decision to perform a pen test on the product, this should be least of your worries as it’s often looked at during the product evaluation process. It’s your vendor’s responsibility to first-hand adopt secure development lifecycle processes and deliver you a safe and secure product. Product vendors often put their products through various rounds of pen testing during development stages, and finding weaknesses in their product would drain your security budget. Vendors these days often provide cyber assurance collaterals that include details of product pen tests. For instance, a medium sized business using Citrix XenApp may not get much out of a pen test directed at the Citrix XenApp product. However, a customer may get better return on investment if a secure configuration review or a breakout assessment is aimed at the product implementation in customer’s infrastructure context. There are two benefits in this example case:

  • Your investment is carefully planned on the target asset in your business context (that is to help secure remote working users).
  • Your security budget is directed towards relevant elements i.e. secure configuration review and breakout assessment that are cheaper in cost compared to product security assessment.

Which one should I pick for my business?

If you are interested in doing quick checks on your system to find vulnerabilities in specific areas, penetration testing is a great way to do so quickly. If you want to know just how hard it is for attackers to compromise your business, red teaming is the course of action you want to take. However, base these decisions on what you have, what are your functional objectives and whether these activities fit in at right times.

Roughly, project scope under red team is the entire organisation. Supply chain scope could even stretch this further where subsidiaries are also included. Let us provide you this diagram that illustrates the differences in an easy to understand manner (adapted from @coffeetocode).

Security Testing

Vendor selection tips for Pen Testing and Red Teaming

A quick search shall show you what certifications, companies you need to select for the right vendor for pen testing and/or red teaming. We understand it’s important to equip readers with key mistakes about this process. Budgets as well as outcomes are important factors from such exercises. You should keep in mind the following pointers that often stump businesses looking to perform pen testing and red teaming campaigns.

  • SMB businesses often end up relying on IT service providers. This is either due to lack of awareness or to avoid one more vendor onboard. However, there is more downside to upside in this issue as IT service providers often lack the depth that cyber security specialists have, and lack the clarity on where they stand in comparison to peers in their industry.
  • Utilising the same vendor for MDR (Managed Detection Response)/ outsourced SOC (Security Operations Center) and Pen testing is a clear No! No! There is a clear conflict of interest here no matter how much convincing factor their sales team has.
  • If a penetration test vendor isn’t prepared to help you with your third party developers, not able to translate or help with remediation plan, you are paying for a report and run consultancy. 
  • Vendors who provide CV’s of experienced resources to win opportunities, later swap them with lesser experienced consultants citing availability or other reasons. This is clearly aimed at tricking the customer and increased profitability without considering customer relationship.
  • Jump into high budget red teams without considering and agreeing the deliverable outcomes.
  • Although this is not the norm amongst big security vendors, pricing must be agreed in line with the possible outcomes. For example. In case of red teams, it’s not always proven that entire organisation can be compromised or all objectives can be achieved, therefore vendor shouldn’t  charge the entire fee of the project. It’s clear that when they haven’t utilised resources for the entire duration of the project, it does not justify the high billing. Many other factors in relation to this should make part of your project discussions.

Conclusion

Making sure your company’s security measures stand up to the latest cyber-attacks is vital to keeping your business safe from online criminals. With these kinds of security assessments, you can ensure that any weaknesses in organisations are addressed and that your team understands how to stop potential cyber-attacks.

If you are looking for help with such tests, do not hesitate to work with cybersecurity firms. They will have the necessary tools and techniques to rigorously test your security implementations, helping you understand what is vulnerable to attack and what you can do to reinforce your security measures.

Cyphere offers various cybersecurity services, from penetration testing to threat intelligence, to help businesses strengthen their cybersecurity. If you are looking for vendor neutral penetration testing and managed services, work with us today!

CONTACT US