Red team vs penetration testers: which one to choose

Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It's also known as information technology security or electronic information security.

Medical services, retailers and public entities experienced the most breaches, with malicious criminals responsible for most incidents. Some of these sectors are more appealing to cybercriminals because they collect financial and medical data, but all businesses that use networks can be targeted for customer data, corporate espionage, or customer attacks.

This may cause up to billions in losses to certain companies in which some of them opted to employ a certain king of employees that focuses on the fortification of said company, and usually they work in teams.

What is Teaming?

Teaming is a cybersecurity exercise that fully simulates a real life attack to help measure how well an organization can withstand the cyber threats and malicious actors of today. A red team serves as the attacker in this simulation, using the same techniques and tools of hackers to evade detection and test the defense readiness of the internal security team. This includes testing for not just vulnerabilities within the technology, but of the people within the organization as well. Social engineering techniques like phishing or in person visits. Even the security of the physical premises may be tested. Ultimately, teaming serves as a comprehensive assessment of your security infrastructure as a whole. 

By definition a red team is a group that helps organizations to improve themselves by providing opposition to the point of view of the organization that they are helping. They are often effective in helping organizations overcome cultural bias and broaden their problem-solving capabilities. In other words a red team is formed with the intention of identifying and assessing vulnerabilities, testing assumptions, viewing alternate options for attack, and revealing the limitations and security risks for an organization. This designated group tests the security posture of your organization to see how it will fare against real-time attacks before they actually happen. Because of their roles as the attackers, teaming exercises are sometimes also referred to as red-teaming. On the other side penetration testing aims at assessing a network, system, web app or any other resource so as to detect as many configuration issues and vulnerabilities as possible. Testers looking through the eyes of threat actors later exploit these vulnerabilities and find out the level of risk behind them.

What is the difference between a penetration test and a red team exercise? The common understanding is that a red team exercise is a pen-test on steroids, but what does that mean?

While both programs are performed by ethical hackers, whether they are in-house residents or contracted externally, the difference runs deeper.

In a nutshell, a pen-test is performed to discover exploitable vulnerabilities and misconfigurations that would potentially serve unethical hackers. They primarily test the effectiveness of security controls and employee security awareness. The purpose of a red team exercise, in addition to discovering exploitable vulnerabilities, is to exercise the operational effectiveness of the security team, the blue team. A red team exercise challenges the blue team's capabilities and supporting technology to detect, respond, and recover from a breach. The objective is to improve their incident management and response procedures.

The challenge with pen-testing and red team exercises is that they are relatively high-resource intensive. A pen test can run for 1 to 3 weeks and a red team exercise for 4 to 8 weeks and are typically performed annually, if at all.

Today's cyber environment is one of rapid and constant change. It is driven by evolving threats and adversarial tactics and techniques, and by the accelerated rate of change in IT and adaptations to the security stack. This has created a need for frequent security testing and demand for automated and continuous security validation or breach and attack simulation (BAS). These solutions discover and help remediate exploitable vulnerabilities and misconfigurations, and they can be performed safely in the production environment. They enable security teams to measure and improve the operational effectiveness of their security controls more frequently than pen-testing. But can they be used in a red team exercise?

There are two approaches that need to be considered. The first, red team automation, has the obvious advantage of increasing the operational efficiency of a red team. It enables them to automate repetitive and investigative actions, identify exploitable weaknesses and vulnerabilities, and it provides them a good picture of what they are up against, fast.

In principle, this is not too far from what BAS provides today by supporting a broad set of attack simulations and providing a rich library of atomic executions codified to the MITRE ATT&CK framework. They even provide red teams the capability to craft their own executions. Red team automation can support red team activities, but the value is limited, and most red teams have their own set of homegrown tools developed for the same purpose.

A new approach, red team simulation, takes these capabilities a step further. It enables a red team to create complex attack scenarios that execute across the full kill chain, basically creating custom APT flows. Instead of executing a bank of commands to find a weakness, it performs a multi-path, sequenced flow of executions.

The primary advantage of this approach is that it incorporates logic into the flow. As the simulation progresses, it leverages the findings of previous executions in addition to external data sources and tools. It will even download tools on a target machine, based on the dependencies of an execution. For example, a sample flow could include Mimikatz providing credential input to a PSexec based technique and drop to disk PSexec on the target machine if it's missing. A red team simulation can include all the stages of an attack from initial access to impact and even reconnaissance performed in the pre-attack stage.

Penetration testing has been the trusted security measure for a long time. However, due to time and scope related constraints, something with a more specific perspective is also required at times. Red Team assessments overcome the limitations of penetration testing and provide a full-proof way of recreating actual threat scenarios by exposing serious attack surfaces. Sometimes it's better to completely simulate the real-world threat scenario. And that's what Red Team engagements do. They take your organization's security teams as close to a real security incident as they could. Penetration testers, on the other hand, are more inclined towards finding vulnerabilities. But, they aren't as focused on achieving specific security goals as Red Teamers are. Moreover, they don't check your organization's response or preparedness in case of an actual attack.

Health organizations may be more concerned about their patients' health-related data. Banking institutions might care more about their customers' accounts and card related information. Red Teams safeguard all these specific business goals without any constraints. They help businesses stay on their toes when it comes to facing any adverse situation.

Employing a Red Team assessment not only helps organizations in highlighting critical vulnerabilities but also use the test information to educate the end-users regarding more safe practices and increase their security awareness. Moreover, understanding your enemy's motivations better also puts you one step ahead of them. You can disrupt your enemy's actions anytime and show them their real place.

The benefits of red team simulation extend beyond operational efficiency for both in-house red teams and companies that provide red team services. Scenarios can be replayed to validate lessons learned from previous exercises. Red teams that operate in global companies can cover more geographies.

Even with red team simulation, the human factor remains key in assessing the result of an exercise and providing guidance to improve incident management and response procedures, but it makes red team exercises accessible and achievable to a larger market, where cost is a limiting factor. In the battle between Penetration Tests and Red Team assessments, no clear winner can be identified. They are simply one of the best testing procedures in their own specific scenarios. However, you certainly need to make a choice when you have to choose between stealth and detailed exploration. You would never choose to conduct a penetration test to assess your incident response. Similarly, you would never choose to perform Red Team assessment if you wish to explore vulnerabilities in detail. 

A better choice, however, will be to identify the right situation and employ the test method which best suits your needs.