What is the Difference Between a Penetration Test and a Red Team Assessment?
Posted by Luke McLemore
When looking for external security services, there is often a lot of confusion concerning what exactly a penetration test is versus a “Red Team” operation, since a main component of the latter is essentially penetration testing. This blog acts as a resource for identifying the differences between a normal penetration test and a full red team assessment.
This is a blog in our security services series highlighting the corporate security journey, and identifying the main areas of focus when considering external security services as you move your organization along the corporate security journey. First we will look at the traditional (commoditized) penetration test, and then locate where penetration tests fall into the more comprehensive Red Team assessment.
What is a Penetration Test?
Commoditized Penetration Testing
A penetration test evaluates the effectiveness of security controls by simulating a real-world attack that reasonably mimics current adversary techniques. Penetration testing is useful for illuminating unknown security weaknesses that could result in a compromise, but it is often confined to certain attack vectors and is limited by testing, scope, and time restrictions. The quality of a firm’s pentesting talent can change the outcome dramatically, but it can also result in the goal posts being moved to ensure a “win.” Attack vectors for traditional penetration testing include:
- Social Engineering Test
- External Network Penetration Testing
- Internal Network Penetration Testing
- Wireless Network Penetration Testing
- Physical Penetration Testing
While penetration testing does not tell the whole story of your security infrastructure, it can help identify gaps in your organization’s detection capabilities and procedures. It can’t identify all vulnerabilities, but it is a useful tool to have, so long as it’s incorporated into a bigger toolbox. It is used to identify a broad set of issues rather than to escalate any one of those issues further.
PCI Penetration Testing
PCI penetration testing simply uses the industry-accepted approach of applying the NIST SP800-115 standard to ensure compliance. While this is a great foundation, it does not account for more advanced attack vectors, and it does not follow a model of continuous improvement. You can check boxes while searching for problems, but the boxes don’t account for the problems that fall outside them, and this method does not solve for that. There is a set checklist to follow for this type of test, and most firms recommend the following activities to satisfy PCI requirements:
- Approach based on the industry-accepted standard NIST SP800-115
- Coverage for the entire CDE perimeter and critical systems
- Testing from both inside and outside the network
- Testing to validate any segmentation and scope-reduction controls
- Application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Network-layer penetration tests to include components that support network functions as well as operating systems
- Review and consideration of threats and vulnerabilities experienced in the last 12 months
- Retention of penetration testing results and remediation activity results
As covered in the introductory blog, these types of tests are not an effective way to measure risk, identify the security gaps that matter, or improve the overall security posture of your organization, but rather only function as one pillar of a much larger structure.
What is a Red Team assessment?
The capstone exam of the corporate security journey, a red team exercise is a client’s opportunity to evaluate not only the strength of their networks, but of their entire security organization: incident responders, automated defensive tools, SOC analysts, etc. It is their chance to take all of the knowledge imparted to them from past penetration tests and tabletop exercises and determine whether those pieces can work together in a “real-world” threat simulation. Operators on a red team assessment combine high levels of both technical ability and creativity to present clients with as realistic a threat as possible.
While penetration tests are essentially incorporated in this assessment, the philosophy is entirely different. Penetration tests come with a well-defined scope and will provide as much coverage on that scope as possible. This is often done in a white-box manner, without the fear of getting shunned or blocked by automated defense systems.
In a red team assessment, there is no well-defined scope, and the goals are radically different. Red Teams are used when an organization is interested in testing its team’s detection and response capabilities, so broad coverage of vulnerabilities is not the focus; defense evasion and goal completion are. You can think of it as the difference between a breadth-first and a depth-first search, where red teaming is the depth-first search. More components are required for this kind of assessment, including recon, exploitation, privilege escalation, objective completion, and persistence.
For information on some of the attacks used in Red Team assessments, download our report: The Top 10 Most Prevalent Internal Attacks and How to Prepare for Them.
When should I consider a Red Team assessment?
In our next blog we will cover where Red Team assessments fall in the corporate security journey, break down the exact components of a Red Team operation, and how to identify if your organization is ready for a fully comprehensive Red Team assessment.