Understanding Red Team Penetration Testing
If you’re running a company, organization or business that uses a computer, then cybersecurity is a must these days. That might look like keeping up with your basic security hygiene, but for a lot of organizations it needs to go beyond the basics. Regular vulnerability assessments, penetration tests and, possibly, red team penetration testing might be in order.
If you want to understand the differences between those things, read on! Need a tl;dr already? Red team penetration testing is the deluxe package when it comes to testing your cybersecurity practices. It’s the test that organizations dealing with highly sensitive or protected data will need if they want to be properly prepared to fend off (or quickly respond to) a data breach. And to potentially save the organization millions in the process.
What Is a Vulnerability Assessment?
Regardless of size, scope or industry, every organization will benefit from regular vulnerability assessments. Essentially, they are a quick way to check for security problems and areas of weakness across your network. Performing a vulnerability assessment means doing a scan of your access points and public-facing information along with your systems and saying, “Hey, here are the problems! Here are the cracks.”
Vulnerability assessments are kind of like an external home inspection. The inspector shows up, looks over everything and shares in detail all the things that might go wrong from the outside looking in.
So, no matter what type of organization you run, a vulnerability assessment will help prevent security breaches. It’ll give you a sense of how your security measures up against outside attacks. And, hopefully, give you the information you need to shore everything up.
The Difference Between Penetration Testing and Vulnerability Assessments
Now, a penetration test is a deeper dive following a vulnerability scan and assessment. A lot of organizations have a penetration test requirement as part of their security compliance expectations. Maybe those are internal requirements, maybe they’re external. But the important thing to understand is that vulnerability assessments and pen tests aren’t the same. The assessment is just the inspection. The pen test means coming in and actually exploiting the cracks.
Here’s where the home buying analogy falls apart, because you’re pretty unlikely to pay someone to come try and break things in your home. So, let’s shift the metaphor to stress testing in manufacturing. If you’re building a skyscraper, you need to be able to rely on the steel beams to support the weight that they’re engineered to support. If they don’t – catastrophe. So, it’s the manufacturer’s responsibility to test those beams to ensure they will function properly.
Similarly, if your company handles protected and/or sensitive customer data, those customers need to be able to trust that your system won’t fail. That’s why you need to run penetration tests. They help to ensure that if your system is attacked, it’ll hold up to the assault.
Penetration Testing vs. Red Team Penetration Testing
For many organizations a typical penetration test is enough. But it does have its limitations. Pen tests are run in a controlled environment. The variables are all calibrated. When a company is performing a pen test, they’re usually pretty focused on their line of defense. Everybody knows what’s happening and is paying attention. So, there isn’t as much room for chance to intervene. Everyone is keyed up, anticipating the test. Like the build up to finals week where the pen test is the final exam.
Red team penetration testing, on the other hand, is like the pop quiz from that one professor. You know that guy. The one who would wait for the one day that you stayed up too late and didn’t do the reading. Or you skipped lab and were totally planning to make it up on Thursday. Red team penetration testing is like that. Even though you’ve been coming to class and doing the reading and feel pretty sure you’re on top of things, there’s always a chance you won’t pass a pop quiz.
By emulating specific, real-world threats, red team penetration testing operates just like the real bad guys do. In a regular pen test, trained professionals come in, look at the system, and exploit the known vulnerabilities. It gives you the opportunity to respond to a threat that you know is coming. Red team pen testers, on the other hand, come in when no one is looking. They sneak in, with the explicit goal of avoiding getting caught – and seeing just how far they can get.
What Does Red Team Penetration Testing Involve?
The underlying premise of a red team pen test is to simulate real-world scenarios. That means the goal is to get in without being detected. So, it’s likely that only a few people in the company or organization know that a red team test is going to happen. And even then, they probably won’t know exactly when. The point is to try and get in and see how your system and response team actually respond to a threat. Consequently, red team testing involves a lot of prep work and planning to find areas of opportunity within the organization.
What does that look like? Red team testers will do a lot of advanced prep setting up covert infrastructure. Again, they’re essentially masquerading as cybercriminals, so they’re going to set safeguards in place to ensure that if they do get in, it’s not easy to trace it back to the home office. So, they’ll set up cloud resources that probably need time to age and potentially gain some good reputation. And just like the bad guys, they’ll also have a plan B or backup in place in case those resources fail.
What this means is that red team pen tests unfold over a longer period of time. Testers will develop customized exploits and capabilities for your organization’s systems – the ultimate goal is to test all lines of defense, including antivirus and other endpoint detection tools.
A red team test will also likely include things that are off-limits during regular penetration tests. They might try email phishing, phone call pretexting and even physical penetration of the building. Red team testers might try sneaking in as a FedEx guy and getting a device onto the internal network. Scary, right? But that’s what really happens out there in the world of cybercriminals. They’re sneaky, too.
Why Perform a Red Team Pen Test?
Most organizations need a vulnerability assessment to ensure they don’t have any gaping holes. Once you’ve covered those and are doing a good job of running your program, a basic penetration test is the next level up. You think you’re good but now want to hire someone who is a specialist in breaking into organizations. That will tell you if your defenses really measure up to the test. A red team test is really intended for the most mature security programs. It brings real-world threats and gives a security team the opportunity to detect those threats as they appear in the wild.
Red team pen tests aren’t for folks who simply have a compliance requirement for a pen test. Whether it’s a requirement set out by HIPAA or CMMC, you can generally meet those with a standard pen test. Red team testing is for those who want to go beyond the minimum checkbox pen test. Who really want to understand the gaps in protections and how people in the organization are going to respond in a scenario very close to the real world.
The benefit of a red team test is that it gives your defenders real-world detection practice against sophisticated adversaries. It helps to highlight the tiniest of cracks in your systems from top to bottom – whether it’s policies and procedures, detection, cybersecurity awareness, response, or simply a team member getting lax about letting people into the building.
Ultimately, red team testing serves to get your security as tightly shored up as possible. It helps keep anything and everything that your organization needs secured out of the hands of the bad guys and behind locked doors – both literal and virtual.