Red Team and Penetration Testing for Corporate Security
How easy is it for a malicious actor to get into your network? Penetration testing seeks to answer this question. Commonly referred to as white hat pentesting, a penetration test detects and exploits vulnerabilities throughout your network and infrastructure. While pentesting overlaps with red team exercises—to the point where some people think the concepts are interchangeable—they are actually quite different activities. One is not inherently better than the other and organizations see value in both. When combined, they can present a company with a good, point in time, risk evaluation.
Comparing Pentesting with Red Team Security Testing
The goal of penetration testing is to find all potential security vulnerabilities, such as unpatched servers and open ports, within a defined period of time and scope. Pentesters, depending on the scope of the engagement, may also try to exploit any vulnerability that they find. In the end, they present an organization with their findings. A pentest report can show where gaps in security controls are and lapses in security policies could expose the organization to the risk of attack and penetration. However, a pentest is not necessarily intended to uncover new vulnerabilities like “zero-days” exploits.
Red team activities are similar to those of pentests, but they are generally more coordinated and targeted. The goal is not to find as many vulnerabilities as possible. Rather, the red team tests are geared towards a targeted entity and general detection and response capabilities. Red teams are more dynamic—some might say “sneaky”—in the way they approach the work. They might mimic the attack techniques of a malicious actor to avoid detection. In some scenarios, a pentester will do the same but most SecOps team are usually aware of this activity.
Red Team & Pentesting: When and Why?
When should you do red team exercises versus pentesting? There’s no simple answer. In some cases, you might not have a choice. Some regulations require a pentesting program at least once a year. For example, in order to be certified with the credit card industry’s PSS-DCI standard, a company must demonstrate that it has an active penetration testing on its networks and infrastructure. The same is true for the HIPAA regulations that govern medical records. The regulations do not mandate red teaming.
A red team exercise offers a number of benefits over pentesting. It’s more realistic, for one thing. Red teams are mimicking hackers that are trying to get inside your network without tripping detecting alarms. Red teams know the network and the assets that are critical to an organization. Depending on the amount of time a red team has been established in an organization, they will also know the security controls and where they are placed. With that intimate knowledge, they will try to avoid detection and take a more stealthy approach to an attack.
In today’s climate and with the prevalence of serious Advanced Persistent Threats (APTs), red teaming may be the best solution. APTs and techniques, they are stealthy by design. They avoid the obvious vulnerabilities. Pentesters don’t necessarily reveal their attack paths, for most, they will just provide a remediation report.
Addressing the cost issue, opinions may vary on the value of red team versus pentest. Some organizations will argue that red teams are inherently more expensive due to the need of hiring experienced white hat hackers. However, pentesting can get so complex and deeply scoped that it takes quite a few people to stay on top of it all and pentesting is usually performed by outside consulting firms. Thus, the testing program can create an unexpected expense that organizations may have not budgeted for. Depending on the circumstances, a limited duration red team project might actually be cheaper.
The Value of a “Purple Team” Approach
Matched up with the red team is a “blue team,” which is in charge of defending against the red attackers. The blue team is usually the IT and SecOps staff. Opposition and conflict are implied, but not necessarily. When organizations look at these two teams, they are developed with a charter that they are working side-by-side and value what each person brings to the team.
Another approach is to establish just one team, a “purple team,” if you will. A purple team combines the attack (and maybe simulation) of the red team with the defensive posture of the blue team. Done right, a purple team can be goal oriented and effective at improving security without creating counterproductive interpersonal conflict.
A purple team can also be automated, which truly accelerates the advantage of this approach. An automated purple team solution can continuously simulate attacks like APTs. This automated platform should also validate and any remediation to thwart an attackers’ path(s) to critical assets. It never stops performing the red/blue cycle and helps augment the team’s tool kit. This is helpful, given the constant changes in user activity, network infrastructure, network settings, and patches that characterize IT in real life. Vulnerabilities open and close round-the-clock. It’s best to detect and respond to them in a timely fashion. It is inhuman to do this manually, but machines and software (built correctly) can and should perform these tasks to aid in the fight against APTs.