Red Team Assessment and Penetration TestingPublish Date: August 10, 2018
Red Team exercises take a comprehensive approach to the full spectrum of organization policies, processes, and defenses to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.
It’s a cybersecurity assurance test. It builds on Penetration Testing by having a much wider scope and remit both regarding attack surfaces looked at, and in the level on controls that are tested.
As pointed earlier, a Red Team Assessment is focused on vulnerabilities associated with their goals. A Red Team Assessment needs maturity for security programs at the organizational level which can be achieved by performing regular penetration tests and patching vulnerabilities.
Red teams are outside entities brought in to test the effectiveness of a security program. Red teams are employed to emulate the behaviors and techniques of likely attackers to make it as realistic as possible.
Penetration testing starts with the identification and assessment of vulnerabilities in the enterprise. Next, tests are designed and executed to demonstrate precisely how an adversary can either subvert the organization’s security goals (e.g., the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g., the establishment of a covert Command and Control infrastructure). The results provide deeper insight, through demonstration, into the business risks of various vulnerabilities.
External Penetration Testing initiates an attack on a security system or a network from an external or public source. This attack mimics the tools and techniques of a hacker or outside attacker. It is the methodology to find out the real targets of the attacker. As current systems are connected to the internet, testing is required on controls that protect Internet-facing corporate IT assets. However, care must be taken during external testing not to harm the mission-critical corporate IT and operational systems.
Internal Penetration Testing is more targeted and involves attacking the security of a computer system or network of devices from the inside of the network imitating the tools and techniques that a real internal attacker would use. The objective is to determine which systems a malicious insider would be able to access within the internal structure of the network. Is the target include only the generic corporate user access areas or the access control for sensitive data and industrial control systems?
Penetration Testing and Red Team Assessments both have strengths and weaknesses and are more suited for specific circumstances. Your goals can determine what you need to choose or what is best suitable for your needs. You may need a blend of both.
Getting Confidence through Checks
Most of the industries and organizations typically outsource their system and physical security to a third party. The cybersecurity monitoring may also be outsourced to another entity which may use a chain of contractors and outside firms for securing the IT systems. It creates a layer of security check levels. An attacker may find the weakest link in these levels for a security breach. Therefore, it is essential to test all the surfaces of a security program to determine where the breaking points exist. A Red Team Exercise mimics a motivated attacker and executes a plan, explores the organization’s infrastructure for physical installations and then tests the physical, cyber, and social defenses through a stepwise exercise.
Do I need Red Teaming?
Need to know: How mature is your information security posture?
Almost all organizations conduct penetration testing on a regular basis.
- A penetration test allows organizations to plan and strategize on security budget investments and controls needed to protect their data. It involves identifying vulnerabilities in a target organization and exploiting them to determine the level of access an attacker can gain.
- Red Teaming, on the other hand, emulates targeted cyber-criminal attacks looking to avoid detection. They can mimic what a real-world attacker would do, having little restrictions so that the client can experience a cyber-attack scenario, and determine if their defense can withstand the attack.The team will initially involve off-site reconnaissance using public sources about the organization (as a cyber-criminal would do) before actively polling organizational targets. These targets could include physical work sites or offices, external internet exposed systems, the organization’s employees with the aim of gaining a foothold within the corporate network. Once this has been achieved, the campaign persists and attempts to gain the objectives of the Red Team campaign.
Red Teaming is one of the most comprehensive and in-depth engagements helping organizations determine if and how their most sensitive assets could be compromised.
Red Team exercises act as extended penetration tests and are distinctive if performed correctly.
The major variances between Red Team Exercises and other tests are:
- The target or goal As stated earlier, penetration tests target a particular system or an application. Red Team focus is more integrated and is spread across the assets. More than a physical target which is the condition in a penetration test, the red team focuses on sensitive content like intellectual property, contact lists, payment details, credentials, etc. So, the objectives of Red Team Tests are different in many ways than the penetration tests.
- Team Structure Penetration does require special skills but can be carried out using a single generic approach. Each member of the Red Team is specialized with a unique set of skills. Therefore, Red Team Assessment need assorted skills and teamwork to compete against diverse security controls.
- Type of Efforts Conventional penetration tests are limited in scope as they have specified targets like an application or network segment. The structure and the technology are well known to the testing team, and These are more mechanical. For example, the penetration tests check if the exposed network area has the updated security patches, supported technically, give justice to user credentials, limits access to the database and confidential information, etc. All of these tests are largely mechanical or can be automated.However, the Red team focuses not only on the electronic defenses but also on the “human” part of the attack. For example, user password access due to humane error, access to restricted areas without authentication, or employees’ negligence. These attacks arise from physical or social domains, and it is the Red Team’s duty to think and act like an attacker to find out their techniques and strategies.
- Combine Attacks Red Team Assessments ranges the tests from electronic, automated, mechanical, network-based, as well as social and physical domains. Red Team member, therefore, has more freedom to choose a method like phishing, unlocking manipulating, or influencing to perform the test. Red Team tries to understand what goes inside the attacker’s brain to replicate the real attack in a controlled and authorized way.
Which one is better?
Traditional penetration testing is crucial to security but can be limited due to time and scope constraints. In comparison, Red Team campaigns seek to remove this limitation by providing a service that recreates actual attack scenarios and expose attack surfaces.
Red team engagements are as close to a real-world hack as you can get. Normal penetration testers don’t have to account for adversaries, so there is no one to hide from. While a penetration test’s goal is to find vulnerabilities, each red ream campaign has a specific objective… to be achieved through any means necessary.
The true answer is one is not necessarily better than the other. Often Penetration Testers and Red Teams are the same people in am organizations wearing different functional caps and using different methods and techniques for different assessments. Determining the organizational goal is essential to start with as the methods and approaches differ with the goals. You may consider having the Red Team to evaluate your incident responses, or you may choose Penetration Tests to discover vulnerabilities. The takeaway is to avoid being listed as a victim organization affected by a sophisticated attack, being prepared with your goals and teams is essential.
Get more than what you think from your security solutions with YASH.
Manga Sridhar Akella-Program Manager Information Security @YASH Technologies
Program Manager Information Security @YASH Technologies