Red Team Testing – not just a Penetration Test in a posh hat

Penetration Testing is not Red Team Testing

The term Red Team Testing has been around for a while. Its origins are in the military where, in simple terms, team A (the Blue Team) would be tasked with defending a specified zone and team B (the Red Team) would be tasked with attacking it, thus highlighting deficiencies in both the Blue Team's and the Red Team's capabilities and tactics.

In terms of Information & Cyber security, the concept is the same. Organisations’ security is tested in a real-world way but with the safety net of a closed, simulated environment.

Penetration Testing is not Red Team Testing, but Red Team Testing can (and should) include penetration testing.

I once had an elderly neighbour who used to work in the London East End Docks before they became somewhere anyone would dream of wanting to live. He had a saying: ‘Same meat, different gravy’. It was one of those sayings where you couldn’t quite articulate its exact meaning but at the same time knew exactly what it meant. I think it works perfectly here.

Penetration Testing involves testing a network, system, web instance or another related asset. It can also involve testing a physical (as in bricks & mortar) entity – from evaluating access-controlled office reception areas through to literally trying to climb over a perimeter barrier fence to gain access. A red team operation can include social engineering as part of its attack simulation or real-world attack to gain access to sensitive information.

Penetration testing is executed within a brief prescribed time scale and seeks to exploit known vulnerabilities against pre-determined and explicit targets.

Penetration testing is not black & white

At this stage I could go on to detail different types of penetration testing – Black Box, White Box and even Grey Box – but this could induce a kind of literacy-based colour blindness.

So, back to Red Team Testing: as part of a comprehensive Red Team engagement, your cyber defences should be tested, and your physical ones come to that, but without the strict parameters of orthodox penetration testing. It should be a comprehensive no-holds-barred assault on all of your organisation’s defences – over an extended time period and with only the most critical of essential personnel knowing about it.

Be careful what you wish for

Until all your defences are tested in a realistic, real-world way, you don’t know how well your systems, personnel, policies and procedures are going to react. This is where the ‘careful what you wish for’ sentiment comes in.

Red Team Testing can be viewed as tough love. The chances are, in the short term, it’s going to hurt. There could be repercussions, accusations and a general upset of the status quo. And rightfully so. You don’t know what you don’t know until you test what you do know.

To be frank, you have two options when it comes to the stance you take over your company’s security. If you don’t see past a box that needs ticking then go for a penetration test – in fact, you might even be able to get away with a vulnerability scan. If you’re just shopping for a tick then why not go for the cheapest, least intrusive one you can find?

Then why conduct a Red Team test?

On the other hand, if you’re serious about protecting your organisation’s sensitive data, its intellectual property, its finances, and your employees’ privacy and safety, then you should consider a penetration test with at least an added element of Red Teaming. Ideally you should go for a full-blown Red Team Test – but we do understand the need for walking before running when it comes to your security program.

We’ve been developing, designing and delivering Red Team Testing to the Enterprise for over 20 years. If you’re ready to take the jump, we’ll provide the safety harness.

Risk Crew