More than often when organisations are directed by the board to deploy a Red Team test, there is often confusion on what testing should encompass. Many often think Red Team testing is just robust penetration test – but in fact, each have many differences. Although there are some similarities, they differ not only in terms of the end results, but techniques utilised and the inclusion of testing people. So, it is important to be aware of the difference between the two assessments to receive the results you are seeking.
Here is what you need to know to ensure you deliver what the board is expecting and to get the maximum return on your testing investment. Let’s start with the basics.
What is penetration testing?
The aim of a penetration test is to find vulnerabilities and configuration issues within an allotted timeframe. The security tester uses their expertise to exploit the vulnerabilities found within your IT infrastructure, in order to discover the risks that connect with vulnerabilities. Typically, the tester aims to look for known vulnerabilities in the system and they do not seek new vulnerabilities.
The assessment ends with a detailed report and a session with the client to go through the vulnerabilities identified, risks linked with the vulnerabilities and recommendations for remediation. Good testing service providers will also provide on-call assistance and complimentary retesting after remediations are made.
Best practice is to conduct a penetration test annually at a minimum. If your organisation goes through internal changes such as taking on a new IT system, then you should conduct a penetration test to ensure the system’s security.
How does Red Team Testing differ?
A typical Red Team test includes a mimicry of a real-life attack with the goal of accessing your systems and data, as a hacker would, by using a combination of techniques and tools. This is difference number one where testing includes not only your technology’s robustness but processes you use to respond and mitigate attacks.
Difference two – is that a penetration test is an agreed assignment within a specific timeframe, and it is shared with the entire security and IT team in the organisation. Whereas a Red Team test is conducted discreetly over a long period of time to make it less evident in order to test the Blue Team’s responses.
Number three – testing is also carried out on your people. Social Engineering attacks are implemented on staff to try to pull account details and enter systems. This could also include physical attacks where testers seek to obtain access to offices and data held on-site.
Ultimately, the goal of penetration testing is to detect as many vulnerabilities that you are able to exploit whereas, a Red Team test is conducted to achieve a specific objective such as access to target data and systems.
The easiest way to understand a Red Team test is to think of it as robbery where a thief’s objective is trying to gain access to your valuable items in your property. Conversely, a penetration tester’s objective is to test if there are any weak entrances of getting into the property, such as doors, locks, keys, windows, through security guards and the home security company’s response time. At this point, they have identified the weaknesses that the attacker could exploit and then it is the owner’s responsibility to remediate the vulnerability and strengthen protocols.
Which one do I need?
The benefits of a Red Team vs Penetration test is that you are testing your entire defence – People (your strongest defence), Technology and Processes. Sometimes the understanding of what a Red Team test should be is not so obvious to all stakeholders requesting it as they may only want technology and process included.
Therefore, choosing between a penetration test and a Red Team test all depends on your organisation’s goals. So, if your goal is to test your systems and networks to detect known vulnerabilities and see if they can be exploited then you may want to go with a penetration test. However, if you are looking to test your organisation’s security posture then a Red Team test is high recommended.
For a better understanding, you can find the infographic where you are able to see the differences side by side between a penetration test and a Red Team test.