If you’ve conducted a few successful penetration tests already, you may be wondering, “what’s next?”
You took the advice from your pentests and made repeated improvements to your security. Honestly, you’re feeling pretty confident about your security posture and aren’t sure additional pentests are needed.
If that’s how you’re feeling, that likely means it’s time to up the ante.
You may have heard of Red Team operations before, but are they really suitable for your company— or is it overkill? We’re here to help you decide.
Here are six questions to see if you're ready for a Red Team engagement:
1. What is the difference between a Red Team engagement and a traditional penetration test?
Sometimes we hear professionals (incorrectly) use the terms Red Team operations and penetration test interchangeably. However, they are not the same.
Red Team operations are more in-depth. To simplify your understanding, Red Team engagements require more time on the pentesters’ part, therefore, a higher cost. But that’s not the only way they differ. Instead of breaking down their similarities and differences in one paragraph, we wrote an entire blog on the topic. Read Red Team Operations vs. Penetration Testing to learn more.
2. How many traditional pentests should my company run before starting a Red Team engagement?
Red team engagements should never be the first type of security assessment run against an organization. Although each company is unique, it is usually best to have two or three penetration tests under your belt before engaging in Red Team operations.
Since Red Team pentests take more time and incur higher costs, this type of extensive engagement would be a waste for any organization that isn't confident in its current security posture.
Red Team tests are a good fit for companies with a mature security posture, that feel they've built resilient security defenses. The goal would be to test the strong defenses they've already put in place.
3. What's the ultimate goal?
Before determining if Red Team operations are best for your organization, you must define your ultimate goal. For example, if your ultimate goal is to find as many security gaps as possible, you'd be better off choosing a standard penetration test than Red Team operations.
The goal of a Red Team engagement is not to create a laundry list of vulnerabilities and weaknesses. Instead, the sole point is to find one way in, exploit it, and then move laterally through the system to see what type of mission-critical or confidential data can be accessed.
4. Do you have the budget?
It's essential to determine if you have the right budget before deciding between a penetration test and Red Team engagement. While you may already have set aside enough for a pentest, it may not be enough for a Red Team...
A standard pentest typically costs a minimum of $25,000. However, due to their longer duration, Red Team engagements often start closer to $40,000. Therefore, anything under the $40,000 mark is not likely to be a true Red Team.
5. Do you have the time?
As we previously mentioned, Red Team engagements require far more time to complete than a standard pentest. Penetration tests focus on specific areas for testing that are defined within a scope. Red Team engagements are much more fluid.
For this reason, standard penetration tests typically have a duration of 2-3 weeks, while a typical Red Team engagement spans 3-6 weeks. Red Team projects can sometimes span even longer durations depending on the size and complexity of the organization.
Additionally, the Red Team engagement may involve seeing how easy it would be for an attacker to remain in the network for an extended period of time, undetected. This alone will add additional time to the project.
6. Are you comfortable with the no bars held approach?
Prior to a penetration test, the assessment team sits down with the stakeholders to determine the scope of the project. Typically, penetration tests have a narrow scope and focus on a few areas. There are six main types of penetration tests, and each focuses on a specific attack vector. For example, an organization may choose to simply focus on a social engineering engagement and web application pentest.
Red Team engagements give complete freedom to the testing team to use whatever methods or tactics they see fit to breach the systems. The team may opt to perform a social engineering experiment, use wireless exploits and even physically break into the office to steal data.
While that can sound a bit intimidating, there is no need to worry. During the Red Team engagement scoping and agreement chat, you can deny certain attack vectors and specify what is off-limits.
Think of it this way: in a penetration test, you explicitly say which attack vectors are allowed to use. In a Red Team engagement, you only say which attack vectors are specifically not allowed to be used.
See Our Red Team in Action
If you think you’re ready for the security big leagues, it’s time to schedule a Red Team engagement.
Here at Mitnick Security, we specialize in Red Teaming like no other. Read our World Surf League Case Study to see for yourself.
Request more information about our Red Team pentesting services.