It’s another new year, and another opportunity to tighten your ever-important security.
With the threat landscape constantly evolving, you don’t need us to tell you that an annual penetration test is a must.
Whether you’ve run one or two pentests before and are looking to up the ante, or you’ve got quite a few reports under your belt, you may be wondering about this other kind of test you’ve heard about: a Red Team operation.
In this post, we’re stacking the traditional penetration test up against the esteemed Red Teaming methodology to see if your company is the right fit for a Red Team engagement.
What is a Penetration Test?
A penetration test is a simulated cyber attack against your company’s computer network systems, devices, and people.
Trusted, experienced cybersecurity experts attempt to infiltrate a targeted network to find vulnerabilities— all aimed at giving their client insights into hardening their security before a real hacker finds and exploits these weaknesses.
What is a Red Team Engagement?
“Red Teaming” is a phrase derived from military simulations, wherein officers think ahead to the “what if’s” for every plan of attack they strategize. It’s the idea that even if the military thinks up the perfect attack, they must always be prepared to stray from the plan. In order to expect the unexpected, it’s crucial to play out other possible scenarios.
Today, “Red Teaming” borrows this “war game” tactic: the term describes a team of ethical hackers who strategize every possible way to breach a target company’s systems and pursue many attack vectors. The Red Team (AKA the ethical hackers) is on the offense, staging strategic attacks, while the Blue Team (AKA the company being tested) plays defense.
For all intents and purposes, think of the Red Team methodology as a more advanced penetration test. Here’s why:
The Core Differences Between Pentesting vs. Red Teaming
For starters, penetration tests have a very different intention than Red Team engagements.
The goal of a pentest is to find as many security gaps as possible, exploit them and assess each vulnerability’s risk level.
Red Teams, in contrast, aren’t trying to compile a laundry list of all your company’s weaknesses. A Red Team engagement’s goal is to find one way in, exploit it and then escalate laterally through your system to access the juiciest data they can.
Pentests and Red Team tests have different rules for what they’re allowed to attack.
Penetration tests are bucketed into six different types, and most companies’ pentests focus on only one or two areas per engagement. For instance, a business may choose to run a social engineering pentest and an external pentest simultaneously. The area of focus is specific and the pentesters have a narrow scope, allowing them to focus on specific attack vectors.
Red Team attacks are more like a free-for-all. Red Teams usually have complete freedom over the methods and pathways they use to breach your systems. They use whatever means they can to get in: from wireless exploits and application vulnerabilities to physically breaking into your office and stealing confidential data. The only exceptions are the attack vectors you may choose to deny in your agreement. With this in mind, Red Teams spend an impressive amount of time in the pre-attack phase of penetration testing.
Because Red Team engagements allow simulated attackers more freedom and the scope is broader, these security tests involve more resources.
Red Team operations typically bring in more pentesters— rallying more hands on deck. Separate teams often divide and conquer different penetration testing avenues— say one team to focus on internal network attacks while another on exploiting application vulnerabilities— allowing each team to work independently and simultaneously on their own focused attacks. There’s more technology involved, more people, more time. All around, more goes into running a Red Teaming pentest.
There’s a huge difference in time devoted to Red Team operations vs pentests.
Since penetration tests are more focused on specific types of engagements with defined scopes, the average pentest lasts 2-3 weeks.
Red Teaming goes much more in depth, with the typical Red Team project extending from 3-6 weeks— sometimes even longer depending on the company size and their systems’ complexity.
Remember, the goal of a penetration test is to glean as many weaknesses as possible in a tight timespan. With this in mind, sometimes pentests can be “noisy.” During a phishing campaign for a social engineering pentest, for instance, an employee may realize they received a suspicious email and report it to their boss.
Red Teams want a stealthy way in and to remain undetected in the target’s system for as long as possible, gleaning more and more information as they escalate throughout the company’s network. Because they’re after more sensitive data and have more time to acquire it, they work silently in the shadows so as not to be discovered.
Target’s Previous Testing Experience
This is where your company’s experience with previous pentesting comes into play.
Companies that have only ever conducted a vulnerability assessment are best served by conducting a few focused penetration tests before considering a Red Team operation. These smaller-scope, smaller-scale tests will reveal weaknesses for them to harden over time.
Once a company has hardened said discovered weaknesses, they may want to consider taking it a step further. Red Team engagements are for businesses with very mature security postures who are confident in the defenses they’ve built and want to put their hard work to the test.
Finally, there is a significant difference in the cost between a Red Team pentest and a traditional penetration test.
Because Red Team engagements are longer and more extensive in terms of people, resources, scope, etc., they are understandably more expensive than traditional pentests. A penetration test will likely cost a minimum of $25,000 while a Red Teaming project typically begins at $40,000.
What’s Better for You— a Pentest or a Red Team Operation?
Looking for the high-level overview? For organizations who’ve only run one or two pentests in the past, plan a different type of pentest before considering a Red Team engagement.
If you’re curious as to how we conduct pentests at Mitnick Security, check out how World Surf League uncovered its vulnerabilities.
Thinking that you’re ready for a Red Team pentest? Explore our Red Team Operations services and fill out the form today.