Intelligent CIO Africa Issue 57 | Page 20

TRENDING
From our experience, customers often get confused between three types of services – vulnerability assessment, penetration testing and red teaming.
To once again demonstrate how vulnerability assessment, penetration testing and red teaming differ, we’ll consider three basic criteria – the goal of the service, its scope and methodology.
What’s out there?
Vulnerability assessment (VA): The most common service of the three, VA is an automated or semi-automated approach to the identification of security issues. Its goal is to discover as many publicly known vulnerabilities as possible among a strictly defined set of systems, ideally minimising false positive results. The methodology is quite simple, and boils down to pattern matching data received from a network service against a database of known security issues. Such a straightforward approach allows for a great level of automation, thus gaining the advantage of speed and repeatability. The disadvantages, on the other hand, are quite obvious too: in the end, all you get from a VA is a list of existing well-known vulnerabilities.
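The pattern-matching methodology described above, as an added example that is not part of the original article: service banners from a defined scope are parsed and compared against a database of known issues. The product names, advisory IDs, versions and addresses are all constructed placeholders.

```python
import re

# Constructed "known issues" database: product -> [(advisory id, first fixed version)].
# Product names and advisory IDs are placeholders, not real software or advisories.
KNOWN_ISSUES = {
    "exampleftpd": [("EXAMPLE-ADV-0001", (2, 3, 5))],
    "examplehttpd": [("EXAMPLE-ADV-0002", (1, 18, 0)),
                     ("EXAMPLE-ADV-0003", (1, 20, 2))],
}

# Constructed banners, as a scanner would collect them from a strictly defined scope.
BANNERS = {
    ("192.0.2.10", 21): "220 ExampleFTPd 2.3.4 ready",
    ("192.0.2.10", 80): "Server: ExampleHTTPd/1.19.6",
    ("192.0.2.11", 80): "Server: ExampleHTTPd/1.20.2",
    ("192.0.2.12", 8443): "Server: InHouseOrderPortal",  # bespoke app, in no database
}

# A product name followed by a dotted version, separated by a space or a slash.
BANNER_RE = re.compile(r"([A-Za-z]+)[ /](\d+(?:\.\d+)+)")


def parse_banner(banner):
    """Return (product, version tuple), or None when the banner has no version."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def assess(banners, known_issues):
    """Match every banner against the database; return (findings, unmatched)."""
    findings, unmatched = [], []
    for (host, port), banner in sorted(banners.items()):
        parsed = parse_banner(banner)
        if parsed is None or parsed[0] not in known_issues:
            # Nothing to match on: the service is invisible to this method.
            unmatched.append((host, port))
            continue
        product, version = parsed
        for advisory, fixed_in in known_issues[product]:
            # Banner-only matching: a backported fix that leaves the version
            # string unchanged would show up here as a false positive.
            if version < fixed_in:
                findings.append((host, port, advisory))
    return findings, unmatched


if __name__ == "__main__":
    found, skipped = assess(BANNERS, KNOWN_ISSUES)
    print("findings:", found)
    print("no database entry:", skipped)
```

The bespoke service on port 8443 produces no finding at all, which is the limitation the paragraph points out: the output can only ever be a list of already-known issues.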
We’re not stating that VA is not the right service for you; it is a crucial part of the vulnerability management program in any security-mature organisation, alongside asset inventory and change management processes.
Keep in mind that VA has nothing to do with any kind of simulation of adversarial behaviour. So, if a service provider you’ve enlisted for a penetration testing or red teaming engagement mostly relies on an automated vulnerability scanning solution in the course of their work – they are not doing it right.
Now with vulnerability assessment addressed, let’s take a closer look at penetration testing before digging into red teaming.
As the name implies, penetration testing (pentest) aims to demonstrate how a security boundary could be breached, allowing a threat actor to get from point A to point B inside an organisation’s network. Unlike a vulnerability assessment, a pentest goes beyond plain enumeration of potential security weaknesses: a proper penetration testing engagement, applied to an external perimeter, corporate network or both, would show how a malefactor would behave if tasked with compromising a company’s IT infrastructure.
Methodology-wise, a pentest is mostly a manual service that relies more on the knowledge and experience of the expert team performing it than on tooling and automation. Considering the above, you should plan the project accordingly: a typical engagement might take anywhere from 30 to 60 business days for the practical part and reporting. And since reporting is the key deliverable of the whole exercise, when choosing a service provider, pay close attention to what would be included in your report. Most established vendors would have a sample report that you could request to evaluate whether the final product would match your expectations.
Finally, a red teaming service is focused on the assessment of a company’s operational security capabilities by conducting a sophisticated attack simulation exercise and evaluating the detection and response of the defending SOC specialists (blue team). Though it may look similar to penetration testing, there are significant differences between testing security operations (OpSec) and looking for attack vectors.
The methodology and scope of each red teaming exercise are heavily dictated by threat intelligence (TI) gathered prior to the engagement. During penetration testing, a service provider is trying each and every attack vector that would aid in breaching IT infrastructure security. During red teaming, the customer and service provider develop a set of goals together, to be reached via a corresponding set of attack scenarios. These would be the most relevant for the company based on the results of deep threat intelligence research. In most cases the scope would not be limited by any particular IP addresses or domains, instead covering the whole organisation, including people and processes. These kinds of exercises also last longer than any others, half a year or even longer, due to the need to simulate the low-profile behaviour of a real attacker.
So now that you’ve seen all the typical propositions and weighed up your real needs, ask yourself one more question before starting the hunt for the top red teaming service provider: “how did my SOC perform the last time we ordered a proper pentest?” If your answer is akin to: “oh, well now I’m unsure if we’ve ever conducted one” or “actually we don’t have a dedicated security operations team right now”, then you probably won’t get enough bang for the buck a red teaming engagement would cost, and you may get better value from hiring an expert penetration testing team. Just remember to ask them to keep a timestamped track of all the indicators of attack and compromise. If, on the other hand, your answer would include such cryptic terms as “threat hunting”, “MTTD”, “MTTR” or similar – then chances are you’re good to go for a red teaming adventure.