A few years back, the concept of red teaming was all the rage and at the tip of the tongue of every information security professional. There are common misconceptions about red teaming, and the term is often used interchangeably with penetration testing. This post will explain the 5 main differences between red teaming and penetration testing.
A penetration test encompasses a portion of your network. For example, you can choose whether you want the internal network, external network or web applications tested for vulnerabilities and then have said vulnerabilities exploited. This is often performed with defensive software and products turned off during the test so that all systems can be properly tested for vulnerabilities. Tools used during a penetration test are normally a vulnerability scanner such as Qualys or Nessus, and internal access is normally provided in the form of a VPN or a remote connection to an internal machine on your network.
A red team engagement is a black box test against your network with an objective-based scope rather than a systems-based scope. For example, a penetration test scope would be “perform an external vulnerability and penetration test against 25 IP addresses”, whereas a red team scope would be “gain internal network access and compromise the administrative account of SuperAdmin”. For red team engagements, defense mechanisms and blue teams are active and working to stop the attack. The initial foothold is commonly a social engineering threat vector such as phishing with a payload that executes a Microsoft Office macro or prompts the user for a password, which could allow the red team operator access to the internal network. Tools used for red team engagements do not include a vulnerability scanner or any other tools that make noise that could alert a blue team or an automated monitoring solution. Typically a command and control product such as Cobalt Strike, Sliver, or SilentTrinity is used and, once a machine has been compromised, all commands are run through these frameworks, most of them using living-off-the-land (LOTL) techniques.
One of the largest differences is the time it takes to perform a red team assessment vs a penetration test. The average penetration test can last from 1-3 weeks, whereas an average red team engagement lasts for about 1 month.
Because of the increased time and effort a red team assessment demands, the cost of a red team engagement is typically 2-3 times that of a standard vulnerability and penetration test.
Red team engagements are not right for every organization. If your organization has an annual penetration test performed, has a blue team, has advanced monitoring and MDR products installed and is looking to take its security testing to the next level, then red teaming may be a great fit for your annual security program.
What’s right for you?
What’s right for your organization may boil down to the maturity of your security program, your budget, and your desired scope, amongst other items. Hopefully this post has helped you identify the differences between these two types of engagements.
To learn more about our penetration testing and red team service offerings, use the form below to contact us!