Pen Testing Versus Red Teaming Use Cases: We Asked the Experts


Clients sometimes come to us looking for penetration testing only to discover that they really need red teaming (and vice versa).

In this article, we want to clear up the different use cases for red teaming versus penetration testing by featuring our team's insights and advice about choosing between a penetration test and a red teaming exercise.

The “Too long; didn't read” (TL;DR) version of understanding red team versus pen testing is:

The rest of this article is a detailed guide to understanding pen testing versus red teaming use cases based on insights from SECFORCE’s offensive security team.

We also tell you about testing triggers and the maturity level you need to get the best value out of each testing type.


When to Choose Pen Testing

To test a building's security, a pen tester would check the condition of the windows and doors, looking for known weak points, as you look over their shoulder. The test would have a specific scope, and the tester would make no effort to stay hidden.

In your IT environment, you should choose a pen test to thoroughly test the security of a single asset, for example, a website, a cloud platform, or a group of IP addresses.

Penetration testing is a great fit for the following:

There doesn't need to be a specific trigger for a penetration test, but some of the most common reasons why clients approach us to do pen testing include:


Pen testing works best for organisations that already do vulnerability scanning

A pen test can be performed on more or less any system environment, including networks, servers, employee devices, cloud infrastructure, applications and IoT deployments.

However, to make the most of a penetration test, an organisation ideally needs an established process for scanning for vulnerabilities, prioritising remediation and patching them.

Patch management is how companies remediate the issues identified during a pen test. A pen test is also a good way to validate that patch management processes are actually working and reducing risk.

A risk management framework could also prove helpful in identifying and prioritising cybersecurity risks, ensuring that penetration testing efforts are targeted effectively.

Beyond these basics, the maturity level you need for pen testing varies, but our experts say that you should, at minimum, be capable of creating a robust environment for testing purposes.

Finally, it is very useful for an organisation to document and share its user journeys, network topology diagrams and data flow cases for any system being tested. This will ensure that the testing team has a better understanding of the assessed system and can conduct more efficient security testing.


When to Choose Red Teaming

If we were to use the same analogy as we used above for pen testing, a red teamer would try to get into a building as quickly as possible and see how long it took someone to notice suspicious activity, call the police, and stop them.

The red team focuses not only on the doors and windows but also on any promising way of giving them access (e.g., luring a legitimate employee in the building into letting them in or disguising themselves as maintenance crew).

Red teaming has a wide scope, and red teamers do their best to stay hidden during an engagement.

Use red teaming to see how your organisation would fare against threats targeting your organisation’s technologies, processes, and people.

A red teaming exercise might start with a question like, “From x starting point, what can a cybercriminal do?”

Would a threat actor be able to compromise a payment system or other critical infrastructure, gain access to sensitive information, exfiltrate data, or even compromise the entire organisation?

By simulating certain scenarios, organisations can build resilience.

Red teaming test results can help organisations learn about exposures in their business processes and third-party dependencies.

It also allows organisations to benchmark KPIs like mean time to detection (MTTD) and fine-tune detections and response processes to make improvements.

Compared to penetration testing, red teaming is more fluid in scope (testing parameters often change based on what happens during a test), communication-heavy (including daily updates) and potentially risky if inadequate risk management measures are taken or communications are sub-optimal.

Generally speaking, red teaming is a more costly engagement than pen testing and tends to happen due to trigger events such as the following:


Red teaming is for mature security programs

If you don't already do pen testing, then red teaming probably won't deliver much value.

We recommend that organisations who want to invest in offensive security follow this rough progression:

Vulnerability scanning (and patching) → Pen testing → Red teaming

Getting value from a red team exercise requires an organisation to have a functional security operations centre (i.e., a SOC with a SIEM in place).

An organisation that doesn’t have these things in place can still do a red team exercise, but it won't get nearly as much value out of it. That said, on some occasions, a red team exercise that uncovers critical findings can work as a driver for allocating security budget, as it accurately demonstrates the impact of a sophisticated, persistent attack targeted against the organisation.

Red teaming’s key goal is to assess your defensive posture, so ideally, you should have an experienced blue team with established detection and response processes.

Before red teaming, an organisation should ideally gain assurances around its relevant security controls. Endpoint detection and response, malware resilience testing, and phishing exercises can help ensure that telemetry, detection and prevention capabilities are of a good standard.

This way, the centralisation of those logs, as well as the defensive team's monitoring and response performance, can be properly assessed during the red team engagement.

Having reviewed its individual security controls, the organisation will also be better prepared and more likely to defend successfully against the red team (or a real attack).

A purple teaming exercise, where a red and blue team collaborate openly, is also a good way to prepare for a red teaming exercise.

[Table: Pen Testing vs Red Teaming comparison]


Red Teaming Versus Pen Testing Scope

Another way to think about the difference between pen testing and red teaming is scope.

Red teaming assesses defences, whereas pen testing focuses more on the assets themselves.

Pen testing has a narrow, specific scope (usually testing a specific asset or group of assets) and no mandate to avoid detection.

Red teaming has a wide scope (often the entire organisation) and is designed to avoid detection for as long as it makes sense.

SECFORCE’s preferred approach to red teaming is to show clients different thresholds at which they are able or unable to detect an attack.

We think a red team should be as stealthy as possible, but if an attack seems to go totally unnoticed, red teamers should intentionally increase the "noise" they make to see whether detection happens.

For example, if a red team hasn't been detected during the whole engagement, on the last day, with the organisation’s permission, we might add a high-privilege user to see if this incredibly loud activity would be detected.

Often, this added noise is still missed, but the client has the advantage of being able to see the different levels at which their security posture needs improvement.
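The "loud" final step above (a newly created account dropped straight into a high-privilege group) is exactly the kind of activity a blue team should have a detection for, and the MTTD KPI mentioned earlier is how its performance gets benchmarked. The following is an added example, not SECFORCE's code or tooling: a minimal detection rule run over constructed Windows Security audit events (standard event IDs 4720 and 4728), with the red team's hypothetical timing log used to compute MTTD and to surface the injections the rule never caught.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real telemetry). Event IDs are the
# standard Windows ones: 4720 = user account created, 4728 = member added to a
# security-enabled global group such as Domain Admins.
SAMPLE_LOG = [
    '{"ts":"2024-09-17T09:00:00","id":4624,"subject":"alice","target":"alice"}',
    '{"ts":"2024-09-17T09:05:00","id":4720,"subject":"svc_backup","target":"helpdesk2"}',
    '{"ts":"2024-09-17T09:06:30","id":4728,"subject":"svc_backup","target":"helpdesk2","group":"Domain Admins"}',
    '{"ts":"2024-09-17T09:10:00","id":4728,"subject":"itadmin","target":"bob","group":"Print Operators"}',
    '{"ts":"2024-09-17T09:20:00","id":4720,"subject":"svc_backup","target":"auditsvc"}',
    '{"ts":"2024-09-17T09:45:00","id":4728,"subject":"svc_backup","target":"auditsvc","group":"Domain Admins"}',
]
# Hypothetical red-team record of when each "loud" account was planted.
INJECTIONS = {"helpdesk2": datetime(2024, 9, 17, 9, 5), "auditsvc": datetime(2024, 9, 17, 9, 20)}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def parse_events(lines):
    """Parse one JSON event per line and sort by timestamp."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect_new_privileged_accounts(events, window=timedelta(minutes=10)):
    """Alert when an account created (4720) less than `window` ago is added to
    a privileged group (4728). Returns {target account: first alert time}."""
    created = {e["target"]: e["ts"] for e in events if e["id"] == 4720}
    alerts = {}
    for e in events:
        if e["id"] != 4728 or e.get("group") not in PRIVILEGED_GROUPS:
            continue
        born = created.get(e["target"])
        if born is not None and born <= e["ts"] <= born + window:
            alerts.setdefault(e["target"], e["ts"])
    return alerts

def benchmark_mttd(injections, alerts):
    """Mean time to detection (seconds) across detected injections, plus the
    injections the rule never caught: the 'added noise still missed' case."""
    latencies = [(alerts[t] - ts).total_seconds() for t, ts in injections.items() if t in alerts]
    missed = sorted(t for t in injections if t not in alerts)
    mttd = sum(latencies) / len(latencies) if latencies else None
    return mttd, missed

if __name__ == "__main__":
    found = detect_new_privileged_accounts(parse_events(SAMPLE_LOG))
    print(benchmark_mttd(INJECTIONS, found))  # (90.0, ['auditsvc'])
```

The second injection is missed only because the elevation happened outside the rule's 10-minute window, which is the sort of threshold finding the stepped-noise approach is meant to surface.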


Talk to Offensive Security Experts

Name an offensive security test type or methodology, and we are likely to have expertise in it.

SECFORCE is a CREST-certified pen testing firm and qualified to deliver best-in-class red teaming.

We pride ourselves in turning our team's decades of experience into easy-to-follow advice on offensive security.

Whether you're considering a pen test or looking to do a red teaming exercise, we would love to talk to you and answer any questions about offensive security.

Some of the world’s leading organisations continue to trust SECFORCE to test their systems because they have seen us excel in complex environments with variable conditions. Our experienced and accredited testers are committed to delivering professional, ethical, and value-driven red teaming engagements.

Contact us today.
