In this article, we will review the differences and distinctions between Pen Testing and Red Teaming. Terminology in the world of Cyber Security can be daunting even for the gifted. Trying to chug the waterfall of acronyms can make one’s brain feel as though it could explode. It is no wonder that confusion exists around Cyber Security and the meaning of its terms. One of the more critical misunderstandings around offensive security, in my opinion, is the often-dubious use of the term “Red Team.” The name is often used in the colloquial sense to mean “any Cyber offense role,” bundling together and ignoring the very distinct nuances that make the roles different. How many Cyber positions could fall under such a categorization, each with a different specialization? There are Vulnerability Management Testers, Web Application Penetration Testers, Network Security Penetration Testers, Code Application Testers, Mobile Application Testers, and Red Teamers, to name the ones that come to mind. Though the list might be pedantic, dull, or even prosaic, one might argue that we should simplify and bundle the roles into three major categories: Vulnerability Management, Penetration Testing, and, most importantly (IMO), Red Teaming. I could not contest the idea of such role simplification for discussion purposes.
Without digging into the details too far, Vulnerability Management folks scan networks and web applications for any vulnerabilities that can be identified, regardless of whether each finding turns out to be valid (false positives included). Vulnerability scanning is often misconstrued as Pen Testing, especially where marketing is concerned. These are not the same activities, though there is some overlap in tooling. Those differences detract from the main topic, so I will leave it at that. Here is a graphic to help wrap the mind around the scope and depth of the different job functions:
Another way of viewing the three significant, overlapping categories is in military-like flavors. Vulnerability scanning is akin to firing thousands of bullets from a mounted machine gun to see what hits.
What is Pen Testing?
“A penetration test, also known as a pen test, is a simulated cyber-attack against your computer system to check for exploitable vulnerabilities.” Pen Testers are akin to a Tactical Ops team, and they go a step further than vulnerability scanning. They run around in tactical gear using night vision goggles to see what is otherwise hidden, rifles with various settings (three-round bursts, lasers, grenade launchers), and other such gadgets to validate vulnerabilities via active exploitation. They are deployed to determine whether any holes in the enemy defenses can be successfully infiltrated. Pen Testers will typically be up to date on the latest exploits along with the discovery methods for the corresponding vulnerabilities. Pen Testers are highly skilled specialists, and generally they are more interested in the subtler depths of specific tools and what they yield. They are usually not concerned with being covert, as they are under tight deadlines set during the scoping of the engagements to which they are assigned. These tight deadlines are often the result of one if not all of the following: customer budgets, non-technical project managers responsible for the scoping process, and customer compliance drop-dead dates. Pen Testers use various techniques to uncover vulnerabilities, including automated enumeration techniques like vulnerability scanners and directory busters. Many Pen Testers will also run brute forcers against reachable services, including HTTP(S) web application authentication portals, FTP, SMB, SNMP, and DNS (to name a subset). Brute forcing, even when customized, is notoriously noisy (hundreds of failed authentications from a single source in a short window), and assuming the target has a relatively decent degree of Cyber maturity, it will be detected quickly. Another thing worth noting is that Pen Test operations are usually required to notify their customer’s designated contacts before they begin offensive activities.
These notifications put defense teams on high alert and remove the opportunity to measure the efficacy of the customer’s defensive operations.
What is Red Teaming?
A red team or red cell is a group of hackers with varying backgrounds that tests the assumptions behind an organization’s digital presence and the blue team’s threat response activity. Red Teaming is a goal- or objective-based operation conducted against a target to evaluate an organization’s technical defenses and incident response capabilities when subjected to real-world attacks. Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate real-world threat actors with the goal of training and measuring the effectiveness of the people, processes, and technology used to defend an environment. Red Teamers are akin to strategic snipers. They emulate known adversaries drawn from public and private threat intelligence feeds, news sources, and blogs. They do not care about all possible entry vectors but instead focus on the vectors that real-life threat actors favor when surveying the threatscape. Red Team snipers crawl around in ghillie suits, biding their time. They spend long efforts staring through powerful scopes gathering intel. Red Teams tediously map out victim headquarters and associated defensive measures. Operators meticulously note who and what is frequenting the target location while keeping logs for reference. They revel in identifying high-value targets and developing detailed roadmaps that account for each possible failed step along the way to their goal. Accounting for hiccups along the pre-charted path allows them to acquire and exfiltrate high-value victim assets with great precision. Red Teams help distinguish what is possible from what is actively happening in the wild, and this distinction aids in determining whether your organization is at risk from such adversaries.
The differences between Pen Testing and Red Teaming
Now for the main event, Pen Testing vs. Red Teaming. Is there a difference? It may already have become clear from reading above, but Pen Testing and Red Teaming fulfill different functions and, as a result, produce different value. Pen Testing validates the assertions made by vulnerability scan operations. Pen Testers are looking for any path to Domain Administrator within engagements that are more narrowly scoped than those of Red Teams. One might say Pen Testers are placed closer to the enemy defenses, which forces them to narrow their view of the potential attack surface. As a result, Pen Tests are more operational than strategic, as the scope is pointed. For example, a Pen Test engagement might be narrowed down to a single network subnet or a single web application.
One might say the narrow scoping gives the Pen Testers tunnel vision in a sense. This thin scoping stands in stark contrast to what Red Team Operators can exercise. Red Team Operations can be scoped broadly to contain many websites, networks, human targets, phishing, spear-phishing, vishing, and physical assessments with malicious device implants. Penetration tests focus on exploits to help determine business risk. Per “Red Team Development and Operations: A Practical Guide,” it is common for a penetration test to explore a wide range of vulnerabilities to discover their risks. During a Red Team engagement, flaws will be exploited only to the degree needed to achieve the goals or objectives. Red Team operators are rarely focused on domain administrator-level access unless such access is necessary to their established goals and objectives. Red Teams are not typically focused on DA accounts because they mimic adversaries who are more often concerned with finding and exfiltrating data that can be monetized. Besides, Red Teams do not run vulnerability scanners, as this is a noisy approach and would unmask their covert operation. Instead, they move more slowly, looking for opportunities to abuse flaws, weaknesses, misconfigurations, and over-privileged user accounts. They will often chain together many of the aforementioned items to exploit a system, and only as far as needed to achieve their objectives. Red Teams take on adversarial personas with little to no notification given to the target organization. They also work directly with Blue Team Operations in Purple Team efforts to develop IoCs, alerts, and blocking techniques for attacks that went undetected during previous Red Team ops. This secondary Purple function provided by the Red Team helps refine the alerting, blocking, and tackling across people, processes, and technologies in a way that cannot be derived from Pen Testing Ops alone.
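The noise argument running through the Pen Testing and Red Teaming sections above (brute forcing gets detected within seconds; a red team moves slowly to stay under the radar; the purple-team debrief is where the blue team builds alerts for what slipped through) can be made concrete. The block below is an added example and not code from the original article: a small Python detector run over constructed authentication-failure log lines. The log format, the documentation-range IPs, the account names, and the thresholds are all assumptions made for the example, not a real sshd or web-server format. It shows a pen-test-style brute force tripping the cheapest possible rule (many failures from one source in a minute), a low-and-slow password spray that never trips that rule, and the additional rule (many distinct accounts from one source in an hour) a purple-team session might produce to catch it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real sshd/web-server format):
#   "<ISO-8601 timestamp> FAIL user=<account> src=<source IP>"
# The IPs come from documentation ranges and the account names are made up.


def burst_lines():
    """Pen-test style brute force: 150 failures against one account from
    one source, five attempts per second (about 30 seconds of traffic)."""
    base = datetime(2023, 5, 1, 2, 0, 0)
    return [
        f"{(base + timedelta(milliseconds=200 * i)).isoformat()} FAIL user=admin src=198.51.100.7"
        for i in range(150)
    ]


def spray_lines():
    """Red-team style low-and-slow password spray: one failure per account,
    40 accounts, 90 seconds apart (about an hour of traffic, never a burst)."""
    base = datetime(2023, 5, 1, 2, 0, 0)
    return [
        f"{(base + timedelta(seconds=90 * i)).isoformat()} FAIL user=user{i:02d} src=203.0.113.9"
        for i in range(40)
    ]


def parse(line):
    """Split one constructed log line into (timestamp, account, source IP)."""
    ts, status, user_kv, src_kv = line.split()
    assert status == "FAIL"
    return datetime.fromisoformat(ts), user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect(lines, burst_threshold=20, burst_window=timedelta(seconds=60),
           spread_threshold=10, spread_window=timedelta(hours=1)):
    """Return the set of (rule, source_ip) alerts raised over the lines.

    burst:  >= burst_threshold failures from one source inside a sliding
            burst_window (the classic brute-force signature).
    spread: >= spread_threshold distinct accounts failed from one source
            inside a sliding spread_window (catches a spray whose per-minute
            rate never reaches the burst rule).
    Thresholds are illustrative assumptions, not recommended production values."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(parse(line) for line in lines):
        by_src[src].append((ts, user))

    alerts = set()
    for src, events in by_src.items():
        # Both rules are sliding windows over the time-sorted events of one source.
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.add(("burst", src))
                break
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > spread_window:
                start += 1
            if len({user for _, user in events[start:end + 1]}) >= spread_threshold:
                alerts.add(("spread", src))
                break
    return alerts


if __name__ == "__main__":
    print("brute force           :", detect(burst_lines()))
    print("spray                 :", detect(spray_lines()))
    # With the spread rule effectively disabled, the spray raises nothing at all.
    print("spray, burst rule only:", detect(spray_lines(), spread_threshold=10**9))
```

The exact numbers do not matter; what the two runs show is that the pen tester's approach is visible to the simplest rate rule a SOC already has, while the red team's approach is invisible to it by design and only becomes visible once the defenders alert on a behaviour (one source touching many accounts) they learned to look for after the engagement.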
From differences to similarities: Red Teams and Pen Test Teams both provide substantial value to organizations. The value provided by Pen Testing is effectively a “vulnerability scan plus.” Pen Testing adds active exploitation to the mix with more specific and pointed activities. These activities uncover the exploitability of vulnerabilities that let testers kick down your digital doors and find a path to take over the domain. In contrast, the Red Team’s value-add is more refined and specific to a category of threat actor. These threat-actor-specific actions are broadly scoped to be as realistic as possible and verify whether your organization can stave off varying degrees of sophisticated adversaries (Hobbyists, Hacktivists, State-Sponsored), helping to measure organizational risk more effectively.
If you like my content and the work I have provided here please consider sending some coffee love my way @ https://www.buymeacoffee.com/killbit