So the other day, I was debating the ins and outs of a cyber strategy to protect a network. At one point, my learned friend scoffed at me, saying I was splitting hairs – that there was essentially no difference between “red teaming” and penetration testing.
I respectfully disagreed, and here’s why:
Actually, let’s first admit that they do have one thing in common: both are key to a holistic defense strategy. But they should not be conflated.
Let’s define what we are talking about first.
Penetration Tests Defined
A Penetration Test has clearly defined parameters. Its purpose is to perform a specific assessment during a specified time in order to test the cyber resiliency or weaknesses of a given system, software or policy.
The job might include finding exploitable vulnerabilities in a specific system or testing the staff’s ability to spot and block a phone scam or ransomware attack.
At the end of the testing phase, it is usual for the pen tester to provide a report outlining any problems found and the associated remediation advice.
Red Teaming Defined
The concept of Red Teaming reportedly hails from methods used by the military to test force-readiness. The term refers to the team responsible for acting like the adversary in a simulation or exercise.
The idea behind red teaming, both then and now, is similar: set the enemy parameters (for instance, estimated likely resources, goals, previous activities, etc.), and then attack the entity’s systems, users or data while simulating that persona.
Red teams often have an accompanying Blue Team, the entity’s defender. It is this team that counters the attack. Its job is to thwart the attackers from attaining their goal or causing any harm to the entity. A blue team’s raison d’être is to learn from the attack and outline strategies and policies that effectively heighten security.
Thinking like an enemy reveals less predictable attack types, and that information can help entities – be they companies, non-profits or government – to implement more informed policies and strategies to defeat the enemy.
How they work together
So a penetration test can be seen as tactical, in that it is useful when you want to hammer on one specific thing, record the findings and implement the recommendations, while red teaming is more strategic, helping the entity better understand the vulnerabilities across its attack surface.
Or another way to look at it is that a penetration test is like going to a physical trainer and saying ‘My leg feels weak. Please test it, and tell me how I can improve it’. Red teaming, on the other hand, is more like ongoing training for a kickboxing match. Your training opponent tries to surprise and neutralise you, helping you better prepare for the real match.
My point here is that they work hand in hand. Penetration tests are often a compliance requirement. PCI, GDPR and HIPAA, for example, each require regular penetration testing. Red teaming, however, is not required by most regulators. For one, it is a nebulous term by design: ‘Simulate a surprise attack so we can see what our damage would have been had it been real.’ Red teaming does not have a defined code of conduct.
Ironically, it is this very aspect, the nebulous unknowns, the unpredictability of it all, that makes the experience so rewarding and useful. The glut of new knowledge that can come from a successful (or even failed) simulation attack is incredibly valuable in helping strengthen the security profile of a network or system, and its users.