Red Teaming and Penetration Testing are useful practices for organizations looking to improve their cyber security. Learn more about the key differences between the two.
What is red teaming and how is it different from penetration testing?
Red teaming is the practice of simulating the tactics, techniques and approaches of another (typically malicious) actor. Red teaming engagements are run by a "Red Team" that plays the role of the threat actor. The term 'Red Team' originates from a military setting but is used in many other fields including that of cyber security.
Red teaming differs from penetration testing in that it directly simulates a specific adversary, such as a nation state or Advanced Persistent Threat (APT). Penetration testing (typically run by an ethical hacker) is usually bounded by time and scope, with the key objective of identifying as many vulnerabilities as possible within a given period, rather than breaching the organisation without detection over a longer period of time.
Why is it called a red team and what is its purpose?
A red team is known as such because it plays the role of the 'dangerous enemy' or malicious actor. Although the engagement is deliberately benign, the red team's objective once a breach has been demonstrated is to give the client security feedback that helps them better protect and strengthen their defences. By contrast, a "blue team" plays the role of the 'defenders' against the red team threat; the blue team's sole objective is to detect, stop and defend against the red team's activity.
The purpose of a red team is to act as realistically as possible by mimicking a genuine cyber attack, albeit within controlled parameters that lower the risk of actual impact to the client. The red team will typically use the same tools, techniques and approaches as the malicious actor it seeks to emulate. The overall objective of a red team engagement is to improve the security posture of the target (client) estate and infrastructure.
By simulating cyber attacks via a red team, your organisation will be better prepared to defend against a real attack, having gained additional insight into what your blue team, or Security Operations Centre (SOC), should be looking out for and monitoring as part of their business-as-usual (BAU) routines.
Who should use red teaming?
All organisations should consider red teaming as part of their offensive security program. Malicious hackers continually seek ways to breach organisations and a red teaming engagement - especially one from CovertSwarm, that provides Constant Cyber Attack - can help all organisations to outpace their genuine cyber threats.
Why is red teaming important?
Red teaming is important because it is one of the only ways you can simulate a real cyber attack against your organisation: you likely already regularly run fire drills within your organisation to simulate a response to a fire in the building. Think of red teaming like running a drill for a cyber attack.
Is red team testing more effective than penetration testing?
Red team testing and penetration testing are two different disciplines. Each has a different focus and target outcome. They are closely linked and the right choice for your organisation really depends on the value you are looking to obtain.
If you have a compliance obligation to perform regular penetration testing, or penetration testing is mandated by a third party that you supply - then it is likely the best first option to explore. Additionally, if you do not yet feel that your organisation is ready for a fully simulated cyber attack then penetration testing against certain assets only may provide the initial insights and results you are looking for.
However, if you wish to truly identify how your organisation would respond to a real cyber-attack or how an attacker might breach your organisation then red teaming is the best answer for your organisation.
The challenge with both penetration testing and red teaming is that each is a "point in time" exercise, which leaves a gap in cyber risk coverage between engagements. This is where CovertSwarm and its Constant Cyber Attack service modernise and challenge the cyber service market.
The benefits of using a red team
The benefits of using a red team are:
You will be working with ethical hackers who think like a malicious hacker, using the same techniques and approaches, but whose focus is to help you raise your security bar and strengthen your organisation's defences against cyber attack;
Only by working with a red team can you truly understand the threats and risks your organisation faces from cyber attack;
Board rooms will normally listen if you can demonstrate a genuine point of compromise or breach. It is challenging to distil this from the noise created from other offensive security service reports, such as those created by traditional snapshot Penetration Testing engagements.
How penetration testing & red team operations are executed
Penetration testing is typically executed by ethical hackers and red team engagements by 'red teamers'; however, it is common for ethical hackers to also be involved in red team engagements and for 'red teamers' to occasionally perform penetration testing, despite their differing objectives.
The two disciplines, despite their differences from a delivery and engagement perspective, have much in common in terms of the underlying knowledge and skillsets required.
Both Penetration Testing and Red Team Operations are executed against a set methodology, often created by the offensive security services provider with direct input from their employed pen-testers or red teamers.
The methodologies and approach between a penetration test & a red team operation do differ, however: Pen testing tends to have a limited, set scope that requires only a set number of ethical hacker days to deliver and identify as many cyber vulnerabilities as possible in that time. Conversely red teaming is typically a longer, slower engagement whose objective is to breach the organisation whilst remaining undetected. Often red team operations will run over an extended period of time - sometimes many weeks or months. For most red team engagements the scope is a whole organisation, rather than a set technical scope as with most penetration testing engagements.
The red team approach and methodology explained
CovertSwarm's red team approach and methodology form the foundations of our Constant Cyber Attack offering.
Reconnaissance and Information Gathering
Upon the commencement of CovertSwarm's Constant Cyber Attack service to our clients, our Swarm performs an initial discovery phase to enumerate all assets whilst gathering additional, detailed information relating to the organisation.
This phase of our attack process begins with passive discovery techniques before we move to more overt, active techniques such as port scanning and manual probing; the active techniques are the first point at which the engagement becomes observable to the client's defenders. Depending upon the organisation's public presence, a significant amount of information relating to staff members, infrastructure deployments and application data is normally obtained through open-source intelligence (OSINT) gathering. Examples include corporate IP addresses, hostnames and address ranges; public-facing APIs and applications; and information that is useful for social engineering attack vectors, such as staff phone numbers, email addresses and usernames, and the operating hours of offices.
CovertSwarm often returns to this reconnaissance stage during an engagement, as each step within an attack chain may require additional information discovery in preparation for one of our bespoke attacks.
Our aim throughout is to replicate an Advanced Persistent Threat as accurately as possible.
Research & Exploit Development
Following the initial reconnaissance and information gathering phase, CovertSwarm expands the pool of ethical hackers assigned to the client for the research and exploit development phase. This step is normally disclosed to stakeholders during the planning and scoping process.
The purpose here is to utilise specific, advanced skillsets within the team to further benefit CovertSwarm’s delivery and the resulting output for customers.
Utilising the information gathered in the previous phase a number of areas are included in the research and development elements (note: the list below is non-exhaustive):
Performing dedicated research into the exploitation of previously disclosed vulnerabilities (for example, developing a public proof-of-concept into a reliable, working exploit);
Developing new tools and techniques to evade anti-malware, EDR/XDR, SIEM and similar security controls, and building bespoke attack infrastructure such as command-and-control (C2) platforms;
Constructing attack scenarios for social engineering vectors, such as phishing, vishing, etc.
This phase of the engagement is crucial to the success of our operations against our clients and takes time to plan, craft and deliver.
Attack Execution
CovertSwarm then moves to actively delivering one or more attacks, all of which are made possible by the information gathered and the tooling built in the research and development phase.
The goal of this phase is the successful compromise of at least one system, application, individual or physical location without triggering a detection by the customer's blue team or SOC.
We deliberately try to evade detection by blue team members monitoring firewall or intrusion detection logs. Any detection of our activities is a positive sign for our clients: it shows that they have a strong security posture and that the defences they have in place are effective.
All our activities during the Attack Execution stage are logged in order to support the blue team in terms of ad-hoc and ongoing remediation of possible attack vectors, which includes times, dates, IP addresses, targets, etc. Our audit trail also helps the client blue team to 'fine tune' their monitoring to ensure detection in the future - effectively helping to upskill and tighten their security posture.
At any point during this phase of an engagement, CovertSwarm may return to previous stages (reconnaissance and research/development) to further explore and strengthen possible attack vectors as additional information is uncovered organically: an example of this would be where specific information relating to the anti-malware software, internal software and operating systems, or similar systems information are disclosed to our Swarm during phishing engagements or other social engineering attacks.
The output from our engagement is delivered on a frequent, dynamic basis as general updates throughout our cyclical attack process and is also summarised at both a high level (C-Level audience) and in granular technical detail (Technology team audiences) within formal reports that are produced. All reporting is delivered exclusively via our unique Offensive Operations Centre portal - never via insecure channels such as email.
CovertSwarm operates an open communication policy to ensure that clients are kept abreast of our Swarm's discoveries in real-time. As noted above, general updates are regularly produced (at least weekly) and critical notifications are actioned at the time of discovery to the key stakeholders - with a clear escalation path always being maintained and followed where necessary.
Upon completion of testing the respective Hive Members involved in that cycle of attacks provide a formal debrief to the client by presenting their findings, and making themselves available to answer any questions that may arise from the results.
Client-side stakeholders and senior CovertSwarm leadership members normally take part in the debrief meeting that concludes each significant round of testing. This meeting also often includes the customer's blue team and SOC, along with the wider group of Hive Members involved within CovertSwarm; the purpose is to provide as many insights and educational touch-points as possible on the identified areas of cyber risk and weakness. Debriefs can go into great technical and audit-level detail, whether the attack exposed an operational process run by the client's Security Operations Centre (SOC) or uncovered a more technical vulnerability. Typically we share the details of our exploitations or bypasses, including timestamps and metadata for each attack, so that the blue team can review their logs and technical controls, establish the root cause of the compromise and tighten their monitors and alarms.
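The audit trail described in the Attack Execution stage and the timestamped attack details shared at the debrief only help the blue team if they are actually correlated against what the SOC saw. The script below is an added example written for this page, not CovertSwarm's tooling or report format: it matches each logged red-team action against an export of SOC alerts by target, source address and a time window, and lists the actions that no alert covered. The two record sets, their field names, the 15-minute detection window and the one-minute clock-skew allowance are all constructed assumptions.

```python
"""Added example (not CovertSwarm's tooling): correlate a red-team audit
trail with SOC alerts to find which actions went undetected."""
from datetime import datetime, timedelta
import json

# Constructed red-team audit trail, one JSON object per line. Timestamps,
# addresses, hosts and technique IDs are made up for this example.
RED_TEAM_LOG = """\
{"ts": "2024-03-04T09:02:00Z", "src": "203.0.113.10", "target": "vpn.example.test", "technique": "T1595", "desc": "TCP port scan of external range"}
{"ts": "2024-03-04T10:15:00Z", "src": "203.0.113.25", "target": "finance-ws07", "technique": "T1566.001", "desc": "Macro-enabled invoice delivered by phishing e-mail"}
{"ts": "2024-03-04T10:41:00Z", "src": "203.0.113.25", "target": "finance-ws07", "technique": "T1071.001", "desc": "HTTPS C2 beacon established from user workstation"}
{"ts": "2024-03-05T02:30:00Z", "src": "10.20.5.17", "target": "dc01", "technique": "T1003.006", "desc": "DCSync replication request from pivot host"}
"""

# Constructed SOC alert export. "src" is null where the sensor (an EDR
# agent, say) reports only the host it runs on, not the peer address.
SOC_ALERTS = """\
{"ts": "2024-03-04T09:05:30Z", "src": "203.0.113.10", "target": "vpn.example.test", "rule": "IDS: port scan from single source"}
{"ts": "2024-03-04T10:43:10Z", "src": null, "target": "finance-ws07", "rule": "EDR: winword.exe spawned powershell.exe"}
{"ts": "2024-03-05T03:10:00Z", "src": "10.20.5.17", "target": "fileserver01", "rule": "SMB lateral movement"}
"""


def parse_jsonl(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp; the trailing-Z form is accepted."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def alerts_for(action: dict, alerts: list[dict],
               window: timedelta = timedelta(minutes=15),
               skew: timedelta = timedelta(minutes=1)) -> list[dict]:
    """Return the alerts that plausibly fired on this action.

    An alert counts when it names the same target, either omits a source
    address or names the same one, and was raised between `skew` before
    the action (clock drift between red-team and SOC clocks) and `window`
    after it (detection and pipeline latency).
    """
    acted_at = parse_ts(action["ts"])
    start, end = acted_at - skew, acted_at + window
    hits = []
    for alert in alerts:
        if alert["target"] != action["target"]:
            continue
        if alert.get("src") is not None and alert["src"] != action["src"]:
            continue
        if start <= parse_ts(alert["ts"]) <= end:
            hits.append(alert)
    return hits


def coverage_report(actions: list[dict], alerts: list[dict],
                    window: timedelta = timedelta(minutes=15),
                    skew: timedelta = timedelta(minutes=1)) -> dict:
    """Split actions into detected and undetected, keep the matching alerts,
    and compute the fraction of actions that produced at least one alert."""
    detected, undetected = [], []
    for action in actions:
        hits = alerts_for(action, alerts, window, skew)
        (detected if hits else undetected).append({"action": action, "alerts": hits})
    coverage = len(detected) / len(actions) if actions else 0.0
    return {"detected": detected, "undetected": undetected, "coverage": coverage}


def undetected_techniques(report: dict) -> list[str]:
    """Technique IDs the blue team saw nothing for: the tuning backlog."""
    return [item["action"]["technique"] for item in report["undetected"]]


if __name__ == "__main__":
    report = coverage_report(parse_jsonl(RED_TEAM_LOG), parse_jsonl(SOC_ALERTS))
    print(f"detection coverage: {report['coverage']:.0%}")
    for item in report["undetected"]:
        a = item["action"]
        print(f"MISSED {a['ts']} {a['technique']:<10} {a['src']:>14} -> {a['target']}: {a['desc']}")
    for item in report["detected"]:
        a = item["action"]
        rules = ", ".join(al["rule"] for al in item["alerts"])
        print(f"seen   {a['ts']} {a['technique']:<10} {a['src']:>14} -> {a['target']}: {rules}")
```

On the constructed data the port scan and the C2 beacon each line up with an alert, while the phishing delivery and the DCSync request do not, giving 50% coverage and two techniques for the tuning backlog. Note what the match does and does not tell you: the "SMB lateral movement" alert is ignored because it names a different target, and a hit only shows that some alert fired near the action, not that an analyst triaged it, so the debrief still needs the SOC's own timeline alongside this output.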