Blogs

Comparing Penetration Testing and Red Teaming

06.11.2020

QinetiQ’s Security Health Check Team

  • How to choose between Penetration Testing and Red Teaming.
  • Is Penetration Testing or Red Teaming right for your organisation?
  • Red Teaming vs Penetration Testing. What gets the best result?

At first glance the difference in output between Penetration Testing (PEN Testing) and Red Teaming isn’t obvious, especially when so many people use the terms interchangeably. But it's important for you to know the difference so that you can choose the best test for your specific requirements and like many things, it's about choosing the right tool for the job.

Let's start by looking at the similarities between them. Firstly, both Penetration Testing and Red Teaming are types of authorised, simulated attacks against an organisations systems, both internet facing and internal estate. The attacks use the latest techniques, mimicking real world adversaries. The ultimate goal for the client is to receive a technical report which will help you to focus on, improve the weak spots or vulnerabilities and quickly improve your security posture. After all, security testing is about managing, and hopefully reducing, risk and allowing you to focus your money, time and energy where it's needed most. There is a word of warning, however, no test can tell you about all of the issues. Security testing by its very nature is time constrained and testers have to focus on what they can achieve in the time allotted.

Introduction to penetration testing and red teaming

Now on to the differences, let's start by looking at Penetration Testing.

What is Penetration Testing?

Penetration Testing is a focused security test, usually concentrating on finding vulnerabilities within a single system, network or asset. PEN Tests tend to be quite tightly scoped, with shorter time-frames (one or two weeks) than a Red Team engagement.

There are many types of Penetration Testing:

  • Infrastructure
  • Application
  • Cloud infrastructure
  • Wireless
  • Mobile

A Penetration Test can include one or more of these. In fact, our Penetration Test can include any of these combinations.

PEN Tests are not about finding the latest 0-day exploits, but are about confirming if there any known vulnerabilities in the software or system and then exploiting them to prove the impact. PEN Testing is all about confirming known issues within a system.

Penetration Testers don't usually have to worry about being spotted by your organisations defence team as they are normally also aware the test is taking place and there is no attempt to hide what is going on. In some cases, the Penetration Test can be about making sure the Blue Team monitoring solution or security controls are actually working as they should. We often describe Penetration Testing as a 'mile wide and an inch deep', as the main drive is about getting the best coverage and identifying as many vulnerabilities in the system as we can in the time we've got. PEN Testing is not about chaining exploits together to accomplish a goal or reach a particular target.

What is Red Teaming?

Red Teaming is more of a scenario based and goal driven test, with the ultimate aim of emulating the real world adversaries and attackers who are trying to break into a particular system or steal information. We call these systems and information your "crown jewels", as these are the things that would keep you awake/cost you your job/cause financial ruin/loss of brand equity if they were compromised or stolen. You know what these things are.

Red Team events tend to take place over longer time-frames (sometimes as long as months) than a PEN Test and also have wider ranging scopes. Red Team scopes will include multiple systems, networks and can even include physical testing of security controls, such as gaining unauthorised access to a controlled site.

Our 'Advanced Intrusion Exercise' includes physical testing as mentioned above and we've delivered many engagements for some of the world’s largest organisations where a fake ID badge and a winning smile has got us access to a restricted site or office building. As a result, our Red Teamers are all quite capable at picking locks or cloning ID badges, as we never know what security protection you'll have on your site when we get there.

Stealth, for us, is a major part of Red Teaming and we've done plenty of tests where the Blue Team were unaware that the test was taking place. We don't want to get caught if we can help it. Our 'Multi Scenario Attack Simulation' testing is geared toward emulating the stealthy real world campaigns that take place over months and we've specifically designed it to exercise the Blue Team's playbook over longer time frames.

We use 'low and slow' attacks to probe for any weakness in everything from internet facing systems, email filtering or even identifying potential targets (your employees) by the things they are sharing on social media. We employ every trick we've seen the real world attackers using. Testing without the Blue Team being aware is great for you if you want to know how their processes and procedures would work during a real world attack.

Our Red Teamers take great pride in being able to evade, and even subvert, security controls to gain access to systems, chaining multiple attacks in order to reach their goal.

So as you can see Red Teaming is a more 'real world' test of your estate and systems. Some of our best results have come from our customers who realise that you need to 'train like you fight', allowing us to employ every technique available to gain access and thoroughly test how secure those 'crown jewels' really are.

So we've looked at the similarities and differences of Penetration Testing and Red Teaming and I'm sure you'll realise that both have their place. Ideally you would have both in your security testing plan. If your goal is to test a newly deployed system, application or configuration then Penetration Testing might be best for you. If you want to make sure that all of your processes work together to produce true defence in depth solution then a Red Teaming engagement might be best for you. We can help you to pick the best tests for your requirements.

We’ll be sharing real examples of Red Teaming tests and outcomes in our upcoming webinar presented by our experts ‘Red Teaming – Hacking (organisations) from the hotel’ on the 25th November 2020. Sign up here.