At RSM, one of our goals is to help guide clients in choosing the right test for them. This isn’t always as simple as it sounds, because it takes into consideration factors such as the goals of the assessment or the size of the network. One of the most common questions we receive is about the difference between a penetration assessment and a Red Team assessment.
Many in the cybersecurity world also seem confused about the two. After all, isn’t the goal of both assessments to penetrate a network? At face value, a Red Team assessment and a penetration test seem very similar. Both are designed to simulate some sort of cyber threat, attack, and/or analysis of an attack. But the differences between the two assessments make all the difference, for tester and client alike.
The Goals and Methods of Penetration Tests
During penetration tests, testers are careful not to perform any actions that may harm the business in any way while assessing the targeted hosts for vulnerabilities and their potential risk of exploitation.
Typically, a penetration test is performed on either an organization’s internal or external environment within a specified scope of an engagement. If a penetration test includes both the external and internal environments, these environments are assessed separately.
For a client, the goal of a penetration test is to answer questions such as:
- Are our systems secure?
- What vulnerabilities exist on my systems?
- How can I strengthen the cybersecurity on my systems?
- Is our password policy strong enough?
- Have we made any security misconfigurations?
- Is our encryption strong enough?
To answer these questions, the penetration tester has a number of tools at their disposal. From vulnerability scans to brute-force password attacks to attempting common attack vectors, a tester is looking to probe every element of a network for weaknesses (operating, of course, under a deadline and within the client’s specific scope).
Overall, a penetration test is going to be used to point out vulnerabilities that exist within the organization’s systems, exploit them, and find the associated risk involved with the vulnerabilities. Penetration tests will focus more on the systems and what could happen if an attacker could reach them.
The Goals and Methods of Red Team Assessments
At a surface level, penetration testing and Red Team assessments can look similar, but the approach is very different. A Red Team assessment is designed to take a more realistic approach to testing, to ensure that all areas of an organization’s defenses are assessed for gaps and for alignment with industry-standard configurations.
When performing this type of assessment, the Red Team (“attacking” team) attempts to bypass defenses (firewall configurations, intrusion detection systems, anti-virus suites, manual IT staff review, etc.) in pursuit of domain administrator accounts, sensitive data, or otherwise unauthorized access that might be valuable to an attacker.
In a Red Team assessment, the Red Team will try not to get “caught” while assessing the organization’s defenses and overall detection capabilities, and will do nothing to harm the business in any way.
A Red Team assessment is used to analyze the organization’s overall defenses and detection capabilities; it focuses on the organization’s security as a whole, with a much more realistic approach.
When considering a Red Team assessment, the client is looking to answer questions such as:
- Are we capable of withstanding a true cyberattack?
- What are the weak spots in our cybersecurity?
- Will our cyber response plan work?
- Will we be able to identify an active cyber threat?
- Are our employees trained in security awareness (i.e., can they spot a social engineering attack)?
- What would happen if a cyberattack occurred right now?
Unlike a penetration test, a Red Team assessment involves testing both the internal and external environments at the same time. This is also often paired with continuous social engineering to assist in attacks and in the analysis and reporting of the organization’s overall defense and detection capabilities.
Furthermore, a Red Team will operate infrastructure resembling what an adversary would use, such as mail servers, relay servers or web servers. Such infrastructure also has capabilities that help the Red Team avoid being caught.
This article was written by Noah Godfrey. A special thanks to Jeremy Schoeneman for his assistance with this article.