Red teaming is a service focused on assessing a company’s operational security capabilities by conducting a sophisticated attack simulation exercise and evaluating how the defending SOC specialists (blue team) detect and respond. Alexander Zaytsev, Head, Security Assessment, Kaspersky, explains the difference between red teaming and other services including vulnerability assessment and penetration testing.
More than a third of enterprises experienced a targeted cyberattack in 2020. So, you might say that it’s important for companies to understand how their security operations would hold up if they were faced with similar sophisticated threats. Arguably one of the best ways to achieve this understanding is to look at your own organisation from a threat actor’s standpoint. Unfortunately, there’s a plethora of security assessment service offerings out there, masquerading behind misleading marketing materials.
What are security assessment services all about?
From our experience, customers often get confused between three types of services – vulnerability assessment, penetration testing and red teaming.
Unfortunately, in the field of information security, a lot of shiny, new terms eventually get promoted aboard a hype-train for a never-ending ride of supply-creating demand. This was true when penetration testing first became a thing and the same is true today for red teaming.
Almost any security service provider on the market is ready to offer some form of “red team” service, because more and more regulations demand it, resulting in more and more requests for proposals (RFPs), which push requests for “new services”.
Closer communication with customers reveals that in around 80% of all the requests we receive for red teaming, the company is actually looking for good old-fashioned penetration testing.
This discrepancy is perfectly understandable, because the term “penetration testing” is currently just as muddied by marketing as “red teaming”. The only difference is that you could easily end up getting a vulnerability scan labelled “penetration testing”, and companies will often overlook this option in favour of an “upper tier” service.
That being said, we consider that the key steps to fulfilling your own expectations from any kind of security assessment service are: taking the time to formulate your needs and ensuring that the vendor understands how to satisfy them with their offering.
To once again demonstrate how vulnerability assessment, penetration testing and red teaming differ, we’ll consider three basic criteria – the goal of the service, its scope and methodology.
What’s out there?
Vulnerability assessment (VA), the most common service of the three, is an automated or semi-automated approach to the identification of security issues. Its goal is to discover as many publicly-known vulnerabilities as possible among a strictly defined set of systems, ideally minimising false positive results. The methodology is quite simple, and boils down to pattern matching data received from a network service against a database of known security issues. Such a straightforward approach allows for a great level of automation, which brings the advantages of speed and repeatability. The disadvantages, on the other hand, are quite obvious too: in the end, all you get from a VA is a list of existing well-known vulnerabilities.
We’re not stating that VA is not the right service for you; it is a crucial part of the vulnerability management program in any security-mature organisation, alongside asset inventory and change management processes.
Keep in mind that VA has nothing to do with any kind of simulation of adversarial behaviour. So, if a service provider you’ve enlisted for a penetration testing or red teaming engagement mostly relies on an automated vulnerability scanning solution in the course of their work, they are not doing it right.
Now with vulnerability assessment addressed, let’s take a closer look at penetration testing before digging into red teaming.
As the name implies, penetration testing (pentest) aims to demonstrate how a security boundary could be breached, allowing a threat actor to get from point A to point B inside an organisation’s network. Unlike a vulnerability assessment, a pentest goes beyond plain enumeration of potential security weaknesses: a proper penetration testing engagement, applied to an external perimeter, corporate network or both, would show how a malefactor would behave if set on compromising a company’s IT infrastructure.
Methodology-wise, a pentest is mostly a manual service that relies more on the knowledge and experience of the expert team performing it than on tooling and automation. Considering the above, you should plan the project accordingly: a typical engagement might take anywhere from 30 to 60 business days for the practical part and reporting. And since reporting is the key deliverable of the whole exercise, when choosing a service provider, pay close attention to what would be included in your report. Most established vendors would have a sample report that you could request to evaluate whether the final product would match your expectations.
Finally, a red teaming service is focused on assessing a company’s operational security capabilities by conducting a sophisticated attack simulation exercise and evaluating how the defending SOC specialists (blue team) detect and respond. Though it may look similar to penetration testing, there are significant differences between testing security operations (OpSec) and looking for attack vectors.
The methodology and scope of each red teaming exercise are heavily dictated by threat intelligence (TI) gathered prior to the engagement. During penetration testing, a service provider tries each and every attack vector that would aid in breaching IT infrastructure security. During red teaming, the customer and service provider develop a set of goals together, to be reached via a corresponding set of attack scenarios. These would be the scenarios most relevant for the company, based on the results of in-depth threat intelligence research. In most cases the scope would not be limited to any particular IP addresses or domains, instead covering the whole organisation, including people and processes. These kinds of exercises also last longer than any others, half a year or even longer, due to the need to simulate the low-profile behaviour of a real attacker.
So now that you’ve seen all the typical propositions and weighed up your real needs, ask yourself one more question before starting the hunt for the top red teaming service provider: “how did my SOC perform the last time we ordered a proper pentest?” If your answer is akin to: “oh, well now I’m unsure if we’ve ever conducted one” or “actually we don’t have a dedicated security operations team right now”, then you probably won’t get the bang for your buck that a red teaming engagement would cost and you may get better value from hiring an expert penetration testing team. Just remember to ask them to keep a timestamped record of all the indicators of attack and compromise. If, on the other hand, your answer would include such cryptic terms as “threat hunting”, “MTTD”, “MTTR” or similar – then chances are you’re good to go for a red teaming adventure.
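The timestamped record of indicators recommended above is what makes detection measurable after the engagement. As an added example (not part of the original article), the Python sketch below joins such a record with the alerts the SOC raised and reports which actions went undetected and the mean time to detect (MTTD). All field names, hosts and log entries are constructed, and matching an alert to an action by host alone is a simplifying assumption.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names and values are assumptions for illustration.
# ACTIVITY: the assessment team's timestamped record of indicators.
ACTIVITY = [
    {"id": "A1", "time": "2021-03-01T09:00:00", "host": "ws-014", "indicator": "macro document executed"},
    {"id": "A2", "time": "2021-03-01T11:30:00", "host": "ws-014", "indicator": "credential store read"},
    {"id": "A3", "time": "2021-03-02T14:00:00", "host": "srv-db2", "indicator": "remote service logon"},
    {"id": "A4", "time": "2021-03-03T08:15:00", "host": "srv-dc1", "indicator": "privileged account created"},
]
# ALERTS: what the SOC actually raised (assumed SIEM export).
ALERTS = [
    {"time": "2021-03-01T08:50:00", "host": "ws-014"},  # predates A1: unrelated noise
    {"time": "2021-03-01T09:40:00", "host": "ws-014"},
    {"time": "2021-03-02T16:00:00", "host": "srv-db2"},
    {"time": "2021-03-03T08:25:00", "host": "srv-dc1"},
]

def correlate(activity, alerts, window=timedelta(hours=72)):
    """Credit each logged action with the earliest unused alert on the same
    host raised at or after the action and within `window`."""
    used, results = set(), []
    for act in sorted(activity, key=lambda a: a["time"]):
        start = datetime.fromisoformat(act["time"])
        hits = sorted(
            (datetime.fromisoformat(al["time"]), i)
            for i, al in enumerate(alerts)
            if i not in used and al["host"] == act["host"]
            and start <= datetime.fromisoformat(al["time"]) <= start + window
        )
        delay = None
        if hits:
            used.add(hits[0][1])  # one alert cannot prove detection of two actions
            delay = hits[0][0] - start
        results.append({"id": act["id"], "time_to_detect": delay})
    return results

def summarize(results):
    """Detection coverage, missed actions and mean time to detect (MTTD)."""
    delays = [r["time_to_detect"] for r in results if r["time_to_detect"] is not None]
    return {
        "missed": [r["id"] for r in results if r["time_to_detect"] is None],
        "coverage": len(delays) / len(results) if results else 0.0,
        "mttd": sum(delays, timedelta()) / len(delays) if delays else None,
    }

if __name__ == "__main__":
    print(summarize(correlate(ACTIVITY, ALERTS)))
```

The list of missed actions is usually the more useful output: each entry is a logged indicator for which the SOC has no corresponding alert to review.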