As businesses are increasingly requiring anywhere, anytime access, strategic turmoil has erupted for security leaders from a data protection standpoint. The influx of tools and technology to facilitate these demands has increased the attack surface, bolstering the need for testing.
While it’s wise for every business to conduct security testing, some have no choice as its required by law, like healthcare organizations obliged to do so because of the Health Insurance Portability and Accountability Act (HIPAA), or any business that accepts or processes payment card data that must comply with the Payment Card Industry (PCI) standards.
By now, you’re likely familiar with the terms “penetration testing” and “red teaming,” but if it’s time to decide which option is best for your organization, we’ve provided a concise breakdown, with the help of Ed Williams, EMEA Director at Trustwave SpiderLabs, of what each actually is and how to make the best decision based on your business’s needs.
What it is: Human-led penetration tests employ techniques that a threat actor may use to exploit an insecure process, weak password, configuration or other lax security settings. Based on the confines of time, you see how far you can take that specific vector of compromise. You’re not just testing a flaw to see if it’s exploitable, you exploit it and see how far you can get within the allotted time of the engagement.
Areas of Focus:
- Mass Network Vulnerability Scanning
- Web Application Vulnerability Scanning
- Electronic social engineering
- Password spraying and password brute-forcing
- Conduct network layer and legacy protocol attacks
Penetration testing provides you with a great base level of security. “If you consider some of the major breaches that have occurred, many could have been prevented with a simple penetration test,” Williams says. It’s important to remember that the overall goal of a penetration test is to obtain some sort of domain credential, he adds. That’s why testing technical controls are crucial to ensuring fundamental coverage for your organization.
What it is: This is a no-holds-bar focused engagement that is an inch wide but a mile deep. The sole intent of red teaming is to make an organization’s nightmare come true in a simulated attack. The business will provide a set of goals to the red team and the entire operation is built around accomplishing those goals without being detected. Rather than focusing solely on the technical controls, red teams aim to find flaws in people, processes and technology.
Areas of Focus (Goal Oriented):
- Open Source Intelligence Gathering
Understanding the organization’s infrastructure, facilities, and employees.
Methodically and quantitatively assess the human factor of security by determining the susceptibility of the target workforce to phishing attacks.
Creating custom file payloads, trojans, or even false online personas to use for their attacks.
- Social Engineering
Following the intelligence gathering (reconnaissance) phase, red teamers will conduct both physical and virtual social engineering tests on the organization, which opens up opportunities for exploitation.
Red teaming is all about looking beyond just the technical controls. It’s about analyzing the people and the processes as well. This allows a red team to get real oversight as to what the organization looks like. “If the baseline of security maturity is met in your organization, you should then look into red teaming based on your overall risk tolerance,” Williams says. “It’s all about creating an attack simulation that mimics what the bad guys may do. The best way to do it is by aiming those attacks at the people, processes, and of course, the technology.”
So…Penetration Testing or Red Teaming?
At the end of the day, penetration testing is for all, but red teaming should really only be enlisted by businesses that have a mature security program in place. How do you reach that state? Through continuous penetration testing.
“It’s not worth it for an organization to conduct red teaming if their current security programs don’t feature consistent pen testing and the vulnerability scanning,” Williams says.
Determining your organization’s overall cyber risk tolerance is the first step for any security leader. For organizations with a low-risk tolerance that have secured their technical controls, if they feel they need to be more repellant against sophisticated attackers that have an eagle eye on their organization’s critical assets, it’s then time to enlist the help of a red team.
Security testing is a critical component of any cybersecurity program aiming to continuously improve an organization's overall security posture. But your business's cyber risk tolerance will determine how deep you want to go. This Trustwave SpiderLabs infographic helps illustrate the depth at which you can test your security.
Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor. This article was written by Marcos with supplemental information provided by Trustwave SpiderLabs Principal Consultant, John Cartrett.