Same, Similar or Completely Different?
We’ll also help you decide which is the best approach for your organisation.
The first thing to acknowledge is that both red team testing and penetration testing have certain similarities – both are designed to uncover weaknesses in your security defences.
However, they do differ considerably in scope, goals and approach.
Let’s begin with scope:
The scope of a red team test is much more comprehensive. Not only will the test attempt to uncover vulnerabilities in your electronic defences, your physical perimeters can also be attacked. Your users may be targeted in an attempt to socially engineer them into giving the red team access to your systems.
A penetration tester’s goal is to uncover security issues in a specific target system.
A red team test takes this several steps further in an attempt to steal confidential data such as financial information, lists of clients and intellectual property.
In both cases, the tests are highly controlled. A penetration tester will liaise with your IT department to carry out the test.
By contrast, a red team will take on your in-house personnel to gain covert access to your systems and confidential data. To make the test even more real, it may be that only a very limited number of people in your organisation are made aware that a test is in progress.
A RED TEAM AGGRESSIVELY ATTACKS YOUR DEFENCES
Using the same hacking strategies, tools and tactics as genuine cyber-criminals, a red team will aggressively attack your organisation’s perimeters and systems. This means you’ll get a true indication of the strength of your defences.
In the process, your IT department will be put under intense pressure. Their ability to identify, prioritise and deal with the threats will be thoroughly tested.
You’re only as strong as your weakest link, and the red team will look for any opportunity to crack your defences wide open.
At Perspective Risk, we have a 100% success rate breaching physical perimeter defences. During one red team test, our security consultant disguised himself as a delivery driver to get into our client’s offices. It only took him a couple of minutes to gain access to their unlocked server room.
He also entered the company’s meeting room and was able to access the teleconferencing system with the manufacturer’s default login. It hadn’t been changed. (You can read more about the dangers of default credentials in our blog.
At the beginning of this short article,we posed the question “Red Team or Penetration Testing – Which is More Effective?”
We’ve evidenced that red team testing wins out in all three areas we discussed – scope, goals and approach.
There’s one proviso however, and it relates to your organisation’s current security posture.
A red team test is a highly efficient way of challenging the effectiveness of established security policies and systems. It can also have the benefit of testing assumptions regarding security readiness – based on real, independent data.
On the other hand, if your security defences are still being developed and matured, a red team test may not be cost effective for you right now. It might be better to focus on your most critical assets with a view to fully securing them as quickly as possible.
If you’d like a chat about any aspect of your security and would welcome some friendly advice, click here to contact us.