Penetration testing vs red team assessment

June 8th, 2021 Posted in Information Security

There’s no better way to test the strength of your cyber security posture than to simulate an attack on your systems. This is where penetration testing vs red team testing comes into the equation. 

Despite some similarities, these assessments are two very different ways to evaluate your cyber security posture. However, the terms are often used interchangeably. Because they have contrasting objectives, methods and outcomes, it’s important for your company to know the difference between them, and to ensure you are using the right one.  

Here’s what you need to know. 

What is a penetration test?

Penetration testing is a type of security assessment in which a suitably skilled tester uses a combination of tools and manual exploit techniques to identify real-world security vulnerabilities within your IT infrastructure. Whereas a vulnerability scan identifies weaknesses using automated tooling, a penetration test goes several steps further: it attempts to exploit the weaknesses it finds, using a combination of tactics and techniques, to understand the actual security strengths and weaknesses of the target systems.

At the end of the test, the penetration tester talks the client through the vulnerabilities identified and the risk associated with them, and provides recommendations for remediation. Penetration tests are typically conducted at least annually. However, if you make internal changes to your IT estate – such as adopting a new system or onboarding new applications – a penetration test should also be conducted at that point, to ensure a secure integration.

For organisations of all sizes, penetration tests are an invaluable tool for improving cyber security. They help to find unpatched vulnerabilities in your systems, applications and networks, and provide independent validation that your security defences are sufficiently resilient. This is increasingly important for organisations that work with a range of suppliers: many organisations now mandate penetration tests before working with a new provider.

Moreover, security standards such as PCI DSS, policies within an ISO 27001 ISMS and regulations such as GDPR might require regular penetration testing and security assessments for security assurance and resilience purposes.  

This recent blog helps you determine when you need a penetration test or you can learn more about penetration testing in our extensive guide. 

What is a red team assessment?

On the surface, a red team assessment looks similar to a penetration test, but it goes further. The aim of a red team assessment is to mimic a real-life attacker, without time limitation. It combines tactics, techniques and tools to gain access to target systems or data.

Whereas a penetration test is based around agreed testing windows and is communicated to IT or security personnel, a red team test is stealthier and typically plays out over an extended period of time to make it less obvious. It will often consist of multiple stages. For example, it may include social engineering attacks to harvest account credentials and access systems or even physical attacks, during which testers seek to gain access to offices, systems and data held onsite.   

While the goal of a penetration test is usually to uncover as many exploitable vulnerabilities as possible, the goal of a red team assessment is to achieve a specific objective – typically to access target data or systems. Because the wider IT or security team is kept in the dark, a red team exercise tests the ability of the defenders (the ‘blue team’) to detect the attack and respond to it.  

Such detection might come from intrusion detection alerts, indicators of compromise flagged by monitoring systems or manual identification (such as a sudden increase in the number of targeted phishing emails reported). Physical access tests also help test security awareness and culture – for example, not allowing tailgating through access-controlled doors and being willing to challenge strangers if they are not recognised as having permission to access a specific area. 

In essence, the red team emulates a real-world cyber attacker, looking to avoid detection and attempting to manipulate policies, procedures and people along the way. In this sense, red teaming can be seen as more holistic than penetration testing, because it tests the strength of a company’s security culture, not just its systems.

However, while the test might be more holistic, it doesn’t offer the breadth of penetration testing. Red teams are solely focused on reaching their goal – getting to sensitive data or systems. If they get access by exploiting some vulnerabilities, they aren’t worried about finding other vulnerabilities which may exist. A penetration test, by contrast, is focused on identifying all the exploitable vulnerabilities that might exist.  

An organisation might have 5 or 6 exploitable vulnerabilities that a penetration test could find. If the red team gets access with the first one, they don’t care about the rest. If you fix the exploited vulnerability after an attack, though, an attacker may try the others next time around – hence needing to identify and remediate all vulnerabilities. 

Decoding the differences

A helpful analogy is to think of a red team test as a burglar trying to access high-value items within a house. The burglar starts with the door and if it’s open, they walk in without caring whether other doors and windows are open or not. Their next objective is to find the room with the high-value assets and get access to that.  

By contrast, the penetration tester will test all the doors and windows, check under the doormat for a key and test the strength of the locks. That way, they identify weaknesses that attackers could exploit irrespective of their ultimate objective.

In truth, the differences are not always black and white. Complex penetration tests move closer to red team exercises. Below, you can find a chart that lays out the differences between the two assessments side by side.  

Time
  Penetration testing: Shorter testing windows, typically from days to a few weeks.
  Red team assessment: Several weeks, and potentially more than a month.

Objective
  Penetration testing: Identifying exploitable vulnerabilities such as missing patches, misconfigurations and user access management weaknesses, to identify security risks to be remediated.
  Red team assessment: Accessing specific systems or data by exploiting vulnerabilities and behaviours and circumventing technical controls, with the aim of testing detection, response, and security awareness and culture.

Tactics
  Penetration testing: Depends on the scope of the test. For example, external infrastructure, web application, mobile application and remote desktop breakout tests will follow different best-practice methodologies and use different tools and techniques.
  Red team assessment: A combination of real-world tactics, tools and procedures, including detailed open-source intelligence gathering, social engineering, distraction techniques, technical vulnerability identification and exploitation, and data exfiltration.

Outcome
  Penetration testing: Identification of exploitable security vulnerabilities, assessed on their level of risk to the organisation, together with remediation advice and technical recommendations.
  Red team assessment: Insight into the overall security posture of the target organisation (covering strengths and weaknesses), including detection and response capabilities, logical and physical security, and security awareness and culture. Includes recommendations for the key issues identified.

Cost
  Penetration testing: Usually cheaper, because a limited window for testing is agreed based on the client’s objectives and the available budget.
  Red team assessment: Usually more expensive, because more consultants are involved and it takes longer, using multiple tools and techniques to help avoid detection.

What’s right for my business?

Because penetration tests and red teaming have different focuses, they can’t be directly compared, and one shouldn’t be chosen over the other. Penetration tests are excellent for assessing the security posture of target applications or systems. However, unlike red team assessments, they don’t assess your defences, including detection and remediation, or the human/behavioural elements of security.

For this reason, the two tend to be used in loose succession. As a general rule, red teaming should be reserved for organisations that consider themselves to have a mature cyber security posture, or a much larger attack surface that could be exploited by a capable adversary. If the organisation’s cyber security defences are weak, it makes little sense to start with a red team test. Instead, the organisation should begin with the basics of vulnerability identification and management.

Therefore, for most organisations, we tend to advocate continuous vulnerability scanning and regular penetration testing as the best approach. Vulnerability management is a basic security hygiene step and penetration testing provides a more detailed assessment and identification of issues.  

As your security posture matures and regular penetration testing identifies few vulnerabilities, you can consider layering in red team assessments to understand the strengths and weaknesses in your security defences and culture that need to be addressed.

Need help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. For organisations further along in their cyber security journey, we also offer red team assessments. For both tests, we can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat. 

Written by Thomas O'Donnell

Thomas is one of our penetration testers, specialising in IT infrastructure and web application testing. He started his career as a creative media and software developer before moving into security consulting, centred around Cyber Essentials certification services. His qualifications include CREST Practitioner Security Analyst (CPSA) and he is working towards gaining his CREST Registered Tester (CRT) qualification.