As with any industry, with jargon comes confusion and misunderstanding. 2022 saw a huge rise in the popularity of the buzzword “Red Team”, but what is the essence of a Red Team? Popular opinion on social media may say “it’s a pentest with no scope,” but that’s a dangerous statement and far from reality: a red team engagement is scoped and planned like any other assessment, it simply scopes different things. Instead, let’s examine what goes into a Red Team engagement and draw out the differences so that your organization can choose the right path.
Red Team Engagements
Red team engagements involve simulating real-world attacks that test the effectiveness of an organization’s security measures. The emphasis is on the organization as a whole, not just the network or technology. The tactics, techniques, and procedures (TTPs) used are those of real-world attackers, and often we will mimic a particular threat actor or advanced persistent threat (APT) that the organization has identified as relevant to it. The goal is to test the organization’s security posture, which can include:
- testing the monitoring and detection capability,
- testing the effectiveness of security controls,
- testing processes triggered by an intrusion,
- providing a realistic assessment of the organization’s security posture,
- facilitating continuous improvement with repeat testing.
A final point here is that red teams often operate stealthily. They move slowly, with engagements sometimes spanning months rather than weeks. This is generally done to mimic an adversary that will look to persist undetected in an environment for as long as possible, and it is what makes the engagement a meaningful test of monitoring and detection.
Penetration Testing
Penetration testing is somewhat similar to red teaming. It is goal-oriented and mimics real-world attacks. However, the focus is usually on the technology rather than the organization. For example, a typical internal penetration test may evaluate whether an attacker can gain Domain Admin privileges starting from a low-privileged user account. In this scenario, the pentesters are left to do their work and are not hindered by anything other than the deployed technical controls (e.g. AV solutions, EDR, IPS); stealth is not a requirement, and the defenders’ response is not the thing being measured. Though it sounds more straightforward, penetration testing is still complex and highly technical. It enables organizations to identify vulnerabilities and weaknesses within their environments and fix them.
Side by side comparison
These are typical representations to help us draw comparisons. Of course, no two engagements are the same, and there is a lot of scope for customization. Penetration testers and red teamers will help you plan accordingly before your engagement begins. This may be a useful reference for you to decide which your organization should lean towards.
| | Penetration testing | Red team engagement |
|---|---|---|
| Time | 1 to 3 weeks | 2 weeks to 2 months |
| Cost | Typically cheaper, because of the shorter duration. | Typically more expensive, because of the longer duration. |
| Objectives | Identify and exploit vulnerabilities to achieve the goal of the test. | Emulate a chosen adversary’s or threat actor’s TTPs and goals. |
| Typical scenarios | Internal assessment; external assessment; web application pentest; wireless pentest | External adversary emulation; internal adversary emulation (also known as “assumed breach”) |
| Follow-up actions | Actions generally include remediating the findings based on the recommendations provided. | The organization can see holistically how well it stood up to its chosen adversary or scenario. Actions generally include improving processes, tuning tools for detection, and fixing vulnerabilities within the environment. This can also include culture-changing activities and training. |
Which is right for your organization?
In the end, there are many things to consider when deciding between the two – assuming your organization is not in a position to consider both.
First up, have you previously carried out penetration testing? If not, this is an excellent place to start, as it will likely be less disruptive to your organization. If your organization is confident with penetration testing, the results are being remediated promptly, and you have become more resilient through repeat testing, then it’s logical to consider stepping up to a red team engagement. This will address specific threats to your organization and enable you to focus on wider security processes, such as response time and the effectiveness of your response playbooks. Furthermore, if your organization outsources its monitoring and incident response, a red team engagement is a way to verify that the service is up to scratch: the provider is not told the engagement is happening, so what they detect and how they respond is a fair measure of what you are paying for.
Finally, we need to consider the scope of the assessment you choose. For example, a red team engagement may be a better option if you are looking for a comprehensive (and often more eye-opening) assessment of your organization’s security posture. However, if your current concern is strengthening your infrastructure or testing new security solutions deployed, you likely want to lean more towards a penetration test.
Still need help deciding?
Get in touch if you need help on choosing what your organization needs most.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com