Editor’s note: In this article, Uladzislau explains what red team penetration testing is and when your company may need it. He also shares tips on how to choose a well-versed red team pentesting vendor. And if you think your organization needs this or other types of penetration testing, you are welcome to check how our penetration testers can help.
Does your business need to put its corporate network security to an arduous test? Then red team penetration testing is just the thing.
In our previous articles, we discussed the types of penetration testing and compared it to vulnerability assessment. Now, it’s time to study the features of red team penetration testing and its value for corporate security protection.
In short, red team penetration testing is a multi-layered, full-scope cyberattack simulation employed by a company to see how their security system can resist real-life attacks. Red team penetration testing checks the overall security of a company and, therefore, covers three domains: technology (networks, applications, switches, routers and other devices), staff and physical assets (offices, data centers and other buildings).
Red team penetration testing is an advanced security measure that should follow the basics: vulnerability assessment and penetration testing. The latter two give first aid and provide your security specialists with a mature cyber-security strategy. Once you have identified critical vulnerabilities with the help of social engineering and network penetration testing and have implemented relevant defenses, your company is ready for a large-scale red team crusade.
Sometimes, information security vendors pass off penetration testing with a slightly extended scope as a red team pentest. In reality, the latter is more than that. This type of security assessment is marked by the following features:
- Broader scope
Red teamers not only perform a multi-layered attack simulation (physical, network penetration testing, social engineering), but also execute a deep-dive penetration on every layer. For example, the scope of network penetration testing may eventually become the entire network. Ethical hackers penetrate, maintain persistence, pivot and exfiltrate, examining what a real enemy can do. The process ends either when the pentesters own the whole network or when they get caught by the customer’s network security administrators.
- Wider variety of tools
Apart from an extensive range of standard penetration testing tools, red teamers use techniques that one may not anticipate. This outside-the-box approach allows a pentester to act like a motivated hacker, rather than replicate the most likely attack methods.
- More specialists
Each assessment area requires specific tools, as well as dedicated specialists who use their skills to dig deeper into one security area. For instance, a red team specializing in network penetration testing may be made up of several specialists, each focusing on one of these checks: network surveying, port scanning, service identification, firewall and ACL (access control list) testing, IDS (intrusion detection system) testing, password cracking, DoS (denial of service) testing, performing legal assessments on remote/foreign networks.
Unless one of the purposes of penetration testing is to assess the response of the customer’s security team to hacks, security vendors ensure that the management and IT staff are well informed about the details of the upcoming operation. Red team penetration testing, in turn, is designed to mimic a real-world adversary, so pentesters attempt to remain undetected. Therefore, the group of people aware of this security assessment is usually limited to high-level executives.
Red teaming is in vogue today, and lots of security service vendors call themselves experts in this domain. Yet, their red teaming maturity varies from a simple penetration test to an advanced all-covering security assessment of a customer’s security posture.
How do you determine the maturity of a vendor? Study the vendor’s service page dedicated to red team penetration testing, look at the company’s pedigree and read their customers’ testimonials. If you find proof that the red team possesses the following attributes, the vendor is worth cooperating with.
- Attacker imitation.
The golden rule for a good red team is to mimic a real attacker in every respect: tools, techniques and the uncontrolled manner in which those tools and techniques are used.
Red team penetration testing implies acting with no restrictions from the customer on the scope, tools and techniques.
Red teaming is not just finding holes in a company’s defense. After completing the testing, red teamers help to remedy the situation and tune the company’s security staff into a continuous improvement mode. The value of a red team is questionable if they are effective on their own but don’t share their knowledge with the customer’s security specialists.
Usually, red team penetration campaigns last for weeks or months, placing the customer under constant rolling security attacks from the pentesters’ side, which is different from short penetration-style engagements. These long campaigns teach a customer’s security team to remain well-armed at all times to withstand attacks.
If your company already has a mature security policy supported by the results of penetration testing and vulnerability assessment, then you are ready for a red team exercise. Still, a single campaign won’t guarantee you security once and for all. Information security is a process, so make sure to allocate a budget for red team penetration testing at least once every two years.