Pentesting and Red Team services differ in scope, how objectives are met, the need for concealment and execution time
In a field as complex and constantly evolving as cybersecurity, it is normal for conceptual confusion to arise. However, one of the most common confusions revolves around two key services to help companies protect themselves against the malicious actions of cybercriminals: pentesting and Red Team.
While cybersecurity specialists know the difference between one service and the other, many decision-makers need clarification about the differences between pentesting and Red Team. Why is this important?
The decision as to whether a company hires one service or the other is not only in the hands of professionals specialised in the fight against cyber-attacks, but also involves business-focused managers with basic knowledge of the subject.
For this reason, it is essential to use clear and coherent language that helps to differentiate between pentesting and Red Team, highlighting their usefulness for companies, depending on the objectives to be achieved and the characteristics of each company.
In this way, when making cybersecurity decisions, companies can choose the services that best meet their needs and objectives, combining security and business.
We will now explore the similarities and differences between Tarlogic’s pentesting and Red Team services: two disciplines that fulfil different but complementary missions in fortifying companies (and their customers) in a landscape full of dangers.
1. Pentesting: Meeting predefined objectives
Advanced pentesting or penetration testing services consist of offensive security tests against a limited set of assets.
These technical security tests seek to meet various objectives defined before the start of the tests, from testing the effectiveness of the security measures protecting a given asset to the possibility of escalating user privileges by exploiting the weaknesses detected in the security measures.
This implies that, when contracting pentesting services, companies must have, from the outset, knowledge of their IT infrastructure, an idea of which areas may have security problems, and an understanding of where their core is and which assets are critical at the business level.
Otherwise, they will struggle to define the purpose of the pentest precisely, and the service will not be useful.
In addition to meeting the established objectives, pentesting lists all the vulnerabilities detected in the process to help companies know their weak points and be able to remediate and mitigate the risks.
The pentesting methodology is based on five main phases:
- Reconnaissance. Gathering all possible information in an initial phase.
- Identification. Detection of vulnerabilities that can be exploited to meet the objectives.
- Exploitation. Exploits are executed against the detected vulnerabilities.
- Post-exploitation. Objectives such as persistence or exfiltration of confidential information are realised.
- Preparation of pentest reports. All the work performed is documented, the vulnerabilities detected are listed, evidence is collected, and measures are proposed to remedy the weaknesses.
Pentesting has a limited scope and a fixed duration, and the professionals in charge of the system’s defence are aware of the work.
2. Red Team: Improving resilience to attacks
Like pentesting services, Red Team is an offensive security exercise based on the simulation of a real cyber-attack. However, Red Team doesn’t need to be articulated around specific objectives but rather seeks to evaluate the security measures of an organisation as a whole.
What is the purpose? To improve the company’s resilience in the face of real attacks by contributing to rapidly detecting aggression, responding effectively and maintaining business continuity. Thus, Red Team’s services are used to:
- Detect transversal vulnerabilities.
- Optimise the response to attacks.
- Improve the detection and analysis of security incidents.
- Train the Blue Team to improve its capacity to respond to cyber-attacks.
A Red Team exercise is carried out over long periods, its scope is the whole organisation, and it must go unnoticed by the professionals in charge of the defence systems.
3. The four keys to differentiating between pentesting and Red Team services
Given the above, we can elucidate the keys to differentiating between pentesting and Red Team: scope, objectives, stealth and time.
3.1. Scope of work: concrete vs flexible
Pentesting services start from a clearly defined scope. For example, a website, an app, a network, a set of assets, or a series of IP addresses.
Thus, the professionals running advanced penetration tests will not look at the entire IT infrastructure of a company but only at the stipulated elements.
On the other hand, the scope of the Red Team is the entire organisation. In other words, the Red Team professionals can scrutinise any corporate asset to search for attack vectors that can breach the company’s security measures. All this, of course, within the attack scenario agreed between the company and the cybersecurity professionals.
In the Red Team, the professionals can enter the system by any means; in the pentesting services, they must adhere to the stipulated scope.
This means that the Red Team acts with greater freedom and flexibility, able to make decisions throughout the service and modify its approach and strategy.
The pentesting services are carried out within a fixed scope to meet the objectives set.
3.2. Objectives and how to achieve them
One of the key elements in differentiating between pentesting and Red Team is precisely the objectives of each one. And, above all, the way to achieve them.
3.2.1. Pentesting is not a vulnerability assessment
In some cybersecurity companies, pentesting services are limited to discovering vulnerabilities, listing them and checking whether they are exploitable. In reality, the key to pentesting services lies in detecting vulnerabilities and achieving a specific goal. For example, compromising the security of a certain system or jumping between networks and reaching a specific system. This allows us to differentiate advanced penetration testing from vulnerability assessment and Red Team.
In achieving the set objective, the professionals in charge of pentesting exploit the vulnerabilities they detect. In vulnerability assessment, the focus is on identification. On the other hand, in pentesting the identification phase is followed by exploitation and post-exploitation.
Thus, although pentesting services list the vulnerabilities found, they are not limited to this but seek to fulfil a clear objective, which is of great interest to the company. For example, to check whether a critical asset can be successfully attacked and what measures can be implemented to prevent it.
Unlike pentesting, the Red Team discards vulnerabilities that do not serve to advance the pursuit of the objective: to compromise the security of the organisation. For example, obtaining sensitive information, sabotaging products or deploying ransomware.
If we think of the Cyber Kill Chain, it is enough for the Red Team to find an exploitable vulnerability at each stage to move on to the next one. However, we should also consider what we discussed in the previous subsection: it enjoys greater freedom and leeway than pentesting services to achieve its goals.
3.3. Flying free or under the radar
The tables are turned between pentesting and Red Team in one crucial aspect: stealth, and the defenders’ knowledge that an offensive security exercise is taking place.
Normally, the Blue Team or those responsible for managing the organisation’s security are informed before advanced penetration tests are carried out so that they are aware of the work. For this purpose, they are provided with the specific dates on which the pentesting services will be provided and the IPs that will be used.
So, if they detect unusual activity coming from those IPs, they know that they are not suffering a real attack executed by malicious actors but that it is a professional job. This means that, for pentesting services, generating noise in the network and monitoring systems is not a problem. All the actors involved in security are alerted; there is no need to act stealthily.
On the other hand, in Red Team services, stealth is essential. Therefore, professionals must act with the utmost discretion to be able to go further in the attack phases.
Moreover, if the defensive layers detect the Red Team’s activities, they must be indistinguishable from a real attack. Hence, the Blue Team is expected to activate all necessary defences and respond as if it were a real attack.
As mentioned above, the Red Team is focused on the resilience of organisations: on testing whether a company can detect an attack, build a defence against it, expel the attackers and act effectively during a security incident.
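The notification described above (agreed dates plus the source IPs the testers will use) is something a SOC can encode directly in its alert triage. The following is an added example, not Tarlogic’s code; it assumes a hypothetical detection pipeline that receives alerts as single text lines, and all IP addresses, dates and rule names are constructed sample values. It labels alerts that match an announced engagement as authorised test activity without dropping them, while anything outside the agreed window, from an address that was not notified, or from an unannounced Red Team exercise stays in the normal investigation path, exactly as the article says the Blue Team should treat it.

```python
"""Engagement-aware triage of alerts during an announced pentest.

Added example (not the page's or Tarlogic's code). Assumes a hypothetical
SOC that is told, before a pentest, the agreed dates and the source IPs the
testers will use. Alerts matching that notification are labelled, not
suppressed; everything else is treated as a possible real attack. An
unannounced Red Team exercise never matches and so is handled like a real
incident, which is the intended behaviour.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    """One announced pentest: name, agreed window and notified source ranges."""
    name: str
    start: datetime
    end: datetime
    sources: tuple  # CIDR strings provided by the pentest provider

    def covers(self, when: datetime, src_ip: str) -> bool:
        # Both the time window and the source address must match;
        # the notified IPs outside the agreed dates are NOT trusted.
        if not (self.start <= when <= self.end):
            return False
        addr = ip_address(src_ip)
        return any(addr in ip_network(cidr) for cidr in self.sources)


# Constructed sample notification (hypothetical engagement and addresses).
ENGAGEMENTS = [
    Engagement(
        name="web-app pentest",
        start=datetime(2024, 3, 4, 0, 0, 0, tzinfo=timezone.utc),
        end=datetime(2024, 3, 15, 23, 59, 59, tzinfo=timezone.utc),
        sources=("198.51.100.0/29", "203.0.113.7/32"),
    ),
]


def parse_alert(line: str):
    """Constructed alert format: '<ISO-8601 timestamp> <src_ip> <rule name>'."""
    ts, src, rule = line.split(" ", 2)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, rule


def triage(line: str, engagements=ENGAGEMENTS):
    """Return ('authorised-test', engagement name) or ('investigate', None)."""
    when, src, _rule = parse_alert(line)
    for eng in engagements:
        if eng.covers(when, src):
            return ("authorised-test", eng.name)
    return ("investigate", None)


def summarise(lines, engagements=ENGAGEMENTS):
    """Count alerts per triage label; nothing is discarded, only labelled."""
    counts = {"authorised-test": 0, "investigate": 0}
    for line in lines:
        label, _ = triage(line, engagements)
        counts[label] += 1
    return counts


# Constructed sample alerts covering the four cases that matter.
SAMPLE_ALERTS = [
    "2024-03-05T10:00:00+00:00 198.51.100.3 port-scan-detected",   # in window, notified IP
    "2024-03-05T10:05:00+00:00 192.0.2.44 port-scan-detected",     # in window, unknown IP
    "2024-03-20T02:00:00+00:00 198.51.100.3 suspicious-login",     # notified IP, outside window
    "2024-03-10T14:30:00+00:00 203.0.113.7 web-shell-upload-alert",  # in window, notified IP
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(triage(line), "<-", line)
    print(summarise(SAMPLE_ALERTS))
```

The design choice worth noting is that a match only changes the label, never the fact that the alert is recorded: a real attacker could operate during the same window or from a different address, so the engagement list narrows the analyst’s attention rather than silencing detections.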
3.4. Execution time: Weeks vs Months
The fourth issue that allows us to differentiate between pentesting and Red Team is the duration of the services.
As far as advanced penetration testing is concerned, the duration is usually weeks, depending on the scope and objectives stipulated.
This is because, as we have pointed out throughout the article, pentesting services focus on identifying and exploiting vulnerabilities with a well-defined scope and a limited time frame.
In the case of Red Team, however, the execution time is measured in months since, to simulate what a malicious actor can do against an organisation as a whole, it is necessary to work for several months. As a result, Tarlogic’s Red Team only provides services for up to three months.
Some companies hire Red Team services on an ongoing basis to constantly evaluate the effectiveness of their defences against new attack techniques and methodologies that are constantly emerging.
4. Pentesting vs Red Team: Which is better?
In light of the differences between pentesting and Red Team that we have just described, some people may wonder which of the two services is better.
4.1. What stage is the company in?
Each company is different, and its needs and objectives vary according to its stage.
Companies with a lower level of cybersecurity maturity are not ready to undergo pentesting services or hire a Red Team. Instead, they should start by performing a vulnerability scan and, from there, build their layers of defence.
From there, they can hire pentesting services to check, for example, if their critical business assets are well protected or if a network can be breached. With this information, it is possible to improve defences and implement cyberattack detection tools.
In this sense, it is not advisable to implement a Red Team without first having detection tools since Red Team professionals will manage to enter the company’s systems and complete attacks without the company being able to detect them and activate its defences.
If effective defensive layers are already in place, the Red Team evaluates the people, technologies and procedures that comprise them and shows points for improvement at all three levels.
4.2. Offensive security at important moments and on an ongoing basis
As mentioned above, some companies contract annual Red Team services. Thus, the professionals that make up the team are constantly looking for vulnerabilities and weaknesses to attack the organisation, monitoring changes in the attack surface and taking advantage of the windows of opportunity that a one-off information leak or a new 0-day vulnerability may provide.
Continuous monitoring in Red Team services makes it possible to anticipate other adversaries and warn about the need to deploy additional protection measures in the company.
On the other hand, pentesting services, being limited in time and scope, are more suitable for performing a specific security test on a specific asset.
Consider, for example, a bank about to launch a new application for dealing with its customers. Before making it public, it would be advisable to submit it to an advanced intrusion test to check whether an attacker could successfully compromise the application and the infrastructure to exfiltrate users’ banking information.
Companies have critical assets that require additional security measures. Pentesting services can be very useful in simulating real attacks and testing malicious actors’ level of impact and ability to succeed. Protecting assets is an essential issue for any company.
Otherwise, they can be exposed to security incidents that seriously affect their business.
5. The Tarlogic formula: Differentiated, but not exclusive, pentesting and Red Team services
The confusion surrounding pentesting and Red Team arises from the fact that in many companies and cybersecurity departments, the teams that carry out advanced penetration tests are the same as those that provide Red Team services.
At Tarlogic Security, this is different. Both services are completely differentiated within the catalogue and are performed by different teams, highly specialised in the specificities of these offensive security methodologies.
Although there is much common ground between pentesting and Red Team, their differences mean that professionals must have different skills and knowledge, since the ways of working are different. For example, looking for weaknesses across an organisation for months at a time is not the same as intruding on a specific asset with a specific objective and a reduced time frame.
The fact that pentesting and Red Team services are different does not mean we are dealing with exclusive jobs, far from it.
As indicated above, a company can contract Red Team services on an annual basis and, in addition, choose to perform a penetration test on an asset to achieve a series of objectives of great added value for the organisation.
This combination of offensive security services would substantially improve a company’s resilience and optimise its security measures to safeguard its critical assets.