Red Teaming and how it is different from Pen testing?
Given the rising threat of cybercrime, it is clear that cyber security is a never-ending journey, not a final destination. An organization has to look at external security threats as well as insider threats, which remain a prevalent vector through which internal cyber incidents occur. Organizations can therefore use two kinds of security assessment: a penetration test or a Red Team assessment. The two are often used interchangeably, but they are actually different.
What is Red Teaming?
The dictionary definition of Red Teaming is:
“Red Teaming is the process of using tactics, techniques and procedures (TTPs) to emulate a real-world threat, with the goal of measuring the effectiveness of the people, processes and technologies used to defend an environment.”
Now let's understand what exactly this means. Most of the time, organisations, and eventually their Blue Teams / defenders, assume (even with valid evidence) that the organisation is safe from cyber attack because all the necessary controls are in place, for example:
a) A crown jewel, for example a financial database server, is accessed only by the few people who are supposed to access it. ASSUMPTION: WE ARE SAFE
b) Our Windows environment, or the entire Windows stack, is safe because we have already installed the patch that would otherwise leave a major vulnerability exposed. ASSUMPTION: WE ARE SAFE
c) A firewall can stop a certain type of threat. ASSUMPTION: WE ARE SAFE
Red teaming is the process of challenging these assumptions. The goal is not to defeat the Blue Team; the goal is to IDENTIFY AREAS OF IMPROVEMENT and INCREASE THE EFFECTIVENESS OF CYBER DEFENCE OPERATIONS.
Now let's understand what penetration testing is:
Goals: the goal of a pen test is to identify as many vulnerabilities as possible, demonstrate (in a report) how they can be exploited, and provide some contextual risk ratings.
Focus: a penetration test often focuses on a single technology stack, for example a network pentest, an application pentest, a mobile app pentest, and so on. A pentest is often necessary for compliance requirements.
The focus is not on detection capability or response capability, nor on people, processes and technology (PPT) more broadly; the focus is to find and exploit vulnerabilities.
Reporting: the output is typically a report that describes each vulnerability and the remediation actions to be taken; for example, a particular CVE can be fixed by installing a patch.
Time and cost: these are two other important factors. Pen testing usually has a shorter time window to complete, and the costs involved are comparatively cheaper, depending on objectives and client budget.
In contrast, let's look at the same points in relation to Red Teaming.
RED TEAMING
Goals: organisations define the objective for a Red Team very clearly and explicitly, for example: gain access to a particular system, a file share or an email account.
A red team will also emulate a real-life threat to the organisation. For example, a government organisation may be at risk from known APT groups, or a financial company from FIN groups.
Focus: a red team places heavy emphasis on remaining stealthy and undetected by the defenders. They are not after a highly privileged admin account; if a user account is compromised and the objective is achieved, they stop. They study and re-use (where appropriate) the TTPs of the threat they are emulating. This helps the organisation build detections and processes designed to combat the very threat(s) it expects to face. Red teams look holistically at the overall security posture of an organisation rather than being laser-focused on one specific area; this includes people and processes as well as technology.
Reports: Red Teaming provides insight into the overall security posture of the organisation (covering strengths and weaknesses), including detection and response capabilities, logical and physical security, and security awareness and culture, and it includes recommendations for the key issues identified.
Cost and time: a red teaming exercise is comparatively expensive and takes longer, as it requires multiple tools and techniques to help avoid detection.