Criminals are highly creative and persistent. It’s their job to develop new ways to breach your defenses and steal something of value, and they work hard at it. They are, unfortunately, exceptionally good at their jobs, costing the world more than $1 trillion in 2020 alone.
To secure your organization and protect your assets, the best approach to security is to take many different approaches. But it’s important to know the strengths and capabilities of each tactic so you can ensure an overlapping and complete blanket of coverage.
Two such security staples are penetration tests and red teaming. These terms are often used interchangeably, but they are decidedly different approaches. To clear up the confusion, let’s dig into the details of these two essential components of every security program.
Penetration Tests Evaluate Security Methods
Penetration tests, or pen tests, are security testing methods performed to evaluate the effectiveness of security controls. The goal is to identify as many vulnerabilities as possible within a given timeframe and scope.
Pen tests simulate common attack tactics, either manually, with software, or both, to identify security vulnerabilities. After testing, the results are then typically presented in a formal report detailing the methods and discovered vulnerabilities. Organizations use these findings to improve security efforts and close security gaps. Periodic pen test reports are also often required by customers, governing agencies, and to achieve and maintain compliance with frameworks such as SOC 2, ISO 27001, and others.
Since pen tests are a deliberate and common testing method, little or no effort is made to disguise the attacks or evade detection. Those conducting the pen test also tend to focus on known security vulnerabilities, such as unpatched bugs or vulnerable software versions.
In short, pen tests evaluate the security methods you use to protect your organization. They find areas where security protocols haven’t been followed, known gaps haven’t been closed, and common attacks haven’t been considered. If pen testing finds significant gaps, your security processes, controls, and execution are usually to blame.
Red Teams Evaluate Security Defenses
Red teaming is a targeted security testing method performed to evaluate specific security controls. The goal is to identify vulnerabilities in targeted surfaces or scopes, and using creative attack methods to simulate an actual breach attempt.
Red teams generally use focused attack methods or entry points, from technical to physical, to assess the complete effectiveness of a security program. They can use various methods, such as attempting to steal a worker’s laptop, creating counterfeit ID cards, social engineering, or phishing. Red teams also attack with little or no awareness by security teams to further test controls and response processes.
In short, red teams evaluate how your organization defends against real attacks. They use their creativity, experience, and skills much like real criminals to evade your defenses, outwit your teams, and test your overall security strategy. Red teams often do find significant security gaps, which provide valuable information you can use to further harden your defenses against potential attacks.
You Need Both
While pen testing offers a broad evaluation of security controls and methods, red teaming offers a more targeted, more realistic evaluation of your defenses against a potential attack.
Think of pen testing as a periodic requirement, like going to the dentist. Twice per year, the dentist checks your teeth, pokes at your gums, maybe takes an x-ray, and tells you that you aren’t flossing enough. Red teaming, on the other hand, is like going to the doctor when you just don’t feel right. The doctor might run some tests, draw some blood, hook you up to a machine, or send you to a specialist. You don’t know what they’re going to do or what they’re going to find, but the goal is to keep you healthy.
For a comprehensive approach to security, you need to consider every form of attack on every potential attack surface, and constantly test your defenses to find and close any gaps. That means performing both pen tests and red teaming. They offer different methods that evaluate different components of your security program, and both are essential.
