Offensive security measures like penetration testing can help enterprises discover the common vulnerabilities and exploitable weaknesses that could put an them at risk of costly cybersecurity incidents. By pitting white hat hackers against an organization's deployed infrastructure, organizations can gain a better understanding of the flaws they should fix first—namely the ones most likely to be targeted by an everyday criminal.
However, over the years penetration testing services have evolved to be extremely automated and limited in scope. Armed with scanning tools and limited rules of engagements, pen testers tend to focus purely on the technical vulnerabilities within a given system, platform, or segment of the network. Pen tests are usually conducted over short durations of time and their resultant reports offer up recommendations on fixes that architects or developers can make to code and configuration.
According to many security experts, while these exercises definitely hold value for organizations—and certainly satisfy many compliance requirements--they may not be enough. Organizations may still not get a full picture of their attack surface, including how attackers can utilize social engineering and stealthy attacks to compromise a single asset, pivot on the network, and run roughshod over the organization's most vital digital assets and data.
Regular red team exercises—whether run by an internal team, external service, or combination of both—are meant to fill this visibility gap.
We recently talked to a number of security veterans to explain the role red teaming plays in a maturing security program and why it is necessary to take penetration testing to the next level. Here's what they had to say.
Red teamers behave like an adversary
"The ultimate goal of a red team exercise is to behave as closely as an adversary as possible and to leverage weaknesses inch by inch in order to achieve the principle goal. Instead of looking to report as many vulnerabilities as possible, a red team looks for weakness that get them where they want to go.
"This is what a real-world attacker does – look for weaknesses, test them, see how far they can go and then pivot to find new weaknesses that allow them to go further."
Marc Rogers, Executive Director Of Cybersecurity, Okta.
"Red Teaming is a boundaryless approach where you can test all phases of the Kill Chain as well as going into the physical realm to gain access into the building and systems. You need to put yourself in the enemy’s shoes and approach your objective like they would."
Amyn Gilani, Vice President of Product, 4iQ,
Pen testing and red teaming each serve a purpose
"Choosing between pen testing and a red team engagement all depends on the preferred outcome. If the intent is to test network systems and infrastructure for known vulnerabilities - especially to determine if those vulnerabilities can be exploited - then a pen test could serve as value-add.
"If the goal is to learn more about the security posture of an enterprise, such as workforce susceptibility to phishing or to test controls around physical security, then a red team can definitely yield valuable data to enterprise stakeholders."
Armond Caglar, Principal Consultant, Cybeta
Testing physical, social, and technical issues
"If done correctly red teams can find issues that cross different areas of your organization--physical, social, and technical--and show how these can be combined to cause an incident. For example, on one red team engagement we breached a facility due to a disguise one of the team was wearing, they socially engineered their way into the building, plugged into the network, reached a target and exfiltrated data."
Mark Stamford, founder and CEO, OccamSec
Finds process weaknesses
"Whereas a penetration test might be limited to a phishing attack or credential spraying to find vulnerabilities, the red team engagement will use that as the starting point, and then see how far they can go inside the client network, with very little time restrictions.
"Oftentimes red teams will find gaps in visibility or a broken internal process that allow lateral movement or access to sensitive data. It also provides a great opportunity for the SoC and IR processes as they triage alerts or hunt on indicators caused by the red team."
Justin Elze, Director Of Research And Advanced Testing, TrustedSec
Addresses why you have problems
"Red teaming is complementary to penetration testing. While penetration testing focuses on very tactical issues – the symptomatic issues, red teaming addresses the causes of why you’re having vulnerabilities in the first place.
"Keep in mind security is not just a technical problem, it’s operational/procedural and strategic as well. There are multiple ways you can address these other ‘domains’ through red teaming by conducting advanced scenario-based adversary simulation, red vs. blue war gaming, doing table-top exercises or specific and controlled exploitation through scenario development and execution."
Dan Wood, Associate VP of Consulting, Bishop Fox.
Adds the human touch
"One thing a red team adds is the human touch. Unfortunately, a large part of many pen tests, even ones from good auditors, are automated scans. While those can find unpatched software, which poses obvious risks, they sometimes report false positives.
"Worse, they do not have the creativity to find the more subtle issues caused by a chain of failures. Human auditors are better at catching those. A red team implies a much more human, customized test to your defenses, which may go beyond a simple automated pen test."
According to Jayant Shukla, CTO and Co-Founder, K2 Cyber Security:
Red team and blue team collaboration are crucial
"Another added benefit of the in-house red team is that they can easily interface with and advise the blue team of network defenders on a regular basis, rather than once or twice a year. This may simply mean more hands-on discussion and review of findings, but it also enables the facilitation of regular purple-team exercises where the red and blue teams actively collaborate with each other and share information to make both teams better. This collaborative testing helps drive continuous improvement throughout the organization's security program, which is essential when preparing for real threats and incidents."
Curtis Fechner, technical director, threat management, Optiv Security
"Red teams gain familiarity with the people, applications, systems, and technologies they are targeting and how they interrelate. They can take learnings from one part of an organization and apply them to another part. This allows cross-pollination of TTP as well as security learnings and improvements that can be made."
Samuel Bucholtz, co-founder, Casaba Security
Identify logic flaws
"Organizations with an operational and tuned SOC can use such engagements to help identify flaws in processes and logic as opposed to software and hardware. More advanced techniques such as data exfiltration, establishing command and control (C2), and evading detection are more commonplace in red teaming than in penetration testing. Unlike a penetration test, red team engagements may last weeks or months as opposed to days or a couple of weeks."
Joe Gray, Senior OSINT Specialist, QOMPLX
Keeps business risk in sight
"Organizations should consider having an in-house red team because this team will only get better at not only finding issues within the environment over time, but also (do it with) an intimate understanding of business risk and impact. They can also proactively come up with new attacks and build automation to regularly simulate what real-world attackers could potentially do against the organization’s environment."
Nabil Hannan, Managing Director, NetSPI. NetSPI is a Minneapolis-based pentesting/PTaaS firm
Finds monitoring gaps
"In large networks, where there is great complexity and a concern about gaps in monitoring capabilities, an in-house red team can help to identify gaps and assist in making security monitoring more comprehensive. Where gaps are identified, they can be addressed to through the proper alignment of resources against threats."
--Ted Wagner, CISO, SAP National Security Services
An award-winning writer, Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. Chickowski’s perspectives on business and technology have also appeared in dozens of trade and consumer magazines, including Consumers Digest, Entrepreneur, Network Computing and InformationWeek.View all posts
Don’t miss out on exclusive content and exciting announcements!