Red-teamers find the gaps between security controls and visibility, whereas the pentest typically surfaces problems within specific controls. For practitioners who have to choose between a pen test or red team engagement, it comes down to the maturity of your security program and the questions you want to answer.
As a red teamer, I am frequently asked, “Should I do a pentest or hire a red team?” My response is always the same: that’s not entirely the right question. Each organization is different, and to get to the answer, security leaders should be asking, “What can I do to make it more expensive for an attacker to exploit my system?”
Expense for an attacker is defined by many factors: time to break in, cost for an exploit, complexity, time spent sitting in a network waiting, etc. Expense is increased by forcing an attacker to go through many “hoops” to get to the crown jewels and meet their objective.
Both pen testing (short for penetration testing) and red-teaming can identify ways to make your environment more expensive to hack, but doing both is not possible for everyone. In many cases, both may be a waste of resources. Mature security programs who’ve tested their controls and have visibility are typically ready for a red team. Younger security programs need to test their controls, and will make it more cost prohibitive for an attacker by starting with a pen test.
Whether your particular system requires a pen test or a red-team depends on which questions your defense team needs answered.
An example: Testing the EDR Solution
Let’s say Moose Inc. put a new EDR solution in place, and the CISO wants to confirm it was set up correctly. Basic alerting was set up to trigger when new admin credentials were made, or anything related to the domain controller. If pen testers were charged with breaking into this EDR, they’d try to create new admins or perhaps mess with the domain controller, but fortunately, in this case, the security organization put the right alerting in place. After this pen test engagement Moose Inc’s CISO would feel confident the EDR control is in a good spot. And, yes, the EDR was set up well. But what about the controls and configurations adjacent to the EDR?
If Moose Inc. hired a red-teamer, they would go beyond testing the EDR controls, and perhaps pull from an active directory tree and identify logins that already had admin controls. From that point forward the red-teamers have inherited permissions to mess with the EDR, without generating alerts.
The red-teamer finds the gaps between security controls and visibility, whereas the pen test typically surfaces problems within specific controls.
When to penetration test
Now, don’t hear what I’m not saying: just because you have a red team working for you doesn’t mean you should never run pen tests. It can still be just as useful in making things more expensive for the hacker.
Pen-testing aims to find flaws, across a broad range of things; it has the breadth, but not the depth. It does a good job proving a protection is working, but not if the program behind it is working. Or, like in our example, if a CISO puts in a new security control, they should have the pen tester confirm the control was put in place according to plan.
But a pen test has its shortcomings. Once you’ve disclosed how you designed something, you’ve tainted it. Pen-testers go broad. They use a comprehensive public corpus of techniques, but they won’t stress a program. And, typically a pen tester doesn’t go super deep because they have a narrow scope of goals and bounded methods which are mostly limited to the periphery of a network.
When to hire a red team
Red teaming helps you understand if the entirety of your security program is working. It’s typically carried out with a single goal or destination in mind, near the heart of the network. They have objectives like get administrative access to the network or assume compromise and try to pivot from a laptop. It is therefore far less bound by time or prescriptive methods than pen testing. A red teamer typically isn’t trying to get through your main defenses, but find a more subtle way in. They may not be totally comprehensive, but they go deep. They find systemic problems, from failures in training to technical execution, and can even change the way business is done.
Don’t jump to bringing on a high-end red team unless you’re ready for high-end learnings. If you’re still focused on blocking and tackling, maybe you’re not ready to get a high red team to beat you up.
For practitioners who have to choose between a pen test or red team engagement, it comes down to the maturity of your security program and the questions you want to answer. And always remember that at the end of the day, the game is all about making it harder and more expensive for an attacker to get in and achieve their goals.