Redteaming vs Penetration Testing
Various types of cyber security assessments can be done to enhance the security of a given subject but when it comes to red-teaming, things get much more intense, severe and sophisticated.
Red team Operations
While performing this operation the red team brings various aspects of information security to the table. They include Social Engineering, Open Source Intelligence and deep reconnaissance in their arsenal when approaching targets. The reason behind the red team's versatility is the team members. Members of a typical red team will be having solid and deep knowledge, as well as skills in a particular domain in information security and each of them, contribute equally to a red team operation.
When an organisation goes for a red team operation, the team first try to gain an initial foothold in their network, then escalate their privileges and perform lateral movements, the path is not simple as the team encounters various defence mechanisms deployed by the organisation which they have to bypass. The teams are very advanced in the way they simulate an adversary and are very keen while performing anything into the target network so that they don’t trigger the defences of the blue teams. The more customised we are the fewer chances of detection.
Red team Operations realise an organisation about the way they detect, respond and prevent a sophisticated attack, this gives an insight to them as to where to focus and learn lessons after completion of such operations, which are being done in a controlled manner by a red team.
Red team vs Penetration Testing
Red teams are often viewed under a grey shade due to their way of testing and sophistication. Let’s see how it is different from Penetration testing.
- The operational approach of pentesting is often target-driven, by stating this we mean to say that the approach of conventional pentesting is often narrowed down based on the target (Web App, Mobile App, Networks etc).
- In pentesting, we often look for vulnerabilities and misconfigurations that can be used for further escalations, as part of the pentest.
- When it comes to Red team Operations, the main purpose of a red team is to stage the attack on a target similar to how an APT(Advanced Persistent Threat) would do and the scope of the target of these operations is much larger than pentests.
- Red teams are often hired by scientific facilities, institutes, corporate, and government organisation's to perform these operations.
Who should go for red team campaigns?
- Red team Operations are not only limited to gaining access to sensitive data but also gaining physical access to places in the premises where only authorised persons are allowed, therefore any organisation who is also willing to get their physical security tested along with their present cybersecurity posture tested can also go for a red team campaign.
- Red team campaigns are not only for IT companies, they can be performed in organisations/companies with mature security implementations, also a completed Penetration testing could give an insight into an existing security posture.
- Having the right security budget and defined scopes are also very crucial, generally, red team engagements have a broader scope.
- Before we could start an engagement, the first thing is to have the right mindset to approach the client, which is an adversary’s perspective.
- We first start by performing reconnaissance, which is indeed the most important phase even in penetration testing, with this we identify as much information about the target as possible, employees working in the assets and much much more.
- We then target to get initial access to their network, this is then used for further escalations, to gain initial access we go for a series of highly sophisticated social engineering attacks because the weakest link is the employees working there.
- After gaining an initial foothold in their network, maybe by a sales or an HR person’s system, we then maintain persistence and move laterally in the network, thereby escalating our privileges, so that we get to the most privileged asset where they have the most sensitive data present.