They say character isn’t gained in a crisis; it’s displayed in one. By the time the disaster hits, the time for preparation has passed. But what if you could go through that earth-shattering event beforehand so when the time came, you’d be ready?
Well, in security, you can. And it’s not called cheating – it’s called Red Teaming. It’s done differently, it provides a different outcome, and it tests a part of your security infrastructure that may never get tested otherwise: your team.
Red Teaming might be the logical next step to successful pen testing, but it’s a beast all its own. Here’s what you need to know.
Let’s get clear: Red Teaming vs. Pen Testing
Red Teaming gets mixed up with pen testing all the time, but the two are not interchangeable.
Pen testing is the act of vetting a system for vulnerabilities specifically. It takes a company that feels fairly confident in their security posture and says, “Missed a spot.” The company is then aware of the vulnerability and can decide how to get ahead of it.
That might be an oversimplification, but in essence, pen testing revolves around getting a foothold into a vulnerability and exploiting it for all it’s worth. The bounds are set, the rules are known, and within that context, pen testers are pretty free to “go anywhere” or “try anything” to exploit those vulns.
However, the key takeaway is more in the atmosphere of what is done. Pen testers do their thing and then deliver a nice, typed-up report to the company saying which weaknesses exist and what kinds of trouble the testers were able to get into because of them. The security team discusses the findings, makes efforts to remediate them, and thanks the pen testers for their time.
Red Teaming is where security hits the fan. It can best be described as ‘war games’ and involves an all-hands-on-deck, Code Red type of craziness in which an organization gets professionally attacked for several days – or several weeks – on end. This is where things get messy.
Ain’t nothin’ like the real thing
Red Teamers aren’t just politely looking for bugs in the system; they’re looking for any sign of weakness, and when they can’t find one, they make one. It’s no-holds-barred, and anything goes. From scouring online databases to stealing executive credentials to plaguing the website with injection attacks, malware exploits, and everything but the kitchen sink, attackers give the company a real taste of what a compromise in the wild might feel like.
As Marvin Gaye used to say, “Ain’t nothin’ like the real thing, Baby.” And there isn’t. Red Team exercises give teams a heart-pounding, up-all-night sense of adventure that prepares them for how they might react if such an exploit were to truly occur. Criminal hackers don’t play nice, and they don’t deliver a list of vulnerabilities. Red Teaming tries a security posture for all it’s worth.
Pen testing your team
And that’s the key difference – pen testing tests the system, and Red Teaming tests the team. Yes, it tests technical defenses as well, but the real value-add is that internal security teams get to see how they (and their teammates, and their bosses, and their processes) would react in real time. While simulated, these exercises feel like the real thing. Teams need to be battle-tested to get used to the heat. As any psychologist would tell you, how a person reacts under stress and how they react under a mere heat lamp are two different things. Pen testing hardens the security posture; Red Teaming hardens the team.
A packaged deal
Differences aside, it is important to note that the two offensive exercises – pen testing and Red Teaming – go hand in hand. What will typically happen is an organization will prepare for the Red Teaming event by conducting a pen test beforehand. That way, they can shore up any vulnerabilities before all secure shell breaks loose. Red Teaming then comes in behind and lets the company know how effective their preparations really were. And that means policy, playbook, mean time to recovery (MTTR), and personnel preparations as well – the whole thing.
CISOs need to know that the technology they invested in is doing its part, and SOCs need to know how well they are able to do their job in a real-world scenario. Fortra’s Core Impact is an automated pen testing tool that puts enterprise-level techniques in the hands of whoever uses it. Intuitive and easy to use, it can walk junior testers through their first engagement (without sacrificing quality) and automate tried-and-true techniques that save experienced testers time. Following up, Fortra’s Cobalt Strike provides threat emulation software that mimics the techniques of a stealthy, advanced adversary. Now, teams can take offensive security into their own hands and repeat an engagement as many times as it takes to get it right.
The real world may not give the chance to dry-run an emergency, but with pen testing and Red Teaming solutions from Fortra, organizations can be as prepared as they need to be for their next cyber crisis.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.