With the prevalence of cyber attacks in today’s world (over 467,000 complaints were received by the FBI’s Internet Crime Complaint Center in 2019 alone), it’s no surprise that organizations are investing more and more resources into effective security measures. Their everyday operations rely increasingly on digital technologies, and an ever-growing number of critical systems are being deployed on the internet. As organizations become dependent on these technologies, global spending on information security products and services has increased to $114 billion in 2018, and is projected to exceed $133 billion by 2022.
Three crucial tests are used by these organizations to test and validate their company’s security infrastructure: penetration tests, vulnerability assessments (or scans), and red teaming. Many of them don’t fully understand the difference between these three techniques, as they share some similarities. In this article, we’ll discuss each test’s primary objective, how they differ from each other and when to use them.
Unlike penetration testing, which requires human involvement at every level, a vulnerability assessment (or scan) is largely automated. It is designed to check for common and known vulnerabilities associated with specific technologies used by a company. For instance, vulnerability scans are often employed by IT teams to identify misconfigurations and unpatched systems with vulnerabilities. They tend to be confused with penetration tests, as they both perform various checks based on the CVE framework, but automated scans deliver a much less detailed assessment that does not contextualize the existence of the vulnerabilities within the targeted environment. Vulnerability scans are generally used on networks only, including firewalls, routers, switches and servers. Some types of scans are also used on applications, although they are much less efficient.
Due to their automated nature, vulnerability scans often produce false positives or inaccurate risk levels, so their results should always be validated by an experienced specialist, as they could otherwise result in a lot of wasted resources. These false positives may lead your IT team to spend time fixing vulnerabilities that either don’t exist or pose no significant threat to your company. It is also important to note that this validation by a specialist does not increase the depth of the analysis and does not aim to confirm that the vulnerabilities exist within the environment by exploiting them. More information on the depth of a vulnerability scan can be found here.
Vulnerability scans can be run on a regular basis on any number of assets to periodically identify misconfigurations and insecure implementations. In most cases, network administrators or security specialists with good networking knowledge run these assessments. The cost associated with a vulnerability scan is significantly lower than that of a penetration test, as it does not require as much experience and can be performed much faster. While they should not be neglected and it is still recommended to perform periodic scans, companies should not rely on this type of assessment alone if their objective is to protect their systems from potential incidents.
The primary objective of a penetration test is to identify and provide evidence for each vulnerability existing within a company’s security infrastructure and the tangible impact it could have on the organization or its users. Unlike vulnerability scans, there is always a human factor involved in penetration testing. Penetration testers act as de facto “hackers” for the purpose of uncovering systemic weaknesses within a targeted scope, replicating techniques used by hackers and safely exploiting vulnerabilities to determine exactly what could happen if a hacker used each vulnerability. For example, a tester may exploit flaws in business logic (the way an application handles a given action) to bypass authorization mechanisms, allowing them to determine what an attacker could potentially access when taking advantage of this specific flaw. By exploiting each vulnerability, the pentesting specialist will be able to attribute a risk level based on how easily hackers can exploit it and its potential impact on the company.
Penetration testing helps organizations outline and answer key questions, such as:
- Where would an attacker likely target us?
- Which flaws and security gaps might they exploit?
- What could the attacker achieve by exploiting each vulnerability?
- Could they access sensitive data?
For the most part, penetration tests are designed to discover new vulnerabilities, or the ones specific to the company’s environment, while ensuring that there are no “false positives”. Organizations can rely on the recommendations provided by pentesting specialists to allocate their resources efficiently while implementing measures that secure their systems properly. In comparison with vulnerability assessments, this type of test is much more in-depth and provides an accurate benchmark with regard to the cybersecurity risks faced by the organization. It leverages manual techniques combined with specialized tools that help testers optimize their time, delivering the real perspective of an attacker.
Penetration testing may take anywhere from a few days to several weeks depending on the scope of the assessment. Considering the human factor behind pentesting, it should have no effect on the integrity or the availability of the targeted systems, as the use of automated tools is limited and well configured to avoid any inconveniences. In addition, penetration testers are highly skilled and experienced IT professionals. Therefore, penetration testing is generally more costly than a vulnerability assessment, but provides a much more detailed representation of your cybersecurity as it stands.
Red teaming is very similar to penetration testing in the sense that it makes heavy use of the “human element” to discover security weaknesses. However, unlike a penetration test designed to identify and exploit architectural vulnerabilities, a red team assessment’s main objective is to test the organization’s overall detection and response capabilities, as well as all of the security measures it has in place. In other words, red team attack simulations do not merely test a company’s IT controls, but also determine the security readiness of its personnel, processes, and facilities. A red team assessment targets any assets the specialist can find during the assessment and replicates a full-blown real-life cyberattack.
Red teaming is typically coordinated with a single key stakeholder in the company, such as the IT director or a VP, without the stakeholder informing their IT team that an exercise is underway. Without time to prepare for an attack, the IT team must respond to the simulation as it would to a real event. This enables company leadership to determine how robust their current security measures and practices actually are. One common use case for a red team simulation is during a business merger, where the buying company wants to assess the new subsidiary’s cybersecurity without their IT team’s knowledge.
While penetration tests are usually better suited for organizations still in the infancy of their security program, red teaming is often initiated by corporations with long-standing, mature security processes and infrastructure in place. These companies may already have positive penetration test results, and a culture of alertness with regard to potential cyberattacks. However, a red team attack simulation can determine how strong such security measures would be in a real-life situation.
In summary, all three tests discussed above play a crucial role in keeping your IT infrastructure secure from malicious attacks, but should be used in different contexts. For instance:
- Penetration tests uncover vulnerabilities that hackers could exploit in the real world and prove their impact with concrete evidence
- Vulnerability scans provide an overview of your misconfigured and unpatched systems with common vulnerabilities associated with their technologies
- Red team simulations determine how effectively your systems, IT staff members and security measures will respond to a real-life attack
Each one of these assessments feeds into the holistic cyber risk analysis process, and can help you to determine the controls best suited for your business or department, as well as the best policies and practices to implement. Thus, it is critical to understand the differences between these techniques, and combine them into a consolidated risk management strategy to use each of them efficiently. By doing so, you’ll greatly reduce the odds of an attacker compromising your system while maximizing your cybersecurity budget.