Johannes Schönborn

Red Teaming vs. Penetration Testing: Beyond the Buzzwords

Updated: Feb 28

Have you caught up with the latest buzz? While penetration testing has long been a staple in cybersecurity, Red Teaming has emerged as the new frontier. Yet, the line between these two disciplines often seems blurred. Dive into most definitions, and you'll find the terms are practically interchangeable, leading to confusion about their distinct roles.


But is Red Teaming simply "penetration testing without boundaries"? Does it extend beyond IT systems to include acts like badge theft or infiltrating offices armed with nothing but a ladder?


The answer is both yes and no. Penetration testing does encompass such scenarios, and these practices were hardly unheard of before the term "Red Teaming" began its ascent. The German Federal Office for Information Security (BSI) defines penetration testing broadly enough to include social engineering, advocating an approach that mirrors the full spectrum of a threat actor's tactics.


However, trends do emerge. Most penetration testing projects are executed with a narrowly defined scope – a reflection of the market's perception of the term, much like the debate over "hacker" versus "cracker," a battle long conceded.


In our penetration tests, requests typically include:

  • Evaluating the security of external perimeters.

  • Assessing the security posture of new mobile apps.

  • Testing the readiness of a new golden build for an Operating System.

  • Reviewing the security of cloud tenants.

  • The more adventurous requests involve simulating supply chain attacks, which invariably excites everyone involved.

NATO, drawing on insights from the Department of Defense, distinguishes between Cyber Red Teaming and Penetration Testing, emphasizing a crucial point that we wholeheartedly agree with and often cite:


"The main purpose is to test the blue teams that are supposed to defend the networks rather than to focus on vulnerability assessments."


Red Teaming steps beyond the IT-centric scope of penetration testing, addressing broader concerns that include previously unidentified dependencies and issues.


Oftentimes we ask: What are the critical business functions? More often than not this cannot be answered straight away. The next questions are: Who runs these? Where do they run? How? Only then do we map out a Red Team attack plan against these critical functions.


It's not just IT that falters in crisis situations; communication is often the Achilles' heel. Consider the challenge of aligning your executive board with major clients and authorities when it becomes publicly known your business might collapse.

Who's responsible for communications?

This confusion is not something to resolve during a live incident; it is better addressed in a tabletop exercise (a "board game") following a technical Red Team engagement.


These considerations are encapsulated in the recently released threat intelligence-based Red Teaming and penetration testing frameworks.


CBEST, initiated in 2014 by the Bank of England, was a pioneer, offering intelligence-led penetration tests for the financial sector, akin to what is now widely recognized as Red Teaming. It aimed to bolster resilience against cyber-attacks. Similar frameworks include iCAST (intelligence-led Cyber Attack Simulation Testing) under the HKMA Cyber Resilience Assessment Framework, the Association of Banks in Singapore's Red Team: Adversarial Attack Simulation Exercises (AASE) guidelines, and the European TIBER-EU program (Threat Intelligence-based Ethical Red Teaming), adopted nationally as TIBER-DE (Germany), TIBER-NL (Netherlands) and TIBER-DK (Denmark), among others.


In the ever-evolving cyber landscape, advanced cybersecurity testing tailored to specific threats is undoubtedly the way forward.


But is all this a bit much?


For the "average" company without a seven-figure cyber defense budget, there are more suitable engagement types, such as the "Assumed Breach".


But that's a story for another day :)

