Penetration Testing Vs Red-Teaming – What’s The Difference?




Before we jump into the business of the day, here is the cybersecurity news you might've missed this week:


  • NVIDIA fixes critical flaws in their chipsets. The world-renowned graphics card maker, NVIDIA, has released software updates to fix 26 high-severity flaws that hackers could (and would) abuse. The flaws, which were present in Jetson Linux products, could've led to information disclosure and DDoS attacks.

  • Wegmans suffers a data breach. A major supermarket chain in the US, Wegmans Food Markets, is the latest victim of a data breach. In a statement, Wegmans confirmed that at least two databases containing customer names, email addresses, phone numbers, and login passwords were harvested due to a misconfiguration. Wegmans also noted that they're working with a forensic firm to determine the full scope of the attack and fix the problem.

  • US Government launches VDP for federal civilian agencies. Through the Cybersecurity and Infrastructure Security Agency (CISA), the US government has launched the first-ever vulnerability disclosure program (VDP) for federal civilian agencies. In addition, the government has teamed up with IT contractor Endyna, which will provide a software-as-a-service (SaaS) platform for the endeavor. The VDP aims to set a new precedent for enterprise-wide security tracking and improvement.


And now to the topic of the day.


Penetration Testing Vs Red-Teaming – What’s The Difference?


There are at least two productive ways to fairly quickly ascertain your organization’s resilience to both internal and external cyber threats: Penetration Tests and Red Teaming exercises. A common misconception, however, is that these are interchangeable - we're here to clarify.


From both risk and budgetary perspectives, it is essential that you know the difference between the two before selecting the approach that fits your business' goals best. Let’s start with the basics.


What is Penetration Testing?


Whether it is an Intelligence-Led Penetration Test or its more conventional alternative, PenTesting focuses on assessing your systems, web apps, mobile devices, and networks to identify the weaknesses in your infrastructure that can be exploited by a malicious threat actor.


Penetration Tests typically come in three flavors:


  • Black box, where the testers have little to no initial knowledge of your infrastructure.

  • Grey box, where the testers have some knowledge of your infrastructure - for example, the types of servers you're running, or your basic network topology. Both grey and black box tests are well-suited to providing a comprehensive view of how an external attacker might exploit the discovered weaknesses.

  • White box, where the testers have extensive knowledge of your internal infrastructure and processes. White box tests can demonstrate how an internal threat (for example, a disgruntled employee) might go about attacking your organization.


What is Red Teaming?


Red teaming is a scenario-driven attack simulation focused on target objectives - typically, critical business assets, also called Crown Jewels, that would damage the organization the most if compromised.


Red Teams typically start by sitting down with you during kick-off to define these objectives. This is also when the rules of engagement are laid out and agreed upon: which methods and courses of action the testers are allowed to take, which are not recommended, and which are strictly forbidden.


What’s the Difference Between Penetration Testing and Red Teaming?


The main difference lies in the objectives of each: while Penetration Testing aims to discover all possible weaknesses that a threat actor can exploit if your company is targeted, Red Teaming exercises have no such goal.


While the Red Team will discover and exploit the weaknesses that a PenTesting team would find as well, they would do so with the goal of simulating, as closely as possible, how a real threat actor would attack your organization. They specifically go after your key assets, giving you a different perspective on your cybersecurity shortcomings across people, processes, and technology within your organization.


So Which One Should I Do?


Both, ideally. A sensible course of action would be to conduct a vulnerability assessment or a Penetration Test, address the discovered weaknesses to the furthest extent possible at the time, and then initiate a Red Teaming exercise to confirm the effectiveness of the measures. Rinse and repeat at least annually, or whenever any major changes to your attack surface (infrastructure, software, supply chains, web presence, etc.) occur.

