There are several approaches that organizations can take to better understand where their software systems are most vulnerable to attack.

While there is no universally accepted nomenclature for each approach, the goals of such assessments typically include:

• Modeling the attack surface and threat profile

• Identifying critical vulnerabilities

• Understanding recommended remediations and how those remediations may affect the application or system

• Learning how to build a more secure application or system

• Increasing response readiness

• Determining the robustness of defense mechanisms already in place, e.g., DLP, WAF, etc.

• Evaluating if sensitive systems are susceptible to attack, e.g., email server, database, etc.

Penetration testing, attack simulation, and red teaming are often used to describe similar assessment techniques; however, each has tactical differences and may yield different results, which I’ll describe below. Your test objectives may lead you to favor one approach over another.

Penetration Testing
During a Penetration Test, Security Engineers focus on a piece or suite of software within a well-defined scope to find as many security vulnerabilities as possible during the agreed-upon timeframe. This software may reside on any platform: desktop, mobile, server, embedded, etc. During this time, Security Engineers use our tools, methodologies, and an attack surface analysis to discover vulnerabilities unique to the software. Commonly known as “0-days,” these are previously unknown vulnerabilities that are exploitable against the system under test. The testing resembles an audit of the application’s attack surface and aims to be exhaustive, covering as much of the scope as deeply as possible.

To dig a little deeper into Penetration Testing, check out our 19 Attacks for Breaking Software Applications.

Attack Simulation
An Attack Simulation aims to answer the question “what does my organization look like from the perspective of a malicious attacker?” This is usually less about the team’s responsiveness and more about their overall security posture. It differs in scope from a penetration test: an attack simulation looks at your organization as a whole, while a penetration test focuses on a specific application or system. During an Attack Simulation we may attack the software of the system in order to fulfill the goals of the assessment. This is a no-holds-barred, everything-in-scope attack that typically starts with goal setting, then reconnaissance (network scans, physical building surveys, war-driving, social engineering, and casting a wide net to discover as many hosts and services as possible), then attacking each server and service to uncover soft spots in the network. The final step is usually attacking the network to discover what could be breached by a malicious attacker. This may require social engineering, phishing simulation, and data exfiltration testing.

A side benefit of an attack simulation is the ability to uncover unknown hosts (aka “ghost IT”). These are systems that were spun up for short-term testing and inadvertently left running, or completely unauthorized systems. For example, we once uncovered an IT administrator who was hosting his personal WordPress site from inside a financial company’s data center.

After this test, an organization will have a solid picture of what they look like from the perspective of an external attacker and of their ability to withstand these types of attacks. These tests are generally not as thorough as a penetration test, but they give an excellent broad overview of attack surface and security posture that can’t be gained any other way.

Red Teaming
Red Teaming is an opportunity for our customers to understand goal-based attacks in order to test the responsiveness, alerting, and defenses of security response teams.

Red/Blue Team Exercises originate in the military, where a “Red Team” would attack the “Blue Team’s” base in order to identify weaknesses in the Blue Team’s defenses. The Red Team may or may not have internal information about the base or its procedures. The Blue Team may or may not be aware of the start, timing, or duration of the attack. In a worst-case scenario (for the Blue Team and the organization), it’s possible for the entire attack to happen without the Blue Team knowing anything.

Red Teaming is usually a point-in-time attack to help a customer understand how their IT team will react to a “live attack,” that is, to test their defensive readiness. This is typically done by a small group or even a single person who coordinates the attack without staff being aware. Generally speaking, the goal is not to find a broad range of vulnerabilities, but rather to achieve a successful breach and exfiltration via any single point of attack in order to assess the organization’s attack and breach detection and response. It is an active attack that tests both active and passive defenses.

Which technique does your team or organization tend to favor and why?