An attacker’s perspective on choosing a red-team or pen-test engagement
Sitting on the frontlines as a red-teamer, people regularly ask me, “Should I do a pentest or hire a red team?” But that’s not the question they should be asking.
Security leaders should be asking, “What can I do to make it more expensive for an attacker to 'pwn' me?”
Expense for an attacker is defined by many factors: time to break in, cost for an exploit, complexity, time spent sitting in a network waiting, etc. Expense is increased by forcing an attacker to go through many “hoops” to get to the crown jewels and meet their objective.
Pentesting and red teaming can identify ways to make your program more expensive to hack, but doing both is not a reality for everyone, nor is every security program ready for both. Mature security programs who’ve tested their controls and have visibility are typically ready for a red team. Younger security programs need to test their controls, and will make it more cost prohibitive for an attacker by starting with a pentest.
A pentest will tell you if a security system and/or control is working as it was designed to work. Red-teaming tells you if you’ve adequately secured the most important things to protect. (Note the word adequately, nothing is completely secure.)
Questions a pentest will answer:
- Does my program function as it was designed to function?
- Is my security program doing the things I expect it to do?
- Does this security control I put in place work as expected?
Questions a red team engagement answers:
- Is my program doing the things that need to be done to protect my environment?
- What happens if my controls fail?
- Is my team and program prepared to respond under pressure and realism?
Let’s say Moose Inc. put a new EDR solution in place, and the CISO wants to confirm it was set up correctly. Basic alerting was set up to trigger when new admin credentials were made, or anything related to the domain controller. If pentesters tried to crack this EDR, they’d try to create new admins or perhaps mess with the domain controller, but fortunately, in this case, the security organization put the right alerting in place. After this pentest engagement Moose Inc’s CISO would feel confident the EDR control is in a good spot. And, yes, the EDR was set up well. But what about the controls and configurations adjacent to the EDR?
If Moose Inc. hired a red-teamer, they would go beyond testing the EDR controls, and perhaps pull from an active directory tree and identify logins that already had admin controls. From that point forward the red-teamers have inherited permissions to mess with the EDR, without generating alerts.
The red-teamer finds the gaps between security controls and visibility, whereas the pentest typically surfaces problems within specific controls.
When to pentest
Just because the red-teamer finds gaps between systems, doesn’t mean a pentest isn’t important. It’s great at answering the question: “Does this work as I asked it work?” And that’s just as important for making things more expensive for the hacker.
Pen-testing aims to find flaws, across a broad range of things; it has the breadth, but not the depth. It does a good job proving a protection is working, but not if the program behind it is working. Or, like in our example, if a CISO puts in a new security control, they should have the pentester confirm the control was put in place according to plan.
But a pentest has its shortcomings. Once you’ve disclosed how you designed something, you’ve tainted it. Pen-testers go broad, they use a comprehensive public corpus of techniques, but they won’t stress a program. And, typically a pentester doesn’t go super deep because of time, budget and scope.
When to hire a red team
When a CISO wants to answer the questions “Does this work?” or “What happens if this fails?” or “is my team ready?” -- it’s time to bring on a red team. Red teaming helps you understand if the entirety of your security program is working. It’s typically goal oriented, not time bound. Typically a red teamer won’t go through your main defenses, but will still find a way in. They may not go wide, but they go deep. They find systemic problems, from failures in training to technical execution, and can even change the way business is done.
Don’t jump to bringing on a high-end red team unless you’re ready for high-end learnings. If you’re still focused on blocking and tackling, maybe you’re not ready to get a high red team to beat you up.
For practitioners who have to choose between a pen test or red team engagement, it comes down to the maturity of your security program and the questions you want to answer. And ultimately, it’s all about making it harder and more expensive for an attacker to get in and achieve its objective.