With more than a third of enterprises experiencing a targeted cyberattack in 2020, it’s important for companies to understand how their security operations would hold up if they faced similar sophisticated threats. Arguably, one of the best ways to achieve this is to look at your organization from a threat actor’s standpoint and this equates to conducting a security assessment.
For security leaders that outsource the security assessment process, however, the challenge is that there are a variety of service offerings available, and oftentimes, marketing of these terms adds to the confusion.
There may also be some confusion as to what security assessment services are and their purpose. Oftentimes, security leaders and organizations need more clarification about the types of cybersecurity assessment services: vulnerability assessment, penetration testing and red teaming.
To demonstrate how vulnerability assessment, penetration testing and red teaming differ, we’ll consider three basic criteria: the goal of the service, its scope and methodology.
What’s out there?
Vulnerability assessment (VA), the most common service of the three, is an automated or semi-automated approach to the identification of security issues. Its goal is to discover as many publicly-known vulnerabilities as possible among a strictly defined set of systems, ideally minimizing false positive results. The methodology is quite simple and boils down to pattern matching data received from a network service against a database of known security issues. Such a straight-forward approach allows for a great level of automation, thus gaining the advantage of speed and repeatability. Disadvantages are quite obvious too as the results from a vulnerability assessment is a list of existing well-known exposures.
This is not to say that VA is not the right service for an organization as it is a crucial part of the vulnerability management program in any security-mature organization, alongside asset inventory and change management processes.
It is important to keep top of mind that VA has nothing to do with any kind of simulation of adversarial behavior, so it is important to speak with service providers to see if they are mostly relying on automation vulnerability scanning as this may not be the solution for your organization.
Now with vulnerability assessment addressed, let’s take a closer look at penetration testing.
As the name implies, penetration testing (pentest) aims to demonstrate how a security boundary could be breached, allowing a threat actor to get from point A to point B inside an organization’s network. Unlike a vulnerability assessment, pentest goes beyond plain enumeration of potential security weaknesses. Proper penetration testing engagement, applied to an external perimeter, corporate network, or both, would show how a malefactor would behave if targeted to compromise a company’s IT infrastructure.
Methodology-wise, pentest is mostly a manual service that relies more on the knowledge and experience of an expert team performing it rather than on tooling and automation. Typical engagement might take anywhere from 30 to 60 business days for the practical part and reporting. Since reporting is the key deliverable of the whole exercise, it’s important for security leaders to pay close attention to what would be included in the report. Most established vendors will have a sample report that can be requested to evaluate whether the final product would match your expectations.
Finally, a red teaming service is focused on the assessment of a company’s operational security capabilities via conducting a sophisticated attack simulation exercise and evaluating detection and response reaction of defending SOC specialists (blue team). Though it may look similar to penetration testing, there are significant differences behind testing security operations (OpSec) and looking for attack vectors.
The methodology and scope of each red teaming exercise are heavily dictated by threat intelligence (TI) gathered prior to the engagement. During penetration testing, a service provider is trying every attack vector that would aid in breaching IT infrastructure security. During red teaming, the customer and service provider develop a set of goals to be reached via a corresponding set of attack scenarios. These would be the most relevant for the company based on the results of a deep TI research. In most cases the scope would not be limited by any particular IP addresses or domains, instead covering the whole organization, including people and processes. These kinds of exercises also last longer than others — half a year or even longer — due to the need to simulate low-profile behavior of a real attacker.
Given the aforementioned insights, security leaders looking to outsource any portion of their cybersecurity assessment programs can determine what time of security assessment service is right for them by thinking strategically and asking the right questions.