A Guide to pen testing and red teaming: What to know now

This blog post was authored by Jon Medina, Managing Director, Security and Privacy; Manny Gomez, Manager, Security and Privacy; and Abdoul Cisse, Senior Consultant, Security and Privacy, on the Technology Insights blog.

Penetration testing and red teaming are essential cybersecurity practices that bolster an organisation's security posture by uncovering vulnerabilities in its systems, networks, and people or business processes. The two methodologies differ in their objectives, scope, approach and the technologies they employ.

Despite the value of both penetration testing and red teaming to an organisation's cybersecurity programme, organisations are often unfamiliar with the differences between the two.

Penetration testing is a targeted, simulated attack on a particular system or network, aiming to discover and report vulnerabilities that are susceptible to exploitation. This type of testing evaluates primary controls such as patch and vulnerability management, system configuration and hardening, encryption, application security, network segmentation, privileged access management and security policy enforcement. The scope of the engagement is defined up front, and the cost varies with the breadth and depth of the assessment.

Red teaming, by contrast, evaluates an organisation's security posture against a chosen objective, typically a threat actor's ability to gain access it should not have, and in doing so tests both detective and preventive controls. Detective controls include intrusion detection systems (IDS), endpoint detection and response (EDR), security information and event management (SIEM) systems, log analysis and anomaly detection. Preventive controls include firewalls, access control lists, intrusion prevention systems (IPS), multi-factor authentication (MFA) and network segmentation.
The objective is to identify and exploit vulnerabilities in the way an actual attacker would, while also gauging the organisation's capacity to detect and prevent the attack. Red teaming is an objective-based exercise aimed at simulating real-world threat actors targeting the organisation. Typical objectives include compromising the internal environment starting from an external position, gaining access to a sensitive system, or disrupting a business process. The attack paths and attacker methodologies used during a red team exercise help evaluate the organisation's resilience against a range of threat actors, including nation-states, organised crime and insiders. In practice, the measure of detection capability comes from comparing the red team's timeline of actions against what the organisation's monitoring actually detected, and when.

This approach requires highly skilled testers who must work slowly, deliberately and quietly to evade detection, which makes it more expensive to execute than a penetration test. The complexity and sophistication of the exercise, the extensive research and reconnaissance it requires and the closer coordination needed between the testers and the organisation all contribute to the higher cost.

Either…or?

When choosing between penetration testing and red teaming, organisations should base the decision on their specific objectives and risk tolerance. For red teaming in particular, the scope and objectives should be tailored to the areas of greatest risk. For example, a healthcare system might prioritise protecting medical records, an R&D organisation might emphasise safeguarding intellectual property, and an organisation with a large or complex procurement process might concentrate on securing financial data. Aligning the testing methodology with these critical risk areas lets the organisation address the vulnerabilities whose exploitation would most affect its reputation, compliance obligations and financial well-being.
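The detection-evasion point made above (a red team works slowly and quietly so that a detective control may never fire) is easier to see against a concrete rule. The following is an added example, not code from the original post or from the authors' practice: it parses a set of constructed sshd failed-login lines, runs a naive burst rule of the kind a noisy vulnerability scan trips, and then a password-spray rule keyed on distinct accounts over a 24-hour window that catches the slow pattern. The log format, the hostname, the documentation-range IP addresses, the timestamps and the thresholds are all assumptions made for this example.

```python
"""Added example (not from the original post): a small detection check run
over constructed sshd auth log lines. It contrasts a noisy, pen-test-style
login scan with the low-and-slow pattern a red team uses to stay under a
naive threshold rule, and shows a second rule keyed on a longer window and
distinct accounts that catches the slow pattern. All data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Failed-password line as written by OpenSSH's sshd; the leading ISO-8601
# timestamp and hostname are an assumption about the log collector's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(lines):
    """Return (timestamp, user, source_ip) for each failed-password line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def burst_alerts(events, threshold, window):
    """Rule 1: flag a source IP with >= threshold failures inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    alerts = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(ip)
                break
    return alerts


def spray_alerts(events, min_users, window):
    """Rule 2: flag a source IP that fails against >= min_users distinct accounts
    within a window, however slowly the attempts are spread out."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start_ts, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start_ts <= window}
            if len(users) >= min_users:
                alerts.add(ip)
                break
    return alerts


# Constructed sample data: documentation-range IPs, one host called "bastion".
BASE = datetime(2024, 3, 1, 2, 0, 0)


def noisy_scan():
    """Pen-test style: ten failures against root within nine seconds."""
    return [
        f"{(BASE + timedelta(seconds=i)).isoformat()} bastion sshd[1001]: "
        f"Failed password for root from 203.0.113.5 port {51000 + i} ssh2"
        for i in range(10)
    ]


def low_and_slow():
    """Red-team style: one attempt every 20 minutes, rotating across six accounts."""
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    return [
        f"{(BASE + timedelta(minutes=20 * i)).isoformat()} bastion sshd[2001]: "
        f"Failed password for {users[i % len(users)]} from 198.51.100.7 port {52000 + i} ssh2"
        for i in range(18)
    ]


def evaluate():
    """Run both rules over both traffic patterns and report what each one sees."""
    events = parse(noisy_scan() + low_and_slow())
    return {
        "burst": burst_alerts(events, threshold=5, window=timedelta(minutes=1)),
        "spray": spray_alerts(events, min_users=5, window=timedelta(hours=24)),
    }


if __name__ == "__main__":
    for rule, hits in evaluate().items():
        print(f"{rule}: {sorted(hits) or 'no alert'}")
```

Run stand-alone, the burst rule flags only the scanner at 203.0.113.5 and the spray rule flags only the slow attacker at 198.51.100.7. An organisation that has deployed only the first rule would catch the penetration tester's scan and never see the red team, which is exactly the kind of gap an objective-based red team exercise is designed to expose.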
In terms of technology, both practices employ tools and techniques such as automated vulnerability scanners, manual penetration testing utilities and bespoke scripts to assess the target networks and systems. Because red teaming simulates real-world threat actors, all tools and techniques are typically considered in scope, although not all of them will be used in a given engagement. Red teaming may also incorporate social engineering and physical security assessments to evaluate employee security awareness and adherence to security policies.

Vital cybersecurity practices

Penetration testing and red teaming are vital cybersecurity practices that help organisations pinpoint and address potential vulnerabilities in their systems, networks and business and people processes. Engaging external, unbiased experts for these assessments offers a fresh perspective and can uncover issues that internal teams overlook. It is crucial not only to identify vulnerabilities but also to prioritise timely remediation and then validate that the fix works, so that the organisation's overall security posture actually improves. By acting on the findings of a red team exercise or penetration test, senior leaders can make informed decisions on how to protect the organisation's assets and maintain a strong security posture.