Which one do you need?
Criminals are highly creative and persistent. It’s their job to develop new ways to breach your defenses and steal something of value, and they work hard at it. They are, unfortunately, exceptionally good at their jobs, costing the world more than $1 trillion in 2020 alone.
The best approach to security is to take many different approaches. But you need to know the strengths of each tactic so the coverage overlaps into a complete blanket.
Two such security staples are penetration tests and red teaming. The terms get used interchangeably, but they describe decidedly different approaches. Let’s dig into the details of these two essential components of every security program.
Penetration Tests Evaluate Security Methods
Penetration tests, or pen tests, are security testing methods performed to evaluate the effectiveness of security controls. The goal is to identify as many vulnerabilities as possible within a given timeframe and scope.
Pen tests simulate common attack tactics, either manually, with software, or both, to identify security vulnerabilities. The results land in a formal report detailing the methods used and the vulnerabilities found. Organizations use these findings to close security gaps. Periodic pen test reports are also required by customers, by governing agencies, and to achieve and maintain compliance with frameworks such as SOC 2, ISO 27001, and others.
Since pen tests are a deliberate and common testing method, little or no effort goes into disguising the attacks or evading detection. Testers also focus on known vulnerabilities, such as unpatched bugs or vulnerable software versions.
In short, pen tests evaluate the security methods you use to protect your organization. They find areas where security protocols haven’t been followed, known gaps haven’t been closed, and common attacks haven’t been considered. If pen testing finds significant gaps, your security processes, controls, and execution are usually to blame.
Red Teams Evaluate Security Defenses
Red teaming is a targeted security testing method performed to evaluate specific security controls. The goal is to find vulnerabilities in targeted surfaces or scopes, using creative attack methods to simulate an actual breach attempt.
Red teams use focused attack methods or entry points, technical and physical, to assess how well a security program holds up as a whole. They might steal a worker’s laptop, forge ID cards, run social engineering, or phish. They also attack with little or no awareness from the security team, which tests controls and response processes at the same time.
Red teams evaluate how your organization defends against real attacks. They use creativity, experience, and skill much like real criminals do, to evade your defenses, outwit your teams, and test your overall strategy. Red teams find significant gaps, and those gaps tell you exactly where to harden.
You Need Both
While pen testing offers a broad evaluation of security controls and methods, red teaming offers a more targeted, more realistic evaluation of your defenses against a potential attack.
Think of pen testing as a periodic requirement, like going to the dentist. Twice per year, the dentist checks your teeth, pokes at your gums, maybe takes an x-ray, and tells you that you aren’t flossing enough. Red teaming, on the other hand, is like going to the doctor when you just don’t feel right. The doctor might run some tests, draw some blood, hook you up to a machine, or send you to a specialist. You don’t know what they’re going to do or what they’re going to find, but the goal is to keep you healthy.
A comprehensive approach means considering every form of attack on every attack surface, and constantly testing your defenses to find and close gaps. That means doing both pen tests and red teaming. They evaluate different components of your security program, and both are essential.