Red Teaming and Penetration Testing: what’s the difference?

Posted by Rudy Mitra on Sep 29, 2020 8:35:24 AM


Never heard of Red Teaming? Put simply, a Red Team exercise simulates a real threat actor actively operating against your organisation. Red Team exercises allow you to assess your ability to thwart real attacks, identify gaps in your defences, and understand security risks accurately and in context. But isn’t that the same as Penetration Testing?

Unlike Penetration Testing, which focuses on identifying vulnerabilities in your technology stack, Red Teaming also challenges your security personnel and processes, giving you an opportunity to assess how effectively you can detect and respond to a threat actor in your operational environment.

Penetration Tests are typically short engagements focused on identifying misconfigurations and vulnerabilities at scale, but they do not represent real-world attacks. For example, a capable threat actor is unlikely to run automated vulnerability scanners or noisy off-the-shelf exploits inside your environment, because the risk of detection is high. In contrast, Red Team operations are executed over weeks or months with finesse and sophistication. Red Team operators work slowly, carefully planning and executing each phase of the operation to achieve predetermined goals, such as gaining access to intellectual property or financial data.

The great thing about Red Teaming is that at the end of the process, you will know how prepared your organisation is to respond to a real-world attack and you will have clear recommendations on how to harden your environment and boost your defences further.


Red teaming in a nutshell

Red Team operations involve hackers (the ‘Red Team’) executing an attack plan tailored specifically to your operational environment, while the ‘Blue Team’ attempts to detect and respond to the attack. Your organisation’s Blue Team may be your internal IT operations and physical security staff, a dedicated internal team of cybersecurity experts, or an external security provider.

At a high-level, there are two flavours of Red Team exercises, which can be tailored to your needs and your security maturity level.

The first is a full-scale Red Team operation. This is as close as you’ll get to a real-life attack, and it generally commences without your Blue Team knowing anything about it. Your Blue Team will only become aware of the Red Team when the Blue Team detects malicious activity in your environment. Once the Red Team is detected, the Blue Team will try to remove the Red Team from the environment before the Red Team achieves its objectives. At the same time, the Red Team will actively attempt to persist in the environment and continue pushing forward to complete their mission.

Then there’s what we like to call Purple Teaming, a more open approach that suits organisations that want to test the effectiveness of specific controls, or that are more interested in exercising their response capabilities than their detection capabilities. It is also an excellent option for organisations that have never undertaken a full-scale Red Team exercise and would like to ease into it with guidance from experienced experts. Purple Teaming occurs with the Blue Team’s knowledge. In these exercises, the Red Team works alongside the Blue Team in real time, giving them full visibility of the offensive activities and helping them to identify indicators of compromise in the environment, understand the impact of each of the Red Team’s manoeuvres within the context of the attack chain, and devise a response that contains and eradicates the threat effectively.


What are we looking for?

While The Missing Link’s Penetration Testers perform limited-scope assessments of specific applications or infrastructure to identify vulnerabilities in systems, our Red Team operators look at the bigger picture, to deliver a realistic assessment of your organisation’s defences.

Our Red Team will thoroughly research your infrastructure, your people, premises, and processes before designing an operational approach and putting together a detailed plan to infiltrate your organisation to steal your ‘Crown Jewels’ in the way that a real adversary would.

Many organisations don’t realise that a real attacker often gets a foot in the door through social engineering rather than by exploiting a vulnerability on an internet-facing server. This is the most significant difference between Penetration Testing and Red Teaming. The Red Team scope can include phone calls and spear-phishing emails that attempt to weasel usernames and passwords out of your staff, or to get them to open a malicious file, all to gain an initial foothold in your network. Once they have initial access, they carefully study your environment to build situational awareness and make educated decisions, adapting their tradecraft to blend in with regular activity, which opens the pathway to lateral movement within your environment. Ultimately, they seek a path to elevate their access and take control of the ‘Crown Jewels’ they have been tasked to compromise.

Once the exercise is complete, the Red Team will deliver detailed documentation around the attack chain, the techniques and artefacts used, any vulnerabilities or gaps that they identified and abused, and an assessment of your Blue Team’s response. In the end, the Red Team will provide a debrief in which they will acknowledge your Blue Team’s successes and highlight the most critical gaps that must be addressed. And, most importantly, the Red Team will provide recommendations to help improve your detection and response capabilities going forward.
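The debrief described above, which maps the Blue Team’s detections and responses onto the Red Team’s attack chain (the same bookkeeping a Purple Team does in real time), can be reduced to a small scoring script. The following is an added example and not code from the original post or from The Missing Link; it assumes technique labels are MITRE ATT&CK IDs, which the post does not mention, and every timestamp and event in it is constructed for illustration.

```python
"""Score a Blue Team's detection and response against a Red Team attack chain.

Added example, not code from the original post. Each Red Team action is
matched to the Blue Team alerts and containment actions that followed it,
producing the debrief figures the post describes: which phases went unseen,
how long detection took, and whether the Red Team kept operating after
containment. Technique labels are MITRE ATT&CK IDs (an assumption: the post
does not mention ATT&CK). All timestamps and events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RedAction:
    phase: str          # attack-chain phase, in the post's own terms
    technique: str      # ATT&CK technique ID (assumption)
    started: datetime   # when the Red Team executed the action


@dataclass(frozen=True)
class BlueEvent:
    kind: str           # "alert" (detection) or "contain" (response)
    technique: str      # technique the analyst attributed the activity to
    at: datetime


@dataclass(frozen=True)
class PhaseResult:
    phase: str
    technique: str
    started: datetime
    detected_at: datetime = None
    contained_at: datetime = None

    @property
    def time_to_detect(self):
        return None if self.detected_at is None else self.detected_at - self.started

    @property
    def time_to_contain(self):
        return None if self.contained_at is None else self.contained_at - self.started


def _first_after(events, kind, technique, not_before):
    """Earliest Blue event of `kind` for `technique` at or after `not_before`.
    An alert raised before the Red Team acted cannot be credited to that action."""
    times = [e.at for e in events
             if e.kind == kind and e.technique == technique and e.at >= not_before]
    return min(times) if times else None


def score_chain(red, blue):
    """One PhaseResult per Red action, in attack-chain order."""
    return [PhaseResult(a.phase, a.technique, a.started,
                        _first_after(blue, "alert", a.technique, a.started),
                        _first_after(blue, "contain", a.technique, a.started))
            for a in sorted(red, key=lambda a: a.started)]


def summarise(results):
    """Headline figures for the debrief."""
    detected = [r for r in results if r.detected_at is not None]
    contains = [r.contained_at for r in results if r.contained_at is not None]
    first_alert = min(detected, key=lambda r: r.detected_at) if detected else None
    first_contain = min(contains) if contains else None
    return {
        "detection_rate": len(detected) / len(results),
        "undetected_phases": [r.phase for r in results if r.detected_at is None],
        "first_alert_phase": first_alert.phase if first_alert else None,
        # dwell time: how long the Red Team operated before the Blue Team saw anything
        "dwell_hours_before_first_alert": (
            (first_alert.detected_at - results[0].started).total_seconds() / 3600
            if first_alert else None),
        # Red Team actions that still succeeded after the first containment step
        "actions_after_containment": [
            r.phase for r in results if first_contain and r.started > first_contain],
    }


# Constructed timeline (not real data): the Blue Team misses the phishing
# foothold and the quiet discovery, catches lateral movement and privilege
# escalation and isolates a host, but the Red Team persists to the crown jewels.
DAY0 = datetime(2020, 9, 7, 9, 0)
RED_TIMELINE = [
    RedAction("initial access", "T1566.001", DAY0),                                     # spear-phishing attachment
    RedAction("situational awareness", "T1087", DAY0 + timedelta(hours=1, minutes=30)),  # account discovery
    RedAction("lateral movement", "T1021", DAY0 + timedelta(days=2, hours=5)),           # remote services
    RedAction("privilege escalation", "T1068", DAY0 + timedelta(days=3, hours=2)),
    RedAction("objective", "T1005", DAY0 + timedelta(days=4, hours=7)),                  # data collected
]
BLUE_EVENTS = [
    BlueEvent("alert", "T1021", DAY0 + timedelta(days=2, hours=6)),
    BlueEvent("alert", "T1068", DAY0 + timedelta(days=3, hours=2, minutes=30)),
    BlueEvent("contain", "T1068", DAY0 + timedelta(days=3, hours=4)),   # host isolated
]

if __name__ == "__main__":
    results = score_chain(RED_TIMELINE, BLUE_EVENTS)
    for r in results:
        print(f"{r.phase:22} {r.technique:10} detected={r.detected_at is not None}"
              f"  ttd={r.time_to_detect}  ttc={r.time_to_contain}")
    print(summarise(results))
```

Run it directly to print one line per phase plus the summary. The undetected phases are the detection gaps to carry into the recommendations; the dwell time before the first alert and the phases that still succeeded after containment are the response numbers worth tracking from one exercise to the next. Note the time bound in `_first_after`: an alert is only credited to an action it could actually have been caused by.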


Why do you need Red Teaming?

Most organisations today invest in cybersecurity and physical security solutions. But how can they ensure these investments are effective? When was the last time your organisation tested its security posture as a whole, and not in parts? Would you rather discover how effective your organisation’s controls and procedures are before or after a real attack?

Organisations around the world are increasingly under threat of cyber-attack, and the attackers (be they state-sponsored actors, organised crime gangs, corporate spies, terrorists or any other type of criminal) are increasingly sophisticated.

They might be trying to steal your data or your money, damage your reputation or destroy critical infrastructure. They might also be trying to infect your computers with malicious software so they can use them in further attacks against other organisations while remaining anonymous and shifting the blame onto you!

That’s where we come in. We’ve got a team of dedicated award-winning Red Team operators – among the most qualified in the world, ready to put your organisation to the test in more ways than you can imagine. And, as a CREST approved company, you can be assured of our professional, ethical approach to information security testing.

At The Missing Link, we recognise that Penetration Testing and Red Teaming require different sets of skills and expertise. Our Red Team operators are well-versed in the art and science of adversary tactics and are specially trained to run Red Team operations, and conduct cutting-edge security research and development used by Red Teams throughout the industry, both in Australia and globally.

It’s always better to be tested by a friend than an adversary… call us today, we’d love to chat through the options.


Rudy Mitra

Marketing Specialist