There still seems to be a lot of confusion regarding the differences between vulnerability assessments, penetration testing and red teaming, so I thought it deserved a little explanation. Ultimately I don’t care about arguing semantics; if you want to refer to a penetration test as a CupCake assessment then by all means, have fun.
The real catalyst for this blog post is that even people in our industry (including those who ‘sell’ these services) don’t understand the differences, or why and when you would choose one test type over another. Here is a broad definition of each:
Vulnerability Assessments – You are seeking to identify ALL vulnerabilities (or as many as reasonably possible) in a target. You take a systematic and investigatory approach to do this.
Penetration Test – You are seeking to identify the efficacy of your preventative and detective controls against the actual tools and techniques of real world adversaries that your organization is likely to face. This is generally done in a simulated way in coordination with the target organization.
Red Team Test – You are seeking to identify your end users’ and specifically your security staff’s (Blue Team/Defenders) capabilities to identify and respond to a real world security incident. Red Team attacks, Blue Team defends and specifically Responds! The key here is the response: this gives you a way to test your detective controls and your incident response capabilities that no other assessment can provide.
Another way to look at the differences is with an analogy to developing your fighting skills:
Vulnerability Assessment – Studying your strengths and weaknesses in preparation for a fight. Defining strategies (policies) and tactics (controls) based on your studies.
Penetration Testing – Sparring with a partner. Working in a simulated way to develop and hone your skills. Specifically probing for weaknesses and working to develop solutions for those weaknesses.
Red Team Test – This ain’t no sparring match, get ready to get punched in the face. We try to attack your organization and you respond exactly as you would during a real incident.
The differences between these three services, real world examples and methodologies are a common topic for us. We plan on expanding on these thoughts in future posts. In the meantime, keep in mind that the name of any particular test is not nearly as important as WHY you are performing the work and WHAT data and value you are seeking to get from the test.