In a vulnerability test, imagine the tester is thinking: “Well, I know 17,240 possible problems that might exist on a network. Let me check every system here for every one of those vulnerabilities and see what issues exist.” This is normally the first type of security testing that an organization performs as it seeks to develop a prioritized list of issues to remediate. Security teams also normally configure periodic scans to automatically run against their environments to detect new vulnerabilities that might arise.
However, this highly automated approach is prone to false positives, or reports of errors that don’t really exist. That’s because automated systems lack the nuanced skill set and follow-up capabilities of a trained analyst.
The Next Level of Security Testing
Penetration tests overcome this limitation by introducing trained security professionals into the equation. These experts are well-versed in the tactics used by real attackers and bring this “hacker mindset” to their work.
The testers analyze the vulnerability scan carefully, looking for chinks in an organization’s security armor that might provide hackers with an opening. The testers then exploit those vulnerabilities and attempt to gain access to systems and data. After all, there’s no better way to prove that a vulnerability exists than to actually exploit it. Penetration tests can be time-consuming, but they’re also highly productive. Their focused results provide organizations with a deep dive into how an attacker might target them.
Red team tests operate with a similar mindset and tools but a different goal. Instead of attempting to enumerate and explain vulnerabilities, red team tests evaluate an organization’s security incident response process. The red team tester often works at the behest of management, without the knowledge of operational security teams. The tester carries out the activities of an attacker, with a focus on doing so stealthily to avoid detection. The red team tester operates as a sophisticated adversary, assessing the preparedness of the security team to identify and respond to a real attack.
Begin Security Testing with Baby Steps
While organizations might be tempted to jump right to the most advanced test and engage in red team testing out of the gate, this is not normally an effective approach.
The reality is that most organizations simply aren’t ready for a red team test. It’s quite common for them to have glaring vulnerabilities in their systems or underdeveloped incident response procedures that would quickly fall victim to a red team test, limiting the value of that engagement.
Instead, organizations should view the three types of security testing as a set of tools to incrementally add to their security programs as they advance in maturity.
Vulnerability scanning is the first step in this approach, helping an organization identify the low-hanging fruit that requires attention. Teams may use the results of vulnerability scans as a roadmap to improving their security posture, working through the list and remediating vulnerabilities until all high-risk issues are corrected.
Once the organization thinks it has successfully addressed the issues that arise in a vulnerability scan, those scans may be put on autopilot and the organization can move on to the next level of testing.
At this stage of maturity, a penetration test might identify more subtle issues that an advanced attacker could exploit. Running periodic penetration tests focused on different areas of the organization can help keep defenses primed for evolving attack types.