Comparing the blue and red teams
The blue team is the defense team, the one in charge of the policies, processes, methods, and technologies aimed at preventing a cybersecurity incident (which is probably you).
On the other hand, the red team is a team of professionals trained to find vulnerabilities. They will use their skills to find a way to gain access to a given system or data.
They will basically follow the same steps that an attacker would, but instead of exposing your data or selling it to the highest bidder, they will create a beautiful report that you can use to detect your vulnerabilities and create strategies to correct them.
Some big companies may have their own red team, but this is very expensive, and resources may be underutilized, so most of the companies just hire them on a regular basis to test their infrastructure and gather valuable data to improve.
Like many other topics in cybersecurity, there is an open debate about red teams and pentesting, so to make things easier for the reader, pentesting will be defined as one of the tasks carried out by a red team.
As a defensive security professional, there are many factors that you must know about in relation to pentesting, such as the types of testing, pentesting services, and their benefits.
Types of pentesting
A pentest is classified based on the level of knowledge and access that you grant the red team prior to the test. The categories are as follows:
Black box
In this type of testing, the red team is not provided with any information about the target. This is commonly used when testing an entire infrastructure to find global vulnerabilities. Here, the red team will have to start by performing an initial discovery phase and move across layers to find any vulnerable spots.
This kind of testing is more generic and normally involves no collaboration between the teams. In fact, it is regularly performed as a type of audit in which only senior management knows that the test is taking place. This is done so that the test is as realistic as possible, without the security team being on alert.
This is normally the most complex, resource-intense, and extensive test of the three.
Gray box
Here you provide the red team with some details about the target while obscuring others. For example, you may ask to test a given application and provide the architecture of said application, but more detailed information, such as the source code and users, will be obscured.
White box
In this type of testing, you provide the red team with a lot of data about the tested system/infrastructure, including blueprints, users, code, and any other document related to the system/infrastructure being tested.
While this may seem to make life easier for the red team, this type is more about creating a collaborative environment between the blue and red teams to perform more targeted testing.
Pentesting services
You can pretty much test anything; however, here is a list of the most common types of pentesting offered:
- Network services
- Databases
- Web applications
- Web services
- APIs
- Wireless networks
- BYOD
- VPN
- Social engineering
- Physical intrusions
- Code/applications
Benefits of pentesting
Many organizations are still reluctant to perform some type of pentesting on their environments, so let me share with you some benefits to motivate a company to use this great asset:
- External feedback about your infrastructure, including weak points, vulnerabilities, and improvement areas
- An opportunity to close security gaps before they are exploited by criminals
- Objective evaluation
- Support of your continuous improvement initiatives
- External validation of your hard work!!!
Tips
Hiring a dedicated red team may be expensive; however, if you have someone on your team with offensive skills, you can leverage that experience to perform smaller-scale tests internally (similar to a mini purple team).
Having a purple team does not replace the need for a red team as the inputs from an external "unbiased" tester provide additional insights and value.
Be careful when hiring a red team as they will handle very sensitive information about the company. Here, the rule is that you should always work with a partner that you can trust.
Involve your legal team and make sure that a confidentiality and data privacy contract is signed with the red team.