DOES YOUR LAST PENETRATION TEST HAVE YOU SEEING RED?
Maybe it should.
For security-minded but business-forward people, it is all too easy to fall into a vulnerability management rut.
Does this situation sound familiar?
On a routine basis, you or your company hire a security firm to perform penetration testing on the latest server, application, network, or other important doo-dad to ensure it is not exposed to unnecessary risk from security vulnerabilities and that it meets all pertinent industry regulations or guidelines. The testing completes but fails to find any new or significant issues. You address the remaining lower-severity findings, often through risk transference or risk acceptance, and move on to the next project. When the next compliance due date circles around, the cycle repeats with similar results.
If so, it’s time for a change. And a meaningful change at that.
Forget chasing an unending cavalcade of vulnerabilities, and forget listening to those snarky, profess-to-know-it-all pundits who hypothesize, usually from the sidelines or the comfort of an extra-plush chair, that penetration testing is dead and adds little to no value. You know the ones: the "let's just let the attackers inside because they are going to get in anyhow" crowd. Both the vulnerability chase and the pundits are very dramatic, often demand very time-consuming effort, and tend to produce ineffectual, misdirected, and unhelpful reactions. Both will also always be there. Your drained outlook need not be.
Instead, breathe new life into your security and project by moving to the proactive. Consider a Red Team engagement in place of your next scheduled penetration test.
Think you know what a Red Team is, or maybe you’ve never heard of one? Read on.
"Red Team" often means different things to different people, particularly once technical acumen and nuance enter the conversation. Regardless of one's definition, the goal of a Red Team is almost always the same: to attack the target and gauge its ability to detect and defend against that attack. Does this sound too far-fetched for your penetration testing requirements? Are you wondering how it bears on the next round of compliance testing and quarterly scanning? The reality is that it's closer to the actual mark than you might think.
Replacing your next penetration test with a Red Team engagement can help you directly determine what is possible with the vulnerabilities present in the asset(s) to be tested (e.g., server, application, network, etc.). A Red Team engagement is designed to take advantage of the vulnerabilities and exploits present by actively circumventing security controls, much as a traditional penetration test does. But where a penetration test often stops at the technical level, a Red Team engagement extends to attacks against people (think phishing and social engineering here), process (breakdowns or gaps in procedures and policies), and utility (physical aspects such as location, facility, and physical security). This provides a more holistic, and thereby more realistic, view of the target's security posture and the control deficiencies present. An added upside to Red Teaming is the benefit of testing company defenses and the Blue Team (i.e., the teams tasked with defending company assets and resources, including people,