Offensive Security: Vulnerability Assessment vs Penetration Testing vs Red Teaming

Key Takeaways

  • Offensive security is the practice of testing security measures from an adversary’s perspective.

  • Offensive security testing can be broken down into: Vulnerability Assessments, Penetration Testing, and Red Teaming.

  • Each of these assessments differs in breadth and depth, and choosing one depends on the goals of your testing.

What is offensive security? Why use it?

First off, what is offensive security? One simple definition is: the practice of testing security measures from an adversary's or competitor's perspective.

In today’s ever-evolving threat environment, offensive security is absolutely critical for helping organizations find cracks in their defenses before the bad guys do. By engaging in offensive security activities, security teams can generate more contextualized metrics of vulnerabilities to present to stakeholders. 

The security testing market was valued at USD 5.36 billion in 2020 and expected to reach USD 22.9 billion by 2026 and grow at a CAGR of 27.2% over the forecast period (2021-2026).

Offensive security assessments are usually rolled into one big umbrella term, the one most people have heard of: "penetration testing". In reality there are three types of offensive security assessment: a Vulnerability Assessment, a Penetration Test, and a Red Team Assessment. While these assessments share some components, each one is different and should be used in a different context. This post covers those differences so readers can better understand this fast-growing market.

Vulnerability Assessment

While not technically an offensive security strategy, a vulnerability assessment is usually a foundational element to any red-team exercise or penetration test. A typical assessment identifies flaws and categorizes them by severity based on the criticality of the asset and other factors. It then provides advanced analysis to help security leaders decide whether it is worth the investment to patch the vulnerability.

A vulnerability assessment relies on automated network security scanning tools, whose results are listed in the report. Because the findings in a vulnerability assessment report are not backed by an attempt to exploit them, some of them may be false positives.

Penetration Testing

In contrast to vulnerability assessment, penetration testing involves identifying vulnerabilities in a particular network and attempting to exploit them to penetrate into the system.

The purpose of penetration testing is to determine whether a detected vulnerability is genuine. If a pentester manages to exploit a potentially vulnerable spot, he or she considers it genuine and reflects it in the report. The report can also show unexploitable vulnerabilities as theoretical findings.

At its core, real penetration testing means finding as many vulnerabilities and configuration issues as possible in the time allotted, and exploiting them to determine the risk each one actually poses. This does not necessarily mean uncovering new vulnerabilities (zero days); more often it means looking for known, unpatched vulnerabilities. Just like a vulnerability assessment, a penetration test is designed to find vulnerabilities and confirm they are not false positives. However, penetration testing goes further, as the tester attempts to exploit each vulnerability. This can be done in numerous ways and, once a vulnerability is exploited, a good tester will not stop. They will continue to find and exploit other vulnerabilities, chaining attacks together, to reach their goal.
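To make the difference between the two report types concrete, here is an added Python example (not code from the original post) that triages scanner findings the way a vulnerability assessment does, weighting scanner severity by the owner-assigned criticality of the asset, and then records the outcome of a pentester's exploit attempt so the report can separate confirmed, theoretical and still-unverified findings. The hosts, finding titles and severity weights are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity weights are constructed for this example; a real program would
# derive them from CVSS scores or the scanner's own rating.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    host: str
    title: str
    severity: str             # severity as reported by the scanner
    asset_criticality: int    # 1 (disposable) .. 5 (business-critical), set by the asset owner
    verified: Optional[bool] = None  # None: scanner-only; True/False: result of an exploit attempt

    def risk_score(self) -> int:
        """Scanner severity weighted by how much the asset matters."""
        return SEVERITY_WEIGHT[self.severity] * self.asset_criticality


def classify(finding: Finding) -> str:
    """Label a finding the way the two report types describe it."""
    if finding.verified is None:
        return "unverified"    # vulnerability assessment only: may be a false positive
    if finding.verified:
        return "confirmed"     # penetration test: exploit attempt succeeded
    return "theoretical"       # penetration test: exploit attempt failed


def triage(findings: List[Finding]) -> List[Finding]:
    """Highest-risk findings first, with a deterministic tie-break on host and title."""
    return sorted(findings, key=lambda f: (-f.risk_score(), f.host, f.title))


def record_exploit_attempt(findings: List[Finding], host: str, title: str, exploited: bool) -> Finding:
    """Attach the outcome of a pentest exploit attempt to a scanner finding."""
    for f in findings:
        if f.host == host and f.title == title:
            f.verified = exploited
            return f
    raise KeyError(f"no finding {title!r} on {host}")


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per classification for the report header."""
    counts = {"unverified": 0, "confirmed": 0, "theoretical": 0}
    for f in findings:
        counts[classify(f)] += 1
    return counts


def report_lines(findings: List[Finding]) -> List[str]:
    """One line per finding, highest risk first."""
    return [f"{f.risk_score():>2}  {f.severity:<8} {f.host:<8} {f.title:<30} {classify(f)}"
            for f in triage(findings)]


# Constructed sample scanner output (hypothetical hosts and findings).
SAMPLE_FINDINGS = [
    Finding("kiosk07", "Default SNMP community string", "high", 1),
    Finding("web01", "Outdated TLS configuration", "medium", 5),
    Finding("hr-app", "Missing security headers", "low", 3),
    Finding("db01", "Unpatched database service", "critical", 5),
]

# Hypothetical outcomes a pentester would add after attempting exploitation.
record_exploit_attempt(SAMPLE_FINDINGS, "db01", "Unpatched database service", True)
record_exploit_attempt(SAMPLE_FINDINGS, "web01", "Outdated TLS configuration", False)

if __name__ == "__main__":
    for line in report_lines(SAMPLE_FINDINGS):
        print(line)
    print(summary(SAMPLE_FINDINGS))
```

Note that a medium-severity issue on a business-critical host ranks above a high-severity issue on a throwaway kiosk, which is the "criticality of the asset and other factors" weighting the vulnerability assessment section describes; the pentest step then changes only the verification status, not the ranking.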

A Penetration Test is a good way to test the technical implementation of your security tools. For example, a test may seek to determine whether your application whitelisting is effective or whether your anti-phishing software works as intended.

Red Teaming

A Red Team Assessment is as real as it gets. A Red Team Assessment is similar to a penetration test in many ways but is more targeted. The goal of the Red Team Assessment is NOT to find as many vulnerabilities as possible. The goal is to test the organization's detection and response capabilities. 

The red team will try to get in any way possible, as quietly as possible. A Red Team Assessment emulates a malicious actor who targets the organization and works to avoid detection, similar to an Advanced Persistent Threat (APT). Red Team Assessments are also normally longer in duration than Penetration Tests. A Penetration Test often takes place over 1-2 weeks, whereas a Red Team Assessment could run 3-4 weeks or longer, and often involves multiple people.

Anything goes for the red team. A typical red team process will include Penetration Testing (network, application, mobile, device), Social Engineering (onsite, telephone, email/text, chat), and Physical Intrusion (lock picking, camera evasion, alarm bypass). For example, a red teamer may impersonate a FedEx delivery worker to get inside your doors to plant a device for easy remote access. 

A Red Team Assessment is NOT for everyone though and should be performed by organizations with mature security programs. These are organizations that often have penetration tests done, have patched most vulnerabilities, and have generally positive penetration test results.

Conclusion

When considering investing in red-team services, it’s essential to understand the goal you hope to achieve. If you need an in-depth analysis of the vulnerabilities in your environment, a vulnerability assessment is a good start. If you are a mature organization that is passing penetration tests and really want to put your security staff to the test, you could be ready for a red team assessment.

In general, in order of increasing breadth the tests are: Vulnerability Assessment, Penetration Test, Red Teaming; depth increases in the opposite order. Vulnerability assessments can be run as often as monthly (with additional testing after major network changes). Penetration testing can be conducted annually. Red teaming can be conducted at the discretion of the CISO.

Hopefully this demystifies offensive security by breaking down the services offered. Not all security tests are the same. None is better than the other. It all depends on the goals of your organization.