Penetration testing and red teaming use different methods to test different things. If you’re testing a specific app or system, penetration testing will help you identify the weak points and how they could be exploited. If you’re testing the overall security of your organisation to find out where it needs to be improved, red teaming will be the better option.
Some organisations, such as banks, government departments and utility providers, must carry out red teaming to be compliant with their regulator. But for everyone else, it comes down to whether you want to check something is secure to get sign-off, or you want to put the security of your organisation to the test to see what needs to be improved.
More mature organisations are likely to gain more from red teaming because they’re likely to have technology, processes and personnel in place. We’ll tease out the vulnerabilities that get overlooked or fall through the cracks with large estates, multiple physical sites, complex supply chains and siloed departments.
The maturity of your Security Operations Centre (SOC) plays a big role in how much your organisation will benefit from red teaming. The more experienced your SOC is, the more creative our red team will have to be to breach your systems.
Red teaming aims to test how well your organisation responds to a threat. We’ll compromise your business through any means possible, which could include physically gaining access to your premises and server rooms, as well as digitally compromising your assets.
At the end of a test, our red team will report back on how they were able to breach your security and show you how to protect your firm better going forward.
Purple teaming is when some of our experts join your blue team (your SOC or incident response team) to defend against a red team attack. We will coach your team through the exercise so that they learn what to look out for and the best ways to respond.
During a penetration test (also called a pen test), we will interrogate a specified service and uncover any vulnerabilities or misconfigurations. We will then exploit anything we find to show how it could lead to an attack and how far into your business an external actor could get.
After the test, we’ll put together a report to show you what we found and what action you should take. Penetration testing is useful to show that you’ve undertaken due diligence.
Scenario-based penetration testing sits in between red teaming and penetration testing and is a very popular option for many organisations. Just like with red teaming, we’ll carry out several different attack scenarios – the difference is in how you respond to the attacks.
Unlike red teaming, where your blue team is unaware of the engagement and will be trying to shut any attacks down, everyone will be aware of a scenario-based pen test. Your blue team might try to track what we’re doing across the network, but they won’t try to stop our attacks because the purpose of the test is to find as many vulnerabilities as possible.
At 6point6, we have a team of full-time researchers working in our cyber lab. They come from a wide range of backgrounds, including ex-British Intelligence and military personnel, and are some of the world’s leading cyber professionals. When we carry out red teaming, our researchers can embed themselves within your blue team to support your response and help train your staff.
When we’re not testing, our researchers carry out dedicated work developing new methods and tools in cybersecurity. We’ve recently created a Mass File Inspector. This is an open-source tool written in Python that’s able to quickly analyse large numbers of documents to try and automatically detect whether they are malicious.
Our cyber lab is key to keeping us ahead of the game when it comes to the ever-changing risks in cyber and helped us win Consulting Practice of the Year at the Cyber Security Awards 2019. You can read more about what our cyber lab gets up to here.
Written by Misha Newman, Head of Red Team
If you’d like to find out more about how we could help you secure your business, get in touch.