
Pentest or Red Team? Pirates vs. Ninjas


Who will win the battle of pirates against ninjas? I know what you are thinking: "What the hell does this have to do with security?" Read on to find out, but first choose: pirates or ninjas?

Before you make such a choice, you need to know their strengths and weaknesses:

Pirates

Strengths: powerful; good at brute-force attacks; good at plundering; long range.
Weaknesses: loud; drunk (some consider this an advantage); can be careless.

Ninjas

Strengths: fast; stealthy; called to teach; melee masters.
Weaknesses: no armor; small.

It all comes down to which is more useful in a given situation. If you are hunting for treasure on a lost island and risk running into Her Majesty's fleet, you probably do not need a ninja. If you are planning an assassination, pirates are not the ones to rely on.

The same holds for pentesting and red teaming. Each approach has its strengths and weaknesses, which make one or the other preferable depending on the circumstances. For maximum impact, define your goals first, then decide which approach suits them best.

Penetration testing



A pentest is often confused with other security assessment methods: vulnerability assessment and red teaming. Although these approaches share components, they are different and should be used in different contexts.

The purpose of a pentest is to identify the maximum number of vulnerabilities and misconfigurations in the allotted time, and to exploit them in order to determine the level of risk. This does not necessarily include searching for zero-days; most often it is a search for known, publicly disclosed vulnerabilities. As with a vulnerability assessment, a pentest is designed to find vulnerabilities and to weed out type I errors (false positives).

During a pentest, however, the tester goes further and attempts to actually exploit the vulnerability. This can be done in many ways, and once a vulnerability has been exploited, a good pentester does not stop there. They continue to find and exploit other vulnerabilities, chaining attacks together to reach the goal. Every organization sets these goals differently, but they usually include access to personal data, medical records or trade secrets. Sometimes this requires domain-administrator access, but often you can do without it, and sometimes even that level of access is not enough.

Who needs a pentest? Some government agencies require one, but organizations that already conduct regular internal audits, training and security monitoring are usually ready for such a test.

Red Team Assessment



Red teaming is much like a pentest, but more targeted. The goal of the red team is not to find the maximum number of vulnerabilities. The goal is to test the organization's ability to detect and prevent an intrusion. The attackers gain access to sensitive information by any means they can, while trying to stay unnoticed. They emulate targeted adversaries such as APT groups. In addition, a red team engagement is usually longer than a pentest. A pentest typically takes 1–2 weeks, whereas red teaming can last 3–4 weeks or longer and involve several people.

During red teaming, the team does not hunt for a heap of vulnerabilities, only for those needed to reach the goal. The goals are usually the same as for a pentest. Red teaming uses methods such as social engineering (physical and electronic), attacks on wireless networks, attacks on external assets, and so on. Such testing is not for everyone; it is for organizations with a mature level of information security. These organizations have usually already been through pentests, patched most of their vulnerabilities, and have experience successfully withstanding penetration tests.

A red team engagement can proceed as follows:

A member of the red team enters the building disguised as a courier. Once inside, they connect a device to the organization's internal network for remote access. The device establishes a network tunnel over one of the allowed ports: 80, 443 or 53 (HTTP, HTTPS or DNS), providing a C2 channel for the red team. Another team member uses this channel to move through the network infrastructure, for example via unprotected printers or other devices that help hide the point of entry. In this way the red team explores the internal network until it reaches the goal, trying to stay under the radar.

This is just one of many methods a red team can use, but it is a good example of some of the tests we have performed.
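The scenario above is exactly the kind of intrusion a red team engagement tests the blue team's ability to detect. As an added example (not code from the original article), the following toy detector looks for the DNS-over-port-53 C2 tunnel described above: a tunnel has to encode its data in DNS names, so one source host ends up sending many long, high-entropy leftmost labels to the same parent domain. The log format, the 30-character length threshold, the 3.5-bit entropy threshold and the three-label count threshold are all assumptions chosen for this example, and the log lines are constructed.

```python
"""Toy detector for DNS-tunnel-style C2 traffic (added example, not from the article).

Flags (source IP, parent domain) pairs for which the source has queried several
distinct long, high-entropy leftmost labels. Thresholds are illustrative assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original article).
# Format per line: <timestamp> <source-ip> <queried-name> <query-type>
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.5.17 www.example.com A
2024-01-01T10:00:02 10.0.5.17 mail.example.com MX
2024-01-01T10:00:03 10.0.5.17 cdn-assets-static-content-delivery.example.com A
2024-01-01T10:00:04 10.0.9.44 3q4x9z1k8p2m7v5n0b6t4r2y9w1e8u.tunnel.example.net TXT
2024-01-01T10:00:05 10.0.9.44 7h2j5k9l1m4n8p0q3r6s2t5v8w1x4y.tunnel.example.net TXT
2024-01-01T10:00:06 10.0.9.44 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5.tunnel.example.net TXT
2024-01-01T10:00:07 10.0.9.44 z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5.tunnel.example.net TXT
2024-01-01T10:00:08 10.0.9.44 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, qname, qtype = m.groups()
    return {"ts": ts, "src": src, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def shannon_entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (leftmost label, parent domain). The leftmost label is where a
    tunnel carries its payload; the parent is everything to its right."""
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    return labels[0], ".".join(labels[1:])


def detect_dns_tunnels(log_text, min_len=30, min_entropy=3.5, min_count=3):
    """Return a sorted list of (src, parent, distinct_label_count) for every
    (src, parent) pair that sent at least min_count distinct labels which are
    both long (>= min_len chars) and high-entropy (>= min_entropy bits)."""
    suspicious = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label, parent = split_name(rec["qname"])
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            suspicious[(rec["src"], parent)].add(label)
    return sorted(
        (src, parent, len(labels))
        for (src, parent), labels in suspicious.items()
        if len(labels) >= min_count
    )


if __name__ == "__main__":
    for src, parent, n in detect_dns_tunnels(SAMPLE_LOG):
        print(f"{src} -> {parent}: {n} distinct long high-entropy labels")
```

Note the long but legitimate CDN hostname in the sample: it passes the per-label length and entropy checks on its own, which is why the detector only alerts when one source sends several such labels to the same parent domain. In a real deployment the thresholds would be tuned against a baseline of the organization's normal DNS traffic, and known CDN or telemetry domains would be allow-listed.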

So... Pirates or Ninjas?



Let's go back to pirates versus ninjas. If you guessed that pentesters are the pirates and red teamers are the ninjas, you guessed right. Which one is better? Often they are the same people, using different methods and techniques for different assessments. The real answer is the same as for pirates and ninjas: neither is necessarily better. Each is more useful in certain situations. You do not need pirates for a covert operation, nor ninjas to sail the seas in search of treasure. Likewise, it makes no sense to use a pentest to assess incident response, or a red team engagement to find vulnerabilities.

Source: https://habr.com/ru/post/420551/
