
Red Teaming and Pentesting: Understanding the Differences and Values of Both

By: Synack
22 February 2022 at 09:00

By Kim Crawley

As technology is becoming more complex and smarter, attackers are growing increasingly sophisticated and cunning. That’s why it’s important to take an offensive approach to security and to hunt for vulnerabilities with the same adversarial mindset, approach and tools that malicious hackers use to carry out attacks.

Two of the most common approaches to offensive security are red teaming and pentesting, disciplines in which specialists simulate real-world attacks, conduct rigorous vulnerability assessments, stress test networks with hacking tools and look for more than just the most common digital flaws.

It’s also important to understand the differences between red teaming and pentesting as well as where the Venn diagram between the two overlaps. Let’s take a look.

Pentesting: Striking Like the Attacker To Find Vulnerabilities

A penetration test is essentially an engagement that simulates a cyberattack to find weaknesses in systems and networks. Pentesters mimic malicious hacks to test security preparedness, patches and upgrades to systems. The same approach also applies to physical security (can a criminal break into the building?) and social engineering.

Pentesters can be part of external, third-party vendors that an organization hires to test from an outsider’s perspective, or internal employees who regularly test their employer’s network with insider knowledge. Traditional pentests often provide a small number of testers on site for two weeks once a year, and testers are compensated for their hours spent on the target. Furthermore, pentesters must respect the legal contracts they’ve signed with clients or employers and must work within the scope defined in the contract. If breaking physical locks or running vulnerability scans on a network segment is outside the defined scope, they won’t test those targets.

Red Teaming: Laser-Focused on Infiltrating Targets

Red teamers also conduct pentests, but they aren’t looking to find every single vulnerability or weakness. They are more focused on infiltrating intended targets, often by any means necessary. They want to find the most effective way into an organization or system and see how much damage they could do once inside.

Red teams also tailor their attack methods to the intended targets, so they are often less constrained in the types of attacks they can use to breach an organization. They have more freedom to get creative and use their skills as they see fit.

Red teams also often compete against blue teams that run defensive operations simultaneously. Because of the depth of red teaming exercises, these engagements tend to last much longer than pentests.

Synack Experts on Pentesting and Red Teaming

Ryan Rutan, Senior Director of Community for the Synack Red Team, has first-hand experience of how crucial both pentesting and red teaming can be when performed effectively.

Here’s what he had to add:

“Pentesting can uncover a large swathe of vulnerable attack surfaces at once. Once all the CVSS (Common Vulnerability Scoring System, a standard for understanding vulnerabilities) sorting pans out, you have a list of things you can fix in the next day, week or month. That is often enough time for the next pentest to roll around to start the process all over again. Maintaining that actionable cadence can be difficult, but important for DevSecOps fluidity, and, let’s face it, blue side (cyber defensive) morale.

In my opinion, red teaming starts once many iterations of this cycle have been completed, and the target organization has made conscious countermeasures to threats identified in the pentesting results. Red teaming goes after specific critical objectives and typically has a much stricter scope or defined success criteria. The scope is often overlaid on top of past known vulnerable attack surfaces to test proper patching and mitigation.

In both cases, pentesting and red teaming, ethical hackers imitate adversaries to bolster blue side defences, but how they go about the process and to what degree makes all the difference. To sum it all up, pentesting helps tell you where you are vulnerable. Red teaming helps tell you what is safe. These two offensive security tactics work hand in hand to solidify a better defense in-depth posture that is tailored to meet the needs and capabilities for a given organization.”

Tim Lawrence, a solutions architect at Synack, describes pentesting and red teaming this way: “Penetration testing is the act of actively looking and trying to exploit vulnerabilities on authorized systems to evaluate the security of the system.

Red teaming is when an authorized team looks for weaknesses in an enterprise’s security by conducting simulated attacks against the target. The outcome is to improve the security of the enterprise by showing the impact to the business, and also to learn how to defend and alert against attacks.”

Duration, Domain and Adversary Emulation

Daniel Miessler is a well-regarded expert on security testing methodologies and on approaching cybersecurity from the defensive side. His website and podcast are well worth checking out. He now works as the head of vulnerability management and application security for Robinhood.

When I asked him for his views on pentesting versus red teaming, he directed me to something he’s already written. In “The Difference Between a Penetration Test and a Red Team Engagement,” he summarizes the distinctions between penetration tests and red teams:

“Duration: Red Team engagements should be campaigns that last weeks, months, or years. The blue team and the target’s users should always be in a state of uncertainty regarding whether a given strange behavior is the result of the Red Team or an actual adversary. You don’t get that with a one or two week assessment.

Multi-domain: While Penetration Tests can cross into multiple domains, e.g., physical, social, network, app, etc.—a good Red Team almost always does.

Adversary Emulation: The item that separates a random Penetration Test from a real Red Team engagement is that Penetration Tests generally involve throwing common tools and techniques at a target, whereas a Red Team should be hitting the organization with attacks that are very similar to what they expect to see from their adversaries. That includes constant innovation in terms of tools, techniques, and procedures, which is in strong contrast to firing up Nessus and Metasploit and throwing the kitchen sink.”

I recommend reading his entire post for more context.

The Synack Approach to Pentesting and Red Teaming

Synack knows that today’s cyberthreat landscape requires continuous pentesting for effective defense, because traditional pentesting habits are frequently slow, disruptive and often can’t scale across an entire organization.

The Synack Platform combines the best aspects of pentesting and red teaming with a pentest that harnesses the best human talent and technology, plus on-demand security tasks from a community of 1,500 of the world’s most skilled ethical hackers. Synack focuses on finding vulnerabilities that matter, so organizations can find and fix new, exploitable vulnerabilities faster.

Learn more about the Synack difference here: Synack365.


The post Red Teaming and Pentesting: Understanding the Differences and Values of Both appeared first on Synack.

The Eight Most Dangerous Cybersecurity Threats Facing Your Business – Part 1

By: Synack
11 December 2020 at 12:40

Lessons From a Synack Security Analyst

By Aigerim Kikabayeva

Security teams inside your organization can’t be the only ones guarding against cyberthreats, but that’s all too often the case. Many of us may think that what we don’t know can’t hurt us, and we tend to focus on business issues rather than the potential impact of cyberattacks. However, every line of business (LOB) is vulnerable, and in many cases successful breaches will affect LOB executives the most through lost revenue or brand damage.

In Part 1 of this article, we’ll discuss four of the eight biggest threats facing businesses and describe common scenarios for how malicious hackers might exploit vulnerabilities to carry out an attack.

Threat No. 1: Access Control Violation

Access Control vulnerabilities are among the most commonly found flaws on the Synack security testing platform. This is a major issue, as this kind of vulnerability can grant privileges to unauthorized users.

Although researchers are able to find numerous vulnerabilities through automated scanner tests, scanners cannot catch Access Control vulnerabilities. This requires an actual researcher to go through the application logic and corresponding roles, testing various scenarios.

One recent Access Control vulnerability discovered using the Synack platform could have allowed an attacker to place orders without any validation on a payment processing platform.
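The point that scanners miss and a human tester finds is the authorization decision itself: does the server check who is calling and what state it holds before acting? The following is an added example, not code from Synack or from the platform described above. The role names, order fields and payment states are constructed assumptions. It places a flawed order handler, which trusts the request body, beside one that consults the server-side session and payment record, and it walks the role-and-ownership matrix a manual tester would try by hand.

```python
"""Object-level authorization on an order-placement endpoint (constructed example).

The roles "customer", "support" and "admin", the Order fields and the payment
states are assumptions for illustration, not a real system's model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity established server-side, e.g. from a session cookie."""
    user_id: str
    role: str  # assumed roles: "customer", "support", "admin"


@dataclass
class Order:
    order_id: str
    owner_id: str
    placed: bool = False


class AuthzError(PermissionError):
    pass


def make_orders() -> dict:
    """Constructed sample data: two customers, one order each."""
    return {
        "o-100": Order("o-100", owner_id="alice"),
        "o-200": Order("o-200", owner_id="bob"),
    }


def place_order_insecure(orders: dict, request: dict) -> str:
    """The flawed handler: it never asks who is calling, and it believes the
    client's own claim that payment was verified."""
    order = orders[request["order_id"]]
    if request.get("payment_verified"):
        order.placed = True
        return "placed"
    return "payment required"


def authorize(session: Session, action: str, order: Order) -> None:
    """Central policy: every decision uses the server-side session, never
    identifiers or flags supplied in the request body."""
    if session.role == "admin":
        return
    if action == "place" and session.role == "customer" and order.owner_id == session.user_id:
        return
    if action == "view" and (session.role == "support" or order.owner_id == session.user_id):
        return
    raise AuthzError(f"{session.user_id} ({session.role}) may not {action} {order.order_id}")


def place_order_secure(orders: dict, session: Session, order_id: str, payment_records: dict) -> str:
    order = orders[order_id]
    authorize(session, "place", order)
    # Payment state is read from the server's own record for this order.
    if payment_records.get(order_id) != "authorized":
        return "payment required"
    order.placed = True
    return "placed"


def attempt(orders: dict, session: Session, order_id: str, payment_records: dict) -> str:
    """Same as place_order_secure but reports a denied call as a string."""
    try:
        return place_order_secure(orders, session, order_id, payment_records)
    except AuthzError:
        return "denied"


def scenario_matrix() -> dict:
    """Walk role x caller x action against alice's order, the way a manual
    tester would; a scanner has no notion of which combinations should fail."""
    results = {}
    for role in ("customer", "support", "admin"):
        for caller in ("alice", "bob"):
            for action in ("view", "place"):
                session = Session(caller, role)
                try:
                    authorize(session, action, make_orders()["o-100"])
                    results[(role, caller, action)] = "allowed"
                except AuthzError:
                    results[(role, caller, action)] = "denied"
    return results


if __name__ == "__main__":
    for key, outcome in sorted(scenario_matrix().items()):
        print(f"{key[0]:>8} {key[1]:>6} {key[2]:>5}: {outcome}")
```

The matrix is the useful artefact for a tester: every cell is a request that is easy to send but whose expected result depends on business rules the application alone knows, which is why this class of flaw needs a person reading the roles and the logic.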

Threat No. 2: Code Injection Attacks

Code injection attacks are simply attacks that happen when malicious hackers insert code into an application and then manipulate it to cause some damage or gain control. These attacks take advantage of vulnerabilities that allow unauthorized users to inject code into programs. These are not common flaws and often require skilled adversaries to exploit, yet Synack researchers find them all too often.

File upload services are commonly known to be especially vulnerable to code injection attacks. Attackers are often able to bypass extension restrictions on sites and upload dangerous files into systems, which can then give them the ability to execute arbitrary commands, access other parts of the network and sometimes steal or manipulate data across entire systems.
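An extension check on the client-supplied filename is the control that usually gets bypassed, because the name says nothing about the bytes. The validator below is an added example, not code from Synack or from any system in the post; the allowlist, size cap, signature bytes and sample uploads are constructed assumptions. It sits beside the weak name-only check and enforces a single allowlisted extension, a content signature that matches it, and a server-chosen storage name.

```python
"""Upload validation: weak extension test beside a stricter validator (constructed example).

ALLOWED_TYPES, MAX_BYTES and the sample uploads are assumptions for illustration.
"""
import os
import re
import secrets
from dataclasses import dataclass

# Allowed extensions and the leading bytes a file of that type must start with
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024                       # assumed cap
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # name stem: no dots, slashes or spaces


def extension_only_check(filename: str) -> bool:
    """The weak control: looks only at how the client-supplied name ends."""
    return filename.lower().endswith(tuple("." + ext for ext in ALLOWED_TYPES))


class UploadRejected(ValueError):
    pass


@dataclass(frozen=True)
class Accepted:
    stored_name: str  # chosen by the server, never the client's name
    kind: str


def validate_upload(filename: str, content: bytes) -> Accepted:
    # 1. Only the basename matters; any directory part from the client is dropped.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("empty name or control characters")
    # 2. Exactly one extension, from the allowlist. Two dots means two
    #    extensions, and the name is refused rather than guessing which counts.
    parts = base.split(".")
    if len(parts) != 2:
        raise UploadRejected("name must be stem.ext with a single extension")
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not SAFE_STEM.match(stem):
        raise UploadRejected("unsafe characters in name")
    # 3. Size cap before anything expensive happens.
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    # 4. The bytes must really be the claimed type; the name proves nothing.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # 5. Store under a random server-chosen name carrying the verified extension.
    return Accepted(stored_name=f"{secrets.token_hex(16)}.{ext}", kind=ext)


def outcome(filename: str, content: bytes) -> str:
    """Returns 'accepted:<kind>' or 'rejected:<reason>' for easy comparison."""
    try:
        return "accepted:" + validate_upload(filename, content).kind
    except UploadRejected as exc:
        return "rejected:" + str(exc)


# Constructed sample uploads
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT_BODY = b"plain text that is not an image"

if __name__ == "__main__":
    samples = [("photo.png", PNG_HEADER), ("photo.jpg", TEXT_BODY),
               ("report.php.jpg", PNG_HEADER), ("../../x.png", PNG_HEADER)]
    for name, body in samples:
        print(f"{name!r}: weak={extension_only_check(name)} strict={outcome(name, body)}")
```

Two design choices matter here. Refusing names with more than one extension removes the whole question of which extension the web server or framework will honour, and generating the stored name on the server means the uploaded name never reaches the filesystem or a URL at all.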

Threat No. 3: SQL Injection Attack

This is another data manipulation attack. It occurs when an attacker supplies unvalidated input that the application splices into a SQL query, so the input is executed as part of the query itself. This gives an attacker the ability to manipulate and steal data, spoof identities and generally wreak havoc inside a victim’s databases. These attacks can be prevented by making sure that user input validation and parameterized queries are in place and kept up to date, so that unauthorized use isn’t allowed.

Since SQL injection provides full access into the database and its data, an attacker can take advantage of further database misconfigurations. One such critical vulnerability was a PCI violation revealed through SQL injection, where hundreds of credit card accounts had expiration dates and CVV numbers stored in cleartext.
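The two defences named above, parameterized queries and input validation, cover different parts of a statement, and it helps to see both. The block below is an added example, not code from Synack or from the engagement described; the table, rows and probe string are constructed. It runs a string-built lookup and a parameterized lookup against the same in-memory SQLite database, then shows the one place (a column name) where a parameter cannot be used and an allowlist has to do the work.

```python
"""String-built SQL beside a parameterized query, against in-memory SQLite (constructed example).

The customers table and its rows are sample data for illustration only.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Input is spliced into the statement text, so it can change the
    statement's grammar instead of being treated as a plain value."""
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, username: str) -> list:
    """Placeholder binding: the driver passes the value separately from the
    statement, so it is only ever compared, never parsed as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Identifiers cannot be bound as parameters, so a sort column still needs
# validation against a fixed allowlist before it goes into the statement.
SORTABLE_COLUMNS = frozenset({"username", "email"})


def list_customers(conn: sqlite3.Connection, order_by: str) -> list:
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return conn.execute(f"SELECT username FROM customers ORDER BY {order_by}").fetchall()


def sort_column_allowed(order_by: str) -> bool:
    """Validation result on its own, for callers that want to report rather than raise."""
    return order_by in SORTABLE_COLUMNS


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    print("vulnerable:   ", find_customer_vulnerable(db, probe))  # every row
    print("parameterized:", find_customer_safe(db, probe))        # no rows
    print("sorted:       ", list_customers(db, "email"))
```

With the string-built query the probe becomes part of the SQL and matches every row; with the bound parameter the same string is compared literally against the username column and matches nothing. Note that the allowlist for `ORDER BY` is deliberately a closed set of known names rather than a pattern, since the goal is to admit only values the application itself defined.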

Threat No. 4: Business Logic Flaws

While these often appear to be low-impact flaws, they can actually allow attackers to interrupt business operations by taking advantage of poorly designed processes. Business Logic Flaws aren’t technically vulnerabilities, but operational glitches that can allow malicious hackers to manipulate the process for financial gain or cause other damage. And because these aren’t vulnerabilities in a technical sense, scanners aren’t going to catch them, and traditional testers could miss them or downplay them.

A simple example of a very basic Business Logic Flaw was discovered in movie theater booking systems that allowed customers to hold seats for 10 minutes before actually buying seats for the next show time. If someone wanted a whole theater to themselves, they could select all the seats and hold them again every 10 minutes, preventing other customers from buying any seats at all. The result would be total financial loss for the ticket seller.
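The fix for a flaw like this is not a patch but a policy: bound how much inventory one identity can tie up and how often it may re-hold. The following is an added example, not code from Synack or from any booking vendor. The 10-minute hold comes from the scenario above; the per-customer cap of 8 seats, the limit of 20 hold requests per hour, the 50-seat screen and the account names are constructed assumptions. It uses an injectable clock so the expiry and re-hold cycle can be replayed offline.

```python
"""Seat-hold policy that bounds how much inventory one identity can tie up (constructed example).

HOLD_SECONDS follows the 10-minute hold in the scenario; the other limits,
the seat map and the account names are assumptions for illustration.
"""
from collections import defaultdict

HOLD_SECONDS = 10 * 60
MAX_SEATS_PER_CUSTOMER = 8        # assumed policy
MAX_HOLD_REQUESTS_PER_HOUR = 20   # assumed policy


class FakeClock:
    """Injectable time source so expiry can be exercised without waiting."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class SeatHolds:
    def __init__(self, seats, clock) -> None:
        self.seats = set(seats)
        self.clock = clock
        self.holds = {}                    # seat -> (customer, expires_at)
        self.requests = defaultdict(list)  # customer -> timestamps of hold requests

    def _expire(self) -> None:
        now = self.clock()
        for seat, (_, expires_at) in list(self.holds.items()):
            if expires_at <= now:
                del self.holds[seat]

    def held_by(self, customer: str) -> set:
        self._expire()
        return {s for s, (c, _) in self.holds.items() if c == customer}

    def hold(self, customer: str, seat: str) -> str:
        self._expire()
        now = self.clock()
        if seat not in self.seats:
            return "no such seat"
        if seat in self.holds:
            return "unavailable"
        # Control 1: one identity may not tie up more than a handful of seats at once.
        if len(self.held_by(customer)) >= MAX_SEATS_PER_CUSTOMER:
            return "hold limit reached"
        # Control 2: re-holding every time a hold lapses is rate limited per hour.
        recent = [t for t in self.requests[customer] if t > now - 3600]
        self.requests[customer] = recent
        if len(recent) >= MAX_HOLD_REQUESTS_PER_HOUR:
            return "too many hold requests"
        recent.append(now)
        self.holds[seat] = (customer, now + HOLD_SECONDS)
        return "held"


def hoarding_scenario() -> dict:
    """One account tries to hold every seat, then repeats just after each
    round of holds lapses; a second customer then checks what is left."""
    clock = FakeClock()
    seats = [f"A{i}" for i in range(1, 51)]  # constructed 50-seat screen
    system = SeatHolds(seats, clock)
    held_per_round = []
    for round_no in range(3):
        clock.now = round_no * (HOLD_SECONDS + 1)  # one second after the last holds lapse
        for seat in seats:
            system.hold("hoarder", seat)
        held_per_round.append(len(system.held_by("hoarder")))
    other = system.hold("patron", "A20")
    return {
        "held_per_round": held_per_round,
        "other_customer": other,
        "seats_free": len(system.seats) - len(system.holds),
    }


if __name__ == "__main__":
    print(hoarding_scenario())
```

In the replay the hoarding account never holds more than 8 of the 50 seats, and by the third cycle the hourly request budget is exhausted so it holds only 4; the other customer's hold succeeds and 45 seats remain available. The same two controls apply to any hold-then-pay flow, not just theater seats, which is why this kind of check belongs in the design review rather than in a scanner profile.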

The post The Eight Most Dangerous Cybersecurity Threats Facing Your Business – Part 1 appeared first on Synack.
