The Offensive Trident

The Offensive Trident
Photo by Lance Reis / Unsplash

The unique approach:

While engaging in numerous conversations within the great community of offensive security enthusiasts, as well as with those on the blue side of the fence, I have found that there is often confusion about the terms "Red Teaming", "Pentesting", and "Vulnerability Scanning". I had assumed that these distinctions were common knowledge, but I didn’t specifically notice the issue until after having a few conversations.

The issue seems to differ depending on which side of the fence I am speaking to:

  • On the red side, I see "Red Teaming" and "Pentesting" used fairly interchangeably, while "Vulnerability Scanning" is generally kept separate.
  • On the blue side, unfortunately, I have seen all three terms used interchangeably.

While this might seem like a minor issue, the differences have still caused confusion about what is actually meant by the information being interpreted.

Before I begin, I highly suggest reading this post on the Red Team Guide as a great reference:

Red Team Engagement vs Penetration Test vs Vulnerability Assessment | Red Team Development and Operations
Red Team Engagement vs Penetration Test vs Vulnerability Assessment
REDTEAM.GUIDE

Vulnerability scanning:

Let’s start with good old vulnerability scanning. Most people have heard of common scanners like Nessus, OpenVAS, Nmap, and Horizon.ai. There are plenty of options out there, and I’ve personally seen new ones pop up quarterly, all operating under the same principle.

The scan requires no hands-on keyboard interaction and runs through a defined set of arbitrary checks and signatures to determine if a risk is present. These scans can be performed with or without credentials and can be configured to simulate some activity, such as running basic commands to validate remote code execution (RCE) capabilities.

Let’s get down to brass tacks: vulnerability scans are NOT the same as pentests or red team engagements. These scans are limited in scope and will not provide a true representation of what a specific threat actor might emulate.

The source of this confusion likely stems from the fact that a vulnerability scan can be conducted during a pentest or red team engagement to provide a more comprehensive overview.

Penetration testing:

Penetration testing, often referred to simply as "pentesting", involves comprehensive testing of a network, application, or machine at a lower level in a more overt manner. Contrary to popular belief, getting caught is not a problem; the goal of pentesting is to be noticeable and help the client identify low-level vulnerabilities.

This testing involves hands-on keyboard work performed by a pentester or a team of pentesters. It cannot be fully automated, as no current technology can match the creativity and critical thinking of human testers.

The duration of the testing can range from one day to one month. However, in most cases, a single week is sufficient for most tests. This is often followed by a reporting period and a retesting phase.

The main confusion arises from the misleading promotion of automated pentests, which are not a real concept. Automated tests are essentially just modified vulnerability scans.

The confusion surrounding red team engagements often comes from the misconception that "red team" as a role is synonymous with any form of offensive testing, rather than understanding red teaming as a specific concept.

Red teaming:

The elite side of offensive security! This concept elevates penetration testing to a new level. Red team engagements focus on emulating specific threat actors targeting an organization. These engagements are much more stealthy and use advanced tactics and tools to gain access and maintain persistence.

The duration of these engagements can vary widely depending on multiple factors; however, they commonly last around three months from start to full completion.

The main confusion arises from grouping all types of security testing under a single term, such as "pentest" or "red team" engagement.

Summary:

This is a high-level overview and does not delve deeply into these concepts. The main goal of this article is to provide a general understanding of the concepts and their differences.

Vulnerability Scanning:

  • No hands-on interaction
  • Automated
  • Limited to predefined checks

Penetration Testing:

  • Hands-on
  • Short duration
  • Not stealthy

Red Teaming:

  • Hands-on
  • Long duration
  • Stealthy with emulation of specific threat actors