Pentest or Red Team? Pirates against ninja

Original author: Kirk Hayes
  • Translation

Who would win a battle between pirates and ninjas? I know what you are thinking: "What on earth does this have to do with security?" Read on to find out, but first choose: pirates or ninjas?

Before you make such a choice, you need to know their strengths and weaknesses:

Pirates

Strengths                      Weaknesses
Strong                         Loud
Good at brute-force attacks    Drunk (some consider this an advantage)
Good at plundering             Can be careless
Long range

Ninja

Strengths                      Weaknesses
Fast                           No armor
Stealthy                       Small
Trained to kill
Masters of hand-to-hand combat

It all comes down to which is more useful in a given situation. If you are hunting for treasure on a lost island and run the risk of running into Her Majesty's fleet, you probably do not need a ninja. If you are planning an assassination, pirates are not the ones to rely on.

The same holds for pentesting and red teaming. Both approaches have strengths and weaknesses, which makes one of them preferable depending on the circumstances. For maximum impact, define your goals first, then decide which approach best serves them.

Penetration testing

A pentest is often confused with other methods of security assessment: vulnerability assessment and red teaming. Although these approaches share common components, they are different and should be used in different contexts.

The purpose of a pentest is to identify the maximum number of vulnerabilities and misconfigurations in the allotted time, and to exploit them in order to determine the level of risk. This does not necessarily include hunting for zero-days; most often it is a search for known, unpatched vulnerabilities. As with a vulnerability assessment, a pentest is designed to find vulnerabilities and to weed out false positives.

However, in a pentest the tester goes further and actually attempts to exploit the vulnerability. This can be done in a variety of ways, and once a vulnerability has been exploited, a good pentester does not stop there. They continue to find and exploit other vulnerabilities, chaining attacks together to reach the goal. Every organization defines these goals differently, but they usually involve access to personal data, medical records or trade secrets. Sometimes this requires domain-administrator access; often it does not, and sometimes even domain-administrator access is not enough.

Who needs a pentest? Some government agencies require one, but organizations that already conduct regular internal audits, training and security monitoring are usually ready for such a test.

Red Team Assessment

Red teaming is in many ways similar to a pentest, but more targeted. The goal of the red team is not to find the maximum number of vulnerabilities. The goal is to test the organization's ability to detect and prevent intrusions. The attackers gain access to sensitive information in any way they can while trying to remain unnoticed, emulating targeted adversaries such as APTs. In addition, a red team engagement is usually longer than a pentest. A pentest usually takes 1–2 weeks, while a red team engagement can last 3–4 weeks or longer and involve several people.

During a red team engagement, the team does not hunt for a heap of vulnerabilities, only those needed to reach the goal. The objectives are the same as in a pentest. Methods such as social engineering (physical and electronic), attacks on wireless networks, attacks on external assets and so on are used. Such testing is not for everyone, but only for organizations with a mature information-security program. These organizations have usually already been through pentests, patched most of the vulnerabilities found, and have experience successfully countering penetration tests.

A red team engagement can proceed as follows:

A member of the red team enters the building disguised as a courier. Once inside, they connect a device to the organization's internal network to obtain remote access. The device establishes a network tunnel over one of the allowed ports, 80, 443 or 53 (HTTP, HTTPS or DNS), providing a C2 channel for the red team. Another team member uses this channel to move through the network infrastructure, relying on, for example, unprotected printers or other devices that help conceal the point of entry. In this way the red team explores the internal network until it reaches the goal, trying to stay under the radar.

This is just one of many methods a red team can use, but it is a good example of some of the tests we have performed.
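Because the scenario above succeeds only if the C2 tunnel over port 53 goes unnoticed, the blue team's detection matters as much as the red team's tradecraft. The following is an added illustration, not code from the original post or from the author: a simple heuristic over constructed DNS query-log lines that flags clients sending repeated long, high-entropy labels to the same parent domain, which is what a DNS-based tunnel typically looks like. The log format (timestamp, client IP, queried name) and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client IP, queried name); not real data.
# The long hex labels stand in for data carried inside a tunnel; the domain is a placeholder.
SAMPLE_LOG = """\
1700000000 10.0.5.21 www.example.com
1700000001 10.0.5.21 a3f9c1e8b2d47e6f0a9c3b1d5e7f8a2c4b6d8e0f.c2-placeholder.example
1700000002 10.0.5.21 9e1d3c5b7a2f4e6d8c0b1a3f5e7d9c2b4a6f8e0d.c2-placeholder.example
1700000003 10.0.5.21 f0e2d4c6b8a19c3e5d7f9b1a2c4e6d8f0b3a5c7e.c2-placeholder.example
1700000004 10.0.5.40 mail.example.com
1700000005 10.0.5.40 cdn.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_tunnel_like(qname: str, max_label: int = 30, min_entropy: float = 3.0) -> bool:
    """Tunnelled data is usually packed into the leftmost label: long and high-entropy.
    Thresholds are assumed values; tune them against your own baseline traffic."""
    first = qname.split(".")[0]
    return len(first) > max_label and shannon_entropy(first) >= min_entropy


def flag_dns_tunnel_candidates(log_text: str, min_hits: int = 3) -> dict:
    """Return {(client, parent_domain): count} for every client that sent at least
    min_hits tunnel-like queries to the same parent domain."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or empty lines
        _, client, qname = parts
        if is_tunnel_like(qname):
            parent = ".".join(qname.split(".")[1:])
            hits[(client, parent)] += 1
    return {key: count for key, count in hits.items() if count >= min_hits}


if __name__ == "__main__":
    for (client, parent), count in flag_dns_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {count} tunnel-like queries")
```

Legitimate CDNs and some security products also emit long labels, so in practice this heuristic is a triage signal to be combined with a per-client baseline, not a verdict on its own.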

So... Pirates or Ninjas?

Let's go back to pirates versus ninjas. If you guessed that pentesters are the pirates and red teamers are the ninjas, you guessed right. Which one is better? Often they are the same people, using different methods and techniques for different engagements. The real answer is the same as with pirates and ninjas: neither is necessarily better. Each is more useful in certain situations. You do not want pirates for a covert operation, just as you do not want ninjas to sail the seas in search of treasure. Likewise, it makes no sense to use a pentest to evaluate incident response, or a red team engagement to find vulnerabilities.
