It is a fairly common occurrence that organizations approach us unsure what type of security testing they need because a particular security framework, best practice, or compliance requirement states they need quarterly scanning or a penetration test. While these security frameworks serve an important purpose of ensuring a standard set of expectations and requirements for organizations, the language surrounding various technical controls or Security Testing Services can be confusing or generic, or can all sound very similar. I hope to provide you with a better understanding of the distinctions between the various security testing services and to arm you with the knowledge necessary to know what type of service you need, based on your security program’s maturity and goals.
Vulnerability Scans are exactly what they sound like. Scans are performed with a vulnerability scanning application such as OpenVAS, Qualys, Nessus, Nexpose, etc., can be directed at external- or internal-facing systems, and are generally performed monthly or quarterly. The output of a vulnerability scan is generally an Excel spreadsheet or PDF report. More mature organizations incorporate these results directly into a change management or bug tracking system, thus automating patch management workflows. Periodic vulnerability scanning is imperative to create a defensible environment. If you are not performing regular scanning, you are probably not prepared for a more comprehensive engagement such as a penetration test. Vulnerabilities by themselves are not the entirety of a penetration test. However, not patching is like leaving your front door open and unlocked while leaving for vacation.
A Vulnerability Assessment is designed to give a snapshot of an organization’s vulnerability management program and assess its effectiveness against the current threat landscape. It generally consists of discussion with your security team regarding your vulnerability management workflow, as well as detailed reviews of both authenticated internal and unauthenticated external vulnerability scans. One key distinction is that this type of assessment usually does NOT include exploitation, as the focus is on threat management rather than a more attack-focused engagement. Vulnerability assessments produce an in-depth report that provides the overall risks associated with the vulnerability management program, along with the detailed threats as seen from a potential attacker’s point of view. The report lists the most critical identified vulnerabilities and the dangers/risks they pose to your environment. A more mature assessment, like the ones performed by True Digital Security, will categorize them using a framework such as MITRE ATT&CK to provide context on where the identified vulnerabilities could be exploited in the attack chain. This assessment is the best option for organizations that are performing periodic vulnerability scanning but do not have a clear picture of their overall threat profile and how systems and applications may be vulnerable.
A Penetration Test is an assessment that is designed to fully test an environment’s security defenses. The penetration test is intended to test your environment using real attack tools and techniques used by malicious actors. You can expect network identification, vulnerability scanning, and automated and manual exploitation that includes password hash interception, database hardening testing, pass-the-hash, password cracking, vulnerability exploitation, and more. All findings are validated, and exploitation results are included to provide insight into what was done and what level of compromise was possible. The report lists the most critical of the identified vulnerabilities and the dangers/risks they pose to your environment. The narrative section provides a step-by-step review of the process performed by the Red Team and how security flaws were chained together to achieve the goal. Understanding how vulnerabilities can be used together and evaluating their impact on your organization is one of the primary distinctions between a penetration test and a vulnerability assessment or vulnerability scan, neither of which allows for exploitation. Penetration Tests give a more realistic expectation of what a malicious actor could accomplish within your environment and provide assurance that your security defenses are working.
Red Team Engagement
A Red Team Engagement is also known as an “attack simulation” or “adversary emulation”. In these engagements, the TRUE Red Team will take on the role of a malicious attacker with no internal knowledge of the organization and use all the tools/methods that such an attacker would use. The Red Team would perform external network exploitation and phishing attacks of various types, including malicious attachments and links to credential gathering websites, and use the resulting compromise or access to attempt internal vulnerability exploitation and compromise. Physical social engineering or physical penetration tests may be included in these engagements in an effort to gain access to sensitive data via physical facility compromise. While penetration tests are focused primarily on tools and techniques used to compromise networks/systems, a Red Team Engagement is focused on operating within your environment, evading detection, and exfiltrating data.

Purple teaming is often associated with attack simulations and is something you should consider during your next engagement. A Purple Team Engagement is simply a Red Team engagement in which TRUE’s Red Team is in constant contact with your organization’s defenders (i.e. the Blue Team). In this way, the Red Team can walk the Blue Team through the attack and determine what the attack looks like from a defensive point of view in real time. Red/Purple Team engagements are most effectively utilized by organizations that have a mature security program with multi-layered security measures and have consistently received clean penetration test reports.
How can we help?
If you need quarterly Vulnerability Scanning, a Vulnerability Assessment, a Penetration Test, a Red/Purple Team Engagement or just want to find out more about our services, we would be happy to help. Request a consultation today!