Penetration Testing – Ethical Hacking, Red Teaming and Capture the Flag
by Robert Bond
The variety of penetration tests that have surfaced over the past several years can easily be confused by organizations. The differences between penetration tests, ethical hacking, and red teaming are important to understand for IT security organizations seeking to evaluate their cybersecurity posture and performance.
Penetration testing is a common way for organizations to test their security maturity and identify potential vulnerabilities in their environment. In today’s market, however, there are a growing number of options. The terminology surrounding penetration testing can be confusing to even the most educated cybersecurity professionals. With new types of testing available every year, it is important to know the latest and most effective ways of assessing cybersecurity performance. Commonly confused terms include penetration testing, ethical hacking, red teaming and capture the flag exercises.
What’s the Difference Between Penetration Testing and Ethical Hacking
Penetration testing and ethical hacking are two similar types of cybersecurity testing that are often blurred. Penetration testing is a specific type of security testing assessment focused on identifying vulnerabilities and risks on systems and across an environment. A penetration tester assesses a target environment, seeking to compromise and take control of the targeted systems. The purpose of the test is to find vulnerabilities in the environment and deliver a report to the organization being tested. In many cases, the scope is not limited to systems or techniques – the penetration tester can direct his attack throughout the target organization’s systems and infrastructure. Commonly, testers find systems on the targeted network using discovery scans and network traffic to identify potential weak links or systems that may be compromised. Attackers then exploit the systems remotely. The tests can be either internal (within the target’s facility) or external (over the Internet).
Ethical hacking is similar to penetration testing but has several key differences. The term ethical hacking is a broader term for hacking techniques used by ethical hackers. While a penetration tester might discover flaws and vulnerabilities and deliver a report, an ethical hacker will likely conduct a longer-term assessment, using a greater variety of attack types and more fully exploring the environment.
While a penetration tester is usually focused on identifying vulnerabilities, an ethical hacker will usually pursue a full scope of hacking techniques in an attempt to find as many security flaws as possible. It is less of a point-in-time assessment and more of a holistic security evaluation of a target environment. Ethical hackers also deliver more remediation assistance, commonly working with the organization to ensure the security of the target system with the permission of the system owner.
What Is Red Teaming – A More Advanced Assessment Process
A red team assessment is another type of security testing tactic that is more defined and focused than penetration testing. The goal of a red team assessment is to test the target organizations detection and response capabilities. The main difference is the great lengths taken by the red team to simulate an actual attack.
Organizations are typically not informed of the test, and the red team proceeds to attempt to access critical and sensitive data leveraging a variety of attack methods; essentially simulating the tactics of an actual attacker. The assessments are usually a longer process and a more thorough investigation into security vulnerabilities and their corresponding impact. Methods may also be more extensive, including social engineering, wireless testing, and physical security testing.
White Box vs. Black Box Penetration Tests
Another important distinction regarding penetration testing is between white box and black box tests. A black box tester does not have any knowledge of the internal structure and workings of the targeted system. White box testing is performed by a tester with a working knowledge of the internal structure of the targeted system. White box testers might provide more detailed results as they are familiar with the code, architecture, and configuration of the targeted system and have a better idea of where to look for security vulnerabilities. However, black box testers provide a more accurate simulation of an external malicious attacker.
Capture the Flag Penetration Test Exercises
Another penetration test-related exercise is a capture the flag (CTF) exercise. Testers are assigned a specific goal (capturing the flag), which might be exfiltrating a specific data file or accessing a specific system. CTF exercises are often set-up in a competition environment with teams competing to accomplish the goal first. Contests with prizes and open competition are often used to recruit new employees, build security skills, and test systems. CTF exercises are different from a traditional penetration test in that they often use test environments or third party environments, like the Michigan Cyber Range, as the event is more of an evaluation of the testers’ skills than production systems.
Other Types of Penetration Tests
There are several other types of penetration tests that are important to consider. They include the web application penetration test, war dialing, wireless security penetration test, and social engineering testing. During a web application penetration test, a tester will focus on a web applications hosted by the targeted organization. Also known as a web application security assessment, the test can use automated tools like Burpsuite or scanners like Grabber to find security holes – including the OWASP Top 10.
A war dialing assessment looks for vulnerable modems in a target environment, seeking to find an unsecure access point or brute force guess a way to access the environment. Recent testers have even found ways to access target environments through unsecured fax machines. A wireless security assessment tests the security of a client’s Wi-Fi systems, looking for easily accessible access points and common vulnerabilities like WEP encryption.
A social engineering test tests the security awareness of a targeted organization’s personnel. This could involve phishing emails, phone calls, and physical access attempts.
Security Audits versus Penetration Tests
One final difference to highlight is the difference between a security audit and a penetration test. A security audit differs from a penetration test in that it measures cybersecurity performance against a set standard, like the NIST CSF. Usually involving a detailed checklist of security controls, a security audit is more comprehensive, assessing the entirety of a security program – while the penetration test seeks just one vulnerability to access and compromise the environment.
Many options are available for organizations seeking to assess their cybersecurity posture. Whether they choose a common penetration test or a more advanced red team assessment; or more focused services like a web application assessment. The most important thing is for organizations to be actively identifying vulnerabilities in their environment and remediating before they are targeted by external attackers.
January 6, 2021