Vulnerability Assessment vs Penetration Testing vs Red Teaming

Understanding the differences between security testing services

Vulnerability assessments, penetration testing, and red teaming are all attack simulation services designed to provide insight into your organization’s weak points, and how to thwart attacks before they happen. Each service plays a different role in testing your environment, building a stronger understanding of your security posture with each phase.

  1. Vulnerability Assessment – Finds vulnerabilities. (Breadth of vulnerabilities) “Wide”
  2. Penetration Testing – Exploits vulnerabilities. (Provide Proof of Concepts) “Deep”
  3. Red Teaming – Post exploitation. (Attack like an actual hacker) “Real”

Vulnerability assessments and penetration tests are the most requested services, likely because they are required for compliance standards like PCI DSS, SOC 2, ISO 27001, and GDPR. The two are sometimes confused, but a penetration test is not the same as a vulnerability assessment. Vulnerability assessments are predominantly automated scans designed to find all known vulnerabilities in your network. Pen testing looks to combine the vulnerabilities found during a vulnerability assessment into attack patterns for exploitation. Red Teaming takes the simulation even further. For companies ready to mature their security protocols to include proactive measures (offensive security), Red Teaming dives deep to truly simulate an attack on your program.

Vulnerability Assessment

Vulnerability assessments, or vulnerability scans, aim to find all known vulnerabilities of a given target and are therefore broad by nature. Breadth of coverage is achieved using automated tools such as Nessus, Qualys, Acunetix or Burp Scan. Automated tools and scanners can only find vulnerabilities recorded in their vulnerability database, and the accuracy of the results is largely dependent on the configuration supplied by the tester, such as whether credentials were provided for authenticated testing of an application or a network domain.

A vulnerability assessment encompasses three phases to find as many vulnerabilities as possible on the target web application or network service.

  1. Pre-Engagement – Understand the objective.
  2. Vulnerability Scan & Analysis – Find and validate threats by removing false positives.
  3. Reporting – Presents a baseline of issues and allows you to track changes and fixes between iterations.

During a vulnerability assessment, the vulnerabilities found are not exploited, just validated to avoid reporting false positives. As a result, true impact cannot be determined.

For example, a web scanner may find and report certain input fields that get reflected in the HTTP response with no apparent sanitization. It is then the responsibility of the tester to validate that every instance of the potential XSS issue is actually real, for example by using this injection point to pop up an alert box with JavaScript in the victim’s browser. This way, you are validating that the issue is real, but not abusing it with the intention of stealing credentials as a real attacker would.
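A triage helper for the validation step described above, as an added example that is not part of the original article. It assumes the scanner injected a constructed marker string followed by four HTML metacharacters and captured each response body; the helper reports, per parameter, whether those characters came back encoded, so the tester can separate false positives from findings that still need manual confirmation.

```python
import re

# Constructed probe: a unique marker followed by the four metacharacters whose
# survival decides whether output encoding is in place (assumption for this example).
MARKER = "vs7qmark"
META = '<>"\''

# HTML escapes accepted for each metacharacter (entity name plus common numeric forms).
ESCAPES = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
}


def survived_metachars(body, marker=MARKER):
    """Return (occurrences, set of metacharacters reflected unencoded after the marker)."""
    survived, occurrences = set(), 0
    for m in re.finditer(re.escape(marker), body):
        occurrences += 1
        pos = m.end()
        for ch in META:
            if body.startswith(ch, pos):        # metacharacter came back verbatim
                survived.add(ch)
                pos += 1
                continue
            esc = next((e for e in ESCAPES[ch] if body[pos:pos + len(e)].lower() == e), None)
            if esc is None:                     # reflection truncated or transformed
                break
            pos += len(esc)                     # metacharacter was HTML-encoded
    return occurrences, survived


def triage(findings):
    """findings: list of (parameter, response_body). Returns {parameter: verdict}."""
    verdicts = {}
    for param, body in findings:
        n, survived = survived_metachars(body)
        if n == 0:
            verdicts[param] = "not-reflected"   # scanner false positive
        elif survived & {"<", ">"}:
            verdicts[param] = "raw-html"        # tags survive: confirm manually
        elif survived:
            verdicts[param] = "raw-quotes"      # quotes survive: attribute context at risk
        else:
            verdicts[param] = "encoded"         # output encoding in place
    return verdicts


# Constructed sample scanner output: parameter name and the captured response body.
SAMPLE_FINDINGS = [
    ("q", '<p>Results for vs7qmark<>"\'</p>'),
    ("sort", '<input value="vs7qmark&lt;&gt;"\'">'),
    ("page", '<p>Page vs7qmark&lt;&gt;&quot;&#39;</p>'),
    ("lang", "<p>Unknown language</p>"),
]
```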

Penetration Testing

A penetration test begins with a vulnerability assessment, then leverages the creativity and criminal mindset of an experienced cyber professional to provide Proof of Concepts (PoC) for the vulnerabilities found. A penetration test is often used to target web applications and APIs, network services and cloud infrastructure, or applications running on mobile devices.

Penetration testing can encompass all seven phases of the penetration test methodology and covers the OWASP Top 10. However, most companies do not choose to include Post Exploitation, because it may impact their day-to-day operations if testing against production services.

  1. Pre-Engagement – Understand the scope and define objectives for the exercise.
  2. Reconnaissance – Research the target.
  3. Threat Modeling – Prioritize risks to your organization.
  4. Vulnerability Analysis – Find and Validate Vulnerabilities.
  5. Exploitation – Develop actual Proof of Concepts (PoCs).
  6. Post-Exploitation – Assess the impact of each exploited vulnerability.
  7. Reporting – Show proof of exploitation by presenting compromised data or obtained access (PoCs), along with recommendations for each vulnerability.

Penetration testing digs deeper into the broad set of vulnerabilities provided by a vulnerability assessment, demonstrating the true impact of a compromise should the vulnerabilities remain open.

Red Teaming

Red Teaming provides a real-world view into what an attacker would do to compromise your organization’s assets. Red Teaming takes the simulated attack further than a penetration test, truly mimicking an actual attack. Post exploitation is the primary differentiator for Red Teaming, going well beyond PoCs to demonstrate the real-life damage that could occur if your company were to be compromised. Post Exploitation can include exfiltrating sensitive data (PHI/PII/Intellectual Property), obtaining persistence, elevating privileges within the network domain, pivoting from the compromised host to other trusted networks, and so much more.

Which Type of Security Testing is Right For You?

Each security testing service is designed to meet different security goals within your organization. Vulnerability assessments and penetration testing focus on breadth rather than depth, and are constrained to the given component being tested, such as your network infrastructure or web applications. In contrast, Red Teams will identify potential weak points and string together seemingly unrelated vulnerabilities to create composite attack scenarios, exposing vulnerabilities and risks encompassing your technology, people, and/or physical assets.

For more information on vulnerability assessments, penetration testing, or red teaming, reach out to our security analysts for a consultation.

PASTA Threat Modeling: The Process for Attack Simulation and Threat Analysis

VerSprite leverages our PASTA (Process for Attack Simulation and Threat Analysis) methodology to apply a risk-based approach to threat modeling. This methodology integrates business impact, inherent application risk, trust boundaries among application components, correlated threats, and attack patterns that exploit identified weaknesses from the threat modeling exercises.