As anticipated here, my short paper on pentesting and red teams is finally out. It was a fun paper to write as it follows a new model for us, GTP analysts: a faster cycle of research and writing, producing a “to the point” paper. This one is about clarifying the roles of pentests, vulnerability assessments and red teams in a security program, including answers of when to use each and how to work on defining scope, selecting service providers, etc.
A few nice bits from the paper:
“Organizations still don’t have a clear understanding about the different security assessment types and when each one should be utilized. Penetration tests are often contracted by organizations expecting the type of results that would come from vulnerability assessments”
“The confusion about the different types of security assessments is the most common reason for dissatisfaction with test results. Assessments differ in many aspects, from objectives to methodologies and toolsets. Thus, understanding the differences between each type of assessment is crucial to properly select the most appropriate option for each case.”
On Vulnerability Assessments:
“Vulnerability assessments (VAs) are usually the best option for organizations looking to perform their first assessment. Performing a VA first allows an organization to find obvious technical issues, such as missing patches and poor configuration items, including default passwords.”
“A vulnerability assessment doesn’t involve exploiting vulnerabilities or trying to obtain sensitive data or privileges, so it shouldn’t be used to answer the “What could happen if someone tries to break in?” question (which is a typical question answered by a pentest).”
“Pentests are mostly manual in nature because exploitation usually requires more human analysis. The test also involves moving from one asset to another while looking to achieve the test objectives, so identifying how to do it and which assets to attack is by nature a manual, creative and iterative activity. During some steps of the test, the assessor may rely on automated tools, but no penetration test can be completely automated from beginning to end.”
“Pentests are often requested by organizations to identify all vulnerabilities affecting a certain environment, with the intent to produce a list of “problems to be fixed.” This is a dangerous mistake because pentesters aren’t searching for a complete list of visible vulnerabilities. They are only looking for those that can be used toward their objective”
“The real benefits from having a red team are primarily linked to its continuous operation. Apart from the findings of each exercise, a healthy competition with the red team can also be used to keep the blue team alert and engaged. Organizations planning to contract point-in-time exercises instead of a continuous service should keep in mind that the continuous planning, scenario and objectives definitions for the exercises will still have to be done internally. Otherwise, contracting a red team exercise will not be any different from procuring high-quality pentests.”
Which one to use? Go there and read the paper 😉
P.S. Don’t forget to provide your feedback here!
P.S.2. This is actually my first “solo” Gartner paper! Nevertheless, Dr. Chuvakin provided a lot of good insights and feedback too
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.