A guest post by Florian Hansemann – @HanseSecure
More and more frequently the terms ‘Vulnerability Assessment’, ‘Penetration Testing’ and ‘Redteaming’ are misused or misinterpreted. Whether the reason for this lies with the sales teams of the corresponding service providers (Pentesting sounds more like CyberCyber than Vulnerability Assessment?) or elsewhere is irrelevant.
The important thing is that the company knows what is hidden behind each term and when it should be used. Therefore, this article describes the various technical security audit options and explains when each method should be used.
A vulnerability assessment uses mostly automated procedures and generic scanners to detect security vulnerabilities in systems. These can be, for example, pending patches, weak passwords or a misconfiguration. These scans should be done periodically, as the result of a one-time scan may already be irrelevant after the next patchday. In the end, there should be a vulnerability management process which prioritizes and documents the detected problems accordingly.
A vulnerability assessment should continuously identify as many vulnerabilities as possible in a short period of time, in order to find and fix “simple” security vulnerabilities as quickly as possible.
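The vulnerability management process mentioned above (periodic scans, prioritization, documentation) is easy to describe and easy to get wrong, so here is an added example of the minimal bookkeeping behind it. This is not code from the original article or from any scanner: the finding format, the check ids (`CHK-1001` etc.), the hosts, the severity scores, the asset criticality weights and the scan dates are all constructed for the example. It folds two periodic scans, one before and one after a patchday, into a register that records when each problem was first and last seen, closes problems that disappear, reopens ones that come back, and produces a backlog ordered by scanner severity weighted with asset criticality.

```python
"""Added example, not from the original article: a minimal vulnerability
management register for the periodic scan results described above. Scanner
output format, check ids, hosts, scores and dates are all constructed for
this example and do not come from any real tool or environment."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str     # the scanner's id for the check (constructed, e.g. "CHK-1001")
    title: str
    severity: float   # 0.0-10.0, CVSS-like base score as reported by the scanner
    category: str     # "patch", "password" or "config", the three kinds named in the article

    def key(self) -> str:
        """Stable fingerprint so the same problem on the same host matches across scans."""
        return f"{self.host}|{self.check_id}"


# Asset criticality comes from the organisation, not the scanner (constructed values).
ASSET_CRITICALITY: Dict[str, float] = {
    "dc01.corp.example": 1.0,     # domain controller
    "web01.corp.example": 0.8,    # internet-facing web server
    "kiosk07.corp.example": 0.3,  # isolated kiosk
}


def priority_score(f: Finding, criticality: Dict[str, float]) -> float:
    """Weight scanner severity by asset importance. Hosts missing from the
    criticality list get a middling weight so they are not silently ignored."""
    return round(f.severity * criticality.get(f.host, 0.5), 2)


def update_register(register: dict, scan_date: str, findings: List[Finding]) -> dict:
    """Fold one scan into the register: new problems are opened, known ones get
    their last_seen refreshed, and open problems absent from this scan are
    closed as fixed. A fixed problem that reappears is reopened (regression)."""
    seen = set()
    for f in findings:
        k = f.key()
        seen.add(k)
        entry = register.setdefault(k, {"finding": f, "first_seen": scan_date})
        entry["last_seen"] = scan_date
        entry["status"] = "open"
    for k, entry in register.items():
        if k not in seen and entry["status"] == "open":
            entry["status"] = "fixed"
            entry["fixed_on"] = scan_date
    return register


def open_backlog(register: dict, criticality: Dict[str, float]) -> List[dict]:
    """The prioritized work list: open entries, highest score first."""
    rows = []
    for k, entry in register.items():
        if entry["status"] != "open":
            continue
        f = entry["finding"]
        rows.append({"key": k, "title": f.title, "category": f.category,
                     "score": priority_score(f, criticality),
                     "first_seen": entry["first_seen"]})
    return sorted(rows, key=lambda r: (-r["score"], r["key"]))


# Constructed scan results from two periodic runs, before and after a patchday.
SCAN_BEFORE = [
    Finding("dc01.corp.example", "CHK-1001", "Missing OS security update", 9.8, "patch"),
    Finding("web01.corp.example", "CHK-2002", "TLS 1.0 enabled", 5.3, "config"),
    Finding("kiosk07.corp.example", "CHK-1001", "Missing OS security update", 9.8, "patch"),
    Finding("kiosk07.corp.example", "CHK-3003", "Default local admin password", 8.0, "password"),
]
SCAN_AFTER = [
    Finding("web01.corp.example", "CHK-2002", "TLS 1.0 enabled", 5.3, "config"),
    Finding("kiosk07.corp.example", "CHK-3003", "Default local admin password", 8.0, "password"),
    Finding("web01.corp.example", "CHK-1002", "Missing web server security update", 7.5, "patch"),
]


def demo() -> dict:
    """Run both constructed scans through the register and return it."""
    register: dict = {}
    update_register(register, "2019-01-07", SCAN_BEFORE)
    update_register(register, "2019-01-21", SCAN_AFTER)
    return register


if __name__ == "__main__":
    reg = demo()
    for row in open_backlog(reg, ASSET_CRITICALITY):
        print(f'{row["score"]:>5}  {row["key"]:<32} {row["title"]} (since {row["first_seen"]})')
    print("fixed since last scan:", [k for k, e in reg.items() if e["status"] == "fixed"])
```

Two design points are worth noting. The fingerprint is host plus check id, not the finding title, so the same missing patch on two hosts is two separate items, which is what a remediation owner needs. And the score multiplies scanner severity by a criticality the organisation assigns itself; a scanner alone cannot know that a 9.8 on an isolated kiosk matters less than a 5.3 on the domain controller, and that weighting is exactly the prioritization step the article asks for.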
In contrast to vulnerability assessments with their automated procedures, penetration testing primarily uses manual techniques to detect more complex vulnerabilities that scanners cannot find. These can be logic errors in the implementation of some software as well as problems in a company's organizational rules.
In addition, the vulnerabilities found in a penetration test are validated and exploited to achieve a predefined target. This goal may be acquiring domain administrator rights or accessing an email of a specific user in the company.
The aim is to find more complex vulnerabilities that automated scanners cannot detect, and to check the effectiveness of the security measures taken at the technical, organizational and personnel level.
Redteaming assessments use state-of-the-art attack and obfuscation techniques (such as those catalogued in MITRE ATT&CK) to penetrate a business and achieve a specific goal. At the same time, the “defense team”, the so-called BlueTeam, should detect the intrusion and react accordingly. For more information on this new type of assessment, I recommend this blog, which published a number of sources at the end of 2018 that provide additional information about redteaming.
Of course, redteaming is also about uncovering vulnerabilities at all levels of the target, but training the BlueTeam is clearly the focus.
Which method should be used cannot be answered with a blanket rule, as it depends on the security level of the company or target.
If no security assessments have been carried out yet, only vulnerability scans should be used at first, to establish what the security level basically looks like and to raise it to a satisfactory level.
Once a company performs vulnerability scans and closes the detected gaps, penetration testing can be used to uncover more complex gaps.
If the company already has elements such as a SOC, a SIEM and a BlueTeam in place, then at this stage these elements should be trained and optimized through redteaming assessments.