What is the difference between red team projects and pentest?

Father

Ethical hacking has been developing actively in recent years. Training programs for such specialists receive support from regulators, and demand for pentester services is increasing. Draft laws protecting and regulating the activities of security analysis specialists are being discussed at the state level.

This is largely due to three factors:
  • increased regulatory burden;
  • raising business awareness about information security issues;
  • the growing aggressiveness of cyberspace.

Cybersecurity experts predict that the number of hacker attacks on companies and government organizations will grow in 2024. At the same time, attackers will aim not only at extortion but also at disrupting organizations' operations.

Andrey Shabalin
Data Analysis Specialist NGR Softlab

The ultimate goals pursued by "organized cybercrime" are diverse, but most often consist in a long and hidden presence in the victim's infrastructure for cyber espionage. Public sector and industrial enterprises are often the ultimate targets – each of them accounts for almost a third of information security incidents related to APT. These state and industrial organizations are actually the main drivers of growth and development of red teaming in Russia. Services for modeling the actions of "cyber-organized criminal groups" are now in demand, and the trend of growing interest in them will continue.

In such conditions, an increasing number of customers are requesting security analysis services. In this article, we will look at what a pentest is and how it differs from red team projects.

Red teaming and pentest: common features

Both Red Team and Penetration Testing are methods for analyzing and evaluating the security of a company's infrastructure.

A pentest, or penetration test, is a set of measures for analyzing a company's security. It varies in a number of parameters, the main ones being:
  1. Scope. The customer determines the limits within which pentesters can work.
  2. Format. Depending on its goals, the customer can provide full information about the infrastructure under test or order testing in black box format.
  3. Methods, types, and techniques. At the stage of coordination with the pentester team, it is determined whether the customer needs, for example, attacks using social engineering.

At the same time, it is important to understand that a pentest is not just scanning the infrastructure with various tools in order to "collect" as many vulnerabilities as possible for a report. The task of the pentester team is to find chains of actions that can lead to business-sensitive consequences, within the agreed methods and scope.

Red teaming in this context can be called a "maximum pentest".

Sergey Zybnev
Awillix Pentester

The imitation in Red Team is the most natural and closest to reality; nothing restricts the performers in achieving the goal. For the duration of the project, the Red Team is a hacker group that collects information from open sources and the darknet, finds any, even the most complex, security vulnerabilities, breaks into the company by any means and tries not to give itself away in any way. The goal may be to get administrative access to the infrastructure, exfiltrate a database or withdraw money, or get access to 1C.

Red team projects are often associated with a pentest. As a rule, any team of pentesters also offers red teaming services. From this, a potential customer may get the feeling that "red team" is a marketing name that allows the same service to be sold twice. But this is not the case at all.

What is the difference between these services from the point of view of performers?

The most important difference is that a pentest is more focused on analyzing the security of the infrastructure. In most cases, the pentester does not need to hide their actions from the customer's security team, which may even be aware of the pentest.

In the case of red team projects, the specialist is confronted not only by security software but also by the company's entire information security staff. Since that team is most often unaware of the project, they react to the red teamers' actions as to a full-fledged attack.

Kai Mikhailov
Head of Information Security at iTPROTECT

The most obvious difference is in the tools and methods used and in the course of the attack. A pentest mainly uses well-established methods and tools for assessing security, as well as tools that allow an attack to be performed with "wide coverage" of targets. Thus, in a short time (the project scope), you can get a large amount of information about the degree of infrastructure security and prepare a report.

Red Team is not limited by a time frame and can act more precisely, for example, when a new vulnerability with proven applicability appears in software or hardware. In such a situation, the Red Team may well try to use it and draw a conclusion about the reachability of the attack vector. However, Red Team does not use zero-day vulnerabilities and does not develop new attack methods.

Another important difference is the minimal restrictions on the methods used in red team projects. Since red teaming is as close as possible to real cyber attacks, specialists can use almost any methods, including infiltrating or recruiting employees.

We should also mention red team projects that are held on cyber ranges. They are more focused on training specialists to respond to cyber attacks. For this purpose, an environment is built that is close to the company's real infrastructure.

This method is used in sensitive areas where an incident could have consequences too serious to risk, and where red team projects cannot be conducted on the "live" infrastructure.

Artem Brudanin
Head of Cybersecurity at RTM Group

The main difference for the contractor is the ability to implement undesirable risks for the business. Within the framework of the pentest, ethical hackers adhere to the restrictions imposed by both the methodology of conducting and the technical task. Red team specialists, on the contrary, use "real" TTPs, which are used by real APT groups, in order to maximize and comprehensively assess the level of security of the organization: not only technical attacks on system and application software are used, but also active social engineering (not just to check employee awareness, but specifically to "capture" data), as well as testing physical security measures — penetration into a controlled area, eavesdropping, opening locks, etc.

Imitating the activities of real intruders, red team specialists collect information in all available ways and use not only technical skills but also a creative, non-standard approach to get into the system and stay unnoticed in it for as long as possible.

Differences through the customer's eyes

An important difference is that a pentest is a much more controlled process, which can be flexibly configured even at the stage of initial agreements. By analogy, a pentest is a training sparring session, and a red team project is a full-fledged bout in the ring that differs from a real fight only in that gloves are worn.

Artem Brudanin
Head of Cybersecurity at RTM Group

During the pentest, the Customer is almost always aware of the methods and scenarios of attack implementation; the exploitation of vulnerabilities is coordinated with them, as are the addresses for sending phishing messages. Red team attacks can cause quite significant damage to the organization's assets if the qualifications of the information security service employees (in particular, those responsible for rapid response to information security incidents and administrators of information security tools) are insufficient. For this reason, ordering a simulation of targeted attacks requires an appropriate level of maturity of the information security system in the organization; otherwise the results may not improve processes and approaches at all, but on the contrary — only harm.

Red team projects are usually ordered by large companies and organizations with an already mature internal information security system to check whether undesirable events can actually be carried out.

Relatively small companies that have built their information security to a certain level can also resort to a pentest, realistically assess their security level and identify new areas for work.

Zarema Shikhmetova
Security Analysis Specialist, Gazinformservis

For SOC specialists, a red team project is like a real-time camera with filters that focus the specialist's attention on those events in the system that seem suspicious to them.

The difference between the SOC specialist and the pentester is that the latter only indicates vulnerabilities in the system and gives recommendations for their elimination, while the former, in addition to monitoring the infrastructure, also resolves emerging information security incidents.

Another important difference is that conducting a pentest in one form or another may be mandatory for the company. For example, this practice exists for the banking industry both in Russia and in many other countries.

Red team projects, by contrast, are purely the company's own initiative to assess its level of security in conditions as close as possible to a real attack by a professional hacker group.

Modeling APT Group Attacks

Among the popular services that red teams offer is modeling attacks by APT (Advanced Persistent Threat) groups, as well as assistance in developing scenarios for responding to such threats.

Artem Brudanin
Head of Cybersecurity at RTM Group

In fact, a red team project is an imitation of an APT attack. As already mentioned, the experts of the red team do not use strict and structured methodologies, but the tactics, techniques and procedures of real hacker groups (often according to the MITRE ATT&CK matrix). If you take, for example, a financial organization for which the critical assets will be systems related to transactions or customers' personal data, specialists will use the TTPs of the relevant hacker groups that attack such systems (for example, Cobalt or Carbanak).

APT groups often have their own signature: favorite methods, tools, and a "specialization" in similar targets. For example, attackers may attack banks and financial companies, government websites, industrial infrastructure, etc. Members of red teams study the specifics of these groups' activities and can simulate their attacks.

This is an important difference between a specialist who participates in red team projects and an ordinary security analysis specialist: the former should have a higher level of awareness of how companies are attacked by real attackers and what tools and techniques they use.

Andrey Shabalin
Data Analysis Specialist NGR Softlab

Analytical reports for 2023 show that almost 40% of the investigated information security incidents were caused by publicly known APT groups. This is partly why there is increased interest among Russian companies in modeling the activities of specific hacker groups.

APT groups have a high level of training both in terms of technical means and in terms of professional skill. Their activity is difficult to detect, and the techniques and tools used are improved with each subsequent attack. Therefore, one of the key aspects of the Red Team's activities is the constant updating of the analytics used in the work. In other words, the team's work should be inextricably linked with Threat Intelligence (TI) and Threat Hunting (TH), as well as with the classic pentest. Therefore, when choosing an organization that provides modeling services, it is a good idea to pay attention to how well these areas are developed in it.

The peculiarity of APT groups is that their malicious activity is often directed at certain sectors of the economy, for example, the notorious Space Pirates with their focus on the aerospace industry and the military-industrial complex.

Interest in effective security in our country has increased relatively recently, but red teams are already demonstrating a good level of training. Cybersecurity experts agree that the practice of modeling attacks by APT groups will continue to spread.

Results

A pentest is a modular service in which the customer can choose for themselves what level of "pressure" from attackers will be optimal for solving their tasks.

Both red team projects and pentests can use different methodologies, for example MITRE ATT&CK, OWASP, or PTES. However, in the case of red teaming, a non-standard approach and adaptation of methodologies to the "wild nature" and actions of cybercriminals are especially important.

Red teaming is more focused on identifying individual problems and on comprehensively assessing the level of information security in the company in all areas at once, from the configuration of security tools to the degree of employee awareness of information security threats.