Subscribe to the CyberThreatPOV Podcast

Episode 36: Pentest vs Purple Team vs Red Team

In this episode Brad and Spencer discuss the differences between a Penetration Test, a Purple Team Exercise and a Red Team Engagement: what each one is, what its goals are, and how each helps an organization improve its security and resilience.

If you’re on the go, listen here or on your favorite podcast app: https://www.buzzsprout.com/1731753/12609555

Show Notes:

Introduction

In this section, the speakers introduce themselves and the topic of discussion. They also highlight the importance of understanding the differences between penetration testing, purple team exercises, and red team engagements.

Understanding Penetration Testing, Purple Team Exercises, and Red Team Engagements

  • The lack of standardization in the industry contributes to confusion around these terms.
  • The goal is to educate listeners on what each engagement entails and their respective goals.
  • Not everyone is ready for a purple team or a pen test yet.
  • Standardization of terminology and offerings across the industry is necessary to reduce confusion.

Introduction to Penetration Testing

In this section, the speakers discuss the importance of providing value to clients during penetration testing engagements. They also highlight the need for a step-by-step maturity process when it comes to conducting penetration tests.

Defining Penetration Testing

  • A simulated attack on a computer system, network, or application, conducted by a pen tester in order to identify and exploit the vulnerabilities an attacker could use to harm that target.
  • The goal is to determine what an attacker could do to obtain unauthorized access to systems or data.
  • During a pen test, the tester is attempting to penetrate the defenses of a network in order to get access to things that are important or sensitive or of value to that organization.

Key Elements of Penetration Testing

  • The biggest differentiator between pen testing and other types of security testing is that there’s a human being trying to break into your environment.
  • Tools are used by testers in order to discover and attack the surface of the environment that’s in scope.
  • The goals of a pen test differ from those of other security engagements: the tester aims to find as many vulnerabilities as possible within a limited engagement window. Findings are ranked by severity, and remediation recommendations and retesting advice are provided afterwards.

Deliverables of Penetration Testing

In this section, the speakers discuss the difference between a vulnerability scan and a pen test. They explain that while a vulnerability scan can identify vulnerabilities, it cannot provide information on how those vulnerabilities can be used in combination to create larger risks for an organization.

Importance of Human Brain in Penetration Testing

  • A pen test differs from a vulnerability scan because it produces artifacts showing how vulnerabilities can be chained, in sequence or in combination, into a larger risk for the organization.
  • Finding the vulnerabilities that present a risk of adverse impact to the organization is the kind of work that requires a human brain.
  • A pen test surfaces risks to the organization, such as reputational risk, that a vulnerability scanner like Nessus cannot report.

Reconnaissance and Information Gathering

  • As part of a pen test, there’s reconnaissance which involves information gathering by the pen tester to learn how the application works or how the target is operating.
  • Vulnerability assessment and exploitation are also part of penetration testing.
  • The outcomes are expressed as risks to the organization: things that could materially impact its ability to operate and do business.

Targeting Organizations through Public Information

In this section, the speakers discuss how public information about organizations can be used by attackers to target individuals within those organizations.

Examples of Public Information Used for Social Engineering

  • Law firms list everyone on their website, attorneys and staff alike, with email addresses and phone numbers, which gives attackers the information they need to target individuals.
  • Universities list athletes on their websites with personal details such as birthdays, favorite foods, and TV shows, which can be used to social-engineer those organizations into giving up information or taking the actions an attacker wants.

Extracting User Information from PDFs and LinkedIn

In this section, the speakers discuss how they extracted user information from PDFs hosted on a website and used it to gather more information about the users on LinkedIn. They also highlight the importance of context in social engineering attacks.

Extracting User Information

  • Extracted user information from the metadata of PDFs hosted on a target's website.
  • Used that information to find a user's internal username and the name of the system the document was produced on.
  • From the metadata alone, combined with LinkedIn, they had a great deal of information about her.
  • Some aspects of reconnaissance can be automated, but context is crucial when building a target package for a social engineering attack.
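The metadata pull described above, as an added example that is not the hosts' own tooling: a dependency-free parser for the document information dictionary of a PDF, run against a constructed sample file. The author, server and share names in the sample are fabricated, and the `summarize_targets` helper and its field choices are this example's own assumptions. It handles only classic, uncompressed /Info objects; PDFs that keep metadata in object streams or XMP need a real library (exiftool or pikepdf do this properly).

```python
import re

# Constructed sample: a minimal PDF whose /Info dictionary carries the kind of
# metadata office software leaves behind. Names are fabricated for this example.
# Raw bytes, so the PDF escapes (\\ and \( ) are written exactly as a PDF stores them.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (\\\\CORP-FS01\\Finance\\Client Onboarding.docx)
   /Author (jsmith)
   /Creator (Microsoft Word)
   /Producer (Microsoft: Print To PDF)
   /Subject <FEFF00480069>
   /Keywords (internal \(do not distribute\))
   /CreationDate (D:20230401101500) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
_KEY = re.compile(rb"/([A-Za-z0-9_.#-]+)\s*")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}
# Windows/UNC path shapes (DOMAIN\host, \\server\share\file, C:\Users\...) that leak names.
_WIN_PATH = re.compile(r"(?:\\\\)?[A-Za-z0-9$_.:-]+(?:\\[A-Za-z0-9$_. -]+)+")


def _decode_text(raw: bytes) -> str:
    """PDF text strings are UTF-16BE when they start with a BOM; otherwise
    PDFDocEncoding, approximated here by latin-1."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def _read_literal(data: bytes, start: int) -> tuple[bytes, int]:
    """Read a (...) literal starting at data[start]. Balanced unescaped parentheses
    are allowed inside. Returns (raw body, index just after the closing paren)."""
    depth, i, body = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                       # keep escape pairs intact for _unescape
            body += data[i:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                body += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(body), i + 1
            body += c
        else:
            body += c
        i += 1
    raise ValueError("unterminated literal string")


def _unescape(raw: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            octal = re.match(rb"[0-7]{1,3}", raw[i + 1:])
            if octal:                        # \ddd octal escape
                out.append(int(octal.group(0), 8) & 0xFF)
                i += 1 + len(octal.group(0))
                continue
            nxt = raw[i + 1:i + 2]
            out += _ESCAPES.get(nxt, nxt)
            i += 2
            continue
        out += raw[i:i + 1]
        i += 1
    return bytes(out)


def parse_info_dict(body: bytes) -> dict[str, str]:
    """Walk an /Info object body and collect every key whose value is a string.
    Names, numbers and references (e.g. /Type /Catalog) carry no string and are skipped."""
    fields, i = {}, 0
    while i < len(body):
        if body[i:i + 1] != b"/":
            i += 1
            continue
        km = _KEY.match(body, i)
        if not km:
            i += 1
            continue
        key, i = km.group(1).decode("ascii"), km.end()
        c = body[i:i + 1]
        if c == b"(":
            raw, i = _read_literal(body, i)
            fields[key] = _decode_text(_unescape(raw))
        elif c == b"<" and body[i + 1:i + 2] != b"<":   # <hex> string, not a << dict >>
            end = body.index(b">", i)
            hexdigits = re.sub(rb"\s", b"", body[i + 1:end])
            if len(hexdigits) % 2:
                hexdigits += b"0"            # PDF reads a missing final digit as 0
            fields[key] = _decode_text(bytes.fromhex(hexdigits.decode("ascii")))
            i = end + 1
    return fields


def extract_pdf_info(data: bytes) -> dict[str, str]:
    """Follow the last trailer's /Info reference to the info object and parse it."""
    refs = list(_INFO_REF.finditer(data))
    if not refs:
        return {}
    num, gen = refs[-1].group(1), refs[-1].group(2)
    obj = re.search(rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj\b(.*?)endobj", data, re.S)
    return parse_info_dict(obj.group(1)) if obj else {}


def summarize_targets(info: dict[str, str]) -> dict[str, list[str]]:
    """Pull out what a social engineer builds a target package from: account names,
    software in use, and any Windows/UNC paths that leak hostnames or shares."""
    usernames = sorted({info[k] for k in ("Author", "LastModifiedBy") if info.get(k)})
    software = sorted({info[k] for k in ("Creator", "Producer") if info.get(k)})
    paths = sorted({m.group(0) for v in info.values() for m in _WIN_PATH.finditer(v)})
    return {"usernames": usernames, "software": software, "hostnames_or_paths": paths}


if __name__ == "__main__":
    found = extract_pdf_info(SAMPLE_PDF)
    for k, v in found.items():
        print(f"{k:14} {v}")
    print(summarize_targets(found))
```

Against the sample this yields the author's account name, the file server and share the document lived on, and the office suite in use, which is exactly the starting point for a credible pretext. Run it over every PDF returned by a site crawl and diff the usernames against LinkedIn to build the target package the episode describes.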

The Importance of Purple Team Testing

In this section, the speakers discuss purple team testing as an important step in assessing an organization’s security maturity.

Maturity Levels

  • External testing is the starting point for assessing an organization’s security posture.
  • Internal testing is the next milestone after external testing.
  • Purple team testing comes after internal testing, once an organization has vulnerability assessment capabilities, monitoring capabilities such as a SIEM, incident response processes, and so on.
  • Multiple externals and internals may be necessary before conducting purple team testing.

Likelihood of Attack

  • External attack surface should be assessed first since it is highly likely that organizations will be attacked from outside their network.
  • Internal attack surface should also be assessed since it is another likely avenue of attack through malware infections or lateral movement.

Understanding Purple Teaming

In this section, the speaker explains what purple teaming is and how it differs from other types of security testing.

What is Purple Teaming?

  • Purple teaming is a collaborative, full-knowledge assessment that involves cyber threat intelligence, the red team (offensive security), and the blue team (defenders).
  • During a purple team exercise, the red team emulates real threats based on information obtained from the Cyber threat intelligence team.
  • The blue team watches in real-time as attacks are executed to identify and respond to them.
  • The goal of purple teaming is to identify, test, and measure how well people, processes, and technology work together to improve an organization’s security posture.

How Does Purple Teaming Work?

  • A series of attacks are executed during a purple team exercise to determine an organization’s coverage for these attacks.
  • The blue team identifies each attack in real-time and responds accordingly.
  • After each attack, the blue team provides feedback on whether they detected it or not. This helps determine areas where improvements can be made.
  • In contrast to an internal pen test, where controls such as EDR are commonly turned off for the tester, a purple team exercise tries to bypass each control step by step while evaluating how effective it is.

Differences Between Internal Pen Testing and Purple Teaming

In this section, the speaker highlights some key differences between internal pen testing and purple teaming.

Control Evaluation

  • In a purple team exercise, the blue team is aware of the attack and tries to detect it in real-time.

Reporting

  • Internal pen test reports are more black and white, focusing on whether controls were bypassed or not.
  • Purple teaming is more gray because it focuses on evaluating how well people, processes, and technology work together.

Purple Team vs Red Team

In this section, the speaker explains the difference between a purple team and a red team. He defines a red team as simulating an attacker with specific goals and TTPs, while a purple team emulates threats in real-time to improve security defenses.

Purple Team

  • A purple team is an internal process that emulates threats in real-time.
  • The goal of a purple team is to materially impact and improve security defenses.
  • Threat intelligence is important for making the exercise applicable to your industry, vertical, type of business, regions, threat actors, and groups targeting you.
  • Testing all variations of techniques based on the threats facing the organization is necessary.
  • Implementing controls and detections for gaps in detection and prevention is crucial.
  • Re-testing after the fixes to confirm that coverage for those techniques now exists.
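The tracking that "How Does Purple Teaming Work?" and the Purple Team bullets above describe (each variant is run, the blue team reports whether it was prevented, logged or alerted on, gaps go to detection engineering, and the variant is re-run) is easy to get wrong in a spreadsheet. Here is an added example, not anything from the episode or its hosts, that scores a run and diffs the re-test against the baseline. The ATT&CK technique IDs are a convention assumed for the example, and every test case and result is constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(str, Enum):
    BLOCKED = "blocked"       # a preventive control stopped the procedure
    ALERTED = "alerted"       # it ran and the SOC received an alert in real time
    LOGGED = "logged_only"    # telemetry exists, but no detection fired
    MISSED = "missed"         # no prevention, no telemetry, no alert


# Worse-to-better ordering used to judge re-tests. A block that produced no log
# is still reported separately below: the blue team never saw the attempt.
RANK = {Outcome.MISSED: 0, Outcome.LOGGED: 1, Outcome.ALERTED: 2, Outcome.BLOCKED: 3}
VISIBLE = {Outcome.ALERTED, Outcome.BLOCKED}   # the blue team could act on it


@dataclass(frozen=True)
class TestCase:
    technique: str   # ATT&CK technique ID (assumed convention, not from the episode)
    variant: str     # the specific procedure exercised; test several per technique
    prevented: bool
    logged: bool
    alerted: bool
    retest: bool = False   # True when the case was re-run after a fix


def classify(tc: TestCase) -> Outcome:
    if tc.prevented:
        return Outcome.BLOCKED
    if tc.alerted:
        return Outcome.ALERTED
    if tc.logged:
        return Outcome.LOGGED
    return Outcome.MISSED


def coverage_report(cases):
    """Baseline view per technique: outcome per variant, share of variants the blue
    team could see, the gaps to hand to detection engineering, and silent blocks."""
    report = {}
    for tc in cases:
        if tc.retest:
            continue
        entry = report.setdefault(
            tc.technique, {"variants": {}, "gaps": [], "silent_blocks": [], "coverage": 0.0})
        outcome = classify(tc)
        entry["variants"][tc.variant] = outcome
        if outcome not in VISIBLE:
            entry["gaps"].append(tc.variant)
        if tc.prevented and not tc.logged:
            entry["silent_blocks"].append(tc.variant)
    for entry in report.values():
        seen = sum(1 for o in entry["variants"].values() if o in VISIBLE)
        entry["coverage"] = seen / len(entry["variants"])
    return report


def retest_delta(cases):
    """Compare each re-run variant with its baseline outcome."""
    baseline = {(tc.technique, tc.variant): classify(tc) for tc in cases if not tc.retest}
    delta = {"closed": [], "still_open": [], "regressed": [], "unchanged": []}
    for tc in cases:
        if not tc.retest:
            continue
        key = (tc.technique, tc.variant)
        before, after = baseline.get(key), classify(tc)
        if before is None:
            continue                      # never baselined; nothing to compare against
        if RANK[after] < RANK[before]:
            delta["regressed"].append(key)
        elif after in VISIBLE and before not in VISIBLE:
            delta["closed"].append(key)
        elif after not in VISIBLE:
            delta["still_open"].append(key)   # improved or not, the gap remains
        else:
            delta["unchanged"].append(key)
    return delta


# Constructed sample run: two techniques, two variants each, then two re-tests after
# the detection engineers added a rule and a log source.
SAMPLE_RUN = [
    TestCase("T1059.001", "base64-encoded PowerShell one-liner", False, True, True),
    TestCase("T1059.001", "PowerShell launched remotely through WMI", False, True, False),
    TestCase("T1003.001", "procdump against LSASS", True, False, False),
    TestCase("T1003.001", "MiniDump export of comsvcs.dll", False, False, False),
    TestCase("T1059.001", "PowerShell launched remotely through WMI", False, True, True, retest=True),
    TestCase("T1003.001", "MiniDump export of comsvcs.dll", False, True, False, retest=True),
]

if __name__ == "__main__":
    for tech, entry in coverage_report(SAMPLE_RUN).items():
        print(f"{tech}: {entry['coverage']:.0%} visible, gaps={entry['gaps']}, "
              f"silent blocks={entry['silent_blocks']}")
    print(retest_delta(SAMPLE_RUN))
```

Two design points matter more than the arithmetic. Coverage is counted per variant, not per technique, because a rule that catches one encoded PowerShell command line says nothing about the same technique launched through WMI. And a block with no telemetry is listed as a gap of its own: the control worked, but the SOC would not have known an attacker tried, which is the "people and process" half of the exercise.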

Red Team

  • A red team simulates an attacker with specific goals and TTPs.
  • The goal of a red team is to assess an organization's controls and response capabilities by testing how effective they are against a motivated attacker.
  • A red team engagement therefore tests how well detection and response actually work against a realistic simulated attack, not just whether individual vulnerabilities exist.

Red Team vs Pen Test vs Purple Team

In this section, the speaker discusses the differences between a red team, pen test, and purple team. He explains that a red team is a simulation where specific goals are targeted, while a pen test is more general and uses off-the-shelf tools. A purple team is a combination of both.

Red Team

  • A red team is the highest level of maturity for an internal assessment.
  • The engagement typically lasts two to four months.
  • The goal of a red team is to go unnoticed and bypass defenses to achieve a specific objective.
  • The engagement may involve physical attacks as well as social engineering such as spear phishing.

Pen Test

  • A pen test uses off-the-shelf tools.
  • It usually lasts for one week or two weeks.

Purple Team

  • It combines elements of both red teams and pen tests.

Goals of Red Team Engagements

In this section, the speaker discusses the goals of red team engagements. He explains that one goal is to train the blue team in their incident response process. Another goal is to identify gaps in security measures.

Training Blue Teams

  • One goal of a red team engagement is to train the blue team in their incident response process.

Identifying Security Gaps

  • The engagement aims to identify gaps in security measures.

Differences between Penetration Testing and Red Teaming

In this section, the speaker discusses the differences between penetration testing and red teaming.

Penetration Testing vs. Red Teaming

  • Penetration testing identifies gaps in security measures and helps remediate them.
  • Red teaming goes beyond identifying gaps to test an organization’s ability to detect and respond to attacks.
  • The industry sometimes uses these terms interchangeably, but they are very different.
  • It is important to get on the same page about terminology before engaging in any of these exercises.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com