Vulnerability scanning, penetration testing, and red teaming all belong to the branch of proactive security. Experts performing these offensive security activities act like intruders trying to get into the company and its network, servers, or workstations. They gather information about the company’s security issues and afterward write a report and offer remediation for those issues. Each of the three terms represents a more intensive and thorough approach than the previous one, with red teaming being the most realistic examination of a company’s security. The most extensive examination of a company’s security posture combines red teaming with penetration testing.
A vulnerability scan is an automated search for potential vulnerabilities. Those vulnerabilities are usually not actively exploited during the test, so some of the results may be false positives. Each vulnerability found is assigned a score expressing its severity. Vulnerability scans are usually highly automated, affordable, and do not take long to finish. Examples of vulnerability scanning are a scan of the internal infrastructure or a secure code review.
Penetration testing is a more active approach to assessing the company’s security. It usually includes vulnerability scanning as well as finding additional vulnerabilities that automated scanners cannot detect. Testers may also find chained vulnerabilities that have low severity on their own but a higher severity when combined. Pen testing involves active exploitation of the vulnerabilities found; it does not produce false positives, because successful exploitation of a vulnerability is proof that it is exploitable. Common techniques used during pen testing include password cracking, privilege escalation, and SQL injection.
Red teaming is the broadest way to examine the company’s weaknesses. A red team simulates the behavior of an adversary and demonstrates how a real attacker would advance through the company’s infrastructure. It includes all kinds of exploitation, ranging from social engineering and physical intrusion to application and network exploitation.
A company can choose to what extent it wants to evaluate and improve its security. A regular vulnerability scan can be sufficient, but from time to time a deeper examination in the form of penetration testing or red teaming is needed.
After these offensive security activities have finished, a report is created and it is up to the IT staff to patch the weaknesses according to the suggested mitigations. Afterward, the scan can be rerun to verify whether the mitigations were successful. This is not a one-time process but has to be repeated continually in order to maintain a secure infrastructure.
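The severity scoring mentioned above and the patch-then-rescan verification cycle are easy to automate once scanner output is normalized. The following is an added example, not code from the original page or from any scanner vendor: it maps CVSS v3 base scores to the qualitative rating bands published by FIRST, then compares a baseline scan against a rescan to report which findings were fixed, which are still open, and which are new. The findings, hostnames, and check identifiers are constructed sample data for illustration only.

```python
from collections import Counter
from dataclasses import dataclass

# CVSS v3.x qualitative severity rating scale (the ranges published by FIRST).
SEVERITY_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)


def severity_label(score: float) -> str:
    """Map a CVSS base score to its qualitative rating (Low/Medium/High/Critical)."""
    score = round(score, 1)  # CVSS base scores carry exactly one decimal place
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS score out of range: {score}")


@dataclass(frozen=True)
class Finding:
    """One normalized scanner result. check_id is the scanner's own identifier
    for the check that fired (hypothetical values are used in the sample data)."""
    host: str
    port: int
    check_id: str
    title: str
    cvss: float

    def key(self):
        # Identity of a finding across scans: the same check on the same host and port.
        return (self.host, self.port, self.check_id)

    @property
    def severity(self) -> str:
        return severity_label(self.cvss)


def compare_scans(baseline, rescan):
    """Split findings into fixed (absent from the rescan), still_open, and new.
    Each list is sorted by CVSS score, highest first, so the report leads with
    what still matters most."""
    base = {f.key(): f for f in baseline}
    again = {f.key(): f for f in rescan}
    fixed = sorted((base[k] for k in base.keys() - again.keys()), key=lambda f: -f.cvss)
    still_open = sorted((again[k] for k in base.keys() & again.keys()), key=lambda f: -f.cvss)
    new = sorted((again[k] for k in again.keys() - base.keys()), key=lambda f: -f.cvss)
    return fixed, still_open, new


def severity_counts(findings) -> dict:
    """Number of findings per qualitative rating, e.g. {'High': 1, 'Medium': 2}."""
    return dict(Counter(f.severity for f in findings))


def remediation_rate(baseline, rescan) -> float:
    """Fraction of baseline findings that no longer appear in the rescan."""
    fixed, _, _ = compare_scans(baseline, rescan)
    return len(fixed) / len(baseline) if baseline else 1.0


# Constructed sample data: a baseline scan and a rescan after patching.
BASELINE = [
    Finding("web01.example.test", 443, "TLS-WEAK-CIPHER", "Weak TLS cipher suites enabled", 5.3),
    Finding("web01.example.test", 80, "SQLI-LOGIN-FORM", "SQL injection in login form", 9.8),
    Finding("db01.example.test", 3306, "DB-DEFAULT-CREDS", "Database accepts default credentials", 9.8),
    Finding("fs01.example.test", 445, "SMB-SIGNING-OFF", "SMB signing not required", 6.5),
]
RESCAN = [
    Finding("web01.example.test", 443, "TLS-WEAK-CIPHER", "Weak TLS cipher suites enabled", 5.3),
    Finding("fs01.example.test", 445, "SMB-SIGNING-OFF", "SMB signing not required", 6.5),
    Finding("web01.example.test", 8080, "OUTDATED-APP-SERVER", "Application server version out of date", 7.5),
]

if __name__ == "__main__":
    fixed, still_open, new = compare_scans(BASELINE, RESCAN)
    for label, group in (("FIXED", fixed), ("STILL OPEN", still_open), ("NEW", new)):
        print(f"== {label} ({len(group)}) ==")
        for f in group:
            print(f"  [{f.severity:8}] {f.host}:{f.port} {f.check_id} - {f.title}")
    print(f"remediation rate: {remediation_rate(BASELINE, RESCAN):.0%}")
```

Keying findings on (host, port, check id) rather than on the title keeps the comparison stable when a scanner reorders or rewords its output between runs; a finding that moves to a different port is correctly reported as new rather than silently matched. The "still open" list is the input for the next remediation round, and the "new" list shows drift that crept in since the previous scan, which is exactly why the text stresses that the cycle has to be repeated continually.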