When it comes to searching for different offensive security services, you may find that each company has a different definition of a vulnerability assessment, penetration test, and/or red team. The team at FortyNorth Security thinks that the easiest way to know what you’re getting from us is to define it! We do have some information available within our Services page, but we’ll expand on that here. Let’s start by talking about what you will receive from all of our service offerings – our deliverable to you.
All of our services will produce a report which contains multiple sections including:
- Executive Summary – This section will include a high-level wrap-up with details such as logistics associated with the assessment, the number of findings included in the report (along with their severity), key security strengths currently utilized by your organization, and opportunities for growth that can help improve your security posture.
- Assessment Timeline – FortyNorth Security will provide an assessment timeline with key dates and discoveries mapped within the timeline to allow your organization to track assessment discoveries and cross-correlate any actions you may have seen within your network to the steps taken by our consultants.
- Assessment Methodology – The assessment methodology is part of our report which will contain the technical details of the assessment. The goal of this section is to provide the “story” of the test which documents our process of assessing your environment. The assessment methodology will include all tools used during the course of the assessment, the commands that FortyNorth Security consultants ran, and relevant snippets of output which help tell the story of the test. Your internal staff should be able to take the details from the assessment methodology section and recreate any portion of our report.
- Findings and Recommendations – All findings that are discovered during the course of FortyNorth Security’s assessment will be documented in the Findings and Recommendations section, and each finding will have many attributes. All findings are evidence-backed and will include screenshots, log files, or any other documents to support the finding’s existence. The recommendation will provide a means to remediate the security issue or a method to detect if it is being abused.
FortyNorth Security’s reports will NOT be the result of any automated scanner output. Our reports are created by our security consultants after thoroughly analyzing the evidence gathered during the course of your assessment.
Vulnerability Assessment
The goal of a vulnerability assessment is to identify as many vulnerabilities as possible within your environment (specifically the in-scope network ranges that you would provide to FortyNorth Security). A vulnerability assessment is not designed to evade detection by your organization’s internal security team, and it is perfectly reasonable to inform your internal team that a vulnerability assessment is underway. During the course of a vulnerability assessment, FortyNorth Security may use an automated program to help identify vulnerabilities at scale within your environment. In conjunction with any scan running in your environment, FortyNorth Security will also manually hunt for vulnerabilities.
The report you will receive is not simply the output from an automated scanner, because a vulnerability assessment is both an automated and a manual process. FortyNorth Security will prioritize vulnerabilities that are discovered during the vulnerability discovery process based on severity and validate whether each vulnerability exists (or whether it is a false positive). This will ensure that the potential security issues that present the highest risk to your organization are reviewed first.
Penetration Test
A penetration test is a goal-oriented test that’s designed to emulate a goal-oriented attacker targeting your organization during a specific phase of the attack lifecycle (an external or internal attacker). The goal(s) of a penetration test are always customer-developed and tailored to your organization, and FortyNorth Security will work with you to identify and develop these goals. The goal(s) will typically depend on the type of penetration test being performed for your organization, such as:
- External Penetration Test – The most common goal targeted for an external penetration test is to determine if an attacker external to your organization would have the ability to gain access to your internal network. The external penetration test emulates an attacker connected to the internet, from any location worldwide, who is targeting your organization’s publicly available IT infrastructure. This test is commonly performed remotely, but can be performed on-site within your organization.
- Internal Penetration Test – Internal penetration tests are commonly performed on-site within your organization and can emulate an external attacker who has successfully gained internal access to your network, or a malicious insider. Goals for an internal penetration test are customized to your organization and the data/assets that are most important to you. Sample goals include:
  - Access to client lists
  - Targeting financial data
  - Copying a secret recipe
  - Gaining access to a sensitive system within your organization
  - Transferring money from one account to another
  - Many more!
Penetration tests are not designed to evade detection by your organization’s internal security team. A penetration test may contain a vulnerability scan, but a penetration test is not limited to testing and validating the vulnerabilities discovered during the course of the test. FortyNorth Security consultants will identify and exploit vulnerabilities or misconfigurations that will allow them to achieve the pre-determined assessment goals within the in-scope testing ranges for the penetration test. A penetration test is different from a vulnerability assessment because the penetration test always remains focused on being a goal-oriented test, rather than a vulnerability identification and validation assessment.
Red Team Assessment
A red team assessment is also a goal-oriented test, which is designed to emulate the full attack lifecycle carried out by a motivated attacker. FortyNorth Security will work with your organization to develop goals for the assessment, but that is likely all of the information your organization would provide to our consultants. A red team assessment can include a physical aspect, especially if reaching the goal may require a physical element. However, most of our clients opt to only perform a digital assessment.
A penetration test is typically isolated to testing only your external perimeter or your internal network; it would likely include providing FortyNorth Security with IP address ranges that will be considered in-scope for the assessment, and may also include other information. A red team assessment consists of all phases of an attack lifecycle, rather than being isolated to a specific step, which includes:
- Open Source Intelligence (OSINT) Gathering
- Developing external command and control (C2) infrastructure
- Developing highly targeted phone- and/or e-mail-based social engineering campaigns to gain internal access
- Establishing persistence within your organization to maintain access to internal resources
- Laterally moving and compromising systems within your organization’s internal network with the goal of completing the pre-determined assessment goals
The takeaway is that a red team emulates an attacker with no access into your environment, who must create a means of accessing your organization’s internal systems and maintain that access to pursue the goals of the test. A red team assessment is not limited to only reviewing the external perimeter or being plugged into your internal network as the starting point.
A red team assessment is designed to test your internal security team’s detection capabilities and incident response procedures. The report is best when ingested by your internal security team, because the report documents how FortyNorth Security consultants attempted to perform the various steps of the red team assessment and provides recommendations for detection opportunities. A red team assessment is best utilized by companies that have a mature security program and want to test their processes and train their security team against a skilled adversary.
We hope that this helps highlight the differences between vulnerability assessments, penetration tests, and red team assessments and provides some insight into how we at FortyNorth Security conduct our assessments. If you have any questions, please don’t hesitate to contact us.