It’s difficult to be vulnerable, no matter what the situation, even when we’re talking about something that’s ultimately beneficial like having an external company come in and test your cybersecurity environment.
Nevertheless, penetration testing and red teaming are security necessities for any prudent, forward-thinking organization. That’s why we wanted to share a few ideas on how you can help us help you prepare for your next RedTeam engagement.
What do we mean by engagement?
Before you get confused by all this talk of vulnerability and engagements, we’re not proposing a romantic relationship here. If you’re working with us, you’re looking for help securing your organization from the industry’s leading professionals.
Our engagement might involve:
- Application penetration testing — aiming to identify application layer flaws such as Cross Site Request Forgery, Injection Flaws, Weak Session Management and many more.
- Network penetration testing — aiming to identify network and system level flaws including misconfigurations, wireless network vulnerabilities, rogue services and more.
- Physical penetration testing — understanding strength/effectiveness of physical security controls through real-life exploitation.
- Social engineering — aiming to exploit weaknesses in people and human nature, testing human susceptibility to deceitful persuasion and manipulation through email phishing, phone/text message, and physical/onsite pretexting.
- All of the above — Red teaming is a full-scope, multi-layered attack simulation designed to measure how well your people, networks, applications and physical security controls can withstand an attack from a real-life adversary.
Keep in mind, too, there’s a difference between penetration testing and red teaming. Even though they are often used interchangeably, we like to put it in vivid terms — pen testers are pirates ready to rampage and pillage wherever and whenever they can. Red teamers are more like ninjas, stealthily planning multi-faceted, controlled, focused attacks.
5 tips to prepare for your penetration test or red team operation
Know what you are looking for from the engagement.
Sure, we listed all those types of engagement above because we wanted to show off all that we can do. It also helps you to understand all that’s available to you.
However, we don’t recommend all of our services for all organizations. Far from it, in fact; we specialize in creating tailor-made plans specific to your organization’s needs. We like to make this known in advance because it’s much easier for us to accurately plan and price your engagement if we know what you’re looking to include from the outset.
Know what you are asking for.
This is related to the previous tip, of course. It’s possible that you know that you want web application testing, but you don’t have a very deep sense of what that actually means for you.
We’d recommend reviewing some of our resources like our blog post on Understanding Application Complexity to help you get a handle on what we’ll be talking about and what that means for you.
Know the numbers ahead of time.
The better able you are to quantify your testing environment, the more accurate and specific we can be. For example, be ready for us to ask you “how many IP addresses do you have?” Please, don’t hand us a five-page spreadsheet and make us count them by hand. Know the answer beforehand and it’ll be a whole lot more painless for the both of us.
You can get a good idea of the topics we’ll want to know about by perusing our Scoping Questionnaire.
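As an added illustration (not RedTeam Security's own tooling or scoping questionnaire), here is a short Python script that turns a scope list of CIDR blocks, single IPs and dash ranges into a count of unique in-scope addresses, collapsing overlapping entries that inflate a hand count, and compares the total against a host budget. The scope list and the 50-host budget below are constructed sample values.

```python
"""Count unique in-scope IP addresses from a scoping list and check a host budget."""
import ipaddress

# Constructed sample scope list: CIDR blocks, a single host, a dash range,
# plus overlapping entries of the kind that inflate a hand count.
SAMPLE_SCOPE = """
# external ranges
203.0.113.0/28
203.0.113.5          # already inside the /28 above
# internal lab
10.10.0.0/24
10.10.0.128/25       # already inside the /24 above
192.0.2.10-192.0.2.20
"""


def parse_scope(text: str) -> list:
    """Parse lines of CIDR, single IP, or 'start-end' ranges into network objects.
    '#' starts a comment; blank lines are ignored. IPv4 and IPv6 are accepted,
    but one list should stick to a single address family."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "-" in line:
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            # Expand an arbitrary range into the minimal set of CIDR blocks.
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=False tolerates host bits set in a block like 10.0.0.5/24.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def count_addresses(nets) -> int:
    """Unique address count after collapsing overlapping and adjacent networks.
    Network and broadcast addresses are included, matching 'how many IPs'."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def scope_summary(text: str, budget_hosts: int) -> dict:
    """Report the unique address total and whether it fits the host budget."""
    total = count_addresses(parse_scope(text))
    return {
        "unique_addresses": total,
        "within_budget": total <= budget_hosts,
        "over_by": max(0, total - budget_hosts),
    }


if __name__ == "__main__":
    print(scope_summary(SAMPLE_SCOPE, budget_hosts=50))
```

Feed it your real scope list instead of the sample and you have the answer to "how many IP addresses do you have?" before the scoping call, along with an early warning if the scope exceeds what the budget covers.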
Know your budget parameters.
In order for us to work within your budget parameters, we need to know what they look like. The more we know, the better able we are to determine if your budget matches your testing environment.
For example, we can’t test 100 live hosts when you only have the budget to test 50. With all the numbers at our disposal, in advance, we can work with you beforehand to determine priorities based on your objectives, the importance of the testing items, and your risk level.
Know your appetite for risk.
Asking this question is our chance to channel our inner financial advisors. With a better idea of your risk threshold, we can make smart choices about what level of testing to conduct for your organization.
If you are relatively risk tolerant, for example, maybe we don’t need to go as in-depth. If you’re risk averse (or in an industry with strict security regulations or compliance requirements), we will want to be as thorough as possible, leaving no stone unturned.
Finally, provide as much detail as you can when answering our scoping questionnaire and during your consultation with a RedTeam Security expert. Your responses help us ensure an accurate and complete proposal, which helps us help you for your RedTeam engagement.
If you have any questions, schedule a meeting with one of our security consultants. We’re here to help.