By Tom Wilhelm
When I first began my career in information security, I was in the U.S. Army working in the Military Intelligence service. During that period in my life, every time we talked about adversaries in a training situation, they were referred to as the "Red Team." However, when I initially moved into the civilian business world, the term "Red Team" was never used; it actually had a negative connotation. Fast forward more than a decade, and suddenly the term "Red Team" is in vogue throughout the penetration test community. But what does it really mean, and should we be using the term at all?
I have used the term "penetration test" extensively during my career since I left the military, and always understood it as numerous steps, including information gathering, vulnerability identification, vulnerability exploitation and enumeration – but always within the boundaries of the project scope. The scope could be as restrictive or expansive as necessary to meet the business objectives and goals of the organization requesting the penetration test. In some cases, the scope was simply to verify vulnerabilities and identify potential problems once the vulnerability was exploited; other times, it was to see how far we could get into a network using whatever methods we selected. In other words, we did it all.
The concept of a "Red Team" attack from a military perspective is to imitate potential threats and use the same vectors that the adversary would use during an attack. The problem with this terminology used in information security is that a Red Team project somehow tries to separate itself from the general concept of a "penetration test," as if a Red Team assessment is somehow more than a pen test – more intensive, more advanced, or perhaps more effective in identifying and exploiting vulnerabilities within an organization's network. To separate Red Team from the term "penetration testing," proponents of the term "Red Team" distinguish Red Team efforts by restricting penetration testing to vulnerability verification without the ensuing enumeration component (or at least minimal enumeration). Opponents of the term believe that Red Team activities are already a subcomponent of penetration testing, and the attempt to separate Red Team from pen testing is simply a marketing ploy.
While I am in the camp that believes Red Team activities already exist in a professional penetration test, I do see some value in distinguishing different levels of effort within a pen test; customers have always been confused by the term "penetration test," and bandy the term around as if it defined everything from a simple vulnerability scan to multivector attacks against corporate assets. Although more and more businesses understand the need for a security process within their organizations (which includes penetration testing), they are still unfamiliar with what a penetration test truly comprises. Using buzzwords, including "Red Team," might help clarify exactly what corporate managers should ask for from security professionals. The danger is that too many buzzwords might add more confusion, not lessen it, especially within industries that include compliance. An example where adding new terminology could have devastating effects is PCI compliance standards, which require that a penetration test be conducted. Using the definitions of those who advocate the use of Red Team, a penetration test (which only verifies vulnerabilities – not enumerating past the initial compromise) would not comply with the spirit of PCI regulations. If the definition of "Red Team" continues to gain traction and becomes accepted within the community, many companies could be less secure because they only asked for a "penetration test," because that's all that PCI "requires."
The problem, however, doesn't really reside in whether or not "Red Team" is a new buzzword, or a valid activity separate from penetration testing; the real problem is our ineffectiveness at explaining what a penetration test encompasses and why penetration tests are an enabler for any organization that includes them within its security process. As a community, we have failed to provide management with the critical and fundamental understanding of what we do as professional penetration testers. Regardless of which terminology we use, the most important thing to remember is that we must be thorough in our explanation of all the steps taken during a penetration (or Red Team) test so that our clients won't simply watch our activities in wonder and confusion; rather, they will understand what we do and how we do it so that they can make the proper security decisions to reach their particular business goals.
Tom Wilhelm, ISSMP, CISSP, SCSECA, SCNA, SCSA, IEM, and IAM, is currently employed in a Fortune 20 company performing penetration testing and risk assessments. Tom has spent over 15 years in the Information System career field and is currently a PhD student at the National Center of Academic Excellence in Information Assurance Education. He is the author of the recently released Syngress hit, Professional Penetration Testing: Creating and Operating a Formal Hacking Lab, available at www.syngress.com.