What’s the difference between Pen Testing, Red Teaming, and Threat Hunting?

At first glance, it seems like pen testing, red teaming, and threat hunting all seem like a fancy way of saying the same thing — a test to make sure your data is protected from attackers. Full disclosure, I first came across these terms when writing content for the MPG website. They seemed to overlap in more ways than one, so I set out to do a little investigating on my end to make sure I understood each of them individually and their unique purpose to an organization’s security posture. I am on the marketing team at MPG, so my research was slightly less technical than most, but if you’re looking to understand them at a high-level, you’ve come to the right place.  

I already mentioned that these terms have a common goal of protecting data from attackers. Each of them can be extremely useful, but as you’ll see, picking one over the other really depends on what your goals are. Frequently, we see a combination of these services requested, so organizations are getting the broader sense of what these test results bring back. 

Let’s dive into the similarities and differences between pen testing, red teaming, and threat hunting. 

What is Pen Testing? 

Wikipedia definition: “A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.” 

Objective: To find as many vulnerabilities as possible, that may lead to a breach.  

Sometimes, pen testing simulations are known about by the teams they are impacting; other times they are not. From what I’ve found, it seems like these are commonly focused on exploiting known vulnerabilities that have not been patched properly or at all. 

Examples:  

  • Web Assessments: Discovering and exploiting web-related vulnerabilities such as Cross Site Scripting (XSS) and Structured Query Language (SQL) Injection 
  • Network Assessments: Discovering and exploiting network related vulnerabilities such as insecure protocols, services, and applications 

What is Red Teaming or a Red Team Assessment? 

Wikipedia definition: “A Red Team Assessment is similar to a penetration test in many ways but is more targeted. The goal of the Red Team Assessment is NOT to find as many vulnerabilities as possible. The goal is to test the organization’s detection and response capabilities. The red team will try to get in and access sensitive information in any way possible, as quietly as possible.” 

Objective: To find an entrance to specific information without causing alarm from internal systems, thus also testing the organization’s response capabilities, time to response, etc.  

In a few different articles that I found (like this one) pen testing and red teaming are compared to pirates and ninjas. The idea is that “pirates,” or pen testers, come in loudly and fiercely to take anything and everything that they can. They are less discrete, and you’re well aware of the attack. On the other hand, “ninjas,” or a red teams, focus on more controlled, and stealth attacks. They have a specific thing (i.e specific data) `that are trying to take and don’t bother with other distractions.  

Examples:  

  • Phishing: Enticing unsuspecting users into navigating to malicious sites or conducting malicious activity 
  • Code Execution:  Leveraging social engineering in conjunction with weaknesses in system security to obtain the ability to execute malicious code on a victim’s machine 

What is Threat Hunting? 

Wikipedia definitionAn active cyber defense activity. It is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” 

Objective: Find Existing threats by first looking for a breach, then working backward to find their  mode of access and what actions they took during the breach.  

All of the defensive measures in the world won’t matter if there’s already a threat actor inside your environment exfiltrating data. At MindPoint Group, we then take our learnings from this activity and develop new automated detections to alert on the types of activities we discover. 

Examples:  

  • Antivirus: System security tool to detect malicious payloads 
  • Threat Intelligence Resources:  Human-produced intelligence, customer telemetry, scanning and crawling open sources of information 

The Pen Testing, Red Teaming, and Threat Hunting Overlap 

If you’re a visual learner like me, fear not! We created this diagram to show where these three tests overlap and where they differ.  

Pen testing, red team, threat hunting

In conclusion, all these tests have their place and purpose in your cybersecurity strategy. As organizations continue to face evolving cyberthreats, your job to protect your organization’s data only becomes more crucial to success.  

For over a decade, MindPoint Group has helped organizations of every size, complexity, and sophistication design, implement, manage, and advance their cybersecurity defensive capabilities and operations—all to protect and support their missions and businesses. Learn more about our security operation services (including pen testing, red teaming, and threat hunting) to see how we can help your org.  

Related blogs: 

How to hack through a pass-back attack >  

3 Vulnerabilities to Lookout for in 2020 >