Often when speaking with non-IT business leaders, there is a confusion of terms when it comes to Penetration Testing. They hear their more technically inclined counterparts speak in just about all the colors of the rainbow which can make knowing what you want and need difficult to determine.
In simple terms, the color of a Penetration Test (PenTest) indicates:
- Approach
- Parties involved
- Authorization
Approach: Blackbox vs. Whitebox
In general, when you hire an outside party to perform a PenTest, they need to know the methodology for which they will perform the engagement. Specifically, will you share details about your environment or will you leave it up to them to determine which assets to target? A Blackbox test – occasionally labeled a blind test – is one in which the assessment team has no knowledge of the in-scope systems. The assessment team is expected to rely on public resources to determine which systems should be attacked. A benefit of this approach is that it mimics a real-world attack from a malicious actor using only knowledge determined from publicly available (i.e. internet-based) resources.
Conversely, a Whitebox test is one where you provide the assessment team with many details. This could include target networks, hardware inventory, network diagrams, and even credentials. The benefit of a Whitebox test is that the assessment team is able to identify a much larger list of vulnerabilities impacting your environment.
Parties Involved: Red Team vs. Blue Team
Every PenTest engagement involves two sides: attackers (the Red Team) and defenders (the Blue Team). Whereas most organizations do not have active monitoring controls in place, those that do, may want to evaluate the effectiveness of their Blue Team to detect the Red Team’s activities. In these engagements, the Blue Team is not notified of when the Red Team’s assessment activities begin.
What about White Teams? These are parties who monitor the activities of both the Red Team and Blue Team to evaluate the effectiveness and outcome of the engagement. This may be the business leaders who have inside information about when the Red Team will conduct their activities and are looking for notifications from the Blue Team when suspicious events are identified.
Authorization: Whitehat vs. Blackhat
Any respectable cybersecurity firm that is hired to conduct a PenTest will also require a Rules of Engagement to be established which stipulates the scope (e.g. targets) and constraints (e.g. testing window) of the assessment team’s activities. This document provides liability coverage for the Red Team while further providing transparency for the target firm on what and when testing will occur. If you are required to go to this level of approval with your assessment team, feel relieved you have engaged with Whitehat testers (also known as ethical hackers).
Conversely, a Blackhat is someone who performs unauthorized tests. Their motivation varies but without approval, their actions are criminal in nature. They may seek to perform financial fraud, reputational damage, or just simply wreak havoc on your IT infrastructure and consequently your business operations.
So What Do I Want?
BW Cyber’s assessment team is made up of a group of highly technical cybersecurity experts who each hold multiple PenTest related certifications. These Whitehat individuals use the same tactics, tools, and techniques employed by those with more nefarious intentions. The goal of any Whitebox exercise with BW Cyber’s Red Team is to provide you with a full understanding of what your technical risks are while providing you with a prioritized list of actions to deploy to further reduce or eliminate your risks.
If you have not conducted an annual Penetration Test this year, we recommend making it a top priority. Click here to get started.