Red team vs. blue team exercises are a valuable learning tool for security teams. In these scenarios, the red team simulates an attack that the blue team needs to defend against. By doing this, the blue team has the opportunity to test their skills in an active environment and better prepare for real attacks.
What is the Red Team?
The red team is a group of individuals experienced in penetration testing and vulnerability scanning that are tasked with simulating a cyber attack. By utilizing the same tools, techniques, and tactics that criminals use, these team members can launch a highly realistic attack. Specialized training is needed to successfully execute these roles, and many learn in the military. Others participate in labs, take classes, and practice on their home networks. Each member within the team has a role based on their specific specialty (network, privilege escalation, etc.).
Unlike standard penetration testing done by a singular person or automated tool, which are more easily recognizable, the goal of the red team is to be sneaky. Their aim is to get into the network, steal data, and get out undetected. Their attacks are always different because they are operating with the mindset of a criminal, always asking “what would the criminal do?”. Red teams will also have clear objectives from the company. These might include gaining access to the domain controller or an email system to see if sensitive information can be stolen.
When red teams are launching an attack, they need to follow the industry best practices surrounding the steps an actual criminal would take. Originally established by Lockheed Martin as the Cyber Kill Chain, the current protocols are the MITRE ATT&CK framework. This program, started in 2013, “is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.”
Red teams can also be physically present. Members can go to the company’s physical site and gain network access via a USB device or with a laptop using company WiFi in the parking lot.
What is the Blue Team?
The blue team originated with secure IT before security became its own department. People working in IT departments began to get deeper into cybersecurity and eventually branched out into their own group, forming what is now considered to be the blue team.
As blue teams have evolved, so have their programs and procedures. It’s from these new policies that companies started to make their own security recommendations like network segmentation, access control, intrusion detection and prevention, email security, and firewalls.
Blue teams today are focused primarily on security and network monitoring. While some companies still use the older model of IT handling security, most modern, data-driven companies are far more likely to use this new security-specific team model. This is helped by the addition of security individuals within the C-suite.
Unfortunately, many small and medium-sized businesses can only afford a security team or an IT department, not both. They can either outsource or try and do it themselves; however, this can be problematic because it’s not reasonable to expect someone to do both jobs well.
What is the Purple Team?
Experience as part of both the red team and the blue team is required to be considered purple team. This dual knowledge provides a holistic view of the entire kill chain from the way the attack works to how that same attack is defended. This is similar to threat intelligence where professionals are analyzing vulnerabilities and attacks while trying to figure out how to prevent them from happening. The purple team plays the role of coach, seeing both the offense and defense and helping them work together.
Can Red and Blue Teams Work Together?
While these teams can work together, red teams will always have the advantage as the offensive party. The blue team has a more challenging role because they need to be selective with their time; they cannot block every single threat, because this would be too time-consuming. For this type of exercise to be successful, the blue team cannot know when the red team’s attack is coming, because that is unrealistic in the real world.
The 1/10/60 rule is an industry best practice to help neutralize threats, but it needs to happen in a way that does not harm the business.
- Detect suspicious activity in 1 minute
- Analyze that activity within 10 minutes
- Contain the attack within 60 minutes
What Are the Benefits of Red Team and Blue Team Services?
The goals of these exercises are improvement—for the individual members, the teams, and the company. By participating in an exercise, blue team members can learn from red team attacks they cannot defend against and learn how to spot similar attacks in the future. By practicing against seasoned attackers, the blue team will be better prepared to defend against a real criminal.
These exercises should be done at least once a year, at minimum every other year. Having this continued education can save recovery money, data loss, and the protect company reputation in the face of a cyberattack. Red vs. blue team exercises also highlight weaknesses that need to be secured, which is helpful to know when allocating a security budget.
Blue Team Alpha runs red team vs. blue team exercises to help businesses ask themselves: “Do you think your organization is prepared for an attack?” Find out more information on the services offered here.
