The software industry often borrows names and processes from the US Army. One example is when the army splits its team into blue and red.
The blue one is defending a target, and the red one is attacking.
Some software companies adopted the same approach. The blue team consists of experienced experts responsible for keeping company assets secure. In turn, the red team specializes in finding a way to bypass security measures.
Find out why you should have a dedicated red team that constantly tests your cybersecurity and how your organization can benefit from creating its own red and blue teams.
What is the blue team?
The blue team is responsible for maintaining an IT infrastructure. They are defensive security professionals. Areas of their specialization include:
- identity management,
- user devices, and many more.
The required skillset depends on the company infrastructure.
Together they ensure that all solutions are properly configured and maintained to ensure that all company assets are secure. Their skillset consists of understanding company security strategy, analytical skills to identify threats, and hardening skills. That means they know how to reduce the attack surface and eventually spread security awareness in the organization.
Examples of blue team exercises
The blue team implements a set of exercises to verify the security.
The first (and key) step is ensuring that all security devices and tools deployed in the organization are properly configured and up-to-date.
That means checking firewall, IDS/IPS antivirus configuration hardening, and update management.
The blue team needs to ensure that access to assets in the company is limited. They do it by reviewing permissions to networks and assets, in general, using the least-privileged access concept. That means the user should not have access to something they do not need to.
The best way to grow in a blue team is to monitor new public security tools and verify if they are correctly detected or blocked.
It is a great way to ensure that the team is aware of the newest threats and if current tools and processes are sufficient to handle them properly.
The results from such exercises are:
- improved knowledge of the blue team members,
- new detection rules in detection and prevention systems,
- configuration improvements,
- and scheduling of urgent software updates.
Another exercise the blue team can do is to look for publicly available servers under the company DNS address. They do that to ensure that all of them are monitored and properly managed.
What is the red team?
A red team can simulate attacks on company assets.
They consist of security professionals qualified in:
- operating system security vulnerabilities,
- malware development,
- social engineering,
- and sometimes hardware and physical security.
Their skillset is similar to what malware operators or hacking groups like LAPSUS$ have, but they use it only ethically. They are developing TTPs (Tactics, Techniques, and Procedures) to simulate already known and new attacks.
As many companies use different software and have various infrastructure approaches, it requires a great effort to ensure that the team can deliver satisfying results for the exercises. For example, there can be a massive difference in attacks on on-premise infrastructure vs. the cloud-based one.
Examples of red team exercises
Depending on the team structure, red teams may work to break security controls to achieve target access. They can learn how to execute sophisticated attack techniques using training, research, and publicly available articles and tools.
Sometimes these security teams arrange access to widespread business tools. They do that to see how they work, and to find security vulnerabilities or common misconfigurations that they can use for attacks.
For learning purposes, the IT security community provides applications and virtual machines that are deliberately broken. That way, they want to show typical vulnerabilities for specific cases.
With all that knowledge, red team members can provide attack simulations to test the security controls of an organization. Typically there is a specific target.
It can be, for example, Domain Admin in Active Directory services, high-value data in the database, or proof of getting access to a restricted area.
Another thing to clarify before the test is to confirm the scope. A team needs to agree on what to attack, what is prohibited, and who to contact in case of any issues.
A good example is a letter stating that this is a test with contact info to a person responsible for a test on the company side.. After the tests, the team delivers a report with the scope, findings, and recommendations. It may contain all of the executed steps so that blue team members can review them, find blind spots and remove them.
Benefits of red team vs. blue team approach
Security systems are getting more complex each day. More and more processes are being automated and moved to the company infrastructure. Companies are using the new web, mobile applications, appliances, and even Internet of Things devices. In the age of digital acceleration, it is the only way to keep up with the market.
Unfortunately, each of these elements is a potential security risk if not properly assessed and verified in the whole environment.
Blue teams can do their best given limited budgets, headcount, experience, and priorities to ensure the company is safe.
But even then, there is a risk that they missed something or were wrongly prioritized. And then the breach can happen.
That is why red team exercises on company assets are crucial to assess a security posture. By doing such exercises regularly, it is possible to limit how long a vulnerability is present in the system and how severe damage it can introduce to it.
It is also a good idea to retest fixes as soon as they are published. That way the team can be sure that they are sufficient to resolve the vulnerability.
It is also worth noting that even if they did not detect vulnerabilities in a recent test, the threat landscape is still evolving.
New approaches and techniques to break into the systems are invented every day. Finally, it is a good way of elevating awareness about social engineering attacks in the whole organization.
Quite a new approach for collaboration between the Blue team and Red team is a security methodology called Purple teaming. That means closer cooperation between the teams to improve spreading awareness and boost the performance of all team members.
For a red team member, it is valuable to see how defenders usually work with services they need to protect. In turn, a blue team member can learn new attack techniques and tools with initial research delivered by a red team member.
Purple teaming can improve the security posture of an organization. Keep in mind though that if there is no red team present in the organization, such exercises can be arranged together with penetration testing as a form of a workshop.