Oct 1, 2022

What is Red team and Blue team in cybersecurity? Part 1

Red Teams are internal or external groups that assess the effectiveness of an organisation's security by realistically emulating the methods and strategies of the attackers it is likely to face. Red teaming resembles Penetration Testing, but pursues one or more objectives against the target as part of a sustained campaign rather than a short, scoped test. For those on the Blue Team, Adversarial Empathy, the capacity to think from the adversary's point of view, usually gained through attack experience, is essential.

Blue Teams are the internal security teams that defend against both real attackers and Red Teams. They should be distinguished from standard security operations teams in most organisations, because most operations teams do not work with a mentality of constant vigilance against attack. Purple Teams exist to ensure and maximise the effectiveness of both Red and Blue: they integrate the defensive tactics and controls designed by the Blue Team with the threats and vulnerabilities found by the Red Team into a single picture that improves coverage on both sides. Ideally, Purple should not be a dedicated team at all, but a permanent working dynamic between Red and Blue.


Although Red Teams and Penetration Testers share many skills and functions, they are not the same. There are a number of attributes that distinguish Red Teams from other offensive security teams. These include:

Red Teams emulate the TTPs of the adversaries the target is likely to face: they use analogous tools, exploits and pivoting methods, and they pursue analogous goals. This is known as campaign-based testing, and it runs for an extended period, often several weeks or months. A Penetration Test, by contrast, tends to rely on conventional pentesting tools and is short, typically one to two weeks, with a fixed set of aims such as pivoting into the internal network, obtaining confidential data or acquiring administrative rights. A Red Team engagement therefore draws on a tailored selection of TTPs and adversary-specific objectives over a much longer timeline.

Rather than simply testing for vulnerabilities, Red Teams use the TTPs of their likely threat actors in campaigns that run continuously over an extended period of time.

It is of course possible to build a Red Team campaign from the best-of-the-best TTPs known to the Red Team, combining common pentesting tools, techniques and goals, and to run it as a campaign (modelling a Pentester as the adversary). A true Red Team campaign, however, should emulate the TTPs of a specific threat actor, and those TTPs will often be quite different from the ones the Red Team would choose if it were simply running its own best attack.

Cybersecurity Blue Teams are the proactive defenders of a company. Some InfoSec tasks are defence-oriented but do not rise to the level of Blue Team work: for example, a tier-1 SOC analyst who has no training or interest in offensive techniques, no curiosity about what they are looking at, and no creativity in following up on alerts.

The difference between a Blue Team and merely doing defensive things is the mentality. Here's how I differentiate: Blue Teams and Blue Teamers possess:

- A proactive rather than reactive mindset
- Endless curiosity regarding things that are out of the ordinary
- Continuous improvement in detection and response

It's not about whether someone is a self-taught tier-1 SOC analyst or some hotshot former Red Teamer from Carnegie Mellon. Continually improving and being curious are the key.

Purple Teams: rather than a dedicated team, purple is a cooperative mindset between attackers and defenders. The best use of the term is for a group that is not familiar with offensive techniques and wants to learn how attackers think; it could be an incident response group, a detection group, or a developer group. A Purple Team exercise involves such a group learning directly from the organisation's whitehat attackers. Purple Teams are not necessary in organisations where the Red Team / Blue Team interaction is healthy and working well, because a Red Team's purpose is already to improve the Blue Team. If that is not happening, the solution is to fix the Red Team / Blue Team dynamics, not to create a separate group that does their job for them.


Yellow, Orange, and Green Teams: what are they?

April Wright brilliantly introduced a few other team types in a Black Hat talk called Orange is the New Purple, in addition to the well-known Red, Blue, and Purple team concepts. In that talk she introduced the Yellow team, the builders (developers and engineers), and combined it with Blue and Red to derive the other colours: Green (Yellow plus Blue) and Orange (Yellow plus Red). I think this is extremely smart, but I disagree somewhat with some of the characterisations of the combinations. In what I'm calling the BAD Pyramid, which is a derivative of April's work, I captured my own interpretation of these interactions. I don't much care for the word "team" being assigned to all these colours, since in most cases they are mindsets or functions rather than dedicated groups of people. Developers, for example, already have a name. I would prefer to see Green, Orange, and Purple behaviours absorbed into Developer or Blue Team behaviours.
