The InfoSec Color Wheel

Dan Covic
7 min read · Mar 20, 2023


Most cybersecurity professionals have heard about red and blue teams. But did you know that there are others?

In this article, we will explore the InfoSec color team structure, the different teams involved, and how they interact with one another to produce full security coverage.

The image below displays the full spectrum of teams needed for organizational security. It shows the different teams and their respective roles.

Color Wheel

Primary Teams

The color chart above represents the different cybersecurity teams. As you can see, there are three primary teams, which are represented by the primary colors:

  • Blue team, also known as the defenders
  • Red team, also known as the attackers
  • Yellow team, also known as the builders

Primary Teams

Let’s take a look at each of these teams in more detail and explore some of their roles and responsibilities.

Blue Team

The blue team, known as the defenders, consists of security professionals who have a full picture of the organization. Their function is to defend the organization’s critical assets against any threat, internal or external.

This team has a full understanding of the business objectives and the organization’s information security strategy. Their duty is to strengthen the fortress walls so no intruder can compromise the defenses.

Blue teams are the ones who establish security measures around all of the organization’s key assets. Their defensive strategy begins by identifying the critical assets and then documenting their importance and the impact the loss of these assets would have on the organization.

They can then complete risk assessments by identifying potential threats against each asset and the vulnerabilities these threats can exploit. By evaluating the risks and prioritizing them, blue teams can produce a plan of action to implement controls that reduce the impact or likelihood of threats materializing against the organization’s assets. To achieve this goal, they break the work down into three main functions:

  • IT security/defense includes network monitoring, incident response, and patching.
  • Physical security includes locks, cameras, security personnel, etc.
  • Security awareness training means teaching employees how to protect themselves and their organization’s assets from threats.

Red Team

The red team, known as the attackers, is a team of security professionals whose task is to emulate a threat actor and subvert an organization’s security controls. In this team, the ethical hackers attempt to breach security by finding weaknesses in technology, people, and physical locations. Through this process, security vulnerabilities are identified and eliminated, and the attackers can make recommendations to improve the security posture of the organization they’re working for.

The red team is an adversary to the blue team, whose goal is to prevent attacks against the organization. Red teams are greatly beneficial to blue teams since their attacks allow the defenders to gauge the effectiveness of their defense. A red team engagement will show whether a blue team is able to detect, prevent and respond to the incidents the red team generates.

Organizations will often hire an external red team to test their defenses. Alternatively, it is also possible to maintain an in-house team of security professionals who constantly seek to challenge and improve the organization’s security. The main functions of red teams include:

  • Penetration testing (Pentesting): Often referred to as ethical hacking, pentesting is an activity where a red team attempts to infiltrate a secured network or system.
  • Social engineering: A technique through which a red team tries to deceive employees into providing sensitive information which can help them obtain access to a secured system. This can include the use of phishing emails.

Yellow Team

The yellow team is typically referred to as the builders due to its role in designing and building the various tools used by the other teams. The yellow team includes people who are involved in the testing or development of systems or applications. It also includes software engineers and system architects. These are the people who build and design software tools to improve organizational efficiency and introduce new products to the market. They focus primarily on requirements, functionality, user experience, and back-end performance.

It is becoming more common for the yellow team to be concerned with security while building their systems, in order to limit vulnerabilities and the possibility of exploitation. It is for this reason that the yellow team often has to work closely with both the red and blue teams, giving us the orange and green teams. Without this collaboration, a system designed by a yellow team alone may be a prime target for a threat actor due to its potentially insecure design.

Secondary Teams

Now that we have our primary teams, similar to mixing the primary colors, we can merge these to get new teams. These are known as the secondary teams, which combine the skills and techniques of the primary teams. The secondary teams consist of the following:

  • Purple team: Fills the gap between blue and red
  • Green team: Fills the gap between blue and yellow
  • Orange team: Fills the gap between yellow and red
  • White team: Incorporates all teams

These teams are crucial to fill in the security gaps between the three primary teams, highlighted in the image below:

Red Blue Yellow

Purple Team

The purple team bridges the gap between the red team’s offensive capabilities and the blue team’s ability to respond to the threats they pose. Their focus is to maximize the effectiveness of both the red and blue teams. The purple team integrates the defensive tactics and security controls from the blue team with the threats and vulnerabilities found by the red team into a single narrative that strengthens both.

The purple team cooperates with the blue team to improve their cybersecurity posture and points the red team in the right direction regarding an offensive strategy. Their goal is neither attack nor defense. It is to enhance organizational security as a whole. Moreover, their function is to act as a mediator for the two teams and promote collaboration between them.

Ideally, the purple team shouldn’t be a separate team at all, but rather a permanent dynamic between the red and the blue team. Their primary focus should always include the following:

  • Improving detection and defense through collaboration.
  • Enhancing the skills and improving the knowledge of the members of both the red and blue teams.
  • For larger organizations, monitoring and testing systems for potential vulnerabilities.

Green Team

The green team fills a vital role in improving collaboration between the blue and yellow teams. The blue team needs to be aware of everything that’s going on within their network. This includes monitoring and hardening systems and applications built by the yellow team. The green team consists of ongoing structured interactions between the blue team and the yellow team. Their primary focus is to enhance code-based and design-based defense capability for detection, incident response, and digital forensics. Essentially, the green team improves the detection capabilities of the blue team while securing the systems built by the yellow team.

For example, the green team can help improve organizational security by:

  • Greatly improving logging capabilities while also helping to prioritize important events.
  • Providing more useful data to the blue team for improved incident response.
  • Bringing improvements to the Change Management process through collaboration.
  • Creating greater overall security coverage through improvements to endpoint protection.

Orange Team

The goal of the orange team is to improve the security awareness of the yellow team. This is accomplished through offensive security training and ongoing engagements between the red and yellow teams. This results in a more security-conscious development team which, in turn, helps the yellow team build a more inherently secure system or application. The orange team can help the yellow team think like an attacker. With this mindset, the yellow team can spot security bugs and vulnerabilities with more precision and eliminate them during development, before the system or application goes into production.

The orange team can bring several security benefits to an organization. For example, they can:

  • Create a more security-conscious yellow team.
  • Promote offensive critical thinking while developing systems.
  • Help decrease the number of vulnerabilities and security bugs in a system.

White Team

The white team encompasses and manages all of the other colors without directly being any one of them.

The white team includes elements of management, compliance, analysis, and logistics. Their main goals are to provide neutrality, organize teams, set strategy, perform risk assessments, and monitor incident remediation. Often they run security training exercises, such as Capture the Flag, which pit the red and blue teams against one another. They also facilitate communication and collaboration between different groups to benefit the organization and improve overall security.

The image below shows the organizational security pyramid which the white team oversees. Each of these areas is important in its own right, but all must be managed to ensure that the organization’s security policy stays solid.

Risk Management Pyramid

That’s all for today!

Credits: RangeForce
