One Team, Two Team, Red Team, Blue Team (And Also Purple Team):

How to Best Utilize Security Efforts through Red Team-Blue Team Exercises

Mackenzie P.
5 min read · Aug 9, 2019

Teamwork really does make the dream work when it comes to proper information security.

With security breaches popping up left and right, costing companies billions of dollars and costing billions of customers their sensitive information, cyber and information security continue to prove themselves some of the most important — and most costly — aspects of computing.

Just as necessary as a strong line of defense is a strong line of offense. No, I’m not telling you to hack your school servers and change your grades. I’m talking about a tactic called “red team-blue team exercises.”

In its most basic form, this is a way to test the security measures a company has put in place (alternatively, a company can contract an outside firm to act as its red team). Within a cyber security team, members split into either the blue team or the red team. The blue team is responsible for the defensive side of cyber security, while the red team is in charge of offensive security.

Think of it like a soccer scrimmage! You’re all on the same team, but the red team is always trying to score. And the blue team is always trying to block the shots. And instead of attempting to make goals, the red team attempts to acquire data. It’s stressful, but it’s a great way to test out plays and see where the team can improve.

[Image: A very good summarization from Hacker Noon.]

There are lots of types of security measures, and every aspect could — and should — be taken into consideration. Maybe you are preventing a physical security breach and want to ensure only authorized personnel have access to a building. Maybe you need to make sure computers aren’t compromised by malware. Maybe you have specific data in mind that you want to take extra care to protect. In any case, this security exercise is useful and highlights where defenses fall short.

As SecurityTrails mentions in their post about the subject, both roles are vitally important for the operation to work. One cannot have a blue team without a red team, and vice versa.

“The red team uses its tactics of attack and offense to test the blue team’s expectations and preparation of defense. Sometimes, the red team may find holes that the blue team has completely overlooked, and it’s the responsibility of the red team to show how those things can be improved. It’s vital for the red and blue teams to work together against cyber criminals, so cyber security can be improved.” -SecurityTrails

Nice! This seems like a good idea. How do we begin?

There are some major components and characterizations associated with both red and blue teams. Let’s go over some of them:

RED TEAM

[Image: How a red team might see themselves.]

Think outside the box.

When playing the role of a cybercriminal, the most effective way to do the job is to think like a cybercriminal. Look for ways to exploit weaknesses in the security the blue team has in place.

Write your own tools.

This takes a lot of practice and skill, but realistically, an experienced attacker will have their own tools. For an effective red team, building tooling that existing detection signatures do not yet recognize is a useful way to test the blue team’s defensive maneuvers.

Utilize social engineering.

Social engineering, according to Symantec, is “the act of tricking someone into divulging information or taking action, usually through technology. The idea behind social engineering is to take advantage of a potential victim’s natural tendencies and emotional reactions.” It may be as simple as impersonating customer service personnel, or making an appointment at an office under a pseudonym just to get access to the physical network.

[Image: This is a good example of social engineering.]

The most important part of being on the red team…

…is starting on the blue team.

If you have never tried red team-blue teaming, it is best to play defense enough times to feel comfortable with the technology and security exercise. Starting off as blue team will help you become a stronger red team.

BLUE TEAM

[Image: How the blue team might see themselves during the exercise.]

Maintain organization and detail-orientation.

Knowledge is power. Ensure that you know your security system back and forth, and know not only how to recognize suspicious activity, but how to deal with it. Being a detail-oriented team means making sure nothing slips through the cracks without someone noticing.

Have hardening techniques in place for when the threat cometh.

For it shall cometh. Knowing that a security vulnerability is inevitable is the first step in creating a solid hardening technique for your security system. Ask your team, once suspicious activity is noted, what should change? What ports, if any, should close? Should these techniques be automated?

Utilize software intrusion detection systems.

There are already many tools out there the blue team could use, like the intrusion detection software NetWitness, big-data analysis tool Splunk and network monitoring software Wireshark.

PURPLE TEAM

Although the red team and the blue team have different roles in the exercise, both teams are working toward a common goal: increasing security. Think of it as a “purple team” — you’re working toward the same overarching goal and learning from one another.


“He who is prudent and lies in wait for an enemy who is not, will be victorious.”

-Sun Tzu, The Art of War

Mackenzie P.

NY-based techie. Passionate about STE(a)M, security, AI/ML, memes and omitting the Oxford comma.