Red vs. Blue vs. Purple team

CyberStart Family · Published in CyberStart · 4 min read · May 21, 2019

When it comes to cybersecurity roles, they tend to fall into three coloured ‘teams’. Here, we dissect the duties of each, the skills you need and how the teams interact with one another.

We’re moving! Come and find us on www.cyberstart.com/blog where you will find even more tips, tricks and industry support. See you there!

Red Team

Red team roles attack networks and find the vulnerabilities: they are hired to simulate a hacker trying to break into an application, whether it is web based, installed on a computer or on a mobile phone.

Main role: A ‘hacker’ called a Penetration Tester.

Work style: Red team experts are usually freelance and hired by the target company to test its defences (which are created by the blue team). However, some companies have in-house red teams to test their networks and suggest how to make them better.

Main objectives:
· To compromise the target system’s security
· Exploit bugs and vulnerabilities
· Assess the blue team’s defensive capabilities (and avoid their detection)

How: Red teams start from initial reconnaissance and open-source intelligence (OSINT) to collect information about the target and identify potential areas of weakness.
They then use this to attack, or apply social engineering tactics (like phishing, pretexting, baiting or quid pro quo) to manipulate employees and gain more information to access the network.
They also create decoys to throw the blue team off their trail.
Red team attacks can also be physical. Red teams may gain access to the physical location of a client’s infrastructure (by tailgating or other means) and see how far they can get from there.

Blue Team

If you have attackers, you also have defenders. The blue team is responsible for setting up secure network infrastructure, monitoring it and responding to any attacks.

Main role: Security Analysts within their own Security Operations Centre (SOC)

Work style: Blue teams usually work in-house, inside the organisation they defend. While companies can outsource blue team work, doing so presents its own challenges and limitations even if on the surface it saves money.

Main objectives:
· To successfully defend a system
· To detect, oppose and limit the red team / an outside hacker
· Understand incidents and how to respond
· Notice suspicious traffic
· Analyse and undertake forensic investigation across different media
· Research current ‘threat actors’ or operations and apply their knowledge

How: Blue teams require many skills to successfully defend a system. They need to be able to take on a SOC (Security Operations Centre) role, focusing on forensics, cover incident response duties and work with security information and event management (SIEM) systems. They also need to be able to research threat intelligence (typically indicators of compromise), applying it to their networks via SIEM rules or other rule-based devices such as intrusion detection or intrusion prevention systems (IDS/IPS).

Main day-to-day activities include performing traffic analysis and data analysis, analysing and reviewing log data, using SIEMs to detect live intrusions and maintain network visibility, and creating custom rules within these SIEMs to better detect current malicious threat actors.
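To make the "apply threat intelligence via SIEM rules" activity concrete, here is an added example (not code from the CyberStart post) of a minimal, SIEM-style detection pass over log lines. It applies two kinds of rule: matching indicators of compromise (IP addresses, domains, file hashes) from a threat-intelligence feed, and a behavioural rule for repeated failed logins from one source, which no single indicator would catch. The indicators, hostnames and log lines are all constructed for the example and the log format is an assumption; nothing here refers to a real threat actor or a real SIEM product.

```python
"""
Added example: a tiny SIEM-style rule pass of the kind a blue team runs
day to day. Everything below (feed, hosts, log lines) is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (assumption: the SIEM ingests it as sets).
IOC_IPS = {"203.0.113.45"}                                  # documentation range
IOC_DOMAINS = {"update-check.example"}                      # reserved example TLD
IOC_HASHES = {"3f786850e387550fdab836ed7e6dc881de23001b"}  # constructed SHA-1

# Constructed log lines in an assumed "timestamp host event key=value..." format.
SAMPLE_LOGS = [
    "2019-05-21T09:00:01 fw01 conn src=10.0.0.7 dst=203.0.113.45 dport=443",
    "2019-05-21T09:00:05 dns01 query src=10.0.0.7 qname=update-check.example",
    "2019-05-21T09:00:09 ws-42 exec sha1=3f786850e387550fdab836ed7e6dc881de23001b path=C:\\Temp\\svc.exe",
    "2019-05-21T09:01:00 vpn01 login_failed src=198.51.100.9 user=alice",
    "2019-05-21T09:01:02 vpn01 login_failed src=198.51.100.9 user=bob",
    "2019-05-21T09:01:04 vpn01 login_failed src=198.51.100.9 user=carol",
    "2019-05-21T09:01:06 vpn01 login_failed src=198.51.100.9 user=dave",
    "2019-05-21T09:01:08 vpn01 login_failed src=198.51.100.9 user=erin",
    "2019-05-21T09:05:00 vpn01 login_ok src=192.0.2.8 user=frank",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    record = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    record.update(KV_RE.findall(m["rest"]))  # key=value pairs become dict entries
    return record


def ioc_rule(record):
    """Rule 1: flag any field value that appears in the threat-intel feed."""
    hits = []
    for key, value in record.items():
        if key in ("ts", "host", "event"):
            continue
        if value in IOC_IPS:
            hits.append(("ioc_ip", value))
        elif value in IOC_DOMAINS:
            hits.append(("ioc_domain", value))
        elif value in IOC_HASHES:
            hits.append(("ioc_hash", value))
    return hits


def brute_force_rule(records, threshold=5, window=timedelta(minutes=1)):
    """Rule 2: `threshold` or more login_failed events from one source inside `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login_failed" and "src" in r:
            failures[r["src"]].append(r["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        # Sliding window over consecutive failures; one alert per source is enough.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(("brute_force", src))
                break
    return alerts


def run_detection(lines):
    """Apply both rules to raw log lines and return (rule, indicator) alerts."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    alerts = []
    for r in records:
        alerts.extend(ioc_rule(r))
    alerts.extend(brute_force_rule(records))
    return alerts


if __name__ == "__main__":
    for rule, indicator in run_detection(SAMPLE_LOGS):
        print(f"ALERT {rule}: {indicator}")
```

The two rule types illustrate why the post says threat intelligence has to be *applied*: the feed only helps once its indicators are compared against the fields the logs actually carry, and behaviour-based rules like the brute-force check cover what the feed cannot. In a real SIEM the same logic would be expressed in the product's query or correlation-rule language rather than Python.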

Purple Team

The Purple Team is a newer, joint approach: a combination of both red and blue, sitting between the two teams.

Main role: Purple team members oversee and optimise red and blue teams to establish greater communication channels so they can foster a more collaborative culture.

Work style: Purple team is typically formed from Senior Security Analysts, Threat Intelligence Analysts or Senior Management within an organisation. The purple team works alongside both red and blue teams to identify weaknesses and suggest improvements in the interior workings of both teams.

Main objectives:
· Encourage collaboration between red and blue team
· Work alongside both red and blue teams to identify weaknesses
· Suggest improvements in the interior workings of both teams
· Ensure the maximum delivery and outputs from both teams collectively

How: The purple team builds on the effectiveness of both red and blue teams, as well as their potential for collaboration, enhancing their security controls and maximising the organisation’s cyber capabilities.

Purple teams oversee these improvements. For example, if a Penetration Tester wants to tell a Security Analyst how to update a SIEM rule to detect a new adversary, the purple team will make sure that this task is completed successfully.

Ultimately, the purple team ensures the maximum delivery and outputs from both red and blue teams collectively. Purple teams are puzzle solvers, making sure that a company is as cyber secure as possible.

Now you know what each team does, which one would you like to be part of?

Interested in our programmes? Check out where you can build your cyber security knowledge for free!

UK 13–18-year-old student programme: Cyber Discovery https://cyberdisc.io/medium

USA 13–18-year-old girls’ student programme: Girls Go CyberStart https://ggcs.online/medium

USA college student programme for those aged 18 and above: Cyber FastTrack https://cyberft.io/medium

CyberStart is a collection of tools that will introduce you to the cyber security industry and accelerate your entry into the profession! 💻