Attack, Defence and Facilitation
Join SOC Analyst Amy Hargreaves and Security Consultant James Chamberlain for a tour of the roles and objectives of red, blue and purple teams.
A red team exists to attack, a blue to defend. The ambition is to strengthen an organisation's security by learning from the ensuing combat. A purple team is optionally set up to support the process.
A red and blue team exercise can be hugely beneficial as it affords the opportunity to challenge an organisation's defences realistically.
A red team is typically independent of the company (target) and hired to covertly test its defences. The team consists of skilled ethical hackers whose objective is to identify and safely exploit vulnerabilities in the target's cybersecurity or physical perimeters.
By mimicking sophisticated real-world threats, the exercise will be highly realistic. A red team deploys bleeding edge hacking tools and techniques designed to infiltrate systems and premises. This could extend to writing their own malware and devising new methodologies, just as malicious hackers do.
Traditional penetration testing deploys loud (typically detectable) techniques - e.g. vulnerability scanners such as Nessus - to identify gaps in security. In contrast, a red team is stealthy and will do everything it can to avoid detection.
Some organisations will be confident their systems are hard to penetrate as they have a range of robust security measures in place. A red team need only find the weakest link to break their perimeters wide open. This could include spear-phishing (socially engineering) employees or replicating the target's external services in a lab to find zero-day exploits.
In a red team engagement, anything goes. If this means arriving at the company's offices disguised as a delivery driver asking to "quickly pop into the post room" so be it. As they pass through, they'll discreetly insert a USB drive into a PC. Mission accomplished.
The red team’s objectives and duties include:
- Compromising the target's security by extracting information, infiltrating its systems or breaching its physical perimeters.
- Avoiding detection by the blue team. Many attacks occur over a fleeting period of time, making it extremely tricky for the blue team to neutralise the threat before the 'damage' is done.
- Exploiting bugs and weaknesses in the target's infrastructure. This highlights gaps in the organisation's technical security that require fixing, thus improving its security posture.
- Initiating hostile activity - including sophisticated penetration testing - giving a reliable assessment of the blue team's defensive capabilities.
The red team's methods include:
- Initial reconnaissance - open source intelligence (OSINT) for collecting information on the target.
- Deploying command-and-control servers (C&C or C2) to establish communication with the target's network.
- Using decoys to throw the blue team off the scent.
- Applying social engineering and phishing techniques to manipulate employees into exposing or revealing information to compromise their machines.
- Physical and digital penetration testing - typically done in a vacuum.
A blue team is a company's own cybersecurity personnel, typically within a Security Operations Centre (SOC). The SOC consists of highly trained analysts who work on defending and improving their organisation's defences around the clock.
The blue team is expected to detect, oppose and weaken the red team. The mock attack scenario is designed to enhance their skills by preparing them for dangerous real-world attacks.
Many of today's threats, such as malware and phishing emails, will be stopped dead by automated tools on the network's perimeter. For example, endpoint security products and threat detection platforms. The SOC or blue team adds vital human intelligence to the tools and technologies and is both proactive and reactive.
The blue team will detect and neutralise the more sophisticated attacks and closely monitor current and emerging threats to preemptively defend the organisation.
The blue team's objectives and duties include:
- Understanding every phase of an incident and responding appropriately.
- Noticing suspicious traffic patterns and identifying indicators of compromise.
- Rapidly shutting down any form of compromise.
- Identifying the red team/threat actors' command and control (C&C or C2) servers and blocking their connectivity to the target.
- Undertaking analysis and forensic testing on the different operating systems their organisation's runs, including use of third-party systems.
The blue team's methods include:
- Reviewing and analysing log data.
- Utilising a security information and event management (SIEM) platform for visibility and detection of live intrusions and to triage alarms in real-time.
- Gathering new threat intelligence information and prioritising appropriate actions in context with the risks.
- Performing traffic and data flow analysis.
IT Lab operates a cutting edge Security Operations Centre and can act as your blue team. Click here for details on our SOC.
A purple team is not permanent; it has a transient function to oversee and optimise the red and blue team exercise. It's typically formed of security analysts or senior security personnel within the organisation.
If the red and blue teams work well, a purple team may become redundant. It can be more of a concept than a function, driving the red team to test and target specific elements of the blue team's defence and detection capabilities.
The purple team's objectives and duties include:
- Working alongside the red and blue teams, analysing how they work together and recommending any necessary adjustments to the current exercise, or noting them for future.
- Seeing the big picture and assuming the mindset and responsibilities of both teams. For example, a purple team member will work with the blue team to review how events are being detected. The team member will then shift to the red team to address how the blue team's detection capabilities can be subverted.
- Analysing the results and overseeing necessary remedial actions, e.g. patching vulnerabilities, implementing employee awareness training and;
- Ultimately deriving maximum value from the exercise by applying learning and ensuring stronger defences.