
Cyber Security: Red Team, Blue Team and Purple Team


Whenever we discuss Information Security from a defensive point of view, we are inclined to think about protection, damage control, and reaction.

However, adopting an attacker’s mindset can effectively help businesses enhance their chances of securing themselves against ever-changing threats.

In military jargon, the term Red Team is traditionally used to identify highly skilled and organized groups acting as fictitious rivals and/or enemies to the “regular” forces, the Blue Team.

In practice, the Red Team relies on its own expertise to explore every possible way of planning and carrying out an attack, adopting the standpoint and the attitude of a potential assailant.

Such simulations aim both to reproduce a real emergency and to improve the troops’ ability to fend off an attack.

At the same time, Blue Team members are trained and expected to detect, oppose and weaken the Red Team’s efforts.

All of these concepts have acquired a specific meaning in the cybersecurity field as well: here the Red Team’s hostile activities take the form of sophisticated penetration tests and adversary simulations, whose results provide a realistic assessment of an organization’s defensive capabilities and overall security posture.

Generally speaking, the Red Team is given a very specific task – for example, evaluating the possibility of accessing sensitive data stored in a database.

In such a scenario, the group acts as an external threat actor, looking for any opportunity to exploit bugs and weaknesses in the infrastructure, with the goal of extracting the required information.

Meanwhile, the Blue Team would be in charge of any defensive step.

The Red Team is supposed to both identify any vulnerability in the PPT (People, Process and Technology) defensive system and help the organization improve its own defensive abilities.

While the Red Team’s role is usually well-defined, the Blue Team’s (and hence the SOC analysts’ and incident handlers’) task is not known a priori: the defenders do not know in advance what the attack will look like. The former’s simulated assaults are therefore expected to test and enhance the latter’s skills, starting a virtuous circle.

The Blue Team’s work routine includes reviewing log data, using a SIEM, gathering threat intelligence, and performing traffic and data-flow analysis; their mission can be compared to finding the proverbial needle in the haystack.

Red Team members, on the other hand, have to be familiar with the TTPs (Tactics, Techniques and Procedures) of any potential opponent, which the Blue Team is expected to detect and counter.

While automation can be useful here, the Blue Team shouldn’t rely on technology alone: on both sides, human intuition, expertise and cleverness cannot (yet) be replaced, and social engineering techniques such as spear phishing are a strong reminder of this.

Let’s go back to our simulated data theft: in such a situation, Red Team members have to act as relentless cyber criminals. A first step might be compromising an end user’s PC, thus obtaining credentials useful for gathering information from within the network. This could lead to an attempted privilege escalation, aimed at obtaining privileged credentials that grant access to the central database. Once the database is accessed, the actual data exfiltration can take place, usually over a network connection to the outside, to the Internet.

The Blue Team should be able to notice such efforts, the lateral movement and every typical step of the so-called kill chain, as early as possible; basically, it must oppose the attack and prevent the Red Team from reaching its goal.
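As an added illustration (this is not code from the original article), here is a small Python script that applies two of the detections a Blue Team would want for the scenario above: an account fanning out to many hosts within a short window (lateral movement with stolen credentials) and a large transfer from the database server to an external address (exfiltration). The log lines, field names, thresholds and the 10.0.0.0/8 “internal” range are all constructed for this example and are assumptions, not values taken from the article.

```python
"""Two toy detections for the simulated data theft (added example, not from the article).

The log lines below are constructed; field names, thresholds and the
10.0.0.0/8 "internal" range are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed logon events: a workstation account (alice) that, within a couple
# of minutes, authenticates to four servers, and a normal account (bob) that
# reaches two servers hours apart.
AUTH_LOG = [
    "2024-04-25T09:00:12 LOGON user=alice src=10.0.5.21 dst=10.0.5.21",
    "2024-04-25T09:14:03 LOGON user=alice src=10.0.5.21 dst=10.0.7.10",
    "2024-04-25T09:14:41 LOGON user=alice src=10.0.5.21 dst=10.0.7.11",
    "2024-04-25T09:15:20 LOGON user=alice src=10.0.5.21 dst=10.0.7.12",
    "2024-04-25T09:16:05 LOGON user=alice src=10.0.5.21 dst=10.0.9.5",
    "2024-04-25T09:30:00 LOGON user=bob src=10.0.5.40 dst=10.0.7.10",
    "2024-04-25T11:02:00 LOGON user=bob src=10.0.5.40 dst=10.0.7.11",
]

# Constructed flow records: the database server (10.0.9.5) pushes ~850 MB to an
# external address, while the other transfers are internal or small.
FLOW_LOG = [
    "2024-04-25T09:40:00 FLOW src=10.0.9.5 dst=10.0.5.21 bytes_out=120000",
    "2024-04-25T09:52:10 FLOW src=10.0.9.5 dst=203.0.113.77 bytes_out=850000000",
    "2024-04-25T10:00:00 FLOW src=10.0.5.21 dst=198.51.100.9 bytes_out=40000",
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range


def parse(line):
    """Turn 'TIMESTAMP TYPE k=v k=v ...' into a dict with a datetime."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "type": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def lateral_movement(lines, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts that reach >= min_hosts distinct remote hosts inside `window`.

    Local logons (src == dst) are ignored; a sliding window over each account's
    time-sorted events catches the fan-out typical of credential reuse.
    """
    by_user = defaultdict(list)
    for rec in map(parse, lines):
        if rec["type"] == "LOGON" and rec["src"] != rec["dst"]:
            by_user[rec["user"]].append(rec)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):
            hosts = {e["dst"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "start": first["ts"], "hosts": sorted(hosts)})
                break  # one alert per account is enough for the analyst
    return alerts


def exfiltration(lines, threshold_bytes=100_000_000):
    """Flag large outbound transfers to addresses outside the internal ranges."""
    alerts = []
    for rec in map(parse, lines):
        if rec["type"] != "FLOW":
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if any(dst in net for net in INTERNAL_NETS):
            continue  # internal traffic is handled by the lateral-movement rule
        if int(rec["bytes_out"]) >= threshold_bytes:
            alerts.append({"src": rec["src"], "dst": rec["dst"], "bytes": int(rec["bytes_out"])})
    return alerts


if __name__ == "__main__":
    for a in lateral_movement(AUTH_LOG):
        print(f"[lateral] {a['user']} reached {len(a['hosts'])} hosts from {a['start']}: {a['hosts']}")
    for a in exfiltration(FLOW_LOG):
        print(f"[exfil] {a['src']} sent {a['bytes']} bytes to {a['dst']}")
```

On the constructed input the first rule fires once, for alice (four hosts in about two minutes), and the second fires once, for the 850 MB transfer to 203.0.113.77; bob’s two logons and the small or internal flows stay quiet. In a real SOC the thresholds would be tuned per environment and the rules fed from the SIEM rather than from inline lists, but the logic is the same.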

While this short overview might make the teams’ tasks look quite simple, this is not the case.

Red Team vs Blue Team – what makes their confrontation successful?

As we have seen, both teams have to accomplish complex tasks – but what makes their activities effective?

A crucial element for the Red Team’s success is its ability to espouse an aggressive mindset, a true hacker‘s point of view. Therefore, its members shouldn’t be chosen among those who have contributed (or are still contributing) to defending the business’s infrastructure, as it would produce a patent conflict of interest which could stifle a genuine hostile effort and a fair security assessment.

An “outsider mindset” is needed, and this necessity can be better addressed by relying on either external assistance or uninvolved personnel.

A real assailant ignores any rule, etiquette or ethical concern (they may be a terrorist, a criminal, or a resentful former employee); adopting such a mentality, while still operating within the agreed rules of engagement, may be difficult.

In some cases, the confrontation between the teams starts as a purely abstract tabletop exercise in a meeting room; however, this should only be the beginning: a real test entails real attacks, which cannot overlook the organization’s physical security.

Truth be told, reproducing a real-life scenario isn’t always an option: for example, a serious assault on critical locations and infrastructures might result in irreparable damage or even in loss of life.

However, whenever possible, actual tests ought to be considered, and they should also focus on the weakest spot in the security system – human beings (i.e., the employees).

The Red Team may have the chance to observe the employees’ response to certain stimuli: malicious e-mail attachments, or a “strange” USB drive left in the HQ facilities (parking lot or restroom).

If the company has already issued its own security policy, the Red Team’s efforts will assess how well employees know, understand and follow it, as well as the business’s capability of enforcing the rules.

While physical security and employees’ behavior must not be neglected, wireless networks constitute another battlefield which deserves the utmost attention.

The migration from wired to Wi-Fi networks has been smooth and almost transparent to users, even though each technology requires its own distinct security approach.

One of the most common threats to wireless networks is so-called wardriving, the practice of locating and mapping wireless networks from a moving vehicle: it is reconnaissance that paves the way for subsequent malicious activity.

Cooperation, Mutual Feedback and Continuous Improvement

The usefulness of the Red Team vs Blue Team approach lies in interaction and mutual feedback, in its ability to turn the challenge into a way to improve an organization’s ability to detect and counter threats.

Such cooperation should strive for continuous improvement: the Blue Team should see the Red Team’s activities as an opportunity to understand potential assailants’ tactics, techniques, and procedures.

While a SOC’s failure to notice a breach may depend on its staff members’ shortcomings, it may also be the outcome of inadequate measures against truly sophisticated or even previously unknown techniques.

The Red Team attack can expose these weaknesses before real criminals may take advantage of them. As each team has different purposes, their means will be different, too.

The Red Team is expected to master offensive tools (for example, Metasploit and its Meterpreter payload), to know what a SQL injection is and how to exploit it, to employ network scanning tools (Nmap), to use scripting languages, to understand router and firewall configurations, etc.

On the other hand, the Blue Team is supposed to understand every phase of Incident Response, to master its own set of tools and languages, to notice suspicious traffic patterns, to identify Indicators of Compromise (IoCs), to use an IDS properly, and to carry out analysis and forensic examination on different operating systems.

A New Color on the Horizon

Since each team strives to reach its own goals (and, when defined, its own KPIs), having the two of them work synergistically is not an easy task.

However, the ultimate aim is helping the business attain a higher level of security; therefore, a new team, or more correctly a new “function”, has been getting more and more attention.

This new actor, the “Purple Team”, is meant to maximize and guarantee the effectiveness of the “traditional” groups’ activity by combining the Blue Team’s defensive routine with the weaknesses exposed by the Red Team, thus producing coherent efforts aimed at common, business-led KPIs and metrics.


Written by: Luigi Cristiani  (@gigicristiani)

ICT Security and Network Specialist

 

 


Pierluigi Paganini

(Security Affairs – Red Team, hacking)
