Red Team vs. Blue Team

What is the Red Team?

Red teaming can be defined as approaching an environment from an adversarial or attacker perspective, to proactively test security controls in the environment, with the overall objective of increasing an organization’s security posture. Red teaming is a form of ethical hacking and shares some similarities with penetration testing. A red team exercise is also known as engagement. When a red team begins an engagement, the first step is to develop the engagement scope, which may include the following objectives:

• define the types of attacks to be used
• define the parts of the environment to be tested
• understand the prior knowledge of the environment that will be provided
• define the desired outcome of the engagement

The scope of the engagement will determine the type of testing. Once testing is completed, the team will provide a report of findings and may provide recommendations to support the remediation of findings.

Red team members must be knowledgeable in many system protocols and components. Networking, client-side and server-side operating systems, web applications, and encryption capabilities are just a few of the necessary knowledge domains that red teamers need. Protocols, such as the Simple Network Management Protocol (SNMP), Server Message Block (SMB) protocol, HyperText Transfer (HTTP) Protocol, and many others, will be used for the environment enumeration and exploitation so the red teamer must have a functional knowledge of how the protocol operates.

Additionally, the red team member needs to be well-versed in several tools commonly used in penetration testing. They must know which tools are needed for the job and how to use those tools to get the job done. Some common tools used include NMAP, Netcat, Impacket, and Snmpwalk. With all the tools present, the red teamer may choose to use a penetration testing distribution such as Kali Linux or Parrot OS. These distributions come with many tools pre-installed and ready to run, so red teamers do not have to spend much time adding tools that will be needed. Some red teamers prefer to use standard distributions and add the tools that they commonly use to allow a more customized experience.

What is the Blue Team?

Blue teaming can be defined as proactively and reactively, securing the environment from a purely defensive perspective. Proactive defense includes hardening systems, secure code review, advising on patch management schedule, control implementation and tuning, and system logging. Reactive defense includes incident response, forensics, malware quarantine and eradication, and other similar defense techniques. After an engagement, blue teams will receive red team reports that may include recommended remediations and controls, which should be implemented to prevent similar future attacks. Blue teams also provide continuous monitoring of the environment to move into reactive defense as soon as a red team attack is discovered.

Blue team members must know network configurations, secure coding practices, operating system configuration, and many other aspects of securing data, systems, and networks. This includes how to properly implement protocols like SNMP, SMB, HTTP, and many others. Blue team members will also need knowledge on proper system logging, forensic techniques, and implementing incident response to various disasters, attacks, and other incidents.

Blue teamers will often be responsible for inspecting controls, such as firewalls and their configuration, ensuring that rules are tuned to the environment. Intrusion Detection/Prevention Systems (IDS/IPS) will often be reviewed and more tightly configured, by the blue team to ensure alerts, logging, and rules are tuned to limit false positives, false negatives, and alert fatigue. Forensic focused blue teamers will also need knowledge of forensic techniques, tools, and legal requirements to ensure forensic evidence is properly discovered and handled. Many tools, such as enCase and FTK (Forensics Tool Kit) that the forensic technician may choose to use to help properly perform their job.

Continuous monitoring, log aggregation, and correlation searches are other responsibilities of blue team members. Log aggregation tools bring system logs from throughout the environment to a single location, then process the logs to easily allow blue team members to search for information in the logs. These log aggregation tools will often be called a Security Information and Event Management (SIEM) tool. One of the main functions that a well made SIEM will have is creating correlation searches. Correlation searches allow blue team members to take the information in system logs and create alerts based on compromise indicators. This process allows the blue team to perform continuous monitoring of the environment and to react to an attack quickly.

How to develop the Purple Team mentality

The purple team mentality removes the red and blue team's separation and combines the team as one. In this case, the team will often test their controls through the attack and defense testing. This gives the team an overall picture of the environment's security without having to involve third party testers. Purple teaming allows the team to see both sides' attacks to create better logging and correlation searching, IDS/IPS rules, and system configurations based on how the attack looks and what the logs contain. The purple team mentality also creates a stronger blue team and red team members because both teams can focus on each team's domain knowledge.

How can Cybrary Help?

For both red and blue teams, the start is well rounded foundational knowledge in multiple domains. Individuals need to get into the security industry and veterans of the security industry to maintain constant training on new technologies. With a constantly growing database of courses offered, Cybrary is a great place to begin and continue this training. Some classes for beginning red teamers would be Penetration Testing and Ethical Hacking, Networking Fundamentals for Security Practitioners, and many more. For blue teaming, Cybrary offers Introduction to SIEM Tools , Web Defense Fundamentals, and others.