Red Team VS Blue Team
This article was originally published in hakin9 magazine Cyber Kill Chain in volume 16 no 02 which can be accessed at https://hakin9.org/product/cyber-kill-chain
In the information security context, the terms “red team” and “blue team” are often mentioned. Both teams play essential roles in protecting organizations’ IT systems from cyberattacks and prevent threat actors from stealing confidential data or disturbing the normal IT systems operations.
A red team is formed from a group of offensive security experts who possess advanced skills in attacking computerized systems and breaking different security defenses. The blue team is formed from a group of defenders who work to protect an organization against all types of cyberthreats. Red team works on performing simulated attacks against the blue team to test the effectiveness of security defenses and to discover security vulnerabilities in the target IT system. Both team works together to find and eliminate vulnerabilities and prevent threat actors from exploiting them to gain an entry into a target network to perform their malicious actions.
WHAT IS THE RED TEAM?
The red team acts as an adversary to simulate attacks against the target network and are commonly independent of the company (target) that hire them. Red team works to discover weak spots within an organization cyber defense and test human reactions in response to different social engineering attacks. Red team exercises are performed by professional security experts and ethical hackers who use the same attack techniques and hacking tools employed by cybercriminals to penetrate computer networks and premises.
Red team exercises are not limited to executing attacks against computerized systems. For instance, the red team uses a plethora of techniques and tools (e.g., social engineering, network monitoring tools) to discover weaknesses in organization processes, people, and technology and exploit these weaknesses to gain unauthorized access to IT assets.
By implementing such an adversarial scenario, an organization defense is tested using real-world attack scenarios instead of depending solely on the installed security solutions’ theoretical capabilities. Red teaming becomes a critical test to gauge an organization’s ability to mitigate, detect and recover from cyberattacks. Having a red team capability also raise an organization reputation -among customer, stakeholders, and partners- as an entity caring about defending against the latest cyber threats.
HOW RED TEAM EXECUTES THEIR SIMULATED ATTACKS?
The first phase of the simulated red team attack is to gather intelligence about the target. For instance, many cyber-attacks depend on the information collected during the reconnaissance phase to plan the attack before launching it.
For example, in spear phishing -which is considered a type of social engineering attack, adversaries need to collect information about the target before crafting a tailored email for him/her. In the same way, attackers need to gather intelligence by monitoring network traffic (via packet sniffer) before executing a penetration test exercise.
WHAT INFORMATION IS GATHERED DURING THE RECONNAISSANCE PHASE?
Discover the type of operating systems in use (Windows, Linux, macOS) in addition to their edition.
Identify the types of networking equipment, such as servers, firewalls, switches, and routers.
Investigate physical access controls used to prevent unauthorized access to sensitive materials. Examples of physical controls include security guards, steel doors, picture IDs, surveillance cameras, motion or thermal alarm systems, locks, and users biometric authentication.
Investigate open ports and running services on the target network.
Network mapping creates a map that shows all running hosts across the network.
After collecting information about the target, the red team will initiate their simulated attack by trying to gain access into the target network by stealing some users’ credentials using various attack techniques (e.g., utilizing social engineering attacks techniques such as phishing or finding zero-day exploit). After becoming inside the network, the next step will be to elevate privileges, move laterally across the network to access the most sensitive places, and begin exfiltrating data silently to avoid detection.
HOW RED TEAM DIFFERS FROM THE PENETRATION TEST?
Many people think the red team and penetration tester are the same. However, this is not accurate. For instance, penetration testers try to find exploitable vulnerabilities in the target system –using non-stealth tools such as network scanners- within a limited time frame. In contrast, red teams execute their attack over an extended period of time and use cutting edge hacking tools and customized malware to gain an entry point to the target network.
WHAT IS THE BLUE TEAM?
While the red team plays the offense role, the blue team is the counterpart and plays the defense role. Blue team is formed from professional IT security consultants (such as incident response personnel, digital forensics examiners) whose work investigates the internal and external organization security defense mechanisms and work to protect it against all types of cyberthreats. Blue team members are commonly owned by their company (target) and not independent as with the red team.
Blue team is typically working within a Security Operations Centre (SOC). SOC works to enhance an organization’s defense by monitoring its network 24 hours a day and working to detect any suspicious activity and stop it before it becomes a threat. Blue team must work continually to catch the red team attacks and always enhance their skills to face serious real-world cyberattacks.
While security solutions existed on network perimeters –such as firewalls and IDS- are designed to stop most of today’s cyber threats automatically, such as phishing emails. The blue team’s role is to monitor these tools and add a touch of human intelligence to them to counter more sophisticated attacks such as those executed by APT groups.
THERE ARE VARIOUS TASKS PERFORMED BY THE BLUE TEAM:
- Understand all phases of incident response procedures and understand how to respond correctly to various cyberthreats.
- System log and memory analysis.
- Security audit.
- Risk intelligence.
- Reverse engineering and malware analysis.
- Testing systems against DoS and DDoS attacks.
- Detect red team and other threat actor’s activities and work to block the connection to their command and control (C&C) servers.
- Identify compromised systems and disconnecting them rapidly.
Having a red/blue team capabilities helps organizations test their security defenses in a low-risk environment and have a holistic view of their IT security status. The outcome of red/blue team engagements will help an organization continually strengthen its defenses and fix any vulnerability before exploiting it by malicious actors.
Khera, V., 2021. Red Team VS Blue Team. [online] Linkedin.com. Available at: https://www.linkedin.com/pulse/red-team-vs-blue-dr-varin-khera/ [Accessed 30 June 2021].