[BreachExchange] Cyber Security: Red Team, Blue Team and Purple Team

[Audrey McNeil]

http://securityaffairs.co/wordpress/49624/hacking/cyber-red-team-blue-team.html

Whenever we discuss Information Security from a defensive point of view, we
are inclined to think about protection, damage control, and reaction.

However, adopting an attacker’s mindset can effectively help businesses
enhance their chances ofsecuring themselves against ever-changing threats.

In military jargon, the term Red Team is traditionally used to identify
highly skilled and organized groups acting as fictitious rivals and/or
enemies to the “regular” forces, the Blue Team.

Basically, the Red Team relied on its own expertise to explore any possible
way to plan and carry out an attack – thus trying to espouse the
standpoint, the attitude of potential assailants.

Such simulations aimed at both reproducing a real emergency and improving
the troops’ ability to fend off an aggression.

At the same time, Blue Team members were trained and expected to detect, to
oppose and to weakenthe Red Team’s efforts.

All of these concepts have been given a peculiar status in the
Cybersecurity field, as well: in this case, the Red Team’s hostile
activities take the form of sophisticated penetration tests, whose results
constitute a reliable assessment of a business/organization’s defensive
capabilities and its safety status.

Generally speaking, the Red Team is given a very specific task – for
example, evaluating the possibility of accessing sensitive data stored in a
database.

In such a scenario, the group would have to act as an external threat
actor, by recognizing any opportunity to exploit bugs and weaknesses of the
infrastructure, the target being the extraction of the required pieces of
information.

Meanwhile, the Blue Team would be in charge of any defensive step.

The Red Team is supposed to both identify any vulnerability in the PPT
(People, Process and Technology)defensive system and help the organization
improve its own defensive abilities.

While the Red Team’s role is usually well-defined, the Blue Team’s (and
hence, the SOC analysts andresponse handlers‘) task is mutable, it is not
known a priori: therefore, the former’s simulated assaults are expected to
test and enhance the latter’s skills, igniting a virtuous circle.

The Blue Team’s work routine includes accessing log data, using a SIEM,
garnering threat intelligence information, performing traffic and data flow
analysis; we may compare their mission to finding the well-known needle in
the haystack…

On the other hand, Red Team members have to be aware of any potential
opponent’s TTP (Tactics, Techniques, Procedures), which the Blue Team is
expected to detect and counter.

While automation can prove to be useful at this stage, the Blue Team
shouldn’t rely on technology alone: on both sides, human intuition,
expertise and cleverness cannot be replaced (yet) – social engineering
techniques (i.e. Spear phishing) being a strong reminder of this.

Let’s go back to our simulated data theft – in such a situation, Red Team
members would have to act as relentless cyber criminals. A first step might
be targeting a final user’s PC, thus getting useful credentials for
gathering information from within the network. This could lead to an
attempted privilege escalation, aimed at seeking privileged credentials
which might grant access to the central database. Should said database be
accessed, the effective data exfiltration could take place, usually via a
network connection to the outside, to the Web.

The Blue Team should be able to notice such efforts, the lateral movements,
and any typical step of the so-called kill chain as early as possible –
basically, it ought to oppose the attack and prevent the Red Team from
reaching its goal.

While this short overview might make the Team’s tasks look quite simple,
this is not the case.

Red Team vs Blue Team – what makes their confrontation successful?

As we have seen, both teams have to accomplish complex tasks – but what
makes their activities effective?

A crucial element for the Red Team’s success is its ability to espouse an
aggressive mindset, a true hacker‘s point of view. Therefore, its members
shouldn’t be chosen among those who have contributed (or are still
contributing) to defending the business’s infrastructure, as it would
produce a patent conflict of interest which could stifle a genuine hostile
effort and a fair security assessment.

An “outsider mindset” is needed, and this necessity can be better addressed
by relying on either external assistance or uninvolved personnel.

A real assailant is going to overlook any rule, etiquette and ethical issue
(he/she may be a terrorist, a criminal, or even a resentful former
employee) – adopting such a mentality may be difficult.

In some cases, the confrontation between the teams starts as a pure
abstract exercise, in a meeting room; however, this should just be the
beginning – a real test entails real attacks, which cannot overlook the
organization’s physical security.

Truth be told, reproducing a real-life scenario isn’t always an option –
for example, a serious assault on critical locations and infrastructures
might result in irreparable damage or even in human losses.

However, whenever possible, actual tests ought to be considered, and they
should also focus on the weakest spot in the security system – human beings
(i.e., the employees).

The Red Team may have the chance of observing the employees’ response to
some given inputs – malicious e-mail attachments, a “strange” USB drive
left in the HQ facilities (parking or restroom).given inputs – malicious
e-mail attachments, a “strange” USB drive left in the HQ facilities
(parking or restroom).

If the company has already issued its own security policy, the Red Team’s
efforts will be able to assess the employees’ knowledge, awareness and
discipline of it, and also the business’s capability of enforcing the rules.

While the employees’ physical security and behavior must not be neglected,
wireless networks compose another battlefield which deserves the utmost
attention.

The migration from wired to Wi-Fi networks has been transparent and plain,
despite the need for a distinct, specific security approach to each
solution.

One of the most serious threats to wireless network is the so-called
Wardriving, which paves the way for following malicious and exploitative
activities.

Cooperation, Mutual Feedback and Continuous Improvement

The usefulness of the Red Team vs Blue Team approach lies in interaction
and mutual feedback, in its ability to turn the challenge into a way to
ameliorate an organization’s capability of detecting and counter threats.

Such a cooperation should strive for continuous improvement, the Blue Team
should see the Red Team’s activities as an opportunity to understand
potential assailant’s tactics, techniques, and procedures.

While a SOC’s failure to notice a breach may depend on its staff members’
shortcomings, it may also be the outcome of inadequate measures against
really refined or even previously unknown methods.

The Red Team attack can expose these weaknesses before real criminals may
take advantage of them. As each team has different purposes, their means
will be different, too.

The Red Team is expected to master the use of offensive tools (for example,
Meterpreter or Metasploit), to know what a SQL injection is, to employ
network scanning tools (Nmap), to use scripting languages, to recognize
router and firewall commands, etc.

On the other hand, the Blue Team is supposed to understand any single phase
of an Incident Response, to master its own share of tools and languages, to
notice suspicious traffic patterns, to identify the Indicators of
Compromise, to use an IDS properly, to carry out analyses and forensic
 testing on different Operating Systems.

A New Color on the Horizon

Since each team strives to reach its own goals – and, when defined, its own
KPIs – having the two of them work synergically is not an easy task.

However, the ultimate aim is helping the business attain a higher level of
security; therefore, a new Team – more correctly, a new “function” has been
getting more and more attention.

This new actor, the “Purple Team”, would have to maximize and guarantee the
effectiveness of the “traditional” groups’ activity, by combining the Blue
Team’s defensive routine with the weaknesses exposed by the Red Team, thus
producing coherent efforts aiming at maximizing the results and common,
business-led KPIs and metrics
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160725/6abc3e52/attachment.html>