I am not the first one writing about red and blue teams, and I, for sure, will not be the last. Before going further, let me explain the reason for writing this post. The topic has been turning in my head for quite some time now. Then I recently watched a webinar from Black Hills Information Security (BHIS) in which they presented Applied Purple Teaming. Of course, at some point there was a discussion regarding red and blue teams, so here we are now talking about it.
Quick side note: the BHIS folks rock, and you should check out their free and paid webinars; all of them are worth every penny and every second of your time.
Let's start by defining, in the simplest way, what red and blue teams are in the context of cybersecurity.
Red Teams are internal or external groups dedicated to testing the effectiveness of all the security measures a company might have by emulating the tools and techniques of likely attackers in the most realistic way possible.
Blue Teams refer to the internal security group that defends against both real attackers and red teams.
You will find red teamers and blue teamers. The red team attacks; the blue team defends. So when you have a red team "attacking" you, the blue team will "protect" you from the attack. The ultimate goal of this process is to improve the security measures and procedures you have in place. How? The red team delivers a report explaining what they did and how, so that the blue team can explain what they saw and, more importantly, what they did not catch, so that next time you are better prepared.
And here is where I see some difference of opinion. A red team exercise without the ultimate goal I just explained is useless. If you just do a red team test and do not finish the process, you will only end up knowing one thing: you are potentially vulnerable to an external attack. But that, per se, is pointless. You need a debrief between the red team and the blue team. If you do not have a blue team, you still need the debrief. It will be a different one, with the red team providing far more information and input. This is what some people call the Purple Team.
All red team exercises should be run as a Purple Team, where the goal of the attacker is to improve the security processes. Let's be constructive. Let's go beyond the fact that every single organization can be compromised; rather than spending time confirming an undeniable fact, let's work towards the improvement. It requires just a little effort and a change of mindset, but I firmly believe it is what we should be doing.