We’ve talked about how we can use vulnerability scans, penetration tests, and bug bounties to find vulnerabilities in our systems. Another approach you may have heard of is called red and blue team exercises.
These exercises are typically reserved for organizations with a higher security maturity. Performing them before you’ve gone through multiple rounds of vulnerability scans, pentests, and potentially bug bounties would be a big waste of money, because these exercises are more advanced than what you need at that stage.
With that said, this is a topic that’s covered in the CompTIA Security+ exam, which means you need to fully understand what these exercises are and how they work. To do that, we first need to talk about red teams and blue teams.
What are red teams?
Red teams are the hired attackers. They are looking for weaknesses and vulnerabilities in an organization’s defenses so that they can break through and achieve their objective. They are ethical hackers hired either as full-time employees or as contractors to help an organization evaluate its security.
To do that, they will use existing or custom-built tools, and they will emulate (which means imitate) the TTPs (Tactics, Techniques, and Procedures) used by real adversaries to be as realistic as possible. This means they will use tools, tactics, exploits, and pivoting methodologies similar to what you could expect from real threat actors. They may even pursue goals similar to those of the specific threat actors your organization wants to defend against.
This sounds similar to penetration tests, but red team engagements do have differences:
- Pentests typically just test for vulnerabilities that can be exploited and then stop there, providing a report of the issue but nothing more
- Red teams don’t just test for vulnerabilities, they actively attempt to exploit them using TTPs from threat actor models
- Pentests typically last for a short period of time — say, 1 to 2 weeks
- Red team engagements can sometimes be shorter, but they can also run for extended periods of time — say weeks or months in order to more accurately mimic threat actors
- Pentests typically use common tools and techniques to find issues
- Red team engagements should use tools and techniques similar to those threat actors use, and they will oftentimes need to write custom code on the fly to evade blue teams. It’s not just about running automation, it’s about doing whatever it takes to evade defenses
Pentests and red team engagements do have a lot of similarities, though:
- They’re both security assessments
- They’re both behaving like attackers
- Neither will tell you everything wrong with your organization’s security, but they will provide specific issues that they found
The ultimate goal of a red team is to continuously test and improve the effectiveness of a blue team by mimicking real-world attacks. This is a very different goal from vulnerability assessments, pentests, and bug bounties, which are more focused on finding vulnerabilities so that they can be prioritized and fixed or accepted as a risk.
What are blue teams?
Blue teams are the defenders. They’re a group typically made up of various incident response roles that aims to make an organization more secure by providing guidance on where improvements can be made to stop cyber threats, from simple ones to more sophisticated ones.
Blue teams work to improve an organization’s ability to detect, prevent, resist, and respond to threats that could result in damage to an organization.
This means that members of the blue team are typically already employees of the organization, although sometimes independent contractors can also be hired for specific engagements.
The main difference between red teams and blue teams is that red teams attempt to find weaknesses in order to exploit systems, whereas blue teams look for weaknesses in the systems and in their ability to respond to active threats, in order to fix them and prevent red teams from successfully exploiting them.
What are exercises and exercise types?
Now that we understand what blue and red teams are, we can make an educated guess about what exercises are.
Exercises can be a highly effective way of helping an organization find security weaknesses that haven’t yet been addressed. By having a red team attack an organization’s networks and resources using a threat actor’s tactics, techniques, and procedures, the blue team will have to react. We are simulating a real-world attack and response scenario.
This is not just theoretical. We’re talking about actually attacking networks, applications, devices, and other resources.
This helps in a few different ways:
- It helps the blue team identify blind spots — if a red team is actively attacking and the blue team doesn’t even know it, then obviously there’s a pretty serious blind spot that needs to be fixed
- It helps identify which security controls work and which don’t work — exercises help us assess which existing security controls either prevented a red team’s advances or slowed it down. It also helps identify which security controls need to be implemented
- It helps identify an organization’s response time — how much time went by between when the blue team detected the red team’s actions, identified what was going on, and effectively responded to the incident? Your organization may be quick at responding to certain events while being slow at maneuvering for others
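One way to turn the post-exercise debrief into the three measurements above (blind spots, control effectiveness, response time), as an added example that is not from the original post: a small Python scorer over a constructed red/blue timeline. Every action id, TTP label, timestamp and control name below is made up for illustration.

```python
from datetime import datetime

ISO = "%Y-%m-%dT%H:%M"

# Constructed debrief data for a hypothetical exercise (not from a real engagement).
# Red team log: action id, TTP, when the action started, what the red team reported.
RED_ACTIONS = [
    ("A1", "phishing for initial access", "2024-05-06T09:00", "succeeded"),
    ("A2", "credential dumping", "2024-05-06T10:30", "succeeded"),
    ("A3", "lateral movement over RDP", "2024-05-06T13:15", "slowed"),
    ("A4", "data staging for exfiltration", "2024-05-07T08:45", "blocked"),
]
# Blue team log: action id, when it was detected, when it was contained, control that fired.
BLUE_EVENTS = [
    ("A1", "2024-05-06T09:40", "2024-05-06T11:00", "mail gateway alert"),
    ("A3", "2024-05-06T14:05", "2024-05-06T14:20", "EDR lateral-movement rule"),
    ("A4", "2024-05-07T08:50", "2024-05-07T08:55", "DLP block"),
]


def _minutes(later, earlier):
    """Whole minutes elapsed between two ISO-formatted timestamps."""
    delta = datetime.strptime(later, ISO) - datetime.strptime(earlier, ISO)
    return int(delta.total_seconds() // 60)


def score_exercise(red_actions=RED_ACTIONS, blue_events=BLUE_EVENTS):
    """Join the two logs by action id and compute the debrief metrics."""
    blue = {event[0]: event for event in blue_events}
    blind_spots, detection, response, controls = [], {}, {}, {}
    for action_id, ttp, started, outcome in red_actions:
        if action_id not in blue:
            blind_spots.append(ttp)  # red acted and blue never noticed
            continue
        _, detected, contained, control = blue[action_id]
        detection[ttp] = _minutes(detected, started)   # time to detect
        response[ttp] = _minutes(contained, detected)  # time to respond
        # Record what the red team reported each control achieved (blocked / slowed / succeeded).
        controls.setdefault(control, []).append(outcome)
    mean = lambda values: sum(values) / len(values) if values else None
    return {
        "blind_spots": blind_spots,
        "detection_minutes": detection,
        "response_minutes": response,
        "controls": controls,
        "mean_time_to_detect": mean(list(detection.values())),
        "mean_time_to_respond": mean(list(response.values())),
    }
```

The per-TTP figures show where the team was fast and where it was slow, which is the uneven picture the last bullet describes.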
By having both the blue team and red team sit down at the end of an engagement and exchange notes, the blue team can get a better insight into what attack methods were used, what resistance the red team faced, and what areas they faced little to no resistance in.
If the blue team is made up of employees instead of only external contractors, these types of exercises can also help on a human level. What I mean is that when a breach is detected, adrenaline starts kicking in, the clock starts ticking, and the pressure is on. There’s no real way for you to know how you will perform under pressure unless you experience that. It’s much better to experience that with a red team that’s hired to help you versus with malicious actors that are actually trying to harm you.
This experience also provides the individuals involved with the ability to think like an adversary. This ability is invaluable because it can help members of the blue team think ahead of attackers, and therefore, implement better security controls to stop the attack in its tracks.
It’s important to point out that exercises may sometimes also go beyond just the digital world. Red teamers may also try physical attacks depending on the organization and depending on the engagement.
Purple teams (collaborators)
In addition to the red and blue teams, we actually also have purple teams and white teams.
In some cases, instead of having the blue teams and red teams work separately, organizations may want to facilitate collaboration by having them collaborate as the exercises are happening. Whereas some red and blue team engagements will exchange notes after the exercise is complete, purple team exercises have both teams engage during the exercise to share information and explain what’s going on. That way, if the blue team is struggling to fend off an attack, the red team can provide additional insights into what they’re doing. Vice versa — if the red team is struggling to break through defenses, blue teams could share how they’re defending, giving red teams insights into how they could bypass those defenses.
The goal of purple teams is essentially to improve the skills of both teams and to hopefully come out of the exercises with more insights.
Purple teams can involve other individuals that act strictly as collaborators or facilitators, but oftentimes it’s not really a team at all. Instead, it describes a dynamic between the red and blue teams.
White teams (managers)
White teams, on the other hand, don’t take an active part in either offense or defense. They are a neutral party that sets the Rules of Engagement (RoE) between the red and blue teams. They are needed before the exercises even start, since they dictate how the engagement will go. They’re also needed during the engagement to enforce rules, observe the exercise, resolve problems, answer questions, and so on.
Since these exercises will have concrete goals, the white team will keep an eye on metrics of success to monitor progress, and they will step in, when necessary, to end the exercises.
This is important because these exercises could have real impacts on a business’s operations, and also because exercises are sometimes not pre-announced. A blue team may have no idea that they’re part of an engagement, so they can’t prepare for it.
When that’s the case, the white team — which is often made up of management — will be aware that there’s a red team engagement so that they can keep things in check.
I had a guest on the Cybr Podcast who was an Incident Response Team Lead at a Fortune 50 company, and he shared a story about when he thought they were under real attack, when in reality, it was a red team engagement. When he went to his manager to report that an incident was ongoing and that they had successfully broken through, his manager smiled and said that it was just an exercise. The manager was aware of the red team engagement, but they hadn’t told the blue team to expect it so that they could see a realistic reaction. If you find that interesting, definitely check out the episode!
Exercise types progression based on an organization’s security maturity
Just to reiterate and help my visual learners, this is typically the progression of an organization’s security maturity:
- Vulnerability scans (Vulnerability Assessments as a whole)
- Bug bounties
- Red/blue team exercises
Organizations will want to go through multiple rounds of vulnerability scans and pentests before they consider red and blue team exercises. Bug bounties are relatively new, but a general train of thought is that they can be performed either right before pentests or after pentests. Either way, they should be performed after vulnerability scans, since it’s a waste to crowdsource finding common problems that could be discovered with automation or a single-tester assessment.
Once an organization feels ready and needs more in-depth tests, they can move on to engaging in red & blue team exercises to evaluate their readiness when it comes to more sophisticated attacks.