Understanding Red Teaming, Blue Teaming and Purple Teaming

What is cyber security teaming?

To prepare against the ever-increasing number of cyber threats, organisations may choose to conduct team-based exercises where two teams, attackers (red team) and defenders (blue team), work in tandem to improve the overall security posture of an organisation.

These exercises are intended to simulate “real world” attacks on an organisation and test its ability to detect and mitigate such threats. There are a vast range of tactics and techniques a malicious attacker may utilise in an attempt to break through an organisation’s defences, which is why it is so important to understand what you are up against.

There have been countless evolutions of cyber security threats throughout the years, all of which have played a part in changing the defensive actions taken by security professionals. Some of the top cyber threats facing businesses today include:

• Ransomware
• Phishing
• Credential Stuffing
• Configuration Mistakes
• Social Engineering

What is red teaming?

The role of the Red Team is to identify the gaps in the organisation by adopting the mindset of an adversary. They emulate the tools, techniques, and procedures used by adversaries to test the ability of an organisation to detect, prevent and respond to such threats.

Red teams will utilise all techniques available to help outline weaknesses in an organisation’s procedures, processes, and technology, whilst also making suggestions on what should be done to strengthen the organisation’s security posture. They also try to evade the detections developed by the blue team and point out the gaps so that the defenders can fix them.

The goal is to emulate a malicious adversary as closely as possible, which involves carrying out research on the targeted organisation. For example, a successful spear phishing campaign relies on social engineering (researching the company and its employees on LinkedIn and other social media platforms and using the information to craft a more convincing phishing email, therefore increasing the likelihood of a successful attack whilst also avoiding/delaying detection).

Adversaries will utilise a wide range of tools to collect as much information about the target organisation’s cyber defence topography before an actual cyber-attack is attempted. Vulnerability scans can be employed to “check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.”

Let us run through a hypothetical situation to give some context. Imagine a malicious actor has discovered that a server is running on a Microsoft Server operating system. Microsoft’s software is released with default configurations, and it is up to an organisation’s network administrator to configure the server. A server running an out-of-the-box configuration can be vulnerable to certain malicious attacks. Those vulnerabilities could easily be eliminated with the correct configuration. It’s mistakes like this that could cause massive problems for organisations.

Why carry out red teaming exercises?

• “Real World” Training – Since one of the roles of the red team is to accurately simulate a real-world attack, it gives security analysts “real world” training without the added pressure of an actual security incident, which could have huge financial implications if not handled correctly.

• “Identify Infrastructure Weaknesses” – The red team’s secondary role, and arguably the most crucial, is to provide guidance to the blue team on what needs to be patched to avoid future compromises utilising the same techniques

• “Detection Visibility” – Help an organisation understand their scope of detections i.e., what could they see happening on their network, what could not be seen, and what data would need to be collected to give them visibility on the activity being carried out on their network.

What is blue teaming?

The role of the Blue Team is to defend the organisation against both real threats and red team attacks. They use feedback from the red team to improve their detection and response systems. They also proactively hunt for threats that are not being detected by their sensors and use threat intelligence to prioritise mitigation for new emerging threats.

Blue teaming usually involves working with a variety of tools, such as Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) solutions, as they enable the team to work more efficiently and provide greater visibility into the organisation’s network. The blue team are also responsible for gathering documentation of an organisation’s critical assets, carrying out risk assessments for those assets and protecting them from cyber security threats.

The blue team can be considered the defenders, whereas the red team are the attackers. In an ideal world, a security team would prevent any and all cyber-attacks, but in real-world applications, this is near enough impossible, which I why detecting and remediating threats is just as important.

Some of the tasks blue teams carry out include:

• Deploying both IDS and IPS tools
• Implementing and configuring SIEM solutions including rule creation and log ingestion
• Configuring and segregating network infrastructure
• Deploying endpoint security across a range of hosts
• Reviewing and amending an organisations security procedures

Why carry out blue teaming exercises?

• “Detection and Remediation” – The members of a blue team are consistently monitoring activity in an organisation network. They are the first line of defence and will help stop/limit any damage caused by a malicious actor.
• “Elevate Cyber Security Awareness” – Within an organisation, there will be employees at both ends of the scale when it comes to cyber security knowledge. It is up to the members of the blue team to educate employees to any potential risks. (Common training employees will receive is in relation to phishing i.e., how to spot a phishing email, how to correctly report them to the security team, and the implications to the organisation if a genuine phishing campaign is not handled correctly)
• “Patch Security Flaws” – The blue team can act on any advice received from the red team and carry out and configuration changes they may suggest

What is purple teaming?

Organisations may not benefit as much from conducting these exercises if both teams fail to cooperate and share their finding. It would be a wasted exercise if an organisation did not benefit after the fact. That is where Purple Teaming comes in. Instead of being a separate team in an organisation, it is a mindset that encourages both red and blue teams to work in unison. It allows blue teams to understand the attacker’s methodology by being part of the attack, making them more effective in employing existing tools to prevent threats. The purple team is not an actual independent team, it is more of a collaboration between both the red team and the blue team.

To refer back to the hypothetical situation referred to under the “What is Red Teaming” section of this blog, where a server vulnerability is being exploited due to bad configuration. If the red team do not refer the blue team to this vulnerability and make suggestions on what actions should be taken to prevent any future exploits (correctly configuring the server), then this entire exercise is pointless. Remember part of the benefits of running red team exercises is to help harden an organisations cyber defence. The blue team cannot make changes to their security posture if they do not understand their own weaknesses.

Conclusion

Teaming is an efficient way organisations can assess and improve their security posture against adversaries, though the ability to share information and willingness to cooperate between both red and blue teams will be crucial to get the most value of such exercises.

It’s very easy for both teams to fall into a competitive mindset and focus on “winning”. The overarching goal of carrying out both red and blue team exercises is to help an organisation harden their castle walls against genuine malicious actors, so collaboration between teams is crucial.