Red team cyber security assessments are a crucial way of giving organisations a practical understanding of their defence capabilities.
In these exercises, the red team faces off against their counterparts, the blue team, in a battle to control a particular asset. That could be sensitive data, financial records, communication channels or the organisation’s infrastructure itself.
Assessments can be adapted to suit particular requirements. However, the objective is always to learn how a cyber criminal might target your organisation in real life, and the steps that your security personnel would take to prevent attacks.
But who exactly are the red and blue teams, and how can you conduct an assessment?
What is a red team?
Red teams are cyber security professionals who are experts in in the ways criminal hackers break through defences and steal sensitive data.
Although these skills are often associated with criminal activity, they are also essential in cyber security. After all, you need to know how malicious hackers operate in order to anticipate their methods and block their attacks.
Nonetheless, the read team acts as the adversaries in this assessment, and they will use their knowhow to try and capture sensitive information. Fortunately, there is no risk of a real-life data breach, as the ‘attackers’ are trusted personnel who agree not to abuse any data that they capture.
This is a common practice in cyber security, with organisations often hiring ethical hackers or penetration testers to probe their systems in the same way that a criminal would.
How a red team works
The red team uses any number of techniques to look for and exploit weaknesses. This could mean finding technical vulnerabilities and flaws in the organisation’s processes, or duping employees with phishing attacks and other social engineering techniques.
Typically, there are no limits on the actions that the red team can take. Anything that a cyber criminal might do is considered fair game.
However, there might be times when an organisation asks the attackers not to perform certain actions. This could be, for instance, because it might disrupt regular business activities or because the organisation wants to focus on specific defence mechanisms.
Red teaming usually begins with a detailed planning stage, in which the adversaries gain as much background information about the target as possible.
They will start with the basics, such as the operating systems that the target uses, and the make and model of the networking equipment (such as computers, servers, firewalls and routers).
In some cases, the red team might also look at physical controls, such as doors, locks, CCTV cameras and security, although most attacks are conducted entirely through digital means.
With this information, the team will then look for vulnerabilities in those systems and create a map that outlines various paths to their destination. The techniques they use will vary greatly, but at some point, the attackers will usually attempt to steal user credentials.
This gives them clear access to the organisation’s internal systems, where they can view anything that the employee whose account they’ve compromised can see. The attacker might also imitate that employee in an email or instant message in an attempt to grab more sensitive data.
It’s therefore no surprise that red teams, like cyber criminals, target usernames and passwords ruthlessly, with an assortment of tactics ranging from brute-force attacks to phishing scams.
What is a blue team?
While the red team is on the attack in these exercises, the blue team is playing defence. The group is also comprised of cyber security professionals, and their goal is to identify the adversaries’ attempts to compromise the organisation and to protect its critical assets.
The blue team’s tactics are guided by the organisation’s business objectives and security strategy. As such, they will have the same tools and knowledge that would be available in the event of a real-life attack.
How a blue team works
The blue team’s work begins long before the adversaries begin their attack. Their first job is to review the organisation’s security practices with a gap analysis and risk assessment in order to identify security weaknesses.
With that information, they implement controls to close gaps and bolster the organisation’s systems. This might include, for instance, introducing stricter password policies, patching software or reminding employees about the threat of phishing.
Networking monitoring tools are often also deployed, giving the blue team real-time information about people accessing the organisation’s systems. This is crucial to identify unusual or suspicious activity that would help them spot the red team’s efforts.
It’s only after these threat prevention and detection tools are put in place that the blue team are ready to fend off the red team’s attacks.
Although many organisations prioritise threat prevention as a security measure, it’s equally important to consider your ability to respond to attacks in progress. Organisations rarely get a chance to practice this, and it’s why red team vs blue team assessments are so helpful.
How do the red team and blue team work together?
Although the red and blue teams are on opposite sides during the assessment, they are both working to improve the organisation’s security posture.
As such, they must work together to ensure that both sides are operating with the latest information. For instance, the blue team should stay up to date on emerging threat prevention technologies and share their findings with the red team.
Likewise, the red team must keep an eye out for new hacking techniques, and explain to the blue team how they work.
This type of communication is crucial between assessments, but depending on the objective of the test, the red team won’t necessarily inform the blue team about a planned attack.
A surprise offensive is useful if the organisation wants to see how their security team responds to a crisis in a real-world scenario.
Even in this scenario, however, someone in a management position should be aware of the test. Typically, this will be the top-level employee in the IT or cyber security team, who may also act as the manager of the blue team.
This ensures that the senior personnel are aware that the activity is a drill while those responsible for incident response are not influenced by the knowledge that it’s only a practice.
When the test is complete, both teams gather and share their findings. If the red team was successful, they will explain how they bypassed security systems and provide tips to combat future attacks.
But if the blue team successfully repelled the attack, they would describe the steps they took to identify and thwart them.
Both teams should then work together to plan, develop and implement stronger security controls where necessary.
The purple team
Although the activities of the red and blue team are designed to work in harmony, the reality is usually more complicated. The two sides will naturally be competitive, and they might be reluctant to share tips that helps their opponents.
This is where the concept of a purple team comes in. As the name suggests, this team brings the red and blue team together to work in unison.
Individual employees might take it in turns to play attack and defence, while everyone is encouraged to share ideas that help either side.
Navigating the practicalities of a purple team can be tricky. For instance, it will be harder to spring a surprise attack on the blue team and therefore simulate a real-world attack.
Likewise, the red team is often a more appealing option, as cyber security personnel break away from their day-to-day tasks and show off their hacking expertise. Persuading people to switch sides can therefore be tricky, and it will require strong leadership to keep everybody happy.
However, when it’s done right, the purple team can prove an invaluable cyber security resource.
Developing an effective assessment team
Red and blue team assessments are among the most in-depth ways to manage cyber security.
They are highly organised, and they put every part of your organisation to the test. You’ll gain a real-world understanding of the ways a cyber criminal might target your organisation and get a close-up view of the ways in which your defences hold up to attacks.
Unfortunately, for many organisations, red and blue team assessments are impractical if not impossible. They either don’t have enough internal expertise to form opposing teams, or they don’t have the resources to conduct tests and monitor the results.
But that doesn’t mean you can’t benefit from these sorts of assessment. With IT Governance’s Red Team Assessment service, our team of experts will play the adversarial role and probe your organisation to see how you would handle an attack.
Our team of ethical hackers will test your organisation and provide expert guidance on how to improve your organisation’s security posture.
The scope of each engagement is tailored to your organisation’s requirements and goals, but in every assessment, we can:
Attack scenarios can be crafted to emulate specific types of threat actor. We use traditional and non-traditional techniques to test your resilience to intrusion, fraud, data extraction, internal threats, corporate espionage and physical attacks.