
Red vs. Blue vs. Purple Team



In today's blog we will not discuss the red or blue political map of the US. Instead, we will review how three teams work together to make sure your infrastructure can withstand simulated attacks on enterprise networks, and that you learn something from each one.

The terms Red Team and Blue Team come from military war-gaming jargon, where one side attacks and the other defends.


Red Team - Attackers


A Red Team is usually an external entity that attacks and attempts to break defenses using the tools and techniques of likely adversaries as realistically as possible. A Red Team consists of ethical hackers who typically start with no inside knowledge of the company's defenses, so that the exercise mirrors what a real attacker would face.


A Red Team will perform all or some of the following:

  • Penetration Testing

  • Port Scanning

  • Vulnerability Scanning

  • Phishing and other social engineering

In addition to those, a Red Team might use custom tools and techniques to breach company defenses.

At the end of an exercise, the Red Team will produce a report describing the techniques utilized and the penetration results. This report should also include recommendations on how to remediate identified issues and gaps in security.

Some people equate Red Teams with penetration testers. There is overlap in skills, but the work performed and the results produced are different: a penetration test aims to find as many vulnerabilities as possible within an agreed scope, while a Red Team exercise pursues a specific objective (reaching a system or a data set) the way an adversary would, and measures whether the defenders notice and respond along the way.


Blue Team – Defenders


The Blue Team is responsible for creating the processes and procedures that reduce the likelihood of a successful attack and limit its impact when one does succeed.


The Blue Team must:

  • Monitor network, computers, devices, and applications

  • Detect threats and create mitigation processes

  • Collect logs and maintain forensic data

  • Conduct risk assessments and audits

  • Perform vulnerability scans

After an exercise is completed, the Blue Team will produce a report documenting the logs and evidence collected, what it detected and when, and what it missed. It will also produce a list of remediation steps to be taken based on the Red Team's results.
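To make the "monitor" and "detect threats" bullets concrete, here is a small detection rule run over constructed connection-log lines, using the port scanning from the Red Team list above as the behaviour to detect. This is an added example for this post, not the post's own code or any product's detection logic. The log line format, the hosts (documentation address ranges), the 60-second window and the ten-port threshold are all assumptions made for the example.

```python
"""Toy sliding-window port-scan detector over constructed firewall log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured traffic). The line format
# "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>" is an assumption.
# 203.0.113.7 probes eleven ports in five seconds (a fast scan),
# 198.51.100.3 probes one port every five minutes (a slow scan),
# 192.0.2.10 is ordinary web traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 DENY src=203.0.113.7 dst=10.0.0.5 dport=21
2024-03-01T10:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:00:01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=80
2024-03-01T10:00:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=443
2024-03-01T10:00:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=3306
2024-03-01T10:00:03 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-03-01T10:00:03 DENY src=203.0.113.7 dst=10.0.0.5 dport=8080
2024-03-01T10:00:04 DENY src=203.0.113.7 dst=10.0.0.5 dport=8443
2024-03-01T10:00:04 DENY src=203.0.113.7 dst=10.0.0.5 dport=5432
2024-03-01T10:00:05 DENY src=203.0.113.7 dst=10.0.0.5 dport=6379
2024-03-01T10:00:05 DENY src=203.0.113.7 dst=10.0.0.5 dport=9200
2024-03-01T10:00:00 ALLOW src=192.0.2.10 dst=10.0.0.5 dport=443
2024-03-01T10:00:30 ALLOW src=192.0.2.10 dst=10.0.0.5 dport=443
2024-03-01T10:01:00 ALLOW src=192.0.2.10 dst=10.0.0.5 dport=80
2024-03-01T10:00:00 DENY src=198.51.100.3 dst=10.0.0.5 dport=22
2024-03-01T10:05:00 DENY src=198.51.100.3 dst=10.0.0.5 dport=23
2024-03-01T10:10:00 DENY src=198.51.100.3 dst=10.0.0.5 dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(log_text, window_seconds=60, min_ports=10):
    """Flag (src, dst) pairs that touched at least min_ports distinct destination
    ports inside some sliding window of window_seconds.

    Returns {(src, dst): {"distinct_ports": n, "first": ts, "last": ts}} for the
    flagged pairs, where first/last bound the densest window observed.
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append(ev)

    alerts = {}
    for pair, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # dport -> number of hits currently inside the window
        best = {"distinct_ports": 0, "first": None, "last": None}
        left = 0
        for ev in evs:
            in_window[ev["dport"]] += 1
            # Advance the left edge until every event in the window is within window_seconds.
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best["distinct_ports"]:
                best = {"distinct_ports": len(in_window), "first": evs[left]["ts"], "last": ev["ts"]}
        if best["distinct_ports"] >= min_ports:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {info['distinct_ports']} ports "
              f"between {info['first'].time()} and {info['last'].time()}")
```

With the default settings only the fast scanner is flagged. The slow scanner, one port every five minutes, never has more than one port inside a 60-second window, which is exactly the evasion a Red Team will try; widening the window to fifteen minutes and lowering the threshold to three ports catches it in this sample, at the cost of more false positives on a real network. The rule also groups by (source, destination), so a horizontal sweep of one port across many hosts would need a separate count of distinct destinations per source. Tuning those two knobs against what the Red Team actually did is the kind of joint work the rest of this post is about.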


Purple Team


The Purple Team acts as the communication channel between the Red and Blue Teams. The Red Team may be reluctant to disclose all the methods it used during the tests, while the Blue Team may be reluctant to provide information about its defense mechanisms.


In the best-case scenario, the Red and Blue Teams will communicate freely and share information. In that case, there will be no need for the Purple Team. The need for a Purple Team becomes apparent when the other teams start indicating that communicating information is not part of their job. When this happens, the Purple Team members act like a family counselor, opening channels of communication between the parties.


Summary


Security is a continuously evolving field. Attackers constantly find new ways to exploit system weaknesses. Regular Red vs. Blue Team exercises not only improve corporate defenses, but also create a process of cooperation between the attacking and defending teams.



