A successful red team must be devious in nature, assuming the mindset of a sophisticated adversary to gain access to the network and advance undetected through the environment. The ideal red team member is both technical and creative, capable of exploiting system weaknesses and human nature. It’s also important that the red team be familiar with threat actor tactics, techniques and procedures (TTPs) and the attack tools and frameworks today’s adversaries use.
For example, a Florida teenager recently used spear-phishing tactics as well as social engineering techniques to obtain employee credentials and access internal systems at Twitter, resulting in a high-profile breach of more than 100 celebrity accounts.
A member of the red team should have:
While the blue team is technically focused on defense, much of their job is proactive in nature. Ideally, this team identifies and neutralizes risks and threats before they inflict damage on the organization. However, the increasing sophistication of attacks and adversaries makes this an all but impossible task for even the most skilled cybersecurity professionals.
The blue team’s job is equal parts prevention, detection and remediation. Common skills for the blue team include:
Red team/blue team exercises are a critical part of any robust and effective security strategy. Ideally, these exercises help the organization identify weaknesses in the people, processes and technologies within the network perimeter, as well as pinpoint security gaps such as backdoors and other access vulnerabilities that may exist within the security architecture. This information ultimately will help customers strengthen their defenses and train or exercise their security teams to better respond to threats.
Since many breaches can go undetected for months or even years, it is important to conduct red team/blue team exercises on a regular basis. Research shows that adversaries dwell, on average, 197 days within a network environment before they are detected and ejected. This raises the stakes for companies in that attackers can use this time to set up backdoors or otherwise alter the network to create new points of access that could be exploited in the future.
One important differentiator in the way that CrowdStrike approaches red team/blue team exercises is the overall strategy. We use red team activities to seed the environment with data so the blue team can gauge the risk associated with each incident and respond accordingly. As such, we don’t treat this exercise as a proverbial war game where our clients attempt to block each and every red team action; instead, the goal is to effectively assess and prioritize those events that the data reveals to be the greatest threat.
Red teams use a variety of techniques and tools to exploit gaps within the security architecture. For example, in assuming the role of a hacker, a red team member may infect the host with malware to deactivate security controls or use social engineering techniques to steal access credentials.
Red team activities commonly follow the MITRE ATT&CK Framework, which is a globally accessible knowledge base of adversary tactics, techniques and methods based on real-world experience and events. The Framework serves as a foundation for the development of prevention, detection and response capabilities that can be customized based on each organization’s unique needs and new developments within the threat landscape.
Examples of red team activities include:
Functioning as the organization’s line of defense, the blue team makes use of security tools, protocols, systems and other resources to protect the organization and identify gaps in its detection capabilities. The blue team’s environment should mirror the organization’s current security system, which may have misconfigured tools, unpatched software or other known or unknown risks.
Examples of blue team exercises include: