Red Team vs Blue Team Skills
Red team skill set
A successful red team must be devious in nature, assuming the mindset of a sophisticated adversary to gain access to the network and advance undetected through the environment. The ideal team member for the red group is both technical and creative, capable of exploiting system weaknesses and human nature. It’s also important that the red team be familiar with threat actor tactics, techniques and procedures (TTPs) and the attack tools and frameworks today’s adversaries use.
For example, a Florida teenager recently used spear-phishing tactics as well as social engineering techniques to obtain employee credentials and access internal systems at Twitter, resulting in a high-profile breach of more than 100 celebrity accounts.
A member of the red team should have:
- A deep awareness of computer systems and protocols, as well as security techniques, tools and safeguards
- Strong software development skills in order to develop custom made tools to circumvent common security mechanisms and measures
- Experience in penetration testing, which would help exploit common vulnerabilities and avoid activities that are often monitored or easily detected
- Social engineering skills that allow the team member to manipulate others into sharing information or credentials
Blue team skill set
While the blue team is technically focused on defense, much of their job is proactive in nature. Ideally, this team identifies and neutralizes risks and threats before they inflict damage on the organization. However, the increasing sophistication of attacks and adversaries makes this an all but impossible task for even the most skilled cybersecurity professionals.
The blue team’s job is equal parts prevention, detection and remediation. Common skills for the blue team include:
- A full understanding of the organization’s security strategy across people, tools and technologies
- Analysis skills to accurately identify the most dangerous threats and prioritize responses accordingly
- Hardening techniques to reduce the attack surface, particularly as it relates to the domain name system (DNS) to prevent phishing attacks and other web-based breach techniques
- Keen awareness of the company’s existing security detection tools and systems and their alert mechanisms
How Do the Red Team and Blue Team Work Together?
Scenarios When a Red Team/Blue Team Exercise Is Needed
Red team/blue team exercises are a critical part of any robust and effective security strategy. Ideally, these exercises help the organization identify weaknesses in the people, processes and technologies within the network perimeter, as well as pinpoint security gaps such as backdoors and other access vulnerabilities that may exist within the security architecture. This information ultimately will help customers strengthen their defenses and train or exercise their security teams to better respond to threats.
Since many breaches can go undetected for months or even years, it is important to conduct red team/blue team exercises on a regular basis. Research shows that adversaries dwell, on average, 197 days within a network environment before they are detected and ejected. This raises the stakes for companies in that attackers can use this time to set up backdoors or otherwise alter the network to create new points of access that could be exploited in the future.
One important differentiator in the way that CrowdStrike approaches red team/blue team exercises is in terms of the overall strategy. We use red team activities to seed the environment with data so the blue team can gauge the risk associated with each incident and respond accordingly. As such, we don’t treat this exercise as a proverbial war game where our clients attempt to block each and every red team action, but effectively assess and prioritize those events that the data reveals to be the greatest threat.
Red Team Exercise Examples
Red teams use a variety of techniques and tools to exploit gaps within the security architecture. For example, in assuming the role of a hacker, a red team member may infect the host with malware to deactivate security controls or use social engineering techniques to steal access credentials.
Red team activities commonly follow the MITRE ATT&CK Framework, which is a globally-accessible knowledge base of adversary tactics, techniques and methods based on real-world experience and events. The Framework serves as a foundation for the development of prevention, detection and response capabilities that can be customized based on each organization’s unique needs and new developments within the threat landscape.
Examples of red team activities include:
- Penetration testing in which a red team member attempts to access the system using a variety of real-world techniques
- Social engineering tactics, which aim to manipulate employees or other network members into sharing, disclosing or creating network credentials
- Intercepting communication in order to map the network or gain more information about the environment in order to circumvent common security techniques
- Cloning an administrator’s access cards to gain entry to unrestricted areas
Blue Team Exercise Examples
Functioning as the organization’s line of defense, the blue team makes use of security tools, protocols, systems and other resources to protect the organization and identify gaps in its detection capabilities. The blue team’s environment should mirror the organization’s current security system, which may have misconfigured tools, unpatched software or other known or unknown risks.
Examples of blue team exercises include:
- Performing DNS research
- Conducting digital analysis to create a baseline of network activity and more easily spot unusual or suspicious activity
- Reviewing, configuring and monitoring security software throughout the environment
- Ensuring perimeter security methods, such as firewalls, antivirus and anti-malware software, are properly configured and up-to-date
- Employing least-privilege access, which means that the organization grants the lowest level of access possible to each user or device to help limit lateral movement across the network in the event of a breach
- Leveraging microsegmentation, a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network