
Colourful teaming


Red and blue teams

Red teaming is a term borrowed from the military. In military exercises, the red team simulates attack techniques to test the reaction capabilities of a defending blue team against known adversary strategies.

In cybersecurity, the red team emulates a real threat actor's Tactics, Techniques and Procedures (TTPs) to measure how well the blue team responds and to test any security controls in place. Usually the blue team is made up of members of a security incident response team (SIRT) and/or a security operations centre (SOC).

Red teaming does not replace penetration testing. It complements it by focusing on detection and response rather than prevention, and it broadens penetration testing by taking more attack surfaces into account:

  • Technical Infrastructure: Like in a regular penetration test, a red team will try to uncover technical vulnerabilities, with a much higher emphasis on stealth and evasion.

  • Social Engineering: Targeting people through phishing campaigns, phone calls or social media to trick them into revealing information that should remain private.

  • Physical Intrusion: Using techniques like lockpicking, RFID cloning, or exploiting weaknesses in electronic access control devices to access restricted areas of facilities.

The objective of such exercises is not for the red team to “beat” the blue team. But of course, human traits being what they are, it often ends up feeling that way.

Purple teams

The scope and goals of purple team operations are very similar to those defined for a red team. The main difference is that the focus lies on transparency and collaboration between the red, blue, engineering, and management teams.

If attacks succeed and are not caught, detections are fixed and implemented, and the attacks are run again right away, until there is a measurable improvement.

Ingredients for success

A gray hat red or purple team is usually better at simulating real attackers, but it does have to consider legal and organisational policies when operating. This has implications for how realistically certain scenarios can be played out, so some scenarios are better played out on paper or as tabletop exercises. Re-inventing the wheel is silly, so we can either use existing games as inspiration and adapt them to the local context (which also helps avoid bias traps), or design a totally new game.