First, Choose Your Team: Red (Offensive) vs. Blue (Defensive)
Sports are an excellent analogy for this subject. Not only do they illustrate the need for practice, but they can help us further break down the concept of red team cybersecurity vs. blue team cybersecurity as separate sides of the same “game.”
For red team and blue team cybersecurity efforts to be effective, they need to work together. Both teams are different and view the overall cybersecurity infrastructure through their own unique lens. Together, they both play pivotal roles in strengthening cybersecurity systems at large.
While red team cybersecurity is focused on offense and exposing cybersecurity vulnerabilities and loopholes, blue team measures are focused on constant monitoring and protection. The blue team’s continuous monitoring is valuable for the long-term strength and health of the system and making sure defenses remain strong.
Although valuable in determining vulnerabilities, the red team doesn’t have the same holistic view. The loopholes and exposures they discover within a client’s system are critical for informing the blue team’s defense strategy. Still, the red team only operates from a current, “present-moment” view of a company’s cybersecurity measures.
Red Team
In most sporting events, both teams need to play offense and defense. To better understand what red team security is, you may want to think of them as the offense. The role of this team is to launch coordinated penetration attacks to test the strength and coverage of an overall security system.
An IT professional will assume the role of attackers or threat actors to see what loopholes or vulnerabilities could pose a major threat by being exploited during a real-world attack. The goal here is not to hold anything back. Successful red team and blue team operations require the “practice attacks” to mimic what would occur in the real world as closely as possible.
For that reason, many organizations choose not to use internal staff to test their own system with red team and blue team cybersecurity drills. Companies will hire an outside consultant or third-party vendor to “attack” their system in several different ways. In doing so, they’re not only testing a system, but they’re also testing the employees’ ability to conduct themselves safely and securely as they perform daily operations on their individual end terminals.
Here are a few of the main attack types red team members will employ when testing systems:
- Phishing attacks. These help to test the cybersecurity training of your clients’ non-IT staff. They’ll be made aware of any cybersecurity exposure on the human level, as well as within your email system.
- Social engineering. These are attacks that play on your clients’ team members’ psychology or emotional response. While phishing falls under this category, it may also include more targeted attacks like spear phishing, vishing, whaling, baiting, and more.
- Employee impersonation. Some attacks will come from threat actors who pretend to be employees within the organization. The goal of these attacks is to obtain admin access to sensitive files and information. If not stopped quickly, these types of attacks can be particularly devastating.
By launching these varied attacks, red teams play an integral role in testing the functionality of your clients’ cybersecurity strategy. The data and intel red team exercises provide go a long way toward preventing future data breaches and adequately equipping your clients’ overall system.
Tools for Red Teaming
1) Beginner? Want to learn ethical hacking basics?
The best stepping stone is the Practical Ethical Hacking course by TCM on freeCodeCamp’s YouTube channel. freeCodeCamp has other free courses related to programming, ethical hacking, etc. on their YouTube channel. Learn for free.
Link: https://www.youtube.com/watch?v=3Kq1MIfTWCE
2) Try Hack Me (THM)
Learn and practice your cybersecurity skills, such as red teaming and blue teaming activities.
Has curated learning paths for organized learning.
Link: https://tryhackme.com/
Subscription: Most of the rooms are free. A subscription (~$10/mo) gives access to the learning paths and exclusive rooms.
Level: Beginner
3) Web Security Academy.
Free, online web security training, especially on the OWASP Top 10, from the creators of Burp Suite.
Link: https://portswigger.net/web-security
Subscription: Free.
Level: Beginner
4) eLearnSecurity Junior Penetration Tester Training and Certification.
Curated courses and labs for the preparation of eJPT certification offered by INE.
Link: https://my.ine.com/CyberSecurity/learning-paths/a223968e-3a74-45ed-884d-2d16760b8bbd/penetration-testing-student
Subscription: Free course and lab. The eJPT exam costs $200.
Level: Beginner
5) Hack The Box (HTB)
Learn and practice your cybersecurity skills such as hacking, OSINT, binary analysis.
Link: https://www.hackthebox.eu/
Subscription: Active machines are free. Retired machine access requires a valid subscription ($14/mo).
Level: Intermediate
6) Proving Grounds by Offensive Security
Preparing for OSCP? This could be a platform for practicing and for preparation.
Contains machines designed by the Offensive Security team as well as VulnHub machines.
Link: https://www.offensive-security.com/labs/individual/
Subscription: Two types. The Play subscription is free and gives access only to VulnHub machines; the Practice subscription costs $19/mo.
Level: Intermediate.
Blue Team
If the red team is the offense, think of the blue team as the defense in the red team vs. blue team cybersecurity scenario. Their role is to respond to the attacks launched by the red team.
As the red team launches their attacks, the blue team should be working to strengthen defenses and take whatever steps necessary to enhance incident response. This means they’re responsible for responding to red team attacks, but they also need to handle much more.
The blue team is tasked with constantly strengthening the overall cybersecurity posture for your clients. In addition to defending against the red team attacks, blue team members also need to remain ever-vigilant of unusual or suspicious activity.
To do this effectively, blue team cybersecurity squads will employ one or more of the following tools:
- Log and memory analysis. IT staff will analyze logs and the information contained in system memory dumps. They will look at volatile data and use memory forensics techniques to identify attacks that, unlike traditional attacks, may leave no trace on hard drive data.
- PCAP. Short for packet capture, PCAP is a method of using third-party API software to capture packets of data as they enter a network or system. These collections of system traffic data offer valuable insight into file analysis and network monitoring.
- Risk intelligence data analysis. As time goes on and more attacks are attempted on your clients’ systems, you should be assembling a running library of risk intelligence. Informed threat intelligence based on hard evidence and actionable insights can better position your team to respond to threats and protect your clients’ company assets.
- Digital footprint analysis. As organizations conduct business, visit websites and share things online, they begin to leave a digital “paper trail.” Members of your blue cybersecurity team will examine this online footprint and see what steps can be taken to minimize its size and exposure.
- DDoS testing. In addition to red team cybersecurity attacks, the blue team will also run tests against typical DDoS threats. Typically, these are Layer 4 or Layer 7 attacks conducted to test the resilience of a network’s service availability.
- Developing risk scenarios. Part of a blue team’s cybersecurity defense is identifying the specifics of potential attack scenarios. Developing detailed descriptions of possible future IT events can be critical in helping you protect your clients from future breaches or interruptions of service.
- Reverse engineering. History is the best teacher. Data from previous attacks, or even reviewing case studies of attacks in similar industries, should be part of any robust protection plan. Reviewing past events and asking what went wrong or what could be done better is essential for improving cybersecurity measures.
- Security audits. Regularly scheduled, detailed audits of your clients’ systems help you take a proactive role in their cybersecurity. Routine maintenance tasks like DNS audits ensure the security of data packets being passed back and forth through the system. With so many outside threat actors to worry about, conducting these standard protocols is crucial to ensure your team’s energy and resources are used in the best way possible.
Proper blue team cybersecurity helps MSPs gain a holistic cybersecurity perspective. Seeing what loopholes and vulnerabilities your red team can exploit is just one piece of the puzzle. Threat detection and threat response are just as important – if not more important – and blue team cybersecurity measures help strengthen your clients’ systems to that end.
Tools for Blue Teaming
7) Incident Response
LetsDefend is a great platform to practice real-world exercises on Incident Response and Handling.
Offers free and premium exercises.
Link: https://letsdefend.io/
Subscription: Free / Analyst ($25/mo) / Incident Responder ($40/mo)
Level: Beginner/Intermediate
8) Blue Team Labs Online (BTLO)
Great platform to learn and practice your blue teaming skills. Includes exercises on DFIR, Security Ops, etc.
Link: https://blueteamlabs.online/
Subscription: Free exercises; a Pro subscription costs GBP 15/mo.
Level: Beginner/Intermediate
9) RangeForce Community Edition
Learn SOC skills and incident handling; also has some red teaming content.
Link: https://go.rangeforce.com/community-edition-registration
Subscription: Community Edition is free.
Level: Beginner
10) AttackIQ Academy
Learn MITRE ATT&CK and Purple Teaming.
Link: https://academy.attackiq.com/
Cost: Free
Level: Beginner