The long-held rivalry between red and blue teams has served a beneficial purpose, simulating the highly competitive real-world environment between hackers and those defending organizations. However, recent advances in blue team capabilities and the sophistication of the security technologies that support them have shifted the balance between the two groups.
While in years past the red team always had the upper hand, the blue team is now increasingly well-equipped to defend enterprise attack surfaces while proactively hunting threats. This benefits many across the security ecosystem and can bring more value to the overall practice. There are a few key ways enterprises should take advantage of the new dynamic.
Tech advances are leveling the playing field
A few years ago it was very simple for red teams
to emulate hackers and launch successful attacks on hosts and servers. Now,
endpoint protection tools have improved to the point that security teams can
focus on going on the offensive with threat hunting. Detecting the fileless,
behavioral or ransomware attacks that blue teams would have missed a few years
ago has become table stakes. Endpoint protection tools, for instance, now let
teams watch attacks unfold at an almost forensic level, and defensive skills
have become correspondingly more sophisticated.
Meanwhile, advances in AI and
machine learning have significantly up-leveled and automated much of the blue
team’s work. The defensive side used to be bogged down by inefficient,
repetitive tasks like sifting through high volumes of unactionable events or
drowning in the noise of too many alerts. As recently as a few years ago, there
was no way for blue teams to keep up with the sheer volume of threats
endangering organizations. Fast forward to today, and we now have the
capability to catch many of the "low and slow" or outlying-behavior attacks
that used to sneak by easily. Blue teams now have the freedom to focus on
higher-level tasks like threat hunting that are more engaging, rewarding and
effective. Even better, they’re challenging red teams to step up their game.
This evolution means many security teams now understand that running a pen test
and walking away is no longer good enough. There’s a greater focus on how to
actually fix a vulnerability. Now is the perfect time to optimize your strategy
with three tactics to get the most value from this dynamic.
1) Adopt a “purple team” mindset
Red and blue teams should no longer be working in
independent silos. The best value comes from blending the two together — not in
an entirely separate purple team but in a purple mindset that combines
learning, strategy and critical thinking from both sides. In the past, it was
common for the red team to just do their job and send a report about it without
involving the blue team. That’s no longer going to cut it. The focus now should
be on collaboration.
Red and blue teams should learn from each
other and push each other to develop new skills. The offensive side should
openly communicate its tactics and techniques: what attack it is running, and
any ports, processes or other known artifacts the attack may leave behind.
From there, the blue team can see what the attack looks like from a forensic
standpoint and which event logs to watch so that the activity is detected in
full, or at least partially. The blue team can also report back what it is
seeing, which tells the red team how to better hide its attacks given what the
blue team is able to detect. Having both teams work together in real time
where possible ensures that nothing slips between
For example, tools like BloodHound
and Empire worked like magic a few years ago. Typically, no one would detect
them. Instead of the red team trouncing defenses and leaving, I had them stick
with it and teach the blue team what types of logs to look out for to better
prevent such attacks in the future.
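The feedback loop described above (red declares the technique and the artifacts it expects to leave; blue maps those to detections; the exercise records what was caught in full, partially, or not at all) can be made concrete. The following is an added example, not code from the article or from ReliaQuest: a small purple-team scorer in Python. The event records, technique names, observable labels and the LDAP threshold are all constructed for illustration; the two detection rules stand in for whatever alert content blue actually writes.

```python
"""Purple-team exercise scorer: red hands over an "attack card" listing the
observables it expects its technique to produce; blue's detection rules run
over the collected telemetry; each technique is scored as detected in full,
partially, or missed, and the uncovered observables are reported back.

Added example, not the article's or ReliaQuest's code. All events, technique
names, observable labels and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Event:
    host: str
    kind: str          # "process" or "network"
    fields: dict


@dataclass
class AttackCard:
    """What red shares before the run: the technique and the observables
    (process, port or log artifacts) red expects blue to be able to see."""
    name: str
    observables: frozenset


Detection = Callable[[list], set]   # telemetry in, confirmed observable labels out


def detect_encoded_powershell(events: list) -> set:
    """Blue rule: PowerShell launched with an encoded command and/or a hidden
    window, the kind of launcher a PowerShell post-exploitation framework
    such as Empire can produce. Token matching is a simplification."""
    hits = set()
    for e in events:
        if e.kind != "process":
            continue
        image = e.fields.get("image", "").lower()
        tokens = e.fields.get("cmdline", "").lower().split()
        if not image.endswith("powershell.exe"):
            continue
        if any(t in ("-enc", "-encodedcommand") for t in tokens):
            hits.add("encoded_powershell_launch")
        if "hidden" in tokens and any(t in ("-w", "-windowstyle") for t in tokens):
            hits.add("hidden_window")
    return hits


def detect_ldap_burst(events: list, threshold: int = 20) -> set:
    """Blue rule: a single host opening many LDAP (389/tcp) connections in
    the window, as an Active Directory collector like BloodHound's SharpHound
    does while enumerating. The threshold of 20 is an assumed tuning value."""
    per_host = {}
    for e in events:
        if e.kind == "network" and e.fields.get("dst_port") == 389:
            per_host[e.host] = per_host.get(e.host, 0) + 1
    return {"ldap_enumeration_burst"} if any(n >= threshold for n in per_host.values()) else set()


def score_exercise(cards: list, detections: list, events: list) -> dict:
    """Return {technique: (status, missing)} with status 'full', 'partial' or
    'missed'. 'missing' lists the expected observables no rule confirmed: the
    concrete item blue takes away to write new alert content for."""
    seen = set()
    for rule in detections:
        seen |= rule(events)
    results = {}
    for card in cards:
        got = card.observables & seen
        status = "full" if got == card.observables else ("partial" if got else "missed")
        results[card.name] = (status, sorted(card.observables - got))
    return results


# --- constructed telemetry for one exercise window (not real tool output) ---
SAMPLE_EVENTS = [
    Event("WS01", "process", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA..."}),
    Event("WS01", "process", {"image": r"C:\Tools\collector.exe", "cmdline": "collector.exe -c All"}),
]
SAMPLE_EVENTS += [Event("WS01", "network", {"dst_port": 389, "dst": "dc01"}) for _ in range(25)]
SAMPLE_EVENTS += [Event("WS02", "network", {"dst_port": 443, "dst": "203.0.113.10"}) for _ in range(3)]

# Red's declared techniques and the observables it expects each to leave behind.
RED_CARDS = [
    AttackCard("PowerShell launcher (Empire-style)",
               frozenset({"encoded_powershell_launch", "hidden_window", "https_beacon_from_workstation"})),
    AttackCard("AD enumeration (BloodHound-style)", frozenset({"ldap_enumeration_burst"})),
    AttackCard("Credential access from LSASS", frozenset({"lsass_handle_open"})),
]
BLUE_RULES = [detect_encoded_powershell, detect_ldap_burst]


def run_exercise() -> dict:
    return score_exercise(RED_CARDS, BLUE_RULES, SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, (status, missing) in run_exercise().items():
        gap = f"  (no rule covers: {', '.join(missing)})" if missing else ""
        print(f"{status:8s} {name}{gap}")
```

Run as a script, the report shows the AD enumeration technique detected in full, the PowerShell launcher only partially (no rule covers the outbound beacon red declared), and the LSASS technique missed outright. Those last two lines are exactly what the blue team takes back to the SIEM, and the "partial" result is also what tells red which of its artifacts are already burned.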
2) Use tools that enable and improve collaboration
Red and blue teams must share metrics,
information and goals to interact well and get the most out of the simulated
attack process, and the right tools help enable this. Advances in SIEM and
SOAR technology have had huge benefits. Implement SOAR-inspired playbooks to
automate the low-hanging fruit (triaging and enriching routine alerts, for
example) so the blue team is free to focus on more cutting-edge techniques and
more engaging threat hunting projects. This benefits recruiting as well: it
helps attract and retain the best talent, which is an increasing challenge in
the security space. These tools can also fuel
information-sharing and collaboration. For example, I have my internal blue
team work with the red team to show them how they’d write alert content in the
SIEM, which helped red improve the stealthiness of their command and control
3) Encourage red and blue players to switch sides
Encourage security professionals to switch sides, from offense to defense and
vice versa, so they get fresh perspectives on the latest techniques the other
team is using. For example, offensive players that are used to easily
compromising a network have had to advance their capabilities to better hide
their tracks and actively evade blue teams. They now need to build better
infrastructure to hide persistence and external communications to better avoid
detection. We have a lab with most defensive tools available, so our internal
red team can go in and learn about the latest threat hunting techniques to
inform their own strategies. Conversely, our blue team members try their hand
at detecting cutting-edge attacks to stay up to date with the latest tricks.
While the dynamic between red and blue teams
continues to evolve, one thing remains unchanged: in order to better protect
against the latest threats, it’s essential to solidly and equally invest in
both sides. Organizations should leverage these changes while uniting red and
blue teams under a shared objective: to find weaknesses and figure out how to
best address them; to successfully fend off attacks; and to improve the overall
security posture of the company. This has been and, ideally, always will be the
most effective way forward.
Joe Partlow is the chief technology officer at ReliaQuest.