Blue Team vs. Red Team

You may have heard these terms before while reading articles, attending trade shows, or in conversations with people in cyber security and have often wondered what they meant. So I thought we should throw together a quick hit article about what these terms mean and what the job roles look like for each “Team”. As a disclaimer, the descriptions are not meant to be all inclusive. Rather, they are meant to give you a general idea of each “Team” and what they do to help organizations.

JSCM Group has both Red and Blue Teams. Sometimes the team members switch sides for a project or a period, but the projects they work on are always divided up.

Blue Team

The easiest analogy to remember for the Blue Team is defense. This Team is responsible for configuring the tools and writing the policies to defend against threats that an organization faces. It is their job to defend and protect the organization, and when an issue is identified or when a breach occurs it is up to them to patch the hole and analyze what happened.

The following are examples of the tools and policies that they are responsible for: firewalls, endpoint protection, mobile device management, device encryption, email encryption, DNS security, secure internet gateways, VPNs, password policies, and computer policies. While the exact toolset will vary based on the organization, the underlying principles remain the same.

The Blue Team will also often have input into which tools are purchased and how they will be configured. Some organizations make the mistake of allowing the networking team to select the firewalls, for example, but that decision should reside with the Blue Team, since they are responsible for the defense.

The Blue Team is also responsible for detecting an intrusion and for understanding how an attack may have been successful. That knowledge can then be used to shore up defenses and better protect the organization the next time. Some of the tools they can use to detect an intrusion are IDS/IPS, SIEM, event log reviews, access logs, and reporting from the devices and tools in use.

Red Team

The easiest analogy to remember for this Team is offense. It is the responsibility of this Team to test an organization's defenses by simulating an attack. This is also called ethical or white hat hacking. This Team is going to make sure what the Blue Team is doing is effective and working as expected. The Red Team will be able to analyze which alarms, if any, went off when the attack started, progressed, or concluded. Was data exfiltrated from inside? Did users fall for a phishing test? Was the network knocked offline? Was credit card data found? The Red Team will be able to provide answers to those types of questions.

These Team members should possess a skill set very similar to an attacker's, used ethically. They will utilize various hacking tools as well as human interaction to break into the organization. They will be up to speed on the latest tools and tricks in use on the black market. They will also attend conferences regularly to keep their skill set current.

Lastly, the Red Team should be kept separate from the general day-to-day work of the Blue Team. They should have as little insider knowledge as possible. This keeps the exercise as realistic as possible and gives the Red Team the best chance of a meaningful test.

Conclusions

Red and Blue Teams are vital for every organization. They can be internal employees, external contractors, or perhaps a combination of both. But if you are not proactively defending yourself from threats and if you are not testing those defenses, you are virtually guaranteeing a successful attack on your organization. Never assume that a default setting is good enough. And never assume that the manufacturer will do what is in your best interest. The responsibility to set up and to test should be left to the Blue and Red Teams, respectively. In over 20 years I have never seen a network that was secure out of the box. For example, Windows requires over 300 customizations to be secure. And a firewall does not inspect encrypted web traffic by default.

Stay safe and “Go Team”!