Whenever cybersecurity is discussed, the terms “Red Team” and “Blue Team” come up quickly. Both teams are deployed in the same scenario: a simulated, active attack on a company’s systems.
Why expose yourself to danger?
No software and no standard procedure can test your systems the way a “real” attack does. The difference is that in this scenario the “Red Team” works for you, not against you. Many of today’s commodity threats (e.g. mass malware or phishing emails) are stopped by automated tools at the edge of the network. Targeted attacks, however, often get past those automated barriers, and containing them is then up to people.
Such an exercise tests the security of the organization as a whole. The focus is not only on intrusion over the network: physical entry points such as doors and gates, which require physical access, are tested as well.
In this attack scenario the “Red Team” is an independent group that attacks the company, following the same procedure a real attacker would. The aim is to test the company’s ability to recognize an attack and react to it. Unlike a vulnerability scan, a “Red Team” does not enumerate every weak point; it pursues only those that lead to its objective.
Tasks and goals
The tasks and goals of a “Red Team” can include the following:
- Compromising security by extracting information, intruding into systems or crossing physical boundaries.
- Avoiding detection by the “Blue Team”.
- Exploiting weak points and misconfigurations in the infrastructure. This reveals gaps in security that must be closed afterwards.
- Carrying out unauthorized actions in order to obtain a reliable assessment of the “Blue Team’s” defensive capabilities.
In addition, the “Red Team” uses attack techniques such as:
- Open Source Intelligence (OSINT) to collect information about the target,
- “Command and Control” servers to maintain communication with compromised hosts inside the target network,
- laying false trails to distract the “Blue Team”,
- social engineering and phishing attacks to manipulate employees, and
- exploiting the “human” vulnerability more generally.
Finally, the “Red Team” writes a detailed report that describes the security gaps it found and recommends how security in the company can be improved.
The “Blue Team” usually consists of in-house IT security personnel who deal with the company’s security around the clock. It stands ready to recognize, fight and mitigate complex attacks, and it plans ahead. The “Blue Team” does not, however, simply wait for an attack from the “Red Team” or for the next vulnerability scan: security improvements are carried out continuously, independently of any attack, to maintain the defensive measures and protect the company preventively.
The “Blue Team” therefore has two areas of responsibility that must be fulfilled in parallel: on the one hand, defending the network against attacks, and on the other, continuously improving the network’s security posture. The “Blue Team” is expected to recognize false positives for what they are, and to react to every potentially malicious attack as quickly as possible with adequate and efficient countermeasures. To identify threats and choose the best available countermeasures, the “Blue Team” relies on supporting information from IT forensics.
It is also the responsibility of the “Blue Team” to adapt and update procedures, guidelines and documents at regular intervals. This is especially important after security events such as attacks or scheduled tests. It ensures that cybersecurity stays up to date and that open security gaps are closed as quickly as possible.
Tasks and goals
The tasks of the “Blue Team” can be summarized in the following bullet points:
- Each phase of an incident must be understood and responded to appropriately.
- Suspicious patterns must be recognized and identified.
- Any form of impairment must be prevented quickly.
- “Command and Control” servers must be identified and their connections blocked.
- IT forensic analyses must be carried out on the various operating systems in the organization.
The “Blue Team” can use the following methods:
- Inspection and analysis of log files.
- Operation of a SIEM platform (Security Information and Event Management) to detect intrusions and trigger alerts.
- Gathering new information about threats (threat intelligence).
- Prioritizing actions according to risk.
- Traffic and data-flow analysis.
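Two of the items above, identifying “Command and Control” servers and analysing log files and traffic, come together in a very common Blue Team check: looking for hosts that contact the same destination at clockwork-like intervals, which is how a simple C2 beacon looks from the network side. The following is an added example written for this article, not code from the original page; the proxy-log format, the host names, the sample log lines and the thresholds are all constructed assumptions for illustration.

```python
"""Beacon detection over constructed proxy-log lines (added example).

Assumed log format per line: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
Hosts, timestamps and thresholds are illustrative, not taken from any real
environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one workstation, a few normal destinations, and one
# destination (cdn-stats.example.net) that is contacted roughly every 60 s.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 intranet.example.local 1200
2024-03-01T09:00:01 10.0.0.5 updates.example.local 52000
2024-03-01T09:01:00 10.0.0.5 cdn-stats.example.net 310
2024-03-01T09:02:00 10.0.0.5 cdn-stats.example.net 305
2024-03-01T09:03:01 10.0.0.5 cdn-stats.example.net 312
2024-03-01T09:04:00 10.0.0.5 cdn-stats.example.net 309
2024-03-01T09:04:58 10.0.0.5 intranet.example.local 8800
2024-03-01T09:05:00 10.0.0.5 cdn-stats.example.net 307
2024-03-01T09:06:01 10.0.0.5 cdn-stats.example.net 311
2024-03-01T09:07:00 10.0.0.5 cdn-stats.example.net 306
2024-03-01T09:13:40 10.0.0.5 intranet.example.local 2100
2024-03-01T09:25:12 10.0.0.5 updates.example.local 48000
"""


def parse_log(text):
    """Parse the assumed 'timestamp src dst bytes' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_hits=5, max_jitter=0.2, allowlist=()):
    """Return {(src, dst): stats} for pairs that talk at regular intervals.

    jitter is the coefficient of variation (std dev / mean) of the gaps
    between successive contacts; a value near 0 means near-constant timing.
    min_hits avoids flagging pairs with too few contacts to judge, and
    allowlist lets known-good destinations (e.g. an update server) through.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if pair[1] in allowlist or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all contacts in the same second: a burst, not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = {"hits": len(times), "interval_s": avg, "jitter": jitter}
    return beacons


def blocklist(beacons):
    """Destinations to block at the proxy or firewall, deduplicated and sorted."""
    return sorted({dst for (_, dst) in beacons})


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for (src, dst), stats in found.items():
        print(f"{src} -> {dst}: every {stats['interval_s']:.0f}s, "
              f"{stats['hits']} hits, jitter {stats['jitter']:.3f}")
    print("block:", blocklist(found))
```

On the constructed sample this flags only cdn-stats.example.net (seven contacts about 60 s apart with a jitter of roughly 0.01), while the intranet and update servers are ignored. In practice the thresholds need tuning against the environment’s own baseline, since legitimate software also polls on timers; the allowlist and the hit minimum exist precisely to keep such false positives from turning into blocked connections.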
Act before it’s too late!
To strengthen the “Blue Team” and the infrastructure behind it, those responsible should regularly practise defending the network using planned procedures. External “Red Teams” can be brought in to simulate attacks on the systems and attempt to penetrate the network.
Choosing the attackers
The “Red Team” should consist of qualified auditors who are proficient in system administration, network protocols, IT security protocols, application systems and network components. Familiarity with several programming languages is also expected. The more technical knowledge and experience the team has, the more successfully the simulated attack will run, and the better it can avoid lasting damage, such as an outage of the attacked systems.
Beyond technical knowledge, the “Red Team” needs further skills: goal-oriented thinking and acting, persuasiveness, a quick grasp of situations and sound judgment. After all, these auditors are the attackers who will do their best to break into your systems. The “Red Team” should also be able to organize itself, analyse the infrastructure, and handle the workload as a team so that it can work in a goal-oriented way, especially on sensitive matters.
The BSI (Germany’s Federal Office for Information Security) recommends teams of at least two people for IT security reviews so that the four-eyes principle is maintained. The neutrality and independence of the auditors also matter a great deal: if one of the examiners is dependent on the institution being tested, the independence that is indispensable for carrying out such a test is missing.