The long-held rivalry between red and blue teams has served a beneficial purpose, simulating the highly competitive real-world environment between hackers and those defending organizations. However, recent advances in blue team capabilities and the sophistication of the security technologies that support them have shifted the balance between the two groups.
While in years past the red team always had the upper hand, the blue team is now increasingly well-equipped to defend enterprise attack surfaces while proactively hunting threats. This benefits many across the security ecosystem and can bring more value to the overall practice. There are a few key ways enterprises should take advantage of the new dynamic.
Tech advances are leveling the playing field
A few years ago it was very simple for red teams to emulate hackers and launch successful attacks on hosts and servers. Now, endpoint protection tools have improved to the point that security teams can focus on going on the offensive with threat hunting. Detecting fileless, behavioral or ransomware attacks that would have slipped past blue teams a few years ago has become table stakes. For instance, increased capabilities in endpoint protection tools now allow teams to watch for attacks at an almost forensic level. This means that defensive skills have become increasingly sophisticated.
Meanwhile, advances in AI and machine learning have significantly up-leveled and automated much of the blue team’s work. The defensive side used to be bogged down by inefficient, repetitive tasks like sifting through high volumes of unactionable events or drowning in the noise of too many alerts. As recently as a few years ago, there was no way for blue teams to keep up with the sheer volume of threats endangering organizations. Fast forward to today, and we now have the capability to catch many of the “slow and low” or outlying behavior attacks that used to sneak by easily. Blue teams now have the freedom to focus on higher-level tasks like threat hunting that are more engaging, rewarding and effective. Even better, they’re challenging red teams to step up their game. This evolution means many security teams now understand that running a pen test and walking away is no longer good enough. There’s a greater focus on how to actually fix a vulnerability. Now is the perfect time to optimize your strategy with three tactics to get the most value from this dynamic.
1) Adopt a “purple team” mindset
Red and blue teams should no longer be working in independent silos. The best value comes from blending the two together — not in an entirely separate purple team but in a purple mindset that combines learning, strategy and critical thinking from both sides. In the past, it was common for the red team to just do their job and send a report about it without involving the blue team. That’s no longer going to cut it. The focus now should be on collaboration.
Red and blue teams should learn from each other and push each other to develop new skills. The offensive side should openly communicate their tactics and techniques by outlining what attack they’re running, as well as any ports, processes or other known artifacts it may involve. From there, the blue team can see what it looks like from a forensic standpoint and what types of event logs they should keep an eye out for, and confirm whether the activity can be detected in full or in part. They can also communicate back what they’re seeing to inform how the red team can better hide their attacks based on what the blue team is able to detect. Having both teams work together in real time where possible ensures that nothing slips through the cracks.
For example, tools like BloodHound and Empire worked like magic a few years ago. Typically, no one would detect them. Instead of the red team trouncing defenses and leaving, I had them stick with it and teach the blue team what types of logs to look out for to better prevent such attacks in the future.
2) Use tools that enable and improve collaboration
Red and blue teams must share metrics, information and goals to better interact and get the most out of the simulated attack process. Using the right tools can help enable this. Advances in SIEM and SOAR technology have had huge benefits. Implement a SOAR-inspired playbook to automate the low-hanging fruit and enable blue teams to focus on more cutting-edge techniques. This can be beneficial for recruiting as well. Use SOAR playbooks to automate low-level security defenses so your security team has the freedom to focus on more engaging, exciting threat hunting projects. This will help attract and retain the best talent, which is an increasing challenge in the security space. These tools can also fuel information-sharing and collaboration. For example, I have my internal blue team work with the red team to show them how they’d write alert content in the SIEM, which helped red improve the stealthiness of their command and control communication channels.
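One way to keep the shared record that the two sections above describe (red announces the technique and the artifacts it should leave, blue reports whether it was detected in full or in part, and both teams review the metrics together), as an added example that is not code from the article or from ReliaQuest. The exercise entries, log source names and outcomes are constructed for illustration.

```python
from dataclasses import dataclass
from collections import Counter
from typing import List, Tuple

# One row of a purple-team exercise log: what red ran, what evidence it
# should leave, where blue expected to see it, and how blue actually did.
@dataclass
class Exercise:
    technique: str
    artifacts: List[str]      # what red told blue to look for
    log_sources: List[str]    # where blue expected the evidence to land
    outcome: str              # "full", "partial" or "none"
    notes: str = ""           # feedback in either direction

# Constructed sample entries (not real exercise data).
EXERCISES = [
    Exercise("Directory enumeration (BloodHound-style)",
             ["LDAP queries from a workstation", "port 389/636"],
             ["domain controller security log", "network flow"], "partial",
             "Only the flow rule fired; no DC event correlation yet"),
    Exercise("Scripted agent (Empire-style)",
             ["powershell.exe spawned by an office application"],
             ["EDR process tree", "script block logging"], "full"),
    Exercise("HTTPS beacon to external host",
             ["periodic outbound 443 to one destination"],
             ["proxy log"], "none", "Proxy alert threshold set too high"),
]

def coverage(exercises: List[Exercise]) -> Tuple[Counter, float]:
    """Per-outcome counts plus a 0..1 score (full=1, partial=0.5, none=0)."""
    counts = Counter(e.outcome for e in exercises)
    weights = {"full": 1.0, "partial": 0.5, "none": 0.0}
    score = sum(weights[e.outcome] for e in exercises) / len(exercises)
    return counts, round(score, 2)

def detection_gaps(exercises: List[Exercise]) -> List[Tuple[str, List[str], str]]:
    """Techniques blue missed wholly or partly, with the log sources to tune
    next: the list both teams sit down with after the exercise."""
    return [(e.technique, e.log_sources, e.notes)
            for e in exercises if e.outcome != "full"]

if __name__ == "__main__":
    counts, score = coverage(EXERCISES)
    print(f"coverage score {score}, outcomes {dict(counts)}")
    for technique, sources, notes in detection_gaps(EXERCISES):
        print(f"gap: {technique} -> tune {', '.join(sources)} ({notes})")
```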
3) Encourage red and blue players to switch sides
I encourage security professionals to switch sides — from offense to defense and vice versa. This allows them to get fresh perspectives on the latest techniques the other team is using. For example, offensive players who are used to easily compromising a network have had to advance their capabilities to better hide their tracks and actively evade blue teams. They now need to build better infrastructure to hide persistence and external communications to better avoid detection. We have a lab with most defensive tools available, so our internal red team can go in and learn about the latest threat hunting techniques to inform their own strategies. Conversely, our blue team members try their hand at detecting cutting-edge attacks to stay up to date with the latest tricks.
While the dynamic between red and blue teams continues to evolve, one thing remains unchanged: in order to better protect against the latest threats, it’s essential to solidly and equally invest in both sides. Organizations should leverage these changes while uniting red and blue teams under a shared objective: to find weaknesses and figure out how to best address them; to successfully fend off attacks; and to improve the overall security posture of the company. This has been and, ideally, always will be the most effective way forward.
Joe Partlow is the chief technology officer at ReliaQuest.