The long-held rivalry between red and blue teams has served a beneficial
purpose, simulating the highly competitive real-world environment between
hackers and those defending organizations.

However, recent advances in blue team capabilities and the sophistication of
the security technologies that support them have shifted the balance between
the two groups. While in years past the red team always had the upper hand,
the blue team is now increasingly well-equipped to defend enterprise attack
surfaces while proactively hunting threats. This benefits many across the
security ecosystem and can bring more value to the overall practice. There are
a few key ways enterprises should take advantage of the new dynamic.

Tech Advances Are Leveling the Playing Field
A few years
ago it was very simple for red teams to emulate hackers and launch successful
attacks on hosts and servers. Now, endpoint protection tools have improved to
the point that security teams can focus on going on the offensive with threat
hunting. Fileless, behavioral or ransomware attacks that would have been missed
by blue teams a few years ago have become table stakes. For instance, increased
capabilities in endpoint protection tools now allow teams to watch for attacks
at an almost forensic level. This means that defensive skills have become
increasingly sophisticated.

Meanwhile,
advances in AI and machine learning have significantly up-leveled and automated
much of the blue team’s work. The defensive side used to be bogged down by
inefficient, repetitive tasks like sifting through high volumes of unactionable
events or drowning in the noise of too many alerts. As recently as a few years
ago, there was no way for blue teams to keep up with the sheer volume of
threats endangering organizations. Fast forward to today, and we now have the
capability to catch many of the “slow and low” or outlying behavior attacks
that used to sneak by easily. Blue teams now have the freedom to focus on
higher-level tasks like threat hunting that are more engaging, rewarding and
effective. Even better, they’re challenging red teams to step up their game.
This evolution means many security teams now understand that running a pen test
and walking away is no longer good enough. There’s a greater focus on how to
actually fix a vulnerability. Now is the perfect time to optimize your strategy
with three tactics to get the most value from this dynamic.

1) Adopt a “Purple Team” Mindset

Red and blue
teams should no longer be working in independent silos. The best value comes
from blending the two together — not in an entirely separate purple team but in
a purple mindset that combines learning, strategy and critical thinking from
both sides. In the past, it was common for the red team to just do their job
and send a report about it without involving the blue team. That’s no longer
going to cut it. The focus now should be on collaboration.

Red and blue
teams should learn from each other and push each other to develop new skills.
The offensive side should openly communicate their tactics and techniques by
outlining what attack they’re running, as well as any potential ports,
processes or other known items that may be used. From there, the blue team can
see what it looks like from a forensic standpoint and what types of event logs
they should keep an eye out for to ensure they can be detected in full or
partially. They can also communicate back what they’re seeing to inform how the
red team can better hide their attacks based on what the blue team is able to
detect. Having both teams work together in real time where possible ensures
that nothing slips through the cracks.

For example,
tools like Bloodhound and Empire worked like magic a few years ago. Typically,
no one would detect them. Instead of the red team trouncing defenses and
leaving, I had them stick with it and teach the blue team what types of logs to
look out for to better prevent such attacks in the future.

2) Use Tools That Enable and Improve Collaboration

Red and blue
teams must share metrics, information, and goals to better interact and get the
most out of the simulated attack process. Using the right tools can help enable
this. Advances in SIEM and SOAR technology have had huge benefits. Implement a
SOAR-inspired playbook to automate the low-hanging fruit and enable blue teams
to focus on more cutting-edge techniques. This can be beneficial for recruiting
as well. Use SOAR playbooks to automate low-level security defenses so your
security team has the freedom to focus on more engaging, exciting threat
hunting projects. This will help attract and retain the best talent, which is
an increasing challenge in the security space.

These tools
can also fuel information-sharing and collaboration. For example, I have my
internal blue team work with the red team to show them how they’d write alert
content in the SIEM, which helped red improve the stealthiness of their command
and control communication channels.

3) Encourage Red and Blue Players to Switch Sides

I encourage
security professionals to switch sides — from offense to defense and vice
versa. This allows them to get fresh perspectives on the latest techniques the
other team is using. For example, offensive players that are used to easily
compromising a network have had to advance their capabilities to better hide
their tracks and actively evade blue teams. They now need to build better
infrastructure to hide persistence and external communications to better avoid
detection. We have a lab with most defensive tools available, so our internal
red team can go in and learn about the latest threat hunting techniques to
inform their own strategies. Conversely, our blue team members try their hand
at detecting cutting-edge attacks to stay up-to-date with the latest tricks.

While the
dynamic between red and blue teams continues to evolve, one thing remains
unchanged: in order to better protect against the latest threats, it’s
essential to solidly and equally invest in both sides. Organizations should
leverage these changes while uniting red and blue teams under a shared
objective: to find weaknesses and figure out how to best address them; to
successfully fend off attacks; and to improve the overall security posture of
the company. This has been and, ideally, always will be the most effective way
forward.

Joe Partlow, chief technology officer at ReliaQuest