Red, Blue & Purple Team: Attacker, Defender & Facilitator

By Ayesha Yousuf

Introduction:
Building an effective & secure platform is critical! In this era of rising technologies, it is becoming more and more complex to manage security. Conducting a red team vs blue team exercise could be an eye-opener for companies who seek optimum level protection against their network and systems. Through these exercises a lot of loopholes could be discovered leading to potential opportunities of securing the network and systems more.

How Does The Journey Begin?
The journey starts with the name orientation, the team names originate from an Army perspective which indicates Red Team as an Attacker and Blue Team as a Defender.

The basic phenomenon includes the activities performed by the red team to emulate an attacker’s behaviour and try to penetrate through the company’s network or system. However, the blue team is all packed up to join forces and defend against those attacks. This includes implementing preventative and detection controls and responding to security incidents and alerts. This function can be internal, outsourced to a third party, or a hybrid of both.

How do they exactly work and where does the purple team join the scenario? Let’s find out!

Red Team:
Red team — as the name indicates, it is a team of vigorous ethical hackers whose purpose is to carry forward the exercise with simulating a real attack to the proposed system or network. They use real time hacking technologies and tools to breach the network. To make it more realistic, the blue team is usually not informed about the timings and the goals of the related attack.

These exercises are usually performed bi-annually as sometimes it takes months to complete the thorough analysis of the security measures taken by the company. Red team exercises are done internally or externally of the organisation.

The red team works with unified objectives which includes:

• Compromising the target’s security by different hacking tools.
• They initiate holistic activities which includes ethical penetration testing, giving the team a thorough assessment of the tactics the blue team has used for protection.
• Exploiting the bugs and weaknesses of the company, this shows how drastic is the gap between the company’s security and the requirement to fix them.
• Remain undetected by the blue team and penetrate into the application in a fleeking time which makes it extremely hard for the blue team to detect and work for countermeasures.
• They apply social engineering and phishing techniques to manipulate the employees into revealing the secrets and confidential information of the company.

Blue Team:
Blue team comes into action after the exercise of red team is done and the cyberattack simulation has been finished. The blue team plays off a defender where they basically set the platform to give countermeasures against the attacks.

The blue team exists to oppose the red team, they create barriers for those hackers to not let them breach or trespass the security measures they have taken for a particular network or system.

Their tactics include:

• The blue team detects and neutralises the more sophisticated attacks and closely monitors current and emerging threats to preemptively defend the organisation.
• They understand every suspicious activities and take readily measure to counter the attack
• They use automated tools to detect the malware or phishing emails that could be a potential lead towards a great loss.
• Their activities also include gathering threat intelligence information to use against any new risk or suspicious activity.
• They perform analysis to carefully cater the need of implementing such security measures that are cardinal and also help the system to be nearly impossible to breach.

Purple Team:
Purple Team is not evidently a permanent team but acts as a bridge between the red and blue team.

Let’s understand the basic concept of how purple team comes in the scenario with the following example:

Experts Chefs Keeping Their Masterpieces To Themselves:

Think of a scenario such as that a high end, elite restaurant is losing its customers.

When the investigation team looked into the matter it was found out that the chefs who create fantastic dishes are keeping them in the kitchen. When the chefs were asked why this is happening they replied, “We have spent years to learn such skills and knowledge about every single ingredient we use and the waiters and the customers don’t even know how to create such a master-piece, they don’t deserve this!”

The Verdict:

This example shows that the chefs don’t want to coordinate with the waiters and the customers, as they think the food they create is not worthy to be presented to the customers.

Just like this the Red Team and Blue Team usually do not go hand in hand. Here is when the services of Purple Team are required where they act as an incident response group or a detection group or a developer group to keep the exercise going and secure the systems or network of the company.

Red & Blue Team Cooperation Problems:

Red team commonly being an external team and blue being the internal team of an organisation goes through different challenges to connect. Here are some challenges they face.

1. The red team being an attacker thinks of itself as too elite to share information with the blue team creating a gap between them.
2. An external red team working vigorously towards its objectives when pulled inside the organisation is often criticised, neutralised and demoralised ultimately lowering their effectiveness of the task assigned.
3. The red and blue team are not initially designed to work hand in hand so when they work together and learn lessons along the way at some point they go to their designated seats and the communication is broken down.

Organisations that suffer from such problems introduce another team as “Purple Team”. Relatively the purple team could not be a permanent solution to these challenges but could surely be an option when there is a need.

Challenges That Drive Solutions:
Many companies and organisations lack the skill of holistically implementation of the defensive and preventative controls to robustly respond to the red team attacks. The result sometimes shows that the repeated exercise discovers the same loopholes that are not amended due to lack of communications or countermeasure knowledge by the blue team.

Some challenges they face along with the benefits of working together are mentioned as:

Skill & Expedite Constraints:

Firefighting, responding to incidents and prioritising the appropriate use cases, writing and updating playbooks, implementing new preventative controls among many other tasks without an incident hunter solution could be overwhelming for the blue team. Unfulfilled cybersecurity jobs will be estimated at 3.5 million by 2022.

Onboarding the relevant log sources and adhering to organisational change procedures for implementation can also severely limit the blue team’s ability to respond adequately and results in quick fixes.

In a purple team exercise, red and blue teams collaborate to ensure that the organisation is getting the most out of its investment in cybersecurity. Not only does this approach lead to improved security posture, it also allows for a more consistent and even distribution of resources like blue team members and vulnerability scanning platforms.

Restricted Knowledge of Red team Discoveries:

A red team is focused on security compliance issues so that they continuously debug from the perspective of an attacker or malware.

These red teams use static reports to provide their observations, but assume that some of these observations are not acted upon. The red team here develops a better communication mechanism with the blue team. This will help ensure that improvements address their actual concerns, and also allows them to concentrate on the new concerns that arise as a result of their work.

With teams sitting together, sharing screens and files, the mapping of engagement processes becomes more seamless and collaborative. This creates a better learning environment for blue team members to understand new threats that may have been precipitated by a red team insertion into cyber systems.

Unable to Test Control Implementations:
To test security controls, you need to be able to reproduce the red team attack patterns. However, simulating such attacks is difficult. Your blue team may not have the right skills and permissions to do this. They may also prove inadequate due to them only covering specific behaviours, meaning they need a lot of adaptation. With no log simulation tool, defences are difficult to test, which restricts your ability to keep developing your security posture. Scarce resources can make these hurdles even harder to navigate.

By combining red and blue teams, the red team learns more about current controls, and the blue team learns more about current attack behaviours. The purple team exercises allow for regular testing of controls to ensure they still function as expected. Combining red and blue functions also means that the blue team does not have to learn the red-team skills, or take the time to recreate attack behaviours themselves.

The Tunnel Vision:

Understanding the intended behaviour of the adversary is key to creating effective threat hunting use cases. The same applies for blue teams, who must also understand the offensive playbook used by their red team in order to detect and counter it. Using a thorough understanding of the threat, blue teams can create and implement effective long-term solutions that may be difficult or time-consuming to implement, but once completed will prevent an attacker from further progress.

The red team can articulate and demonstrate why implementing a tunnel vision control is less valuable. Working together promotes a better understanding of how attacks work, and how they can best be prevented or detected.

Use Of Purple Team In The Transformation Journey:

Many organisations are adopting an agile manner of working where they make decisions and implement them, getting quick results. This method focuses on immediate action that helps relatively into the transformation journey.

A Joint Mission:

The quickest and most effective way to mature the security monitoring in a short period of time is running purple team exercises. A purple, whose entire objective is to improve the security monitoring function of the company through direct collaboration. Many different forms are possible — an effective method involves both teams sitting together in one room and going through attack behaviours, this can be based on many scenarios: intel based, a previous red team exercise or even replaying an actual attack your organisation has experienced in the past. Once the red team completes an action, the blue team checks if it detected or prevented it. If not, together they work out why and either fix the issue on the spot and retest or work out an actionable plan to implement the required controls.

Focus Required In:

In a purple team scenario, the most effective areas to focus on are post-exploitation activities. Assume breach and identify the attacker’s actions in your environment. By assuming breach, teams can look for the following behaviours: lateral movement, escalation of privileges, reconnaissance, and data exfiltration.

Is Red Team Exercise Still Needed With Purple Team Exercise Conduction?

Yes, red team exercise is still as cardinal as before. Purple Teaming is not a replacement for Red Teaming but complements it by extending the benefits of the Red Team exercise as an extension. This can be performed with (pre or post red team exercise) or even independently if you do not conduct red team exercises.

Conclusion:

In order to make the companies systems and networks as optimum as possible the red, blue and purple team work side by side with each other. Red, being the attacker, carries forward with real-life attack cases to exploit the network whereas the blue team mitigate possible countermeasures. The purple team, a worthwhile addition, acts as a combined effort of both the teams.