Blue Team, Red Team, and Purple Team: An Overview
By Erik Goldoff, Ray Van Hoose, and Max Boehner || Guest Authors
This post is comprised of 3 articles that were originally published in the second edition of the InfoSec Survival Guide. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.
Blue Team – Defend, Detect, Protect
by Erik Goldoff || CISSP, @ErikG
“Blue team” is a high-level term covering defensive security, whose goals are to reduce attack surface, as well as detect and respond to threats.
Here are some, but not all, of the sub-topics under the umbrella of blue team operations:
- Defensive Security
- Infrastructure Protection
- End-User Education
- Incident Response (IR)
- Business Continuity/Damage Control
- Security Operations Center (SOC)
- Threat Hunting & Digital Forensics (DF)
Transitioning to blue team positions is easier for existing IT staffers (user support/help desk operations, or network team). You need to be able to understand what is normal for your environment in order to quickly recognize the abnormal (potential security events). Your existing IT jobs are a great place to gain understanding of your environment from various fundamental perspectives.
As part of defensive security and/or infrastructure protection, it is vital that security stack components be configured and deployed properly — so as to not ignore threats, but not so stringent as to prevent productivity. You do not want your security solution to present the denial-of-service you are trying to prevent. Endpoint security, endpoint detection and response (EDR), and security information and event management (SIEM) are tools used in defensive security.
End users are often the weakest link in any organization with regards to security threats. You need to help them understand not only what to do, but also why, in order to help increase cooperation. Publishing periodic phishing test results by department can be more motivational than just individual training.
Should your organization be breached by a cybersecurity attack, how do you proceed to mitigate the threat and damage while keeping your enterprise operating as it should? Your SOC and incident response teams can help identify the threat, the source, and the immediate remediation, while still maintaining “chain of custody” for any evidence found, as your organization may have legal requirements for cooperation with authorities and/or qualifying for insurance reimbursements.
Being reactive is not enough. A proactive approach to threats is imperative for an organization. The threat hunting teams may find evidence of incursion before a major incident evolves. Did they find IOCs and EOCs (indicators/evidence of compromise) that alerted the DF/IR teams? Digital forensics (DF) gathers data on the attack methods, points of entry, incursion path, and potential exfiltration targets, while incident response (IR) helps to lock down the environment as necessary by disabling accounts restricting network access, shutting down exfiltration paths, removing malware, etc. Different parts of cybersecurity work together to detect, identify, and eradicate attacks.
If you are going to defend against cybersecurity attacks, you needs to know about the tools and techniques available to defend with, as well as what tools and techniques your attackers are using. Knowledge is power!
Blue Team Resources
Vulnerabilities
Vulnerabilities are tracked by their CVE (common vulnerabilities and exposures) number. Stay better informed on known vulnerabilities:
URLs
To determine if a fi le or URL/link is malicious before you take defensive action, or as part of your forensics investigations:
News
It is important for blue team members to stay current on evolving solutions to various cybersecurity problems:
Active Countermeasures – Community, tools, trainings, and more:
activecountermeasures.com
Red Team – Adversarial Simulation
by Ray Van Hoose || @_meta.
The question: How can we know how effective our security will be at detecting and mitigating the impact of a successful hack?
The answer: Red teaming.
Red team operations utilize covert and strategic attack techniques in an attempt to infiltrate systems undetected. While job titles may vary (operator, engineer, security specialist, etc.), the overall objectives remain consistent: to emulate adversarial actions, document response times and effectiveness, and proactively improve detection and response capabilities.
What are the minimum tools one would need to survive as a red teamer?
- a clipboard
- a USB stick
- a convincing story
Considerations and Job Requirements
- Strong communication and social skills
- Technical skills that cover a broad variety of domains
- Spy-gadgets and costumes would (likely) come from your personal budget
- Knowledge and understanding of blue team tactics, techniques, and procedures
- Ability to maintain composure while under pressure and in awkward situations
- Knowledge of the potential legal considerations and complications
- Solid understanding of the business side of the organizations
Finally, you should be aware the while executing some of the exercises, particularly in on-premise engagements, it is not uncommon to be arrested, including a chance at being jailed.
Darknet Diaries episode detailing potential legal complications:
darknetdiaries.com/episode/59
Skills and Techniques to Survive
Communication
The most important skill. You’ll be interacting with law enforcement, physical and cyber security teams, as well as debriefing leadership and working with developers and the blue teams to improve detection and mitigation capabilities.
Documentation
Considering the range of legal complications and varied types of attacks, simply documenting the scope can be daunting. Commonly documented items also include attacks, exploits, the security team’s responses to those attacks, artifacts created, steps to reproduce, and suggesting improvements to policies and processes of the blue teams.
Exploitation
Many red team exercises require you to first exploit (social or technical) their systems. Even if you are given an “assumed breach” option to gain initial access, stealthily gaining more shells often requires additional exploitation.
Tools and techniques for gaining initial access:
- gophish – quickly and easily set up phishing engagements
- Use a SSO (Single Sign-On) vendor to provide a clean phishing link!
Post-Exploitation
Exploiting a vulnerability to get you a foothold is only the first step. Ideally, this leads you to additional systems that you are able to stealthily exploit to gain persistence and all of the shells.
Red Team Resources
- Responder – monitor and manipulate response in order to gain control of the network
- Mimikatz – extract passwords, hashes, PIN codes, and Kerberos tickets from memory
- Cobalt Strike – commercial (costly) product providing tool(s) for adversarial emulation
Purple Team – With Our Powers Combined…
written by Max Boehner
What It Is
Purple teaming is a collaborative activity performed by blue teamers and red teamers with the goal of improving defenses. In other words: red teamers share or demonstrate tools, tactics, and procedures (TTPs) to train the blue team. This can range from a one-off, “Do you get an alert if I run this attack tool?” to complex, repeatable, and defined processed.
What It Isn’t
Purple teaming is not red teaming, despite the involvement of red teamers. Red teaming tests the blue team’s detection and response by performing simulated attacks without informing the blue team, while trying to remain undetected. During purple teaming, you want the blue teamers to be aware and on the lookout.
Why Do It?
Blue teamers need to understand adversary TTPs to defend against them. Red teamers know these TTPs and can execute them. Purple teaming can be an effective way to bring this together.
Here are some potential use-cases:
- Validating that event logging and forwarding are working as expected
- Discovering detection gaps and developing new detections
- Establishing time-to-response metrics and discrepancies between attack activities and alert notifications
Getting Into Purple Teaming
The bad news first: dedicated purple team positions are rare. Most organizations cannot afford dedicated full-time purple teams.
The good news: If you have experience in blue, red, or ideally both, and have a collaborative mindset, you can still do purple teaming. Folks starting in infosec might want to pick red or blue first, gather experience there, and then get involved in purple later on. A good way to train for purple activities is to set up a testing lab that includes machines to run attacks, with centralized logging configured to analyze the telemetry generated during an attack. Of course, you can also attend training courses that focus on purple teaming.
Purple Teaming with Kent Ickler and Jordan Drydale:
youtu.be/_KqtVWrw_Gc
Purple Team Resources
MITRE ATT&CK®
This knowledge-base of attacker behavior and techniques is a must-know. It is used as a common terminology for categorizing attacks.
Purple Team Exercise Framework (PTEF)
Further reading on purple teaming with different levels of maturity being described.
Atomic Red Team
Library of executable attacks (atomics) that can be executed without deep red teaming knowledge in order to simulate adversary activity. It is utilized by many purple teaming frameworks and mapped to MITRE ATT&CK®.
VECTR
Free tool for planning, executing, and tracking purple teaming engagements. It can utilize Atomic Red Team atomics.
MITRE CALDERA™
Platform that can be used for purple teaming engagements. It includes functionality for performing adversary activity through a command-and control (C2) channel, among other things.
DO-LAB
Lab environment that is easily deployable in the Azure Cloud. Includes Active Directory, attacker and victim machines, and log aggregation in Sentinel.
Ready to learn more?
Level up your skills with affordable classes from Antisyphon!
Available live/virtual and on-demand
