Red Team vs Blue Team Penetration Testing

What's the difference between Red Team vs Blue Team?

  1. Red Teams are offensive security focused. They simulate how a possible attacker would attack cybersecurity defenses.

  2. Blue Teams are defense focused. They architect and maintain the protective internal cybersecurity infrastructure.

  3. Purple Teams combine the two. They are both offensively and defensively minded and exist to ensure holistic, cooperative operations and information exchange between the attackers and the company's defenders. Typically a purple team isn't really a separate team at all, but a collaborative agreement between the red and blue teams: the red team shares what it did and when, and the blue team checks what it saw, what it missed, and which detections need work.

  4. What is a tiger team? Tiger Teams are similar to, but not the same as, a red team. A tiger team is a cross-functional group of specialists assembled to solve one specific problem, not a standing offensive team.

What is a red team?

A red team is a group of security professionals who act as attackers trying to defeat an organization's security controls. Red teams are usually made up of ethical hackers who work independently of, and objectively from, the defenders. They use a wide variety of techniques to find weaknesses in people, processes, and technology, and they make recommendations and plans to help the organization improve its security.

The objective of red teaming is to exploit, compromise, and circumvent blue team defenses so that a company can verify its prevent, detect, and respond capabilities. A red team consists of operators who proactively simulate, in real time, how a real attacker would go after the organization. Red teams pursue every available attack vector, including physical security controls and access to sensitive data, using social engineering among other techniques.

What are red team techniques and red team exercises?

Red teams use a wide variety of methods and tools to find vulnerabilities and weaknesses in a system. These exercises include adversary emulation, black-box penetration testing, and assumed-breach scenarios, and each produces findings and recommendations. Red teams gather threat intelligence about the adversaries most likely to target the organization and map it to those adversaries' known tactics, techniques, and procedures (TTPs), so that the exercise reproduces what a real attacker would actually do. Specifically, red teams look to defeat security controls and corporate environments by any means necessary, including:

  • Penetration testing. Also known as ethical hacking, this involves a tester trying to gain access to systems and applications using the same tools and techniques a real attacker would.

  • Physical security breach. A tester attempts to get in-person physical access to a building, a computer, or a network port, for example by tailgating through a door or cloning an access badge.

  • Wireless access. The red team attacks the organization's Wi-Fi from outside the building, for example with a rogue access point or by capturing and cracking authentication handshakes, to get onto the internal network without a wired connection.

  • Active Directory exploits. The red team abuses misconfigurations and excessive permissions in Active Directory (weak service account passwords, over-privileged group memberships, unconstrained delegation) to move from a low-privileged foothold to domain-wide administrative rights.

  • Email exploits and phishing. These tactics try to get employees to open a malicious attachment, enter their credentials on a look-alike login page, or otherwise hand over access.

  • Vulnerable file servers. Red teams find file servers that are unpatched or over-shared and exploit them, both for the data they hold and as a pivot toward the rest of the network.

  • Vulnerable endpoints. A compromised workstation or laptop gives the red team a foothold from which to work back through the internal network.

  • Social engineering for access. The red team uses pretexts such as urgency, authority, fear, or the promise of a reward to persuade people into granting access or revealing information.

  • Known vulnerabilities. Publicly disclosed vulnerabilities in unpatched software are often the easiest way in; red teams check which known issues the organization has not remediated and use them to gain or extend access.
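The Active Directory item above is the one most readers underestimate, so here is what the technique actually rests on, as an added example (not code from this page, from Emagined, or from BloodHound, which appears in the tool list further down): a small constructed graph of AD relationships and a breadth-first search for a route from an ordinary user to Domain Admins. The edge names follow the BloodHound convention (MemberOf, AdminTo, HasSession, GenericAll); the users, groups, and hosts are invented.

```python
"""Attack-path discovery over a small Active Directory relationship graph.

Added example: not code from this page, from BloodHound, or from Emagined.
The directory below is constructed for illustration. Edge names follow the
BloodHound convention (MemberOf, AdminTo, HasSession, GenericAll); the
principals, groups and hosts are invented.
"""
from collections import deque

# Constructed directory: (source principal, relationship, target object)
EDGES = [
    ("alice@corp.local",      "MemberOf",   "HELPDESK@corp.local"),
    ("HELPDESK@corp.local",   "AdminTo",    "WS01.corp.local"),
    ("WS01.corp.local",       "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "GenericAll", "IT-ADMINS@corp.local"),
    ("IT-ADMINS@corp.local",  "MemberOf",   "DOMAIN ADMINS@corp.local"),
    ("bob@corp.local",        "MemberOf",   "FINANCE@corp.local"),
    ("FINANCE@corp.local",    "AdminTo",    "FS01.corp.local"),
    ("FS01.corp.local",       "HasSession", "bob@corp.local"),
]

# How an attacker turns each relationship into the next foothold
ABUSE = {
    "MemberOf":   "is a member of {dst} and inherits its rights",
    "AdminTo":    "is a local admin on {dst} and can dump credentials cached there",
    "HasSession": "holds a logon session for {dst}, whose credentials are in memory",
    "GenericAll": "has GenericAll over {dst} and can add itself to that group",
}

TARGET = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph


def shortest_path(graph, start, goal=TARGET):
    """Breadth-first search; returns the hops as (src, relationship, dst), or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, nxt in graph.get(node, []):
            if nxt not in parent:          # also breaks cycles such as bob -> FS01 -> bob
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def narrate(path):
    """One sentence per hop, the way a red team report walks the reader through it."""
    return [f"{src} {ABUSE[kind].format(dst=dst)}" for src, kind, dst in path]


def exposed_users(graph, users, goal=TARGET):
    """Which of the given low-privileged users has any path at all to the target."""
    return [u for u in users if shortest_path(graph, u, goal) is not None]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for hop in narrate(shortest_path(g, "alice@corp.local")):
        print(hop)
    print("exposed:", exposed_users(g, ["alice@corp.local", "bob@corp.local"]))
```

The same query is the blue team's fix list: every hop on the path is an edge that can be cut (log the service account off WS01, remove the GenericAll ACE, or take helpdesk staff out of the local Administrators group), and bob's dead end shows that an over-shared file server is not automatically a domain-wide problem.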

What is a red team operator?

Red team operators, also called red teamers, are tasked with executing adversary emulations and assumed-breach scenarios. Seasoned red team operators are expected to have experience in black-box testing, the Windows and Linux operating systems, networking protocols, and at least one of the languages commonly used for tooling, such as Python, C/C#/C++, Java, or Ruby.

What are red team tools?

Red teams emulate every step a real attacker would follow along the cyber kill chain. Red teaming requires intelligence, creativity, and the ability to think outside normal processes. The tools used to support a red team are diverse but can be grouped by the kill chain phase in which they are used, following the flow shown below.

[Image: red team methodology]

Sample Red Team Tools

Reconnaissance

  • Nmap (host discovery and port scanning)

  • Nikto (web server scanner)

  • OpenVAS (vulnerability scanner)

  • Spiderfoot (automated OSINT collection)

  • Intrigue (attack surface discovery)

  • Maltego (OSINT link analysis)

  • OSINT sources (public records, social media, code repositories, breach dumps)

  • Shodan (search engine for internet-exposed services)

  • Wireshark (packet capture and protocol analysis)

Weaponization

  • Social engineering pretexts and lures

  • Metasploit (exploit framework; its msfvenom component builds payloads)

  • Invoke-Obfuscation (PowerShell obfuscation)

  • Veil (payload generation aimed at evading antivirus)

  • EvilURL (generates look-alike IDN homograph domains for phishing)

Delivery & Exploitation

  • Gophish (phishing campaign toolkit)

  • King Phisher (phishing campaign toolkit)

  • BeEF (Browser Exploitation Framework)

  • sqlmap (automated SQL injection)

Privilege Escalation & Lateral Movement

  • PowerUp (Windows local privilege escalation checks)

  • BeRoot (local privilege escalation checks for Windows and Linux)

  • BloodHound (maps Active Directory attack paths)

  • Mimikatz (credential extraction from Windows memory)

  • LaZagne (recovers credentials stored by applications)

  • Hashcat (offline cracking of captured password hashes)

  • PAExec (remote command execution on Windows hosts, like PsExec)

  • CrackMapExec (reuses credentials across the network and executes commands)

Command and Control, Exfiltration

  • Empire (PowerShell and Python post-exploitation framework)

  • Pupy (cross-platform remote access tool)

  • Cobalt Strike (commercial adversary simulation and C2 platform)

  • Powershell-RAT (PowerShell-based backdoor)

  • Cloakify Factory (disguises data as innocuous-looking text lists for exfiltration)

  • DNSExfiltrator (tunnels data out over DNS queries)

  • DET (Data Exfiltration Toolkit, exfiltration over several channels)
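The exfiltration tools in the last group (DNSExfiltrator, and the DNS channel that DET automates) rely on one trick: data is chunked, encoded into the subdomain labels of queries for an attacker-controlled zone, and reassembled by that zone's authoritative name server, which the attacker runs. DNS is chosen because almost every network lets it out. The block below is an added example, not code from any of those tools, from this page, or from Emagined; it shows both ends of the channel and the heuristic a blue team can run at the resolver to spot it. The zone cdn-updates.example, the chunk size and the detection thresholds are assumptions; the secret file and the benign query log are constructed inline.

```python
"""DNS exfiltration, both ends of the channel, and the defender's heuristic.

Added example: not code from DNSExfiltrator, DET or any other tool on this
page. The zone cdn-updates.example, the chunk size and the detection
thresholds are assumptions for the illustration; the secret file and the
benign query log are constructed inline.
"""
import base64

EXFIL_DOMAIN = "cdn-updates.example"   # assumed attacker-controlled zone
LABEL_MAX, NAME_MAX = 63, 253          # RFC 1035 limits on one label and on a full name
CHUNK = 30                             # 30 raw bytes -> 48 base32 characters, under LABEL_MAX


def encode_queries(data, domain=EXFIL_DOMAIN, chunk=CHUNK):
    """Attacker side: <seq>.<base32 chunk>.<domain>, one query name per chunk.

    The sequence label lets the receiver reorder, since recursive resolvers
    do not guarantee that queries arrive in the order they were sent.
    """
    names = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[off:off + chunk]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{domain}"
        if len(label) > LABEL_MAX or len(name) > NAME_MAX:
            raise ValueError("chunk does not fit in a DNS name")
        names.append(name)
    return names


def decode_queries(names, domain=EXFIL_DOMAIN):
    """Receiver side (the authoritative server for `domain`): reassemble the bytes."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue                                        # unrelated query
        seq, label = name[:-len(suffix)].split(".", 1)
        label = label.upper() + "=" * (-len(label) % 8)    # restore base32 padding
        chunks[int(seq)] = base64.b32decode(label)
    return b"".join(chunks[i] for i in sorted(chunks))


def suspicious_zones(query_log, min_queries=20, min_label_len=30, min_unique_ratio=0.9):
    """Blue-team heuristic over the query names seen at the resolver.

    Groups queries by zone (last two labels; a simplification that ignores
    public suffixes such as co.uk) and flags zones with many queries, almost
    all for distinct names, carrying long labels: the shape that bulk data in
    subdomains produces and that ordinary web browsing does not.
    """
    by_zone = {}
    for name in query_log:
        parts = name.lower().rstrip(".").split(".")
        by_zone.setdefault(".".join(parts[-2:]), []).append(parts[:-2])
    flagged = {}
    for zone, subs in by_zone.items():
        if len(subs) < min_queries:
            continue
        unique_ratio = len({".".join(s) for s in subs}) / len(subs)
        longest = max((len(label) for s in subs for label in s), default=0)
        if unique_ratio >= min_unique_ratio and longest >= min_label_len:
            flagged[zone] = {"queries": len(subs), "unique_ratio": round(unique_ratio, 2),
                             "longest_label": longest}
    return flagged


# Constructed secret: a small CSV of the kind a red team would prove it could take out
SECRET = b"employee,ssn,salary\n" + b"".join(
    f"user{i:02d},{123456789 + i:09d},{50000 + 137 * i}\n".encode() for i in range(30))

# Constructed benign traffic: a handful of distinct names, each queried repeatedly
BENIGN = (["www.example.com"] * 15 + ["api.example.com"] * 10
          + ["login.microsoftonline.com"] * 8 + ["outlook.office.com"] * 5)

if __name__ == "__main__":
    queries = encode_queries(SECRET)
    print(len(queries), "queries, first:", queries[0])
    assert decode_queries(reversed(queries)) == SECRET      # arrival order does not matter
    print(suspicious_zones(queries + BENIGN))
```

Real tools add compression, encryption, and a slower, jittered send rate precisely to blunt the three signals the heuristic keys on; the defender's counter is to look at volume per zone over a longer window, and to force all internal DNS through resolvers that log, so that there is a query log to run this over at all.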

What is a blue team?

If red teams are the offense, then blue teams in cyber security are the defense. Blue teams don't typically get the attention that a red team does, but their importance can't be overstated. Blue teams are constantly assessing and analyzing information systems: patching, identifying security flaws and security-relevant configuration issues, and verifying that security controls actually work. They work together with red teams to build a strong security posture for the organization.

What are some examples of blue team exercises and responsibilities?

Blue teams perform all of the SOC (security operations center) functions and are generally responsible for security information and event management (SIEM), incident tracking, threat intelligence, packet capture and analysis, and security automation. Additionally, blue teams identify critical assets and conduct periodic risk assessments, in the form of vulnerability scans and penetration tests, to continually measure their exposure. The graphic below is the Emagined One Clear Path, the framework/methodology we use to help clients mature their security program. Phase 1 addresses many of the functions and security objectives associated with blue teams. Our Managed Security Services also provide blue team services for those who need them.

[Image: Emagined One Clear Path]

  • Endpoint Protection

  • Logging (collecting, parsing, and normalization)

  • NSM (network security monitoring) event collection

  • NSM by network layer

  • Continuous security monitoring (CSM) concepts

  • CSM event collection

  • Data centralization

  • Events, Alerts, Anomalies, and Incidents

  • Incident Management Systems

  • Threat Intelligence Platforms

  • SIEM

  • Triage and Analysis

  • Alert Tuning

  • Security Automation

  • Incident Containment

  • Built-in Windows administration tools (including the "GodMode" control panel view)

  • Nmap

  • OpenVAS

  • Nexpose Community

  • OSSEC (free host-based intrusion detection)

  • Kali Linux, which bundles:

    • Metasploit

    • Burp Suite

    • Maltego

    • John the Ripper

  • Wireshark network protocol analyzer

  • JumpCloud

  • Syslog
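The list above names a pipeline: log collection, parsing and normalization, events that become alerts, triage, tuning, and containment. The following is an added example, not code from this page or from Emagined's One Clear Path, that runs that pipeline end to end on constructed logon events: it normalizes raw lines, correlates failed and successful logons per source, raises alerts for password spraying and brute forcing, escalates a success that follows a spray to an incident, and shows what one piece of alert tuning (an allowlist for an authorized scanner) does to the noise. Event IDs 4624 and 4625 are the real Windows Security IDs for successful and failed logons; the one-line record format, the addresses, and every threshold are assumptions.

```python
"""From events to alerts to incidents: a small SIEM-style detection.

Added example: not code from this page or from Emagined's One Clear Path.
Event IDs 4624 (successful logon) and 4625 (failed logon) are the real Windows
Security IDs, but the one-line record format, hosts and addresses are
constructed, and every threshold is an assumption a team would tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>\w+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse(line):
    """Normalize one raw line into a dict; unparsable lines become None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["id"] = int(ev["id"])
    return ev


def detect(events, window=timedelta(minutes=10), spray_min_users=10,
           brute_min_fails=10, allowlist=frozenset()):
    """Correlate logon events per source within fixed time buckets.

    password_spray: one source fails against spray_min_users distinct accounts.
    brute_force:    one source fails brute_min_fails times against one account.
    spray_success:  a source that was spraying then logs on successfully; that is
                    no longer an alert to triage but an incident to contain.
    allowlist is the tuning knob: sources (an authorized scanner, a VPN
    concentrator) whose behaviour is known and would otherwise drown analysts.
    """
    failed_users = defaultdict(set)   # (bucket, src) -> accounts that failed
    fail_count = defaultdict(int)     # (bucket, src, user) -> failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] in allowlist:
            continue
        key = ((ev["ts"] - EPOCH) // window, ev["src"])
        if ev["id"] == 4625:
            failed_users[key].add(ev["user"])
            fail_count[key + (ev["user"],)] += 1
            if len(failed_users[key]) == spray_min_users:        # fire once per bucket
                alerts.append({"rule": "password_spray", "severity": "high",
                               "src": ev["src"], "at": ev["ts"]})
            if fail_count[key + (ev["user"],)] == brute_min_fails:
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "src": ev["src"], "user": ev["user"], "at": ev["ts"]})
        elif ev["id"] == 4624 and len(failed_users.get(key, ())) >= spray_min_users:
            alerts.append({"rule": "spray_success", "severity": "incident",
                           "src": ev["src"], "user": ev["user"], "at": ev["ts"]})
    return alerts


def run(lines, **kwargs):
    """Parse raw lines, drop the ones that do not normalize, then detect."""
    return detect([ev for ev in map(parse, lines) if ev], **kwargs)


def sample_log():
    """Constructed log: a spray that succeeds, a brute force, an authorized scanner, normal logons."""
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    at = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    lines = [f"{at(seconds=20 * i)} EventID=4625 user=user{i:02d} src=203.0.113.7 status=failed"
             for i in range(12)]                                   # spray: 12 accounts, one try each
    lines.append(f"{at(minutes=5)} EventID=4624 user=user07 src=203.0.113.7 status=success")
    lines += [f"{at(seconds=5 * i)} EventID=4625 user=administrator src=198.51.100.5 status=failed"
              for i in range(15)]                                  # brute force: one account, 15 tries
    lines += [f"{at(seconds=20 * i)} EventID=4625 user=svc{i:02d} src=10.0.0.9 status=failed"
              for i in range(12)]                                  # authorized scanner, same shape
    lines += [f"{at(minutes=1)} EventID=4624 user=alice src=10.1.2.3 status=success",
              f"{at(minutes=2)} EventID=4625 user=bob src=10.1.2.4 status=failed",
              f"{at(minutes=2, seconds=30)} EventID=4624 user=bob src=10.1.2.4 status=success",
              "malformed line that the parser drops"]
    return lines


if __name__ == "__main__":
    for alert in run(sample_log(), allowlist={"10.0.0.9"}):
        print(alert)
```

Run untuned, the scanner produces a second password_spray alert that looks identical to the real one; the allowlist is the simplest form of tuning and should itself be reviewed, since an attacker who compromises the scanner host inherits its silence. The fixed ten-minute buckets keep the code short; a production rule uses a sliding window so a spray straddling a bucket boundary is not missed.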
