Some people hate the red team. They think of them as the adversary, and at the extreme, people worry that their jobs are on the line. If any holes are found, network defenders worry it could be a mark on their competency. However, this should not be the case. Although it does not come across this way initially, the red team is leveraged to help the blue team strengthen defenses. The red team uses offense to validate the blue team's assumptions. A blue team may think its patching process is up-to-date but oftentimes, the red team will find a year-old patch missing (the oldest one recently being 10 years old). The role of the red team is not to say, “Look, you are not doing your job” but rather to say, “Here is how you can improve.” Having animosity between the red and blue teams creates a tendency for ‘cheating’ within red team engagements. This can come from both sides – the red team may go out of scope or use information they shouldn’t, while the blue team may take unfair actions to block out the red team. When the blue team deliberately makes a system more restricted or hardened against the red team, it only serves to give the blue team management a false sense of security – just like when a red team pops an insecure machine out of scope only gives a false report. At DerbyCon, Ben0xa explains in his “PowerShell Secrets and Tactics” talk how a blue team shut him down by suddenly removing PowerShell and how frustrating that was, the issue being it limited the value he could provide. Being as savvy as he is, Ben0xa simply created ‘Not PowerShell (NPS.exe)’ in order to run PowerShell. The point I want to make is that the red team is there to help – not hinder – your security, which serves to emphasize why Red and Blue need to work together. For example, on my pentests, I work with the blue team to gain more information. The more information that can be given, the more of my time is saved from doing work manually, allowing more time for me to spend creating value for them. The red team is there to serve the blue team, and we are against criminals – the real red team. If you realize we are all in this together against criminals, we can actually improve security. Instead of pretending to be better than the red or blue team, it's important to realize there is no real-world benefit in the long-term if you are better than a red or blue team. It is the criminals that really matter. The red team helps test with vulnerability and penetration testing assessments. As organizations mature, this idea of the red team and blue team working together should mature, as well. Purple teaming is the concept of using the red team to create training exercises for the blue team. We should all consider ourselves one team and work together. Carlos Perez is a long time security veteran and spoke on the benefits of Purple Teaming with “Thinking Purple” at DerbyCon 6. Perez calls Purple Teaming as: "[The] symbiotic relation between Red and Blue in a way that improves the security of the organization, constantly improving the skills and processes of both teams.” This is not just shaking hands at the end of the day but also operating in an open manner with regards to the red and blue teams actions. This may include how the red team bypassed the IDS or how the blue team was able to detect lateral movement. Perez even touches upon the management level of security, such that when red and blue work together, it creates a unified team that is then able to present findings and recommendations towards management with a much higher chance of receiving buy-in and support. This results in a team that is bouncing off of each other positively, with “red” trying to bypass and “blue” endeavoring to block/detect/mitigate, each seeking to push the boundaries and mature the security of the organization. This can only happen with teams that are completely open on tactics, techniques and procedures. I’ll be speaking with Chris Gates at SecTor on Purple Teaming. If you can, catch our talk “Purple Teaming the Cyber Kill Chain: Practical Exercises for Management” on October 18, 2016.
About the Author: Haydn Johnson has over 3 years of information security experience, including network/web penetration testing, vulnerability assessments, identity and access management, and cyber threat intelligence. He has a Masters in Information Technology, the OSCP certification and has recently gained the GXPN certification. Haydn regularly contributes to the InfoSec community primarily via Twitter and has spoken at BSides Toronto and Circle City Con. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
