Well-established cyber security organizations often have a red team and a blue team. The red team plays offense, identifying holes in the security fabric caused by a company’s people, processes and technology. The blue team plays defense, attempting to block cyber attacks using an array of technologies, strategies and tactics. Modern organizations need both functions if they care about holistic cyber security.
Red Teams vs. Blue Teams
The red team runs a variety of cyber attack simulations in addition to performing vulnerability assessments and penetration tests. The goal is to identify the weak links in the chain before a real threat actor does. To accomplish that, the red team needs to stay current with the latest black hat techniques, so that the blue team can improve the effectiveness of its threat hunting and incident detection and response.
Bear in mind that the red team is not just sitting around trying random things. Instead, it is given a goal that mimics a hacker’s motivation, such as gaining access to a database that contains sensitive information and exfiltrating data.
However, even if the red team fails, that’s not necessarily a “win” for the enterprise, because the red team is human and humans don’t think of everything. For example, if the red team failed to breach a network because it followed only one path or a couple of potential paths, that’s no guarantee that bad actors won’t use other paths or means to reach their goal.
Data is critical to the blue team’s success. Without it, the team can’t do its job effectively. It needs a constant stream of data coming in from assets (including virtual assets) and cyber security tooling to detect incidents in a timely fashion. Given the complexity of today’s tech stacks and the fact that the threat landscape is constantly changing, modern organizations need intelligent tools that take advantage of AI and automation, because the scope of the job is too vast, too detailed and too nuanced for humans to handle effectively on their own.
According to IDC, enterprises should be using breach and attack simulation (BAS) now instead of traditional vulnerability management, because BAS provides “closed loop automation that allows for threat indicators and attack behaviors, unprotected assets, misconfigurations, human errors, log gaps, and basic IT hygiene issues.” Such systems recommend what actions cyber security professionals should take, such as closing gaps, fixing misconfigurations and strengthening credential management.
Red teams also take advantage of the latest technologies, because if they didn’t, they couldn’t emulate what bad actors are capable of doing. While it’s true that there’s no absolute defense against a determined nation state-backed adversary, red teams can help the enterprise become a less attractive target.
Medium and large companies may have both red and blue teams, but the two may work in silos. If they lack resources, they can hire consultants with relative ease.
Smaller companies may lack both a blue team and a red team, which means IT has yet more work to do, and IT professionals are generally not cyber security experts. They may also hire consultants, or not, depending on the budget.
Both red teams and blue teams (or individuals acting in those roles) are available for hire.
Meanwhile, cyber security threats never sleep; they’re always evolving. Organizations, irrespective of their size, need the ability to play offense and defense simultaneously, which points toward purple teaming. In fact, Forrester recommends asking vendors whether they employ red or purple teams.
Why Enterprises Are Adopting Purple Teaming
A purple team is a highly collaborative combination of the red and blue teams. Because the two communicate more often, they’re better placed to understand how the details and outcomes of offense and defense inform a more effective cyber security strategy and its goals. Purple teams can also help enterprises improve tactical work such as network monitoring, threat hunting and vulnerability detection.
The people on the purple team still perform either a red or a blue function, rather than a combined function, because the adversarial dynamic is critical. At the same time, by bringing together traditionally siloed functions, the red and blue teams can learn from each other and start thinking out of the box (innovating).
By understanding the dynamics of defense and offense, purple teaming can help organizations reduce their exposure to cyber threats.