Rowland Johnson, CEO of Nettitude
Rowland Johnson, CEO of Nettitude

Ideas behind red teaming and blue teaming have been around for many years. First used as part of US defence initiatives, red teams were used to act as an offensive capability to identify and exploit organisations and their systems, while blue teams were used as a defensive measure and were designed to detect, respond and mitigate the attacks of the offensive red teams.

In sophisticated penetration testing engagements, security professionals often conduct red teaming exercises to deliver objective-based assessments of an organisation. For instance, an objective might be to determine whether a sophisticated external attacker could gain access to an internal database system and exfiltrate a specific set of sensitive records. In this instance, the red team would simulate an external threat actor and determine whether they could find a series of exploitable vulnerabilities that would cause them to exfiltrate sensitive data from the target database.

Red teams have historically been used to identify vulnerabilities in people, process and technology with the intent of carrying out an objective against an asset. The red teams focused on identifying vulnerabilities and the organisations that used their services concentrated on fixing defensive controls within their estate.

It is less frequent that red teams are used to deliver assurance around response capability. However, red teams can develop an organisation's detection and response capability. Red teaming also provides a strong way to train blue teams, security operations centres or response handlers on the type of traffic they are likely to see.

Blue teams need access to log data, SIEM data, threat intelligence data and to network traffic capture data. The blue team needs to be able to analyse vast swathes of data to detect the proverbial needle in the haystack.

Firstly, the red team should be conducting objectives based assessments that mimic known and quantifiable threat actors. As part of this process, the threat actor's Tactics, Techniques and Procedures (TTPs) should be known.

The blue team must educate themselves around these TTPs, and build and configure their detection and response capability in-line with these known approaches. For instance, if a threat actor is known to use spear-phishing as part of a campaign, the blue team must ensure that it has the ability to detect and respond to spear-phishing activity. It is no use relying on SIEM technology in the hope that it will alert you to a spear-phishing campaign, if the mail servers and relays are not configured to log or alert on specific types of mail content.

If a threat group is known to be trying to exfiltrate sensitive data from a specific industry or market segment, the red team should be attempting to simulate this type of activity. As an approach, this might result in the red team compromising an end-user host, with the intent of reusing their credentials to launch further information gathering campaigns across the internal network infrastructure.

The end objective of the red team might be to escalate their credentials to access a core database before exfiltrating traffic through a web-based protocol into a cloud-based service provider. The blue team needs to have tools and techniques that give them the ability to detect this type of traffic at every hurdle. The blue team needs to be able to respond to the attack and prevent the red team from carrying out its objectives.

It is clear that the penetration testing sector and red teams in particular can really sharpen an organisation's detection and response capability. Through the sharing of intelligence data across the red team and the blue team, it is possible to understand threat actors' TTPs. By mimicking these TTPs through a series of red team scenarios, the blue team has the ability to configure, tune and to improve its detection and response capability.

Too often an organisation gets compromised, and the Security Operations Centre (SOC) does not see a thing. This is not because of poorly skilled or ineffective technology. It is merely the case that the threat actor used a technique that goes undetected. If you are going to search for a needle in the haystack, it will be really helpful to know what the needle looks like!

Contributed by Rowland Johnson, CEO of Nettitude.