Blue team versus red team

In preparation for my interview tomorrow in information security, I have been listening to some podcasts on information security. I think one of the biggest things you can do in information security is stay connected with new information and others in the field. But one thing that keeps popping up in discourse is this red team/blue team discussion. And one thing I have realised is that the best way for me to learn something new is to research it and write a post that covers the topic. In the past, I would do this in notebooks (though I am slowly digitising old notes on that), but here I will be assessing this distinction today.

Simply:

Red teams will often spend much of their time preparing for the attack rather than attacking. This reconnaissance phase means gaining knowledge about the operating systems in use, which ports and services are exposed, the makes and models of networking equipment, and what physical controls are in place, and then pulling all of that together into a map of the network. Only once this map exists does the team develop a plan of action that targets weaknesses specific to the information gathered, rather than trying generic attacks blindly.
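As an added illustration of what "creating a map of the network" looks like in practice (this is example code written for this post, not something from the original text), the script below parses a scan saved in nmap's grepable (`-oG`) output format, in which each port entry is laid out as `port/state/protocol/owner/service/rpc-info/version/`, and then groups the open services across all hosts so the team can see its attack surface per service. The scan text, hostnames, addresses and version strings are constructed for the example and do not describe any real network.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in nmap's grepable (-oG) format. Not a real scan;
# the addresses, hostnames and versions are made up for this example.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed example)
Host: 10.0.0.10 (fileserver.corp.local)\tStatus: Up
Host: 10.0.0.10 (fileserver.corp.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds//Samba smbd 4.15/\tIgnored State: closed (998)
Host: 10.0.0.20 (web.corp.local)\tStatus: Up
Host: 10.0.0.20 (web.corp.local)\tPorts: 80/open/tcp//http//nginx 1.18/, 443/open/tcp//ssl|https//nginx 1.18/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 10.0.0.1 (core-switch.corp.local)\tPorts: 22/open/tcp//ssh//Cisco SSH 1.25/, 161/open|filtered/udp//snmp///\tIgnored State: closed (999)
# Nmap done
"""

# One grepable port entry: port/state/proto/owner/service/rpc-info/version/
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/"
    r"(?P<service>[^/]*)/[^/]*/(?P<version>[^/]*)/"
)
HOST_RE = re.compile(r"Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    services: list = field(default_factory=list)


def parse_grepable(text):
    """Build an {ip: Host} map from -oG output. nmap emits several lines per
    host (Status, Ports, ...), so hosts are merged by IP address."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else are ignored
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        host = hosts.setdefault(m["ip"], Host(m["ip"], m["name"]))
        for f in fields[1:]:
            if f.startswith("Ports: "):
                for entry in f[len("Ports: "):].split(", "):
                    pm = PORT_RE.match(entry.strip())
                    if pm:
                        host.services.append(Service(
                            int(pm["port"]), pm["proto"], pm["state"],
                            pm["service"], pm["version"]))
    return hosts


def open_surface(hosts, states=("open",)):
    """Group services by name across hosts, keeping only the given states.
    'filtered' and 'open|filtered' ports are left out by default because
    they are not confirmed reachable."""
    surface = defaultdict(list)
    for h in hosts.values():
        for s in h.services:
            if s.state in states:
                surface[s.name].append((h.ip, s.port, s.version))
    return dict(surface)


if __name__ == "__main__":
    scanned = parse_grepable(SAMPLE_SCAN)
    for service, where in sorted(open_surface(scanned).items()):
        print(service)
        for ip, port, version in where:
            print(f"  {ip}:{port}  {version or '(no version)'}")
```

Running it lists every confirmed-open service and which hosts expose it, which is the shape of data a plan of action is built from: two SSH daemons with different vendors, one SMB server, one web server. The filtered MySQL port and the unconfirmed SNMP port are kept in the host records but excluded from the summary, because mistaking a filtered port for a reachable one wastes time during the attack phase.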

Blue teams will often start by gathering data and carrying out a risk assessment. They begin their defensive plan by identifying the critical assets, documenting how important each asset is to the business, and working out what impact the loss of that asset would have. Then they attempt to tighten up access to those systems. Monitoring tools are put in place so that access to the systems is logged and can be checked for unusual activity. Senior management is critical at the later stages, as only it can decide whether to accept a risk or to implement mitigating controls against it, a decision that usually rests on a cost-benefit analysis.

Some examples of blue team prevention techniques include DNS audits, digital footprint analysis, installing endpoint security software, ensuring firewall access controls are configured correctly, deploying IDS and IPS, implementing SIEM solutions, analysing logs and memory to identify unusual activity on the system, segmenting networks, running vulnerability scans regularly, and embedding security in business processes.
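To make "analysing logs to identify unusual activity" concrete, here is an added example (written for this post, not part of the original) of the kind of detection logic a blue team runs over authentication logs. It parses syslog-style `sshd` lines, flags an address that accumulates a threshold of failed logins within a sliding time window, reports a successful login from an address that was already flagged, and separately lists successful logins outside working hours. The log lines, hostnames and addresses are constructed for the example; the threshold, window and working-hours values are arbitrary assumptions that a real deployment would tune to its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format. Not from a real system.
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:03 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar 10 02:14:05 bastion sshd[2205]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 10 02:14:08 bastion sshd[2207]: Failed password for root from 203.0.113.45 port 51028 ssh2
Mar 10 02:14:12 bastion sshd[2209]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Mar 10 09:30:44 bastion sshd[3100]: Failed password for alice from 10.0.0.55 port 40110 ssh2
Mar 10 09:30:51 bastion sshd[3102]: Accepted publickey for alice from 10.0.0.55 port 40112 ssh2
Mar 10 14:02:10 bastion sshd[3300]: Accepted publickey for bob from 10.0.0.60 port 40200 ssh2
"""

# Matches the two sshd outcomes we care about; "invalid user" is optional
# because sshd only prints it when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn sshd lines into event dicts. Syslog timestamps carry no year,
    so one is assumed (a real pipeline would take it from the log source)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # session, disconnect and other lines are not login attempts
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window rule: an IP is flagged the first time it reaches
    `threshold` failures inside `window`; any later success from a flagged
    IP is reported as a probable compromise. Threshold and window are
    example values, not a recommendation."""
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ip, bucket = ev["ip"], recent[ev["ip"]]
        while bucket and ev["time"] - bucket[0] > window:
            bucket.pop(0)        # expire failures older than the window
        if ev["result"] == "Failed":
            bucket.append(ev["time"])
            if len(bucket) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ev["user"], ev["time"]))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, ev["user"], ev["time"]))
    return alerts


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside an assumed 07:00-19:00 working day."""
    return [(ev["user"], ev["ip"], ev["time"]) for ev in events
            if ev["result"] == "Accepted"
            and not (start_hour <= ev["time"].hour < end_hour)]


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_LOG)
    for alert in detect_bruteforce(parsed):
        print("ALERT", *alert)
    for user, ip, when in off_hours_logins(parsed):
        print("OFF-HOURS", user, ip, when)
```

On the sample, the address 203.0.113.45 is flagged on its third failure and its password login as root four seconds later is reported as a success after brute force; alice's single typo before a key-based login is not flagged, which is the point of using a threshold rather than alerting on every failure. The root login at 02:14 also appears in the off-hours list, so two independent rules point at the same event, which is what an analyst wants to see before escalating. In a SIEM these rules would be expressed in its query language, but the logic is the same.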
