red team vs blue team

One of the best ways to verify the security posture of a business is to perform a mock attack. This principle is behind the concept of penetration testing (a manual mock attack) and vulnerability scanning (an automatic mock attack). While penetration tests and vulnerability scans are performed regularly, there is a specific type of wargaming activity that is quite effective for maintaining security: the red team vs. blue team exercise.

Red Team and Blue Team Concepts

In information security, the red team is a specialized team of external security professionals. The only purpose of this team is to compromise the security controls of your business to show where their weaknesses are. The blue team is a specialized internal security team. Its purpose is real-time incident response – to prevent the red team from succeeding.

Some exercises also include a purple team that is more of a function than a team. The only goal of the purple team is to learn from the red team and pass the knowledge onto the blue team.

The terms red team and blue team are not limited to cybersecurity only – they come from the military. Red team vs. blue team exercises are performed in many environments and in many ways. For example, in national security, you can have a red team that attempts to spread false information and a blue team that attempts to eliminate that information and expose the falseness.

In some cases, the red team may be an internal security analyst team that is temporarily placed outside the organization to perform the attack. However, an external entity is preferred because it represents real attackers better.

Red and Blue Teams in Cybersecurity

In the world of cybersecurity, the difference between penetration testing and red teaming is that a penetration test is a one-time activity while red teaming is a continuous campaign. Red teaming exercises may last for months because such an approach simulates real attacks better.

Red team activities are also not limited to using penetration testing tools. The team focuses on continuously coming up with ideas on how to get their hands on the sensitive data of the target. Since red teaming is not a limited-scope exercise (for example, it is not limited to web security only), it involves social engineering techniques, phishing, and many more attack techniques.

Red and Blue Team Compositions

The red team does not have to be limited to ethical hackers. Since the goal of the team is to breach the information security of a business, there are no holds barred. The red team might, for example, include someone who is very skilled at getting information over the phone by pretending to be someone else (just like the famous Kevin Mitnick) or even someone who is good at breaching physical security (for example, by delivering a rogue USB stick). The best red team members are those who are inquisitive, patient, and very creative.

The blue team also does not have to be limited to the employees of the security department. Very often, blue team members from other departments come in very handy not because of their skills but because of their character traits. Someone who is very inquisitive and curious, and who notices even the smallest changes immediately, may be an extremely valuable resource for a blue team.

Vulnerability Scanning for Red and Blue Teams

A vulnerability scanner could be one of the tools that both teams use as part of their regular activities. The blue team could use a vulnerability scanner to continuously discover any new web threats. Of course, if the company follows best practices and uses a vulnerability scanner as part of DevSecOps, the blue team will have less to worry about. However, new vulnerabilities are often discovered in third-party applications (if the company uses such applications, for example, WordPress). A business-class vulnerability scanner also discovers other security weaknesses such as common passwords, which may be introduced at any time and will not be picked up by the SDLC scans.

The red team could also use a vulnerability scanner regularly for exactly the same reasons. First, new threats will keep appearing during this long-term exercise. Second, the target may introduce weak spots in its security infrastructure, such as misconfigurations. Therefore, it is a good idea to use a professional vulnerability scanner such as Acunetix (which provides both web and network threat intelligence thanks to its integration with OpenVAS) during a red team vs. blue team wargame.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.