Cybersecurity Weekly: 04 August, 2023

Red Team, Blue Team, Purple Team, Oh My! (Part 2)

A Brief Recap

Last week we discussed the Red Team, its purpose, goals, and considerations. As a reminder, the Red Team can be internal or external to the organization. Unlike a penetration test, where the goal is for the team to find as many #vulnerabilities as possible, the Red Team is usually engaged to test the organization's defenses using the same types of techniques and tactics an adversary would employ.


The Blue Team

The #BlueTeam are the defenders of the organization's assets and are the ones responsible for monitoring the systems and assets for #malware, intrusions, exfiltration - any kind of threat. This is also the team responsible for setting up the defenses and, oftentimes, for training and educating the workforce. #Sentinelone has a really good list of some of the strategies of a Blue Team, including the following:

  1. Regular security assessments to identify potential vulnerabilities and implement appropriate controls.
  2. Intrusion detection and prevention systems to detect and block potential attacks.
  3. Anti-malware software, endpoint security or XDR, and other security tools to detect and remove malware.
  4. Firewalls to block unauthorized access and protect against network-based attacks.
  5. Strong and unique passwords for all accounts and regular password changes to prevent unauthorized access.
  6. Regular updates to operating systems and other software to patch vulnerabilities and prevent exploitation by malware.
  7. Employee training and awareness programs to educate staff on best practices for cybersecurity and data protection.
  8. Incident response plans to quickly and effectively respond to and mitigate potential threats.

The Blue Team has the more difficult job of the two teams because it must defend successfully against all forms of attack, both internal and external, whereas the Red Team (and threat actors) only need to be successful one time. This is where Active Cyber Defense (ACD) complements the organization's defense activities by enabling the organization to deny, deceive, and delay attacks. Therefore, when the inevitable attack succeeds, the organization can choose to evict the intruder or to monitor and learn from them.


Other Blue Team Activities

Here are some of the other exercises and activities defenders perform. Note that each organization uses Blue Teams based on its own requirements, and some organizations utilize separate teams for some of these functions. However, each of these relates to defense.

  1. Configuration audits and assessments
  2. Deploying firewalls, intrusion detection, intrusion prevention, SIEM, threat intelligence, and endpoint detection
  3. Performing vulnerability scans and analysis
  4. Training and education (oftentimes known as an Orange Team)
  5. Vulnerability remediation and mitigation
  6. Operating the Security Operations Center (#SOC)
  7. Operating the Cyber Range
  8. Threat hunting
  9. #Malware reverse engineering


Next Week - Purple Team

We will discuss this team, which combines both Red and Blue teams into the same exercise, activities, and even the same room for the benefit of sharing real-time information and tactics.


Questions

  1. Have you participated in any of these teams or overseen these teams in your organization? What are some of the drawbacks you noticed or the challenges you encountered?
  2. If you could create any of these teams with unlimited resources, what would that look and function like?
