Cybersecurity Weekly: 28 July, 2023


Blue Team, Red Team, Purple Team, Oh My!! (Part 1)

A discussion that is occurring with increasing frequency, and a very good one, is how these different types of teams fit into an organization's approach to a comprehensive #cybersecurity program. These conversations, and the companies driving them, help to bring awareness to how these Teams can be used to test defenses, test penetration skills, and communicate an organization's cybersecurity strengths and weaknesses. We are going to take some time today to discuss each team's purpose, its drawbacks when used in isolation, and the synergies achieved from the combined #PurpleTeam.


Introducing The Red Team

Red Teams can be internal to the company, or they can be hired externally from companies that specialize in this area; it all depends on the organization in question, its size, its requirements, and its objectives. Regardless, the purpose of the Red Team is to find ways to break into an organization's information systems (Technical Red Team) or facility (Physical Red Team), and sometimes both.


Objectives

The Red Team's objectives are decided before the activity begins and can vary based on what the organization is trying to learn. Here are some common objectives:

  • Test a specific internet-facing application or asset to determine what #vulnerabilities it has
  • Test a software release for undiscovered vulnerabilities prior to market availability
  • Test the skills of the #BlueTeam, or test a new cybersecurity capability
  • Test the facility security guards and/or employees against social engineering attacks, or determine whether someone who does not have a company badge is ever challenged


Benefits

One of the most significant benefits of a Red Team is the human element: the ability to adapt throughout the activity to achieve its goals. Many attack emulation applications and tools can absolutely automate these various tests with efficiency. However, there is something to be said for the human aspect; after all, the adversaries will be doing the very same against their target. If the purpose of utilizing a Red Team is to simulate actual attacks against an organization the way a real attacker would, then relying on software alone may not adequately serve that purpose.


Drawbacks

The primary drawback of a Red Team is the cost. Like many aspects of cybersecurity, the cost can vary greatly depending on the organization's requirements and the scope and duration of the test.

According to NetworkAssured, in a blog post from July 27, 2023, here are some of their cost estimates:

  • Pricing normally starts at $10,000 and can reach $85,000 for an engagement lasting several weeks
  • A compliance-mandated engagement for #PCI-DSS, #HIPAA, or #GDPR can cost between $4,000 and $35,000 for 7-10 days

The other disadvantage is coverage (scope). The engagement must be planned thoroughly to ensure that all of the potential areas of concern are covered, so the organization can determine where it is weak and needs mitigations and remediations. A more expensive and longer engagement is more likely to address all of these areas; however, that may not be feasible given resource scheduling and funding. The consequences of missing an area that is later the subject of a successful adversarial penetration can be damaging.

One way to address the scheduling and cost constraints is to hold several engagements over a period of time. The organization can outline every area of concern that needs to be tested (application, network, credentials, etc.) and then prioritize them across the number of engagements planned for, as an example, the coming year.


There are many benefits to utilizing a Red Team as part of an organization's cybersecurity program. A Red Team engagement is the closest thing to a real-world attack that an organization is likely to encounter. However, these engagements are expensive and take time and resources to complete successfully. Do not forget that once the Red Team delivers its report, the work of prioritization, mitigation, and remediation to fix the findings begins.
