Red Team & Blue Team
Ata Şahan Erdemir
Senior Information Technology Security Specialist at Türkiye İş Bankası / Softtech
Hello everyone. Today I want to introduce "Red Team and Blue Team".
- Introduction
- What is the RED TEAM?
- Functions of the Red Team
- How the Red Team works and its tasks
- Red Team Metrics
- What is the BLUE TEAM?
- How the Blue Team works and its tasks
- Conclusion
1. Introduction
Nowadays companies have started to protect their information systems and information technologies against hackers, and the hackers are more aggressive than before. This age is called the "information age", and information is the most valuable thing in it: if you hold the information, you hold the power. Hackers are motivated by some kind of trigger, which could be money, revenge, fun, politics, hacktivism and so on. Sometimes governments support these hackers for their own political issues and strategies.
Because of all this, companies try to protect themselves against attacks. Some companies outsource this field to a service provider, while others have an in-house security department that runs these kinds of scenarios.
2. What is the Red Team?
The Red Team performs an attack and penetrates the environment by trying to break through the current security controls. In other words, this activity is known as "penetration testing".
2.2 How does the Red Team work and what are its tasks?
The mission is to discover vulnerabilities and exploit them, then gain access as an administrator or root (privilege escalation), and then collect data, harm the systems, or just spy.
2.3 Red Team Metrics
- Mean Time to Compromise (MTTC): This starts counting from the minute the red team initiated the attack and ends at the moment they were able to successfully compromise the target.
- Mean Time to Privilege Escalation (MTTP): This starts at the same point as MTTC and ends at the moment the red team has administrative privilege on the target.
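The two metrics above are averages over several engagements, so the practical question is what goes into the average. The following Python script is an added example (not part of the original article) that computes MTTC and MTTP from a constructed engagement log; the engagement names, timestamps and the held_rate helper are assumptions for illustration. An engagement in which the red team never got a foothold contributes nothing to either mean, which is why the script also reports how often the defenders held.

```python
from datetime import datetime
from statistics import mean

# Constructed engagement log (made up for this example, not from the article).
# Timestamps are what the red team records: when the attack started, when the
# first foothold was obtained, and when administrative privilege was reached.
# None means the milestone was not reached within the engagement window.
ENGAGEMENTS = [
    {"name": "eng-01", "started": "2024-03-04T09:00:00",
     "compromised": "2024-03-04T13:30:00", "admin": "2024-03-05T10:00:00"},
    {"name": "eng-02", "started": "2024-04-15T08:00:00",
     "compromised": "2024-04-15T09:00:00", "admin": "2024-04-15T11:30:00"},
    {"name": "eng-03", "started": "2024-05-20T10:00:00",
     "compromised": None, "admin": None},      # the defenders held this time
]


def _hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps; None if end is missing."""
    if end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def _mean_or_none(values):
    """Mean of the non-missing values, or None when nothing was measured."""
    present = [v for v in values if v is not None]
    return mean(present) if present else None


def mean_time_to_compromise(engagements):
    """MTTC: mean hours from attack start to the first successful compromise,
    over the engagements in which a compromise actually happened."""
    return _mean_or_none(
        _hours_between(e["started"], e["compromised"]) for e in engagements)


def mean_time_to_privilege_escalation(engagements):
    """MTTP: same starting point as MTTC, ending when the red team holds
    administrative privilege on the target."""
    return _mean_or_none(
        _hours_between(e["started"], e["admin"]) for e in engagements)


def held_rate(engagements):
    """Fraction of engagements with no compromise at all: the blue team's
    view of the same log (1.0 would mean every attack was stopped)."""
    if not engagements:
        return None
    held = sum(1 for e in engagements if e["compromised"] is None)
    return held / len(engagements)


if __name__ == "__main__":
    print(f"MTTC: {mean_time_to_compromise(ENGAGEMENTS):.2f} h")
    print(f"MTTP: {mean_time_to_privilege_escalation(ENGAGEMENTS):.2f} h")
    print(f"held: {held_rate(ENGAGEMENTS):.0%}")
```

Report MTTC and MTTP together with the held rate: a falling MTTC means the red team is getting in faster, but a rising held rate means more engagements are being stopped outright, and the two averages alone cannot show that.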
3. What is the Blue Team?
We can define the blue team as the "Defense Team", because blue team members work in the SOC department, and the SOC department ensures the defense of the company. The Blue Team has many tools for defense, such as SIEM and firewalls. They can prevent attacks before they happen, but the point is how to manage those tools. On the other hand, they have a disadvantage: the human factor, because people are the weak point of security. Hackers can target a person with phishing attacks such as spear phishing. Because of these points, blue teams have many responsibilities.
3.1 How does the Blue Team work and what are its tasks?
The blue team is responsible for defending the company against hackers.
- Save evidence: It is imperative to save evidence during these incidents to ensure you have tangible information to analyze, rationalize, and act on to mitigate in the future.
- Validate the evidence: Not every single alert, or in this case piece of evidence, will lead you to a valid attempt to breach the system. But if it does, it needs to be cataloged as an Indication of Compromise (IOC).
- Engage whoever is necessary to engage: The blue team must know what to do with this IOC and which teams should be aware of the compromise. Engage all relevant teams, which may vary according to the organization.
- Triage the incident: Sometimes the Blue Team may need to engage law enforcement, or they may need a warrant in order to perform further investigation; a proper triage will help in this process.
- Create a remediation plan: The blue team should put together a remediation plan to either isolate or evict the adversary.
- Scope the breach: At this point the blue team has enough information to scope the breach.
- Execute the plan: Once the plan is finished, the blue team needs to execute it and recover from the breach.
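The steps above are a procedure, and the parts of it that are mechanical (preserving evidence so it can be shown to be unaltered, turning validated alerts into cataloged IOCs, working out which teams to engage, scoping the breach and drafting the isolate-or-evict plan) can be written down as code. The following Python script is an added example, not code from the article: the alerts, asset names, team names and the ENGAGE routing table are constructed for illustration, and the triage step (law enforcement, warrants) is a human decision that the script deliberately leaves out.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample alerts, as a SIEM might hand them to the blue team
# (made up for this example, not data from the article).
# "validated" is the analyst's verdict after looking at the alert.
ALERTS = [
    {"id": "a-1001", "kind": "login", "asset": "fileserver-01",
     "detail": "10 failed logons then a success for svc-backup from 203.0.113.7",
     "validated": True},
    {"id": "a-1002", "kind": "scan", "asset": "many",
     "detail": "scheduled vulnerability scanner touched 200 hosts",
     "validated": False},   # benign: the known internal scanner, not an IOC
    {"id": "a-1003", "kind": "email", "asset": "finance-ws-07",
     "detail": "spear-phishing message with credential link opened by a finance user",
     "validated": True},
]

# Hypothetical routing table: which teams to engage for each kind of IOC.
ENGAGE = {
    "login": ["identity", "infrastructure"],
    "email": ["messaging", "security-awareness"],
}


def preserve_evidence(alert, now=None):
    """Save evidence: freeze the raw alert as canonical JSON and record its
    SHA-256 so later analysis can show the bytes were not altered."""
    raw = json.dumps(alert, sort_keys=True, separators=(",", ":")).encode()
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {"alert_id": alert["id"], "raw": raw,
            "sha256": hashlib.sha256(raw).hexdigest(), "preserved_at": stamp}


def evidence_intact(record):
    """Re-hash the stored bytes and compare with the recorded digest."""
    return hashlib.sha256(record["raw"]).hexdigest() == record["sha256"]


def catalog_iocs(alerts):
    """Validate the evidence: only analyst-confirmed alerts become IOCs."""
    return [{"ioc_id": "ioc-" + a["id"], "kind": a["kind"],
             "asset": a["asset"], "detail": a["detail"]}
            for a in alerts if a["validated"]]


def teams_to_engage(iocs, routing=ENGAGE):
    """Engage whoever is necessary: union of owning teams, SOC as fallback."""
    teams = set()
    for ioc in iocs:
        teams.update(routing.get(ioc["kind"], ["soc"]))
    return sorted(teams)


def scope_breach(iocs):
    """Scope the breach: the distinct assets the validated IOCs touch."""
    return sorted({ioc["asset"] for ioc in iocs})


def remediation_plan(iocs):
    """Create a remediation plan: isolate the asset, then evict the
    adversary's foothold (credential reset or message purge)."""
    plan = []
    for ioc in iocs:
        plan.append(("isolate", ioc["asset"]))
        if ioc["kind"] == "login":
            plan.append(("reset-credentials", ioc["asset"]))
        elif ioc["kind"] == "email":
            plan.append(("purge-message-and-reset-password", ioc["asset"]))
    return plan


def handle_incident(alerts):
    """Run the mechanical steps in the article's order and return the
    incident record the blue team would keep."""
    evidence = [preserve_evidence(a) for a in alerts]
    if not all(evidence_intact(e) for e in evidence):
        raise RuntimeError("evidence digest mismatch")
    iocs = catalog_iocs(alerts)
    return {
        "evidence_count": len(evidence),
        "iocs": iocs,
        "engage": teams_to_engage(iocs),
        "scope": scope_breach(iocs),
        "plan": remediation_plan(iocs),
    }


if __name__ == "__main__":
    print(json.dumps(handle_incident(ALERTS), indent=2))
```

Evidence is preserved for every alert, including the one later judged benign, because the judgement itself may need to be revisited; only the validated alerts move on to the IOC catalog, and everything after that (teams, scope, plan) is derived from the catalog rather than from the raw alert stream.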
4. Conclusion
Both of these teams can be in-house or hired from outside. Companies have already started to allocate large budgets for these teams. Thus companies can see their weaknesses and vulnerabilities, and then take action to fix all of them.