Penetration tests, more commonly known as pen tests, have become a key concept for cybersecurity experts. With these tests, organizations simulate attacks on their own systems, in a controlled environment, in order to discover their weaknesses and vulnerabilities before cyberattackers do. To do this, they have several kinds of exercises available to them, depending on how much information the attacking role has about the system: “white box” if they have information about the system; “black box” if they have none. They can also choose from several sector-recognized methodologies, including PTES, OSSTMM, ISSAF and OWASP.
All of this can be used to discover new vulnerabilities and mitigate weaknesses, while, at the same time, the cybersecurity professionals in the organization practice risky situations in order to prepare the best possible responses to real incidents. It is a hugely useful method for organizations that aim to improve their cybersecurity and incident prevention best practices. But in light of new, sophisticated cyberattacks and APTs, whose detection times tend to be much longer, cybersecurity professionals are applying a more strategic, more advanced kind of simulation to be better prepared: Red Team – Blue Team.
Differences with pen testing
Red Team – Blue Team is a kind of simulation in which members of an organization form teams to compete in a cyberthreat scenario. The members of the red team are the attacking team. The blue team’s aim is to protect the organization. At first glance, the exercise may sound like a regular pen test simulation with defined teams. However, the red team simulation has notable differences from traditional pen testing. The renowned CISO and cybersecurity blogger Daniel Miessler classifies them by their roles:
- Red Team: these take on the role of attackers, like pen testers. There are, however, several differences, including the emulation of the TTPs most likely to be used by cyberattackers, and the fact that they carry out a prolonged attack campaign that can last weeks or even months. In other words, the Red Team goes beyond short, one-off attacks that test or discover specific vulnerabilities, and instead uses a series of TTPs and predetermined objectives over a long period of time.
- Blue Team: these are the proactive defenders of the organization. Their approach is not limited to the reactive detection and response used by regular defenders: when faced with a prolonged attack campaign, they need to be creative, constantly seeking new approaches and ways to improve.
The BAD Pyramid
As well as these two leading roles, Miessler, building on the work of the analyst April Wright, introduces more categories and summarizes them in a diagram called the BAD (Build, Attack, Defend) Pyramid, where building is understood as software development. However, he clarifies that, in these cases that go beyond Red Team – Blue Team, they don’t necessarily have to be structured teams as such, but rather “cooperative mentalities”.
- Purple Team: coordinates what the Blue Team has learned from the Red Team’s attacks. Miessler underlines the importance of this team in terms of a cooperative mentality, but believes that, if the Red and Blue Teams are well coordinated, the Purple Team is not necessary.
- Yellow Team, Orange Team and Green Team: Yellow is made up of developers from the organization participating in the exercise. They can make changes based on the knowledge provided by the attackers, in which case they’d be Orange, or based on the defenders, in which case they’d be Green.
Strategic and preventive approach, key elements for threat hunting
CIOs with broad experience, like Jorge Oteo, tend to highlight the fact that, in light of how sophisticated current attacks are and how quickly cyberattacker tactics evolve, traditional cybersecurity measures, while still valid, are no longer enough in and of themselves.
This is the same premise under which the Red Team – Blue Team simulation was created: it goes beyond a regular pen testing exercise. Its pillars of defense are a proactive mentality, creativity and continuous learning.
These pillars coincide with the vision of the managed Threat Hunting and Incident Response service that Cytomic offers its customers, based on its Orion solution. Thanks to this solution, SOCs have the support they need to speed up their identification, mitigation and remediation processes for all kinds of threats, always from a strategic, proactive and creative point of view.