Cybersecurity Teams: An Introduction to Red Team

Red, Blue, and the Infosec Color Wheel
Red Team: Test Blue Team Detection and Response
Red Team, Penetration Testing, and Vulnerability Assessments
Red Team vs Penetration Testing

In order to understand Red Team, it is important to be aware of the different cybersecurity roles (teams) and functions in the cybersecurity industry. Traditionally, the three primary cybersecurity teams are Red, Blue and Purple:

Red Team: Offensive Security
Blue Team: Defensive Security
Purple (team/function): the interaction between offensive and defensive teams.

A newer framework includes Green, Yellow, and Orange Teams. This framework was introduced by April Wright in the Blackhat presentation, “Orange is the new Purple“. In this framework, the three main “roles” are the three primary colors: offensive (Red), defensive (Blue), and builders/developers (Yellow). The Green, Purple and Orange Teams facilitate between Red, Blue, and Yellow Teams. These teams are presented by @proxyblue as an Infosec Color Wheel. It distills these different teams and functions, and provides an easy-to-follow visual guide to the different cybersecurity roles.

Red Team: Test Blue Team Detection and Response

Red Team is a distinct part of offensive cybersecurity. The main goal of Red Team is to improve an organization’s defensive capabilities- their Blue Team. A Red Team aims to emulate threat actors, and their Tactics, Techniques and Procedures (TTPs), to see if an organization is able to detect and respond to these threats.

Red Team, Penetration Testing, and Vulnerability Assessments

Red Team is often confused with vulnerability assessments and penetration testing. A standalone vulnerability assessment provides a prioritized list of security issues for organizations to fix and protect their environments from threat actors. Red Team and penetration testers test these vulnerabilities with exploits to complete separate goals. Depending on the established rules of engagement, this can lead to Red Teams and penetration testers finding more vulnerabilities than a standalone vulnerability assessment, but that is not the Red Team or penetration testers goals. The vulnerability assessment’s goal is to provide a list of vulnerabilities.

Red Team vs Penetration Testing

Red Teams and penetration testers also have different objectives. Red Teams aim to test Blue Team’s detection and response to a real threat actor. This typically leads to a longer engagement time and a higher focus on stealth and evasion. Since the goal is to test the defensive posture of an organization, Red Teams often include social engineering or physical intrusion testing, which leads to a longer engagement time. Penetration testers aim to identify and exploit vulnerabilities with a specific goal in mind, like stealing customer data. Daniel Miessler further breaks down this comparison in this post.

The differences between Red Team and penetration testers are not strict and can change depending on the needs of the client and the rules of engagement.

Below is a table that summarizes many of these differences:

Red Team

Penetration Testing

Objective

Test Blue Team’s detection and response

Achieve client goals through vulnerability analysis and exploitation

Methods

Emulate real threat actors TTPs, often updating methods used by attackers

Typically, more common and industry standard tools

Time Frame

Longer engagements, “campaigns”, cans be multiple weeks or months

Shorter engagements are typically under a month (~ 1 week)

Considerations

Stealth and Evasion: minimize network footprint to remain undetected

Client objective (e.g. get administrative privileges, access customer data)

Domain

Typically, a range of domains: physical, application, network, social engineering

Often specifically focused (e.g. mobile application penetration test)

Download our Capabilities Brief

Cybersecurity

Table of Contents

Red Team: Test Blue Team Detection and Response

Red Team, Penetration Testing, and Vulnerability Assessments

Red Team vs Penetration Testing

Red Team

Penetration Testing

References:

Lessons From the City Of Dallas Ransomware Attack

Active Directory Series: AS-REP Roasting

Active Directory Series: Silver Ticket Attack

KEV Catalog: Apache CouchDB Remote Privilege Escalation (CVE-2022-24706)

KEV Catalog: “Ghostcat” Apache Tomcat Improper Privilege Management Vulnerability (CVE-2020-1938)

KEV Catalog: “Drupalgeddon2”: Drupal Module Configuration Vulnerability CVE-2018-7600

KEV Catalog: “Spring4Shell” Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)

KEV Catalog: Debian-specific Redis Server Lua Sandbox Escape Vulnerability (CVE-2022-0543)

KEV Catalog: Apache Airflow “Example DAG” Command Injection (CVE-2020-11978)

KEV Catalog: VMware Spring Cloud Gateway Code Injection Vulnerability (CVE-2022-22947)

KEV Catalog: VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability (CVE-2022-22963)

KEV Catalog: Red Hat Polkit “pwnkit” Out-of-Bounds Read and Write Vulnerability (CVE-2021-4034)

KEV Catalog: SaltStack Salt Authentication Bypass (CVE-2020-11651)

Ready For a Free Consultation For Any Size Solution?

Company

Services

Contact Us