Cybersecurity Teams: An Introduction to Red Team

Red Teaming

In order to understand Red Team, it is important to be aware of the different cybersecurity roles (teams) and functions in the cybersecurity industry. Traditionally, the three primary cybersecurity teams are Red, Blue and Purple:

  • Red Team: Offensive Security
  • Blue Team: Defensive Security
  • Purple (team/function): the interaction between offensive and defensive teams.

A newer framework includes Green, Yellow, and Orange Teams. This framework was introduced by April Wright in the Blackhat presentation, “Orange is the new Purple“. In this framework, the three main “roles” are the three primary colors: offensive (Red), defensive (Blue), and builders/developers (Yellow). The Green, Purple and Orange Teams facilitate between Red, Blue, and Yellow Teams. These teams are presented by @proxyblue as an Infosec Color Wheel. It distills these different teams and functions, and provides an easy-to-follow visual guide to the different cybersecurity roles.

Red Team Infosec

Red Team: Test Blue Team Detection and Response

Red Team is a distinct part of offensive cybersecurity. The main goal of Red Team is to improve an organization’s defensive capabilities- their Blue Team. A Red Team aims to emulate threat actors, and their Tactics, Techniques and Procedures (TTPs), to see if an organization is able to detect and respond to these threats.

Red Team, Penetration Testing, and Vulnerability Assessments

Red Team is often confused with vulnerability assessments and penetration testing. A standalone vulnerability assessment provides a prioritized list of security issues for organizations to fix and protect their environments from threat actors. Red Team and penetration testers test these vulnerabilities with exploits to complete separate goals. Depending on the established rules of engagement, this can lead to Red Teams and penetration testers finding more vulnerabilities than a standalone vulnerability assessment, but that is not the Red Team or penetration testers goals. The vulnerability assessment’s goal is to provide a list of vulnerabilities.

Red Team vs Penetration Testing

Red Teams and penetration testers also have different objectives. Red Teams aim to test Blue Team’s detection and response to a real threat actor. This typically leads to a longer engagement time and a higher focus on stealth and evasion. Since the goal is to test the defensive posture of an organization, Red Teams often include social engineering or physical intrusion testing, which leads to a longer engagement time. Penetration testers aim to identify and exploit vulnerabilities with a specific goal in mind, like stealing customer data. Daniel Miessler further breaks down this comparison in this post.

The differences between Red Team and penetration testers are not strict and can change depending on the needs of the client and the rules of engagement.

Below is a table that summarizes many of these differences:

Red Team

Penetration Testing

Objective

Test Blue Team’s detection and response
Achieve client goals through vulnerability analysis and exploitation

Methods

Emulate real threat actors TTPs, often updating methods used by attackers
Typically, more common and industry standard tools

Time Frame

Longer engagements, “campaigns”, cans be multiple weeks or months

Shorter engagements are typically under a month (~ 1 week)

Considerations
Stealth and Evasion: minimize network footprint to remain undetected

Client objective (e.g. get administrative privileges, access customer data)

Domain
Typically, a range of domains: physical, application, network, social engineering
Often specifically focused (e.g. mobile application penetration test)

References: