Defence is important for staying safe from cyber-attacks, but how do you make sure the defence is equipped enough to stop a full-fledged attack from a real threat actor? A Red Team’s action challenges an organisation’s security posture.   

The way the Red Team and Blue Team work to defend their organisation might be different, but in the scenario of a Red Team vs. Blue Team engagement, both teams must work together to test each other. This helps an organisation better understand its security posture in real-time and how well or worse it would perform against an attack from a real-world black hat hacker. 

Red Team

The Red Team will take up the role of a real-world attacker to emulate their steps to perform a proper attack on the organisation’s security infrastructure. For this, the Red Team will utilise their advanced technical abilities, social engineering, and physical attack methods to try to breach the organisation’s defence systems. The most crucial goal of a Red Team would be to identify, chain and exploit vulnerabilities, get into the target’s systems or network, and access and extract sensitive data, all while staying completely undetected by the organisation’s defence team (Blue Team).  

This will significantly help an organisation understand the weaknesses and security gaps in its employees, network infrastructures, applications, and physical security measures. 

Objectives

In a real-world attack scenario, the main objectives of a Red Team would be: 

1. Identify Vulnerabilities

Discover weaknesses and uncover exploitable vulnerabilities in the organisation’s security infrastructure, applications, and processes and evaluate the potential impact of these vulnerabilities. 

2. Exploiting Vulnerabilities

Red Team tries to exploit vulnerabilities identified in applications, networks, and even physical infrastructure to gain initial access to the internal network, systems data, or even the target’s physical location. 

3. Simulate Advanced Threats

The Red Team will employ TTPs (tactics, techniques, and procedures) employed by a proper black hat hacker; only then will they be able to simulate a real-world attack against the organisation. This would help the organisation evaluate and understand its complete ability to identify, combat, and bounce back from a proper and sophisticated attack. 

4. Social Engineering

Social engineering is the method of manipulating and baiting human resources (employees) of the target organisation. The Red Team tries to lure the targets into the phishing website and get them to submit their credentials (and session cookies) or download a malicious file that would give them initial access to their system. 

5. Gaining Persistent Access

When the Red Team has achieved a foothold inside the target environment, they will try to maintain a stable connection back and forth and attempt to move laterally or escalate the privileges, just as a real attacker would. 

6. Staying Under the Radar

Being careful not to get detected by the cyber security defence team is also very crucial in a Red Team assessment, so it’s important to use stealth tactics and avoid making excessive noise in the internal environment. 

7. Bypass Defences

Acting as real-world attackers, the organisation’s defence mechanisms will be tried to bypass through stealth tactics, persistence techniques, and creative and latest attack vectors. Read Payatu’s blog on AMSI bypass to learn more about bypasses. 

Blue Team

While the Red Team focuses on stimulating threat actors and attacking a company’s security posture, the Blue Team will defend the organisation’s cyber infrastructure by monitoring and improving the security of information systems to prevent breaches. The Blue Team’s responsibility is to protect the organisation’s security infrastructure.  

The Blue Team’s main tasks include identifying and neutralising threats, implementing cyber security best practices, and hardening systems to strengthen the organisation’s cyber security posture.   

The Blue Team forms a line of defence for the organisation using threat detection systems and all-over monitoring. In case of incidents, they perform incident response and other defence mechanisms to protect the organisation’s internal network and assets from intrusion. 

Objectives

The main objectives of a Blue Team are to strengthen the security posture of an organization are: 

1. Protect Critical Assets

The Blue Team ensures that an organisation’s critical assets, including sensitive data, systems, and infrastructure, are protected and guarded by implementing security controls to prevent malicious actors from gaining unauthorised access. This ensures that the organisational assets’ confidentiality, integrity, and availability are not negatively impacted. 

2. Detect and Respond to Threats

Continuously monitor the network and systems for signs of malicious activity or suspicious behaviour and detect and analyse threats in real-time to understand their nature, scope, and potential impact; the team should develop and implement incident response plans to contain and mitigate threats efficiently. 

3. Maintain Security Posture

The Blue Team will regularly assess the security posture and identify areas for improvement in the organisation. To strengthen the organisation’s defences, they will also adopt and enforce security best practices and standards. 

4. Prevent Future Attacks

The Blue Team must continuously implement new controls, deploy patches, improve configurations, and perform internal audits to strengthen the organisation’s security posture. 

Red Team Ops

The Red Team operates like a real adversary in a real-world attack scenario against the organisation. They collect all the publicly available information about the target through different methods and tools and use this information to craft an attack against the target to achieve initial access while bypassing their security mechanisms and achieving persistence in the target’s internal environment. 

Reconnaissance 

Picture credits: https://attack.mitre.org/ 

Reconnaissance is a collection of techniques for actively or passively gathering information that the Red Team uses to craft attacks and tactics for approaching the target.   

This information may consist of details about the target, such as the subdomains of their main domain(different levels of subdomains), Employee data (including their official mail IDs, Phone numbers, Job details, etc.), Git hub repos owned by the target company, or URLs from the Wayback machine, Network details (CIDR ranges, Network scans, publicly exposed IPs, Services exposed publicly), etc.   

For more information on Red Team reconnaissance techniques, check out Red Team Reconnaissance Techniques 

The reconnaissance is divided into two types: 

1. Passive Reconnaissance

2. Active Reconnaissance

Passive Reconnaissance

Gathering information passively involves obtaining publicly accessible information without engaging with the target directly. Since no network traffic is directed straight to the target, the target can’t detect anyone gathering information about them. The data collected through passive reconnaissance includes:   

• Scope Information 

• Target Email IDs, Phone Numbers, and Job details  

• Public Cloud Assets 

• Technology Stack 

• Target Network and IPs 

• Subdomains 

• JavaScript files  

Tools and Methods used:  

• Google Dorking 

• Phantom Buster, Phonebook.cz, ZoomInfo, Crosslinked 

• bgp.he.net, dig 

• wappalyzer 

• Subfinder 

• Anubis 

• Rengine  

• Shodan 

Active Reconnaissance: 

This is the method of reconnaissance when the information is gathered directly interacting with the target’s system assets or network. The information used for active reconnaissance will be mostly obtained from the passive reconnaissance part (like network IP ranges, publicly accessible services or ports, web applications, etc.).  

In the case of active reconnaissance, scanning and proxy tools like Nmap, nuclei, BurpSuite, Rustscan, Acunetix, etc., will be used to gather information actively by communicating with the target’s network and system assets directly.  

So, unlike active reconnaissance, this method carries a higher risk as it involves direct interaction with the target, which may alert them of our presence. 

The information gathered in this will include: 

• Open ports or publicly accessible services 

• Existing vulnerabilities (after any ports or services are discovered) 

• Directories or Endpoints 

Tools and Methods used: 

• nmap, Nessuss, Rustscan 

• Nuclei 

• Ffuzz, Dirsearch 

• Aquatone 

• Shodan.io 

Exploitation 

This is the stage where we try to exploit an existing vulnerability (which we found previously) in their applications, network, or employees (social engineering) to gain initial access to the target company’s internal assets (network, systems, servers, or cloud assets).  

We try to breach the organisation’s security defences by using real-world attack TTPs. This will not only help the Red Team gain initial access but also help the organisation understand the strength of its security defences in a proper and real attack from threat actors (or black hat hackers).  

The initial access will try to be gained by the team using the following methods: 

• Social Engineering 

Social Engineering is the method of exploiting human vulnerability by creating a luring pretext that baits our target employees into opening our mail, clicking on the link to our phishing website, and submitting their credentials (we would need session cookies in the real scenario). More information on setting up phishing infrastructure can be found here. 

• Penetration Testing

We used the information about applications (web, mobile, etc.) and network information in the active reconnaissance. We try to find more vulnerabilities or try to exploit the existing vulnerabilities in the discovered services that are being used by the organisation that could give us initial access into the network or hold of any sensitive information like any leaked credentials, more employee data (internal information), or defence technologies (EDR, XDR, AV, etc.). 

• Physical Testing

When a Red Team breaches physical security and enters the target organisation’s physical location without getting detected, it is physical testing. This could be conducted at the client’s request to assess the strength and awareness of the location’s security. Also, the Red Team can install physical devices (like LAN turtles, Rubber duckies, etc.) that could help breach their internal network. 

Persistence and Privilege Escalation

After gaining initial access to any assets of the organisation, we make sure the communication and control are set up properly and we have stable communication with the compromised machine or user account it can be an internal network-connected system, and we have to prioritise our first and initial task is to create persistent access to the breach we achieved. Persistence will be achieved using methods like Cronjobs, Systemd jobs, adding SSH keys, Windows registry, Scheduled Task, Windows services, Shortcut poisoning, Startup folders, etc. 

When persistence is achieved successfully, the next step is to try to escalate the privileges. Most probably, the foothold access we gained may be minimal privileged access, but we may not be able to perform some of the sensitive tasks that may be goal-oriented for the assessment. So, privilege escalation is always a crucial task in a Red Team assessment. For further information about persistence techniques, check this blog. 

The privilege escalation can be done through various methods like SUID/SGID files, Exploiting Cron jobs, Misconfigured sudo privileges, Path variable manipulation, writeable /etc/passwd, Insecure service configuration, AlwaysInstallElevated, Token Impersonation, DLL Hijacking, UAC Bypass, etc. 

For more information, check out this blog by Payatu: RedTeaming from zero To one 

Blue Team Defence

The Blue Team’s job is to come up with and carry out plans to protect the organisation from attacks. They work on things like setting up secure configurations, keeping an eye on network activity, and regularly checking for vulnerabilities to spot any weak spots that could be exploited. These include implementing safe configurations, monitoring the network regularly, conducting frequent and thorough vulnerability assessments to understand the vulnerable components that could become a security threat, and keeping the incident response plans updated so they can act fast and more efficiently in case of a breach or an attack.  

So, the Blue Team vs Red Team approach helps the defence team improve the organisation’s security posture by strengthening its ability and capacity to identify an attack and stop an actual threat actor. 

Advanced Threat Detection Techniques

The Blue Team uses various detection methods, like monitoring network traffic to identify malicious activity. The advanced threat detection includes more strategies like: 

• Network Traffic Monitoring 

Monitoring the network involves various activities, such as capturing packets and analysing and inspecting the flow across the network. This will help the Blue Team detect anomalies, malicious activities, or potential intrusions. Network traffic monitoring includes Full Packet Capture, NetFlow analysis, Deep Packet Inspection, etc. 

• Signature-based Detection 

This technique of advanced threat detection uses known patterns or signatures of the malicious files or the behaviour to identify threats; the signatures and patterns of behaviour of certain malicious files will be identified based on databases of pre-existing attack signatures and patterns to match against malicious activity.  

This type of detection is used by tools like IDS and IPS and within SIEM platforms. 

• Behavior-based Detection 

Behaviour-based threat detection is a security technique that detects threats by looking for abnormal behaviours in systems or network activity, and this offers a more proactive and efficient approach than the typical signature-based threat detection techniques. This threat detection uses methods like user and entity behaviour analytics (UEBA), which are frequently enhanced by machine learning and help significantly spot unusual activity and reduce threats. This also makes the behaviour-based threat detection system capable of detecting growing threats such as fileless malware or zero-day exploits by identifying the unusual patterns and seeing the unexpected behaviour that the affected assets may display 

Incident Response Tactics 

Incident response is a crucial component of security programs and is very important to an organisation’s security posture and defence hardening. It helps them identify, contain, and mitigate the impact of a possible security incident or an already-happened incident, which is why this is often known as Digital Forensics and Incident Response. 

The key elements of DFIR involved are: 

• DFIR (Digital Forensics and Incident Response) Process 

The DFIR mainly involves preparation where the incident response playbook will be created, and tools and infrastructure will be set up. After that, the identification step will be carried out where a security incident will be detected. The initial triage will be done by the Blue Team, in which the severity of the incident will be determined; after that, the process of containment, where the affected resources and assets will be contained to minimise further damage; it can be in either short-term or long-term containment. After the containment of the malicious file, the deletion process for this file will be done, and the recovery for the affected system restoration will be done; then, the affected resource and the other important assets will continue to be monitored. Based on the lessons learned by the IR team, the Incident Response playbook will be updated and reviewed. 

• Triaging Method 

By analysing the system logs and network traffic and using some automated tools, investigators and the defence team can efficiently identify indications of compromise (IoCs) and analyse the nature of the attack. In the case of digital forensics and incident response (DFIR), the triage phase mainly consists of a quick assessment of the incident’s scope and criticality to understand and decide on the most appropriate action. The Blue Team conducts more extensive research, such as memory analysis, checking the integrity of files, and network traffic analysis, to gather more evidence on the incident. Recognising potential threats and speeding up the triage process hashing technique is very useful, where the files and disk images will be compared to known malicious signatures. 

Endpoint and Network Hardening 

With attackers constantly changing and improvising their attack tactics, defenders need to employ a sophisticated defence approach to strengthen endpoints and network systems. Implementing strong endpoint and network security solutions is very important for reducing the potential for attack and the possibility of something vulnerable getting exploited. The endpoint and network hardening process involves the implementation of EDRs (Endpoint Detection and Response) tools, firewalls, and anomaly-based and behaviour-based detection systems to foresee, stop, and respond to malicious activity.  

A technical understanding of Endpoint and Network Hardening are: 

• Endpoint Hardening

EDRs are a vital and very important part of Endpoint Hardening. They mainly monitor system activities, provide real-time visibility, and secure the endpoints. They also detect suspicious behaviour and respond to threats. The EDRs assist organisations in preventing and responding to cyberattacks by detecting harmful activities like process injection, fileless malware, C2 (Command and Control) communication, attempts to escalate privileges, etc.   

Some popular EDR tools include CrowdStrike Falcon, Carbon Black, and MDE (Microsoft Defender for Endpoint). These security solution tools offer continuous monitoring, threat detection, automated responses, and good forensic analysis capabilities. 

• Network Hardening

Firewalls are crucial to network security because they control traffic flow between internal and external networks. Next-generation firewalls (NGFWs) have advanced capabilities like deep packet inspection and intrusion prevention. Effective security relies on proper firewall configuration, which entails implementing least privilege rules, optimising rules, and maintaining comprehensive logs. Firewalls are used to segment the network, filter applications, and prevent intrusions. Anomaly-based detection systems function alongside firewalls to discover unexpected patterns in the network or user behaviour, giving a proactive approach to threat detection. While powerful, anomaly detection systems might encounter issues such as false positives and necessitate careful baseline maintenance. 

Conclusion: Red Team vs Blue Team Approach 

In conclusion, this approach will be more effective in strengthening an organisation’s security posture. In this approach, while the Red Team launches a real-world attack against the security infrastructure, the Blue Team can try to defend the Red Team’s actions and understand the real-time performance of their defensive mechanisms.  

To know more about the Red Team vs Blue Team approach, check this out. 

The Red Team’s attacks would include all the parts from Red Team operations so the Blue Team can observe and understand how it would appear on their radar when and if a real attacker is gathering data on the organisation or crafting any kind of attack against them. This would greatly help the Blue Team anticipate upcoming attacks and act accordingly to strengthen their defence. 

Extra links: 

https://www.esecurityplanet.com/networks/red-team-vs-blue-team-vs-purple-team/#:~:text=Red teams simulate or actually collaborate with the other two. 

https://www.geeksforgeeks.org/difference-between-red-team-and-blue-team-in-cyber-security

https://attack.mitre.org