Over the years, we have seen the proliferation of a multitude of devices interconnected not only to the corporate network, but also to the Internet. Sectors where it was unthinkable before, now proliferate tiny devices that make use of an Internet connection for remote monitoring and management.
With the trend towards permanent connectivity and the technological advances available to any consumer, threats and attacks are also evolving. It is more than evident that interconnection facilitates our day-to-day performance, but at the same time, it can expose your most valuable asset and cause irreparable damage. This is why the paradigm around cybersecurity has changed, we have gone from “must implement” measures to “must implement” security measures and solutions. However, merely investing in protection is not enough, as General Michael Hayden said when the former CIA and NSA director retired, “Fundamentally, if someone wants to get in, get in. Okay, fine. Deal with it,” companies must have a security strategy, ensuring that investments in protection, detection and incident response are aligned. This is where the
Red Team
and the
Blue Team
.
Red Team and Blue Team exercises are not a new concept and, as it could not be otherwise, they have their origin in the military field, the idea is quite simple, to demonstrate the effectiveness of an attack by means of simulations. In cybersecurity, adopting the Red team/Blue team approach helps companies keep their most valuable assets safe. These teams are composed of highly qualified multidisciplinary personnel, with knowledge in multiple fields related to security, who are aware of the latest trends and know how current attacks that aim to exploit the most relevant vulnerabilities that could affect the company are produced.
The Red Team will be in charge of carrying out an attack on the company’s infrastructure trying to advance and break the company’s security controls, its mission is therefore to find vulnerabilities and exploit them in order to gain access to the company’s assets.
In contrast, the Blue Team is in charge of securing the company’s valuable assets, and in the event that the Red Team manages to find a vulnerability and exploit it, they will be in charge of remediating it as quickly as possible and documenting it as part of the lessons learned.
It is more than evident that for the business it is necessary to know what we are facing, companies must be able to obtain tangible data and evidence of what is happening in the sector in which they operate, what are the most frequent threats and provide a solution.
During these exercises, it is necessary for the Red Team to record the most important metrics for the business, which are usually the following:
- Mean time to compromise the system or MTTC (Mean Time to Compromise): This value corresponds to the time from the time the Red Team initiates the attack to the time in which they manage to successfully compromise the target system.
- Mean Time to Privilege Escalation (MTTP): This value corresponds to the time from the time the Red Team initiates the attack until the time they achieve administrator privileges on the target system.
On the other hand, it is more complicated for the Blue Team to establish metrics, since it does not necessarily know the exact moment at which the Red Team was able to compromise the system, so estimated times are usually recorded, to be highlighted:
- Estimated Time to Detection (ETTD): this value corresponds to the time from when the Red Team initiates the attack until the Blue Team is able to detect it.
- Estimated Time to Recovery or ETTR (Estimated Time to Recovery): this value corresponds to the time from when the Red Team starts the attack until the Blue Team manages to completely restore the system.
The job doesn’t end when the Red Team manages to compromise the system. There is much more to be done; collaboration between the two teams is necessary. A final report should be created that describes how the system was compromised, provide a timeline documenting the attack and the details of the vulnerabilities that were exploited to gain access and elevate privileges, as well as the business impact to the company and make a plan of action to address the deficiencies detected.
It is clear that Red Team vs Blue Team exercises are not just a game of four geeks getting together one afternoon, from this exercise our company will be able to more quickly identify an attack, improve the detection system and last but not least, reduce the time between infection and containment by having improved the effectiveness of the response process, keeping your most valuable assets safe.
Vicente Rosique Contreras