insights

Red Team vs Blue Team, much more than a game

 | 

Telecoms & High-tech

Over the years, we have seen the proliferation of a multitude of devices interconnected not only to the corporate network, but also to the Internet. Sectors where it was unthinkable before, now proliferate tiny devices that make use of an Internet connection for remote monitoring and management.

With the trend towards permanent connectivity and the technological advances available to any consumer, threats and attacks are also evolving. It is more than evident that interconnection facilitates our day-to-day performance, but at the same time, it can expose your most valuable asset and cause irreparable damage. This is why the paradigm around cybersecurity has changed, we have gone from “must implement” measures to “must implement” security measures and solutions. However, merely investing in protection is not enough, as General Michael Hayden said when the former CIA and NSA director retired, “Fundamentally, if someone wants to get in, get in. Okay, fine. Deal with it,” companies must have a security strategy, ensuring that investments in protection, detection and incident response are aligned. This is where the
Red Team
and the
Blue Team
.

Red Team and Blue Team exercises are not a new concept and, as it could not be otherwise, they have their origin in the military field, the idea is quite simple, to demonstrate the effectiveness of an attack by means of simulations. In cybersecurity, adopting the Red team/Blue team approach helps companies keep their most valuable assets safe. These teams are composed of highly qualified multidisciplinary personnel, with knowledge in multiple fields related to security, who are aware of the latest trends and know how current attacks that aim to exploit the most relevant vulnerabilities that could affect the company are produced.

The Red Team will be in charge of carrying out an attack on the company’s infrastructure trying to advance and break the company’s security controls, its mission is therefore to find vulnerabilities and exploit them in order to gain access to the company’s assets.

In contrast, the Blue Team is in charge of securing the company’s valuable assets, and in the event that the Red Team manages to find a vulnerability and exploit it, they will be in charge of remediating it as quickly as possible and documenting it as part of the lessons learned.

It is more than evident that for the business it is necessary to know what we are facing, companies must be able to obtain tangible data and evidence of what is happening in the sector in which they operate, what are the most frequent threats and provide a solution.

During these exercises, it is necessary for the Red Team to record the most important metrics for the business, which are usually the following:

  • Mean time to compromise the system or MTTC (Mean Time to Compromise): This value corresponds to the time from the time the Red Team initiates the attack to the time in which they manage to successfully compromise the target system.
  • Mean Time to Privilege Escalation (MTTP): This value corresponds to the time from the time the Red Team initiates the attack until the time they achieve administrator privileges on the target system.

On the other hand, it is more complicated for the Blue Team to establish metrics, since it does not necessarily know the exact moment at which the Red Team was able to compromise the system, so estimated times are usually recorded, to be highlighted:

  • Estimated Time to Detection (ETTD): this value corresponds to the time from when the Red Team initiates the attack until the Blue Team is able to detect it.
  • Estimated Time to Recovery or ETTR (Estimated Time to Recovery): this value corresponds to the time from when the Red Team starts the attack until the Blue Team manages to completely restore the system.

The job doesn’t end when the Red Team manages to compromise the system. There is much more to be done; collaboration between the two teams is necessary. A final report should be created that describes how the system was compromised, provide a timeline documenting the attack and the details of the vulnerabilities that were exploited to gain access and elevate privileges, as well as the business impact to the company and make a plan of action to address the deficiencies detected.

It is clear that Red Team vs Blue Team exercises are not just a game of four geeks getting together one afternoon, from this exercise our company will be able to more quickly identify an attack, improve the detection system and last but not least, reduce the time between infection and containment by having improved the effectiveness of the response process, keeping your most valuable assets safe.

Vicente Rosique Contreras

SATCOM On The Move (SOTM) para instalación vehicular y conexión estable en movilidad

SGoSat

Familia de terminales SATCOM On The Move (SOTM) para instalación vehicular y conexión estable en movilidad

SGoSat es una familia de terminales SOTM (Satellite Comms On The Move) de alta tecnología que se instalan en un vehículo, brindando la capacidad de apuntar y mantener una conexión estable con el satélite cuando el vehículo está en movimiento en cualquier tipo de condiciones.

La familia SGoSat está compuesta por terminales versátiles, que pueden instalarse en cualquier tipo de plataforma: trenes y buses, vehículos militares y / o gubernamentales, aeronaves, barcos, etc. Al haber sido diseñados originariamente para el sector militar, los terminales SGoSat son extremadamente fiables y robustos, ya que integran componentes de alto rendimiento que cumplen con las normativas medioambientales y EMI / EMC más exigentes. El producto utiliza antenas de bajo perfil y alta eficiencia, así como una unidad de posicionador y seguimiento de alto rendimiento, que permiten la operación del terminal en cualquier parte del mundo.

Con el fin de satisfacer las diversas necesidades de sus clientes, INSTER ha desarrollado terminales de banda única y terminales de doble banda en las frecuencias X, Ka y Ku.

La familia de terminales SGoSat también se puede configurar con una variada gama de radomos (incluidas opciones balísticas), adaptándose a los requisitos del cliente.