Red, Blue, and Purple Teams distinguished
There is a fair amount of confusion about the definitions of Red, Blue, and Purple Teams within cybersecurity. This post lays out definitions for each and the concepts connected with them.
Definitions
- Red Teams are internal or external entities devoted to evaluating the effectiveness of a security program by emulating the tools and techniques of likely attackers in the most realistic way possible. The practice is similar to, but not identical with, penetration testing, and consists of the pursuit of one or more objectives, usually executed as a campaign.
- Blue Teams are the internal security team that defends against both real attackers and Red Teams. Blue Teams should be distinguished from the traditional security teams found in most organizations, because most security operations teams do not have a mentality of constant vigilance against attack, which is the mission and viewpoint of a true Blue Team.
- Purple Teams exist to ensure and maximize the effectiveness of the Red and Blue Teams. They do this by integrating the defensive tactics and controls of the Blue Team with the threats and vulnerabilities found by the Red Team into a single narrative that strengthens both. Ideally, Purple should not be a team at all, but a permanent dynamic between Red and Blue.
Red Teams
Red Teams are often confused with penetration testers; while the two have a large overlap in skills and function, they are not the same.
Red Teams have a number of attributes that set them apart from other offensive security teams. The most critical of these are:
- Emulation of the TTPs used by adversaries the target is likely to face: for example, using similar tools, exploits, pivoting methodologies, and objectives as a given threat actor.
- Campaign-based testing that runs for an extended period of time: for example, several weeks or months of emulating the same adversary.
If a security team uses traditional pentesting tools, runs its testing for only one or two weeks, and is trying to achieve a traditional set of objectives (pivoting to the internal network, stealing data, getting domain admin), then that is a pentest and not a Red Team engagement. Red Team engagements use a tailored set of TTPs and objectives over a prolonged period of time.
Red Teams do not just test for vulnerabilities; they do so using the TTPs of their likely threat actors, in campaigns that run continuously for an extended duration.
It is of course possible to build a Red Team campaign that uses the best TTPs available to the Red Team, combining typical penetration testing tools, techniques, and objectives, and to run that as a campaign (modelling a pentester as the adversary). But we believe the purest form of a Red Team campaign emulates a particular threat actor's TTPs, which will not necessarily be the same ones the Red Team would choose if it were attacking on its own behalf.
Blue Teams
Blue Teams are the proactive defenders of an organization from a cybersecurity standpoint.
There are a number of defence-oriented InfoSec tasks that are not generally considered Blue-Team-worthy: for example, a tier-1 SOC analyst who has no training or interest in offensive techniques, no curiosity about the interface they are looking at, and no creativity in following up on possible alerts.
All Blue Teams are defenders, but not all defenders are part of a Blue Team.
What separates a Blue Team from simply doing defensive work is the mentality. Here is how we make the distinction: Blue Teams and Blue Teamers have and use:
- A proactive vs. reactive mindset
- Endless curiosity with regards to things that are out of the ordinary
- Ongoing improvement in detection and response
It is not about whether someone is a self-taught tier-1 SOC analyst or a hotshot former Red Teamer from Carnegie Mellon. It is about curiosity and a desire to constantly improve.
Purple Teams
Purple is a cooperative mindset between attackers and defenders working on the same side. As such, it should be thought of as a function rather than a dedicated team.
The real purpose of a Red Team is to find ways to improve the Blue Team, so Purple Teams should not be needed in organizations where the Red Team / Blue Team interaction is healthy and functioning properly.
The best use of the term we have seen is where a group not familiar with offensive techniques wants to learn how attackers think. That could be an incident response group, a detection group, a development group, whatever. If the good guys are trying to learn from whitehat hackers, that can be considered a Purple Team exercise.
Broken Purple Team Analogies
We have a few analogies we came up with to explain why the concept of a dedicated Purple Team is a bad idea.
- Waiters who don't deliver food: A restaurant is having trouble getting its waiters to pick up food from the kitchen and bring it to the tables. Its answer is to hire "kitchen-to-table coordinators", who are specialists in table delivery. When management is asked why they hired an additional person to do this instead of having the waiters do it themselves, the answer is:
The waiters said it wasn't their job.
- Elite chefs who keep the food in the kitchen: An expert is hired to figure out why a restaurant is struggling when it has all this top-end chef talent. Apparently customers are waiting forever and often not getting any food at all. When the reviewer goes into the kitchen they find stacks of beautiful, perfectly arranged plates of food sitting next to the stoves. They ask the chef why this food hasn't gone out to the tables, and the chef responds:
We know a lot more about food than these idiotic waiters and stupid customers. Do you know how long I've been studying and practising to create food like this? Even if I let them eat it they wouldn't understand it, and they wouldn't appreciate it. So we keep it here.
So we have waiters who refuse to take food to the tables, and chefs who won't let their dishes leave the kitchen. The first is a Blue Team that won't pick up what the Red Team produces; the second is a Red Team that refuses to work with the Blue Team.
If you have this problem, the solution is to fix the Red Team / Blue Team interaction, not to create a separate group that is tasked with doing their job for them.
What are Yellow, Orange, and Green Teams?
On top of the well-known Red, Blue, and Purple Team concepts, April Wright proposed a few other team variants in a Black Hat talk called "Orange is the New Purple".
In that talk she introduced the concept of the Yellow Team, the builders, and then combined it with Blue and Red to produce the other colours. We think this is really smart, but disagree somewhat with a few of her characterizations of the combinations. We captured our own interpretation of these interactions in what we call the BAD (Build, Attack, Defend) pyramid, which is essentially a variation of April's work.
We also don't much like the word "team" being attached to all of these colours, since we believe that in most cases they are actually mindsets, or functions, rather than dedicated groups of people. Yellow, for instance, already has a name: they are called Developers. And the Green, Orange, and Purple designations should really be modifications to either developer or Blue Team behaviour.
A summarization of security function colours
- Yellow: Builder
- Red: Attacker
- Blue: Defender
- Green: Builder Learns from Defender
- Purple: Defender learns from Attacker
- Orange: Builder learns from Attacker
Typical problems with Red and Blue Team interactions
Red and Blue Teams should operate in tandem, in harmony with one another, like two hands that together can clap.
Like Yin and Yang or Attack and Defence, Red and Blue Teams could not be more opposed in their strategies and behaviours, but these variations are precisely what make them part of a healthy and effective whole. Red Teams attack, and Blue Teams defend, but the main objective is shared between them: enhance the security posture of the organization.
Some of the typical problems with Red and Blue Team cooperation include:
- The Red Team thinks of itself as too elite to share information with the Blue Team.
- The Red Team is pulled inside the organization and becomes neutered, restricted, and demoralized, which eventually results in a catastrophic reduction in its effectiveness.
- The Red Team and Blue Team are not set up to interact with each other on an ongoing basis, as a matter of course, so lessons learned on each side are essentially lost.
- Information security management does not see the Red and Blue Teams as part of the same effort, so there is no shared information, management, or metrics between them.
Organizations suffering from one or more of these ailments are the most likely to think they need a Purple Team to solve them. However, "Purple" should be thought of as a function, or a concept, rather than a permanent additional team. And that concept is cooperation and mutual benefit toward a common goal.
So perhaps there is a Purple Team engagement, where a third party analyzes how your Red and Blue Teams work with one another and recommends fixes. Or perhaps there is a Purple Team exercise, where someone monitors both teams in real time to see how they function. Or perhaps there is a Purple Team meeting, where the two teams bond, share stories, and talk through various attacks and defences.
The theme of unification is getting the Red and Blue Teams to agree on their shared goal of organizational improvement, not introducing yet another entity into the mix.
Think of a Purple Team as a marriage counsellor. It is fine to have someone serve in that role in order to repair communication, but under no circumstances should you decide that the new, permanent way for the husband and wife to interact is through a mediator.
Conclusion
- Red Teams emulate attackers in order to find weaknesses in the defences of the organizations they work for.
- Blue Teams defend against attackers and work to continuously improve their organization's security posture.
- A properly functioning Red / Blue Team implementation features regular knowledge sharing between the Red and Blue Teams in order to drive ongoing improvement of both.
- Purple Teams are often used to force this ongoing integration between the two groups, which fails to address the underlying problem of the Red and Blue Teams not sharing information.
- The Purple Team should be thought of as a cooperation function or interaction point, not as a separate and, ideally, redundant entity.
- In a mature organization, the Red Team's sole purpose is to improve the effectiveness of the Blue Team, so the value provided by a Purple Team should be a natural part of their interaction rather than something forced through an extra entity.
- If you combine Yellow (Builders) with Red and Blue you end up with other functions, like Green and Orange, that help spread the attacker and defender mindsets to other parts of the organization.