May 13, 2021

Maximizing Red/Blue Team Effectiveness

Red teams are critical for maturing security programs. Whether operated by third party consultants or an internal capability, these assessments offer a robust offensive perspective to help your cybersecurity team plug tactical gaps and rethink their strategic approach. But while red teaming is on the rise, most organizations stand to reap more benefits by adopting a purple team approach.  

A purple team approach merges efforts between your defensive (blue) and offensive (red) teams. Purple team exercises are most effective when they focus on existing workflows. Enabling direct collaboration offers a much more rapid feedback loop between red and blue teams than traditional assessments, yielding more robust outcomes and defensive capabilities. Some of the strongest leverage points for a purple team effort include:

  1. Detection Development - EDR/SIEM rule development
  1. Threat Hunting - Searching for unknowns and creating baselines
  1. Tabletops - Testing how the teams will react to certain incidents
  1. Tiger Team - Breach or incident response scenarios
  1. Research & Development - R&D for a variety of items including detections, hunts, tabletops, etc.

Fusing the efforts of red, intel, hunt, incident response, and detection teams enables analysts to cross-train, collaborate, and eventually respond more effectively during an incident. It is important to break apart the functions and the processes each team follows to find out how you can integrate them.  

Beyond the immediate benefit of sharper findings from red team efforts, purple teaming synergies can ease, or even resolve, common challenges faced by most cybersecurity programs.

  1. Retention: Integrating red and blue teams creates an exciting dynamic and empowers them to learn from each other and build new skills.  
  1. Training: Each fusion is a way to enable cross-training. Analysts commonly learn more working with other functions and teams than they do during live incidents.
  1. Collaboration: The strongest cyber security teams talk openly and collaboratively identify and resolve process, capability, and efficiency gaps.
  1. ROI/Analytics: Mapping ROI and consolidating analytics lets the teams focus on shared objectives instead of each trying to showcase its own value against the others.
  1. Effective response efforts: The cross-training and collaboration gets you from crawling to running much faster during a live incident. There have been incidents where red teamers have saved me hours of research, especially when you see an attacker using a specific toolkit.  

Implementing a purple team approach does not come without challenges and it is important to keep an eye out for them. Commonly, different teams want to be able to find the answers on their own, even when they have other teams at their disposal. Think back to a recent incident and consider how much more efficient it would have been to get a red teamer’s perspective – or, more specifically, think about how you approached the SolarWinds incident and who took responsibility for each action. Would you change what team members did and were there team members duplicating efforts?

A specific workflow to consider is detection research and development. A detection team working in isolation may feel confident in signatures or rules that do not account for practical variations of attacks that are commonly known to red teams, or for behavioral variations known to intel teams, or that miss a more effective detection vector known to the engineering team. These are great examples of leverage points for team ‘fusion’ meetings because they are all trivially identifiable with the right set of eyes.

In conclusion, properly leveraging your teams is not easy - especially for organizations that do not have those capabilities in-house. The outcomes are there, however, and many organizations should look for fusion opportunities in their security teams. Through these activities you can identify where a capability you do not yet have would have added value, and lean on external teams until it is in place.

If you are interested in building or maturing your team to take advantage of purple teaming in existing processes and to create fusion between all teams, sign up for my session at the SANS Purple Team Summit on May 25 at 12:25pm Eastern. Registration is free: https://bit.ly/2QiuYas.  You can also reach out to me or any of our MOXFIVE Technical Advisors at [email protected] or through our website at www.moxfive.com/contact .

Michael Rogers

Michael Rogers is a Sr. Director of Technical Advisory Services at MOXFIVE where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a master’s degree in cyber security and is accredited through SANS for the GCFA, GCIA, GDAT, and GOSI certifications. He has had a wide range of experience from building and managing global Security Operation Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.
