Red Team vs Blue Team Defined

In a red team/blue team exercise, the red team is made up of offensive security experts who try to attack an organization's cybersecurity defenses. The blue team defends against and responds to the red team attack.

Modeled after military training exercises, this drill is a face-off between two teams of highly trained cybersecurity professionals: a red team that uses real-world adversary tradecraft in an attempt to compromise the environment, and a blue team that consists of incident responders who work within the security unit to identify, assess and respond to the intrusion.

Red team/blue team simulations play an important role in defending the organization against a wide range of cyberattacks from today’s sophisticated adversaries. These exercises help organizations:

  • Identify points of vulnerability as it relates to people, technologies and systems
  • Determine areas of improvement in defensive incident response processes across every phase of the kill chain
  • Build the organization’s first-hand experience about how to detect and contain a targeted attack
  • Develop response and remediation activities to return the environment to a normal operating state
2021-cyber-front-lines-report-cover

Front Lines Report

Every year our services team battles a host of new adversaries. Download the Cyber Front Lines report for analysis and pragmatic steps recommended by our services experts.

Download Now

What is a red team

In a red team/blue team cybersecurity simulation, the red team acts as an adversary, attempting to identify and exploit potential weaknesses within the organization’s cyber defenses using sophisticated attack techniques. These offensive teams typically consist of highly experienced security professionals or independent ethical hackers who focus on penetration testing by imitating real-world attack techniques and methods.

The red team gains initial access usually through the theft of user credentials or social engineering techniques. Once inside the network, the red team elevates its privileges and moves laterally across systems with the goal of progressing as deeply as possible into the network, exfiltrating data while avoiding detection.

What is red teaming and why does your security team need it?

Red teaming is the act of systematically and rigorously (but ethically) identifying an attack path that breaches the organization’s security defense through real-world attack techniques. In adopting this adversarial approach, the organization’s defenses are based not on the theoretical capabilities of security tools and systems, but their actual performance in the presence of real-world threats. Red teaming is a critical component in accurately assessing the company’s prevention, detection and remediation capabilities and maturity.

What is a blue team

If the red team is playing offense, then the blue team is on defense. Typically, this group consists of incident response consultants who provide guidance to the IT security team on where to make improvements to stop sophisticated types of cyberattacks and threats. The IT security team is then responsible for maintaining the internal network against various types of risk.

While many organizations consider prevention the gold standard of security, detection and remediation are equally important to overall defense capabilities. One key metric is the organization’s “breakout time” — the critical window between when an intruder compromises the first machine and when they can move laterally to other systems on the network.

CrowdStrike typically recommends a “1-10-60 rule,” which means that organizations should be able to detect an intrusion in under a minute, assess its risk level within 10 minutes and eject the adversary in less than one hour.

Learn More

Learn how to prepare your cybersecurity team to defend against targeted attacks

Download: Red Team / Blue Team Exercise Data Sheet

Benefits of red team/blue team exercises

Implementing a red team/blue team strategy allows organizations to actively test their existing cyber defenses and capabilities in a low-risk environment. By engaging these two groups, it is possible to continuously evolve the organization’s security strategy based on the company’s unique weaknesses and vulnerabilities, as well as the latest real-world attack techniques.

Through red team/blue team exercises it is possible for the organization to:

  • Identify misconfigurations and coverage gaps in existing security products
  • Strengthen network security to detect targeted attacks and improve breakout time
  • Raise healthy competition among security personnel and foster cooperation among the IT and security teams
  • Elevate awareness among staff as to the risk of human vulnerabilities which may compromise the organization’s security
  • Build the skills and maturity of the organization’s security capabilities within a safe, low-risk training environment

Who is the purple team?

In some cases, companies organize a red team/blue team exercise with outside resources that do not fully cooperate with internal security teams. For example, digital adversaries hired to play the part of the red team may not share their attack techniques with the blue team or fully debrief them on points of weaknesses within the existing security infrastructure — leaving open the possibility that some gaps may remain once the exercise concludes.

A so-called “purple team is the term used to describe a red team and blue team that work in unison. These teams share information and insights in order to improve the organization’s overall security.

At CrowdStrike, we believe that red team/blue team exercises hold relatively little value unless both teams fully debrief all stakeholders after each engagement and offer a detailed report on all aspects of project activity, including test techniques, access points, vulnerabilities and other specific information that will help the organization adequately close gaps and strengthen their defenses. For our purposes, “purple teaming” is synonymous with red team/blue team exercises.

Red Team vs Blue Team Skills

Red team skill set

A successful red team must be devious in nature, assuming the mindset of a sophisticated adversary to gain access to the network and advance undetected through the environment. The ideal team member for the red group is both technical and creative, capable of exploiting system weaknesses and human nature. It’s also important that the red team be familiar with threat actor tactics, techniques and procedures (TTPs) and the attack tools and frameworks today’s adversaries use.

For example, a Florida teenager recently used spear-phishing tactics as well as social engineering techniques to obtain employee credentials and access internal systems at Twitter, resulting in a high-profile breach of more than 100 celebrity accounts.

A member of the red team should have:

  • A deep awareness of computer systems and protocols, as well as security techniques, tools and safeguards
  • Strong software development skills in order to develop custom made tools to circumvent common security mechanisms and measures
  • Experience in penetration testing, which would help exploit common vulnerabilities and avoid activities that are often monitored or easily detected
  • Social engineering skills that allow the team member to manipulate others into sharing information or credentials

Blue team skill set

While the blue team is technically focused on defense, much of their job is proactive in nature. Ideally, this team identifies and neutralizes risks and threats before they inflict damage on the organization. However, the increasing sophistication of attacks and adversaries makes this an all but impossible task for even the most skilled cybersecurity professionals.

The blue team’s job is equal parts prevention, detection and remediation. Common skills for the blue team include:

  • A full understanding of the organization’s security strategy across people, tools and technologies
  • Analysis skills to accurately identify the most dangerous threats and prioritize responses accordingly
  • Hardening techniques to reduce the attack surface, particularly as it relates to the domain name system (DNS) to prevent phishing attacks and other web-based breach techniques
  • Keen awareness of the company’s existing security detection tools and systems and theiralert mechanisms

How Do the Red Team and Blue Team Work Together?

Red Team Blue Team Exercise Path

Scenarios When a Red Team/Blue Team Exercise Is Needed

Red team/blue team exercises are a critical part of any robust and effective security strategy. Ideally, these exercises help the organization identify weaknesses in the people, processes and technologies within the network perimeter, as well as pinpoint security gaps such as backdoors and other access vulnerabilities that may exist within the security architecture. This information ultimately will help customers strengthen their defenses and train or exercise their security teams to better respond to threats.

Since many breaches can go undetected for months or even years, it is important to conduct red team/blue team exercises on a regular basis. Research shows that adversaries dwell, on average, 197 days within a network environment before they are detected and ejected. This raises the stakes for companies in that attackers can use this time to set up backdoors or otherwise alter the network to create new points of access that could be exploited in the future.

One important differentiator in the way that CrowdStrike approaches red team/blue team exercises is in terms of the overall strategy. We use red team activities to seed the environment with data so the blue team can gauge the risk associated with each incident and respond accordingly. As such, we don’t treat this exercise as a proverbial war game where our clients attempt to block each and every red team action, but effectively assess and prioritize those events that the data reveals to be the greatest threat.

Red Team Exercise Examples

Red teams use a variety of techniques and tools to exploit gaps within the security architecture. For example, in assuming the role of a hacker, a red team member may infect the host with malware to deactivate security controls or use social engineering techniques to steal access credentials.

Red team activities commonly follow the MITRE ATT&CK Framework, which is a globally-accessible knowledge base of adversary tactics, techniques and methods based on real-world experience and events. The Framework serves as a foundation for the development of prevention, detection and response capabilities that can be customized based on each organization’s unique needs and new developments within the threat landscape.

Examples of red team activities include:

  • Penetration testing in which a red team member attempts to access the system using a variety of real-world techniques
  • Social engineering tactics, which aim to manipulate employees or other network members into sharing, disclosing or creating network credentials
  • Intercepting communication in order to map the network or gain more information about the environment in order to circumvent common security techniques
  • Cloning an administrator’s access cards to gain entry to unrestricted areas

Blue Team Exercise Examples

Functioning as the organization’s line of defense, the blue team makes use of security tools, protocols, systems and other resources to protect the organization and identify gaps in its detection capabilities. The blue team’s environment should mirror the organization’s current security system, which may have misconfigured tools, unpatched software or other known or unknown risks.

Examples of blue team exercises include:

  • Performing DNS research
  • Conducting digital analysis to create a baseline of network activity and more easily spot unusual or suspicious activity
  • Reviewing, configuring and monitoring security software throughout the environment
  • Ensuring perimeter security methods, such as firewalls, antivirus and anti-malware software, are properly configured and up-to-date
  • Employing least-privilege access, which means that the organization grants the lowest level of access possible to each user or device to help limit lateral movement across the network in the event of a breach
  • Leveraging microsegmentation, a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network

Learn More

Learn about the benefits of tabletop exercises and what The CrowdStrike Service's team can deliver to your team

Am I Ready? The CrowdStrike Tabletop Exercise

How to Build an Effective Red Team and Blue Team

CrowdStrike Red Team Blue Team Comparison

How CrowdStrike® Services can be the right solution for organizations:

Adversaries are constantly evolving their attack TTPs, which can lead to breaches going undetected for weeks or months. At the same time, organizations are failing to detect sophisticated attacks because of ineffective security controls and gaps in their cybersecurity defenses. Security teams need to make sure they are ready for a targeted attack, and the ability to withstand one type of attack does not mean the team has the tools and visibility to withstand a more sophisticated attack.

The CrowdStrike Adversary Emulation Exercise is designed to give your organization the experience of a sophisticated targeted attack by real-world threat actors — without the damage or costs of experiencing a real breach. The CrowdStrike Services team leverages real-world threat actor TTPs derived from intelligence collected by CrowdStrike experts in the field responding to incidents and through the CrowdStrike Falcon® platform, which identifies trillions of events and millions of indicators every week. CrowdStrike Services develops a targeted attack campaign specific to your organization and aimed at users of interest, just as an adversary would. The team takes an objective, goal-oriented approach to the attack, focusing on demonstrating access to critical information in your organization to help show the impact of a breach to your leadership without having to suffer through a real breach. This exercise will help you answer the question, “Are we prepared for a targeted attack?

JJ Cranford is a Senior Manager of Product Marketing at CrowdStrike primarily responsible for Incident Response and Advisory Services. JJ previously held roles at Cybereason, OpenText and Guidance Software where he drove go-to market strategy for XDR, EDR and DFIR product suites. JJ provides insight into market trends, industry challenges, and solutions in the areas of incident response, endpoint security, risk management, and ransomware defense.