How many teams are there in your company?

There are companies which have already realised they need security engineers to protect their services and information. These companies have at least one or two people in charge of information security. There are also companies with employees who work with security standards such as PCI-DSS or ISO 27001, or with regulations such as GDPR. These people handle lots of paperwork: they have to check procedures, policies, strategies, etc. What’s more, some companies hire a hacking team to learn about the bugs, misconfigurations and weaknesses in their services. However, there are increasingly more people working in information security. Today, I’m going to write about three new teams: Red Team, Blue Team and Purple Team.

Penetration Testing and Ethical Hacking are well known to most companies that want to identify vulnerabilities and risks in their systems and to know whether those systems can be compromised easily by an attacker. However, a Red Team is a group of people who act as adversaries and test many environments, instead of the one or two a pentester does. In addition, it is usually a multidisciplinary team, because its members come from IT administration, network engineering, Windows and Unix administration, or even development.

There are many tools that are really useful for the Red Team. For instance, I wrote about RedHunt last month, which is an adversary and intelligence emulator. RedHunt includes security tools such as Caldera, Atomic Red Team, DumpsterFire and Metta. However, there are many other interesting tools for the Red Team. For example, FlightSIM is a utility used to generate malicious traffic such as DGA traffic, requests to known active C2 destinations, etc. Blue Team Training Toolkit (BT3) is another interesting utility that creates realistic computer attack scenarios. Therefore, there are many tools ready for the Red Team.

On the other hand, the Blue Team is a group of people who work to detect attacks and prevent security incidents. They have to identify attacks and intrusions on systems, stay alert for reactive and preventive actions, and block attacks before they succeed. Therefore, they work alongside the Red Team: while the Red Team attacks the company, the Blue Team defends it.

There are lots of well-known tools ready for the Blue Team. Antimalware software is a must for endpoints and servers. Network firewalls are installed in most companies. Web Application Firewalls (WAF) are also installed in many companies. SIEM appliances are increasingly installed in companies that want to collect logs for analysis and visibility. The Blue Team is more common in companies than the Red Team.
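To make the Red Team / Blue Team interplay concrete: a Red Team tool such as FlightSIM emulates DGA traffic, and the Blue Team's job is to spot it in the DNS logs that the SIEM collects. The following is an added example written for this post, not code from the post, from FlightSIM or from any SIEM vendor. It scores domain names with simple lexical heuristics (entropy, vowel ratio, digit ratio, label length) over a few constructed DNS log lines; the thresholds and the log format are assumptions chosen for illustration, and a production rule would use a public suffix list instead of the naive second-level-label extraction shown here.

```python
import math
from collections import Counter

# Constructed sample DNS query log lines (not real traffic).
# Format assumed for this example: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2019-03-04T10:01:02Z 10.0.0.12 www.example.com
2019-03-04T10:01:03Z 10.0.0.12 mail.example.org
2019-03-04T10:01:05Z 10.0.0.23 kq7x9zlw3vbp2m.net
2019-03-04T10:01:06Z 10.0.0.23 x8v2qzj4pl9wm.com
2019-03-04T10:01:07Z 10.0.0.23 t3rz8k1xq7vnp.info
2019-03-04T10:01:09Z 10.0.0.45 cdn.static-assets.example.net
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Naive second-level label ("example" for www.example.com).
    Assumption for this example: a real rule would consult a public suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname):
    """Count how many DGA-like lexical traits a name shows (0..4).
    Thresholds are illustrative assumptions, not tuned values."""
    label = registrable_label(qname)
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)

    score = 0
    if entropy >= 3.3:        # many distinct characters, little repetition
        score += 1
    if vowel_ratio < 0.25:    # human-chosen words usually contain vowels
        score += 1
    if digit_ratio > 0.1:     # digits mixed into the label
        score += 1
    if len(label) >= 12:      # long machine-generated labels
        score += 1
    return score


def find_suspicious(log_text, threshold=3):
    """Return {client_ip: [(qname, score), ...]} for names at or above threshold.
    Grouping by client lets an analyst see a host burning through many DGA names."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, client, qname = line.split()
        score = dga_score(qname)
        if score >= threshold:
            hits.setdefault(client, []).append((qname, score))
    return hits


if __name__ == "__main__":
    for client, names in find_suspicious(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups")
        for qname, score in names:
            print(f"  {qname} (score {score})")
```

Only the host 10.0.0.23 is flagged, with all three of its lookups scoring 4. The point of grouping by client is that a single odd-looking name is weak evidence, whereas one host resolving several such names in a few seconds is the pattern a SIEM correlation rule would alert on; this is the kind of detection the Blue Team tunes against the traffic the Red Team generates.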

I think the Red Team and Blue Team tasks are already well understood. However, there is another team, the Purple Team, which sits between the Red and Blue teams. The Purple Team uses the defensive tactics and controls of the Blue Team together with the threats and vulnerabilities found by the Red Team, with the aim of maximizing the knowledge of both teams.

Regards my friends. How many teams are there in your company?