We often hear the question: “Should we perform Red Team Testing without a Blue Team?” The answer is yes, and we will explain why by starting with a reminder of the objective of Red Team Testing – to verify the effectiveness of the security controls implemented in the organisation’s people, processes, facilities and technology. In short, to test whether the organisation could withstand a real-world cyber-attack.
The objectives of a Red Team
While each Red Team test can and should be scoped to meet the organisation’s specific risk management goals and objectives, the typical objectives are to first collect all publicly available information associated with the target organisation: the business locations and operations, suppliers, services, customers, employees and information, communication, and technology systems – anything and everything available through researching open sources.
This process of Open-Source Intelligence (OSINT) collection is critical to the testing, as this is what any serious Threat Actor would carry out prior to conducting an actual attack to increase their chances of success.
The Red Team would then assess this information to identify attack vectors and security vulnerabilities associated with these components which, if exploited, could result in unauthorised and undetected access to the target systems. The team’s objective would be to find the “path of least resistance” into the systems: the path with the fewest or weakest controls implemented to prevent unauthorised access, be it a path through people, processes or technology.
Once identified, the Red Team would then seek to design and execute attacks simulating real-world Threat Actor methodologies to exploit these vulnerabilities and gain access to the systems and exfiltrate data undetected.
Overall, a Red Team’s objectives are simple and straightforward: exploit any vulnerability found anywhere to obtain unauthorised access. The point is that these are the real-world objectives of any significant Threat Actor targeting an organisation.
The objectives of a Blue Team
A Blue Team, on the other hand, is a different animal altogether. A Blue Team is typically a group of cyber security analysts who perform real-time assessments of an information technology system to ensure its security integrity, identify technical security vulnerabilities, verify the effectiveness of the technical security controls implemented to prevent unauthorised access, and detect attempts to bypass these controls.
Most often the Blue Team’s responsibilities are associated with the operation of a Security Operations Centre (SOC) that continuously monitors the security integrity of the organisation’s systems to identify security incidents, anomalies and attempted breaches.
A Blue Team largely depends on a methodology of reviewing Security Information and Event Management (SIEM) output and performing traffic and data flow analysis and comparing this to threat intelligence data to spot suspicious anomalies and incidents.
Their primary objective is to keep their finger on the security pulse of the technical systems and to identify and respond to any and all potential attempts at unauthorised access.
Most current threats, like malware or phishing, will be stopped dead by automated tools deployed at the system’s perimeter through the use of endpoint security products and threat detection platforms.
A Blue Team’s overall objective is to provide vital human intelligence and interpretation to the output of these tools and technologies in order to (both proactively and reactively) defend the organisation from an attack. This is, of course, a critical goal for any organisation.
A Blue Team’s response (or lack thereof) to a Red Team’s technical attacks provides validation of the organisation’s capability to detect, deter, respond to and recover from a technical cyber-attack on its systems.
What if there’s no Blue Team in place?
So back to the question: “Should we perform Red Team Testing even though we don’t have a Blue Team?” The answer is still yes. Remember, Red Team Testing seeks to verify the effectiveness of all security controls implemented in the organisation’s people, processes, facilities and technology, whereas a SOC-based Blue Team is only monitoring the security controls implemented to protect the organisation’s systems.
At best, Blue Team activities could identify and respond to technical attacks conducted on the systems by the Red Team. But the other potential attack vectors associated with the organisation’s people, processes and operating locations are left open and unmonitored, presenting a “path of least resistance” to the Red Team.
What is your objective?
This is the real question behind this debate.
Conducting Red Team testing, with or without a Blue Team, is in our book the most cost-effective way to put the whole of your security budget to the test – and shouldn’t that be your objective?
Need more reasons? Give us a call to discuss.