Modern malware actors break into company networks and steal whatever sensitive data they need. One effective way to keep an organization's security strong and up to date is to rely on red and blue team exercises. Specialists need to understand how malware actors think and how they act. Moreover, cybersecurity experts have to predict and prevent attacks to keep enterprises safe, and the key to this is dedicated training.
Red and blue teaming is a common method of identifying security weaknesses. The exercise works like this: a red team tries to compromise the system, and a blue team detects and responds to the intrusion. This combined work improves any company's security, and the technique is worth a try.
Let's discuss what each team is responsible for and which exercises can help them train.
Security operators on a red team act as attackers and try to penetrate the system. The test of the security program looks like a real attack. The exercises use a wide variety of tactics, from phishing to more sophisticated ones. After the simulation, the red team gives feedback on how to improve the defense.
The exercise usually takes a lot of preparation. The red team often knows nothing about the defense strategies, so the main goal at this stage is to gather information about operating systems, the network, and even staff and camera placement. Then, following a plan based on the collected information, specialists identify the vulnerabilities. After that comes the attack: the red team tries to get into the network and steal the sensitive data.
Various techniques and tools help operators exploit the weak points and break into the network. They may infect hosts with malware or even bypass physical security controls.
Here are the most common types of exercises used by a red team:
- Penetration testing: gaining access to a system with software tools.
- Social engineering: getting staff to reveal credentials or grant access to a restricted area.
- Phishing: sending fake emails that trick employees into giving up passwords or visiting fake websites.
Security professionals on a blue team protect the organization against any kind of threat. So if the red team plays offense, the blue team plays defense.
These operators know the company's security policy, and their goal is to enhance the organization's protection.
Blue teaming includes risk assessment, identifying which data must be protected, staff training, and more. Specialists investigate suspicious activity, monitor the system, analyze traffic, and scan for weaknesses. The result is a defensive plan that helps improve incident response.
Here are the most common types of exercises used by a blue team:
- Security audits to prevent phishing and other attacks.
- Analysis to track activity and detect signatures that might indicate a security breach.
- Reverse engineering.
- Designing risk scenarios.
- Installing security and IDS software and keeping it updated.
- Log and memory analysis to reveal an attack.
Training of teams
Training should be a mandatory step in a company's security strategy. Learning tactics from both the attacker's and the defender's side gives you effective protection. Together, adversarial and defensive methods build a strong security program.
Today we'll show an example of how you can run red and blue team training with ANY.RUN.
Red team exercise
This task is an example of how you can trace the blue team's steps while analyzing a threat. First, the email attachment is downloaded, then the archive inside it is opened. After that, the executable is launched and turns out to be malicious. You can also try other OS versions to investigate whether the chain works the same way there.
One way to improve a red teamer's skills is to understand how their sequence of actions will play out on different systems. They can also investigate which step may cause difficulties. For example, if the task above contained a Word document instead of the executable, the specialist would need to click through and enable macros.
ANY.RUN also serves as a preparation tool, as the red team can step into a user's shoes and predict their likely actions.
The platform can be part of blue team training, too. Let's look at what kind of task can be useful here.
Blue team exercise
The blue team has a wide range of scenarios in which ANY.RUN can be used, including detection, threat analysis, monitoring how samples execute, and others. But today we'd like to look at one more example suited to a blue team.
You can take a look at how different malware samples and campaigns affect the OS and what artifacts they leave behind. You can also test adversary simulation tools such as the APT simulator: run the tools with the desired parameters on different systems and study how those actions affect them. If a tool created output files, you can download them from the task. Running such activities inside working virtual machines lets you watch the actions performed by systems and tools in real time and analyze them in detail later.
To extend your network analysis, download the PCAP file from your task and take a deeper look at the captured traffic in tools such as Wireshark. You can also download the SSL keys from the task so that SSL/TLS traffic can be decrypted in third-party tools. Check out the sample blue team task for training.
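The PCAP-plus-SSL-keys workflow described above only pays off when the key log actually covers the sessions in the capture: a key log file in the NSS "SSLKEYLOGFILE" format ties each secret to the `client_random` of a TLS ClientHello, and Wireshark can only decrypt sessions whose random appears in it. The Python below is an added example, not ANY.RUN's own code: it reads a classic pcap, extracts the `client_random` from every ClientHello, matches it against the key log, and reports per session whether application data can be decrypted (a `CLIENT_RANDOM` line for TLS 1.2, or a `CLIENT_TRAFFIC_SECRET_0` line for TLS 1.3). The capture and key log are constructed inline, and the parser assumes a little-endian classic pcap with Ethernet framing.

```python
"""Check which TLS sessions in a PCAP the matching SSL key log can decrypt,
before opening the capture in Wireshark. Added example, not ANY.RUN's code;
assumes an NSS-format key log and a little-endian classic pcap (Ethernet)."""
import struct

RAND_A = bytes(range(0, 32))    # constructed client_random, session A
RAND_B = bytes(range(32, 64))   # constructed client_random, session B

# Constructed key log: A has a TLS 1.2 master secret, B only a TLS 1.3 handshake secret.
SAMPLE_KEYLOG = "\n".join([
    "# constructed NSS key log",
    f"CLIENT_RANDOM {RAND_A.hex()} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {'bb' * 32}",
])

def parse_keylog(text):
    """Map client_random (hex) -> set of labels logged for that session."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blanks, comments, malformed lines and legacy RSA lines (keyed by pre-master bytes).
        if len(parts) != 3 or parts[0].startswith("#") or parts[0] == "RSA":
            continue
        secrets.setdefault(parts[1].lower(), set()).add(parts[0])
    return secrets

def _iter_frames(pcap):
    """Yield raw frames from a classic little-endian pcap (pcapng not handled)."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic not in (0xA1B2C3D4, 0xA1B23C4D) or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]   # ts_sec, ts_frac, incl_len, orig_len
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def _tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:          # IPv4 carrying TCP only
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def client_randoms(pcap):
    """Map the client_random (hex) of every ClientHello -> its TCP 4-tuple."""
    found = {}
    for frame in _iter_frames(pcap):
        parsed = _tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        # Record type 0x16 (handshake), handshake type 0x01 (ClientHello); client_random
        # follows the 5-byte record header, 4-byte handshake header and 2-byte version.
        if len(payload) >= 43 and payload[0] == 0x16 and payload[5] == 0x01:
            found[payload[11:43].hex()] = (src, sport, dst, dport)
    return found

def coverage_report(pcap, keylog_text):
    """One entry per ClientHello: labels found and whether application data is
    decryptable (CLIENT_RANDOM for TLS 1.2, CLIENT_TRAFFIC_SECRET_0 for TLS 1.3)."""
    secrets, report = parse_keylog(keylog_text), []
    for rand, (src, sport, dst, dport) in client_randoms(pcap).items():
        labels = secrets.get(rand, set())
        report.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "client_random": rand,
            "labels": sorted(labels),
            "app_data_decryptable": bool(labels & {"CLIENT_RANDOM", "CLIENT_TRAFFIC_SECRET_0"}),
        })
    return report

def _client_hello(rand):
    """Minimal ClientHello record: version, random, empty session id, one suite."""
    body = b"\x03\x03" + rand + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def _frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame around payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_sample_pcap():
    """Constructed two-session capture as a little-endian classic pcap."""
    frames = [
        _frame("10.0.0.5", 49152, "203.0.113.10", 443, _client_hello(RAND_A)),
        _frame("10.0.0.5", 49153, "203.0.113.20", 443, _client_hello(RAND_B)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out
```

Calling `coverage_report(build_sample_pcap(), SAMPLE_KEYLOG)` flags the first session as decryptable and the second as not, because its key log entry carries only a handshake secret. In a real task, pass the downloaded PCAP bytes and key log text instead; once the report shows coverage, the same key log goes into Wireshark under Preferences > Protocols > TLS > "(Pre)-Master-Secret log filename" (or `tshark -o tls.keylog_file:<path>`) to see the decrypted traffic.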
Red and Blue team cooperation
Communication between the two teams is the essential element of team exercises.
The blue team should keep up with new methods of improving security and share its results with the red team. The red team should always be aware of new threats and the penetration techniques hackers use, and advise the blue team on prevention techniques.
When the simulation is over, both teams collect the results and report on them. The red team advises the blue team on how to prevent and stop similar attacks. The blue team, in turn, should let the red team know whether it identified the attempted break-in.
That's why the idea of a purple team has appeared. Its goal is to unite the red and blue teams so they work as one and share results.
Red versus blue is a concept that is constantly argued about. There is a perception among cybersecurity specialists that these techniques can only exist separately. However, the best results come only from joint work, like purple teaming.
Companies need to encourage this cooperation: plan, develop, and implement stronger security controls together, as it is the only way to improve security.
This approach to security is very effective, especially when it is performed once a year or when there are major changes in the company. Used in combination with security audits, staff education, and tools like ANY.RUN, you can be sure that all weak points will be eliminated and your security is strong.