Red vs. Blue and Purple Teaming: IR training camps
How quickly does your Blue Team detect offensive actions? Is the severity correctly classified and how long does it take to successfully fend off the attack? Red vs. Blue Teaming or Purple Teaming optimizes these values.
Theory of colors: Red-Blue-Purple
Testing a threat scenario in a realistic way
Red Teaming is about testing an entire threat scenario under the most realistic conditions possible.
- The attackers (Red Team) are given a target and try to achieve it step by step.
- The defenders (Blue Team) are not privy to it.
- The goal of the attackers is to reach the defined scenario goal and to remain undetected, if necessary over several attempts and paths.
A well-trained Blue Team in the 1st or 2nd league.
You need a well-trained and well-practiced Blue Team that is technically and professionally capable of detecting and handling professional attacks that also occur "under the radar". In addition, your security monitoring, for example the SIEM, must be well developed, because our Red Team knows the usual blind spots.
Newly established Security Operations Centers (SOC) or Cyber Defense Centers (CDC) usually can't do that yet and will view the entire assessment as a disgrace. Understandably so, because it's a bit like pitting a county league team against the last Champions League winner and asking afterwards why they lost so badly.
Test and optimize the detection capabilities of the Blue Team.
In Red vs. Blue Teaming, individual attack actions are defined. The objective is not for the Red Team to achieve a set goal by hacking, but to simulate the various attack steps it would take. For each of these steps, it is then checked whether and how quickly the Blue Team detects it and when a response is made.
- The attackers (Red Team) receive whitebox information and prepare all attack steps.
- The defenders (Blue Team) either know that something is going on, but of course not what, or they don't know anything about it.
- The goal is to execute the defined set of small test actions in a certain period of time and measure the detection and reaction of the Blue Team. Together with the Blue Team, the steps are analyzed afterwards and - if necessary - optimized.
An established Blue Team with mature detection technology.
A high level of maturity in security monitoring tools (SIEM or EDR) is a mandatory requirement for detecting anything at all. Otherwise, without the appropriate tools, you will only learn what you cannot detect.
In addition, your Blue Team and the associated escalation processes should already be in place. After all, Red vs. Blue Teaming is about correctly classifying an incident as quickly as possible and initiating the right response. If it is clear to you that this is not yet running smoothly, tabletop exercises are much more economical and constructive.
You can find more information about Red vs. Blue Teaming on this page below.
Incident response training in the professional league.
Purple Teaming starts where Red vs. Blue Teaming leaves off: You have detected an attack, or in practice more often one of the many individual steps it consists of, and have initiated further steps. Now it is about understanding quickly and professionally what is really behind the alarm, whether danger is imminent and which countermeasures have to be initiated.
- The attackers (Red Team) receive whitebox information and prepare all attack steps, or the artifacts those steps leave behind.
- The defenders (Blue Team) know about the assessment, after all they have a lot of work to do. However, they do not know any details.
- The goal is to use the defined set of attack actions to measure the maturity of the incident response in the Blue Team and - if necessary - to optimize it.
A Blue Team of the 1st League with detection technology and incident response processes.
Your well-trained and practiced Blue Team must have defined and trained incident response processes with runbooks or playbooks in addition to security monitoring tools (SIEM or EDR). Purple Teaming is not about detection and initial classification, but about triage and response with the associated steps of containment, analysis and remediation.
Purple Teaming then sharpens and trains these processes further, and we can still identify optimization potential in the procedures, the individual skills and the tools used.
You can find more information about Purple Teaming on this page below.
Red vs. Blue Teaming
The perfect solution if you want to know how well your external or internal SOC is performing.
Red vs. Blue Teaming is not about successfully completing a specific attack scenario and identifying vulnerabilities in systems and applications, but about executing or simulating a broader range of attack actions. These may or may not belong to a specific threat scenario.
The Blue Team is basically "on board" here; it is a cooperative assessment. However, it is not aware of any planned attack actions in advance. The Blue Team can be put on heightened alert, leading to more ambition and motivating results. In any case, representatives of the Blue Team must be informed in order to have appropriate resources available and to be able to de-escalate.
The process of a Red vs. Blue Teaming
At the beginning we define the goals of the project, adapted to the level of the Blue Team, in order to have challenging but still feasible test cases.
Then, a detection hypothesis and appropriate parameters are defined for each test case.
In the execution phase, the test cases are executed one by one. This can be done in one concentrated action or spread out over a longer period of time.
After a test case is triggered, we observe whether the attack action is detected and reported to the Blue Team. We measure the "Time to Detection" (TTD) and the "Time to Reaction" (TTR) for this purpose. The Blue Team is then immediately informed and - if necessary - the situation is de-escalated.
Red vs. Blue Teaming delivers the most sustainable success when it is not designed as a single project, but is carried out on a regular basis. In this way, we can train different aspects and measure continuous progress.
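As an added example (not code from the original page or from the provider's own tooling), a small Python scoring script that turns per-test-case timestamps into the "Time to Detection" and "Time to Reaction" metrics described above and checks whether the severity classified by the Blue Team matches the detection hypothesis; the test-case names, timestamps and the 24-hour detection window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class TestCase:
    name: str
    executed_at: datetime                    # when the Red Team triggered the action
    expected_severity: str                   # detection hypothesis agreed beforehand
    detected_at: Optional[datetime] = None   # alert reached the Blue Team; None = missed
    classified_severity: Optional[str] = None
    reacted_at: Optional[datetime] = None    # first response action; None = no reaction

def score_case(tc: TestCase, window: timedelta) -> dict:
    # A detection outside the agreed window counts as a miss, not as a slow hit.
    detected = tc.detected_at is not None and tc.detected_at <= tc.executed_at + window
    def elapsed(t: Optional[datetime]) -> Optional[float]:
        return None if t is None else (t - tc.executed_at).total_seconds() / 60
    return {
        "name": tc.name,
        "detected": detected,
        "ttd_min": elapsed(tc.detected_at) if detected else None,
        "ttr_min": elapsed(tc.reacted_at) if detected else None,
        "severity_ok": detected and tc.classified_severity == tc.expected_severity,
    }

def summarize(cases: list, window: timedelta = timedelta(hours=24)) -> dict:
    results = [score_case(tc, window) for tc in cases]
    ttds = [r["ttd_min"] for r in results if r["ttd_min"] is not None]
    ttrs = [r["ttr_min"] for r in results if r["ttr_min"] is not None]
    return {
        "cases": results,
        "detection_rate": sum(r["detected"] for r in results) / len(results),
        "severity_ok_rate": sum(r["severity_ok"] for r in results) / len(results),
        "median_ttd_min": median(ttds) if ttds else None,
        "median_ttr_min": median(ttrs) if ttrs else None,
    }

T0 = datetime(2024, 3, 5, 9, 0)  # constructed sample data, not from a real assessment
SAMPLE = [
    TestCase("TC-01 new local admin account", T0, "medium",
             T0 + timedelta(minutes=12), "medium", T0 + timedelta(minutes=40)),
    TestCase("TC-02 mass file access", T0 + timedelta(hours=1), "high",
             T0 + timedelta(hours=1, minutes=3), "medium", T0 + timedelta(hours=1, minutes=25)),
    TestCase("TC-03 new scheduled task", T0 + timedelta(hours=2), "medium"),  # never detected
    TestCase("TC-04 unusual outbound connection", T0 + timedelta(hours=3), "high",
             T0 + timedelta(days=2), "high"),  # found only after the 24 h window, no reaction
]
```

Calling `summarize(SAMPLE)` yields a 50 % detection rate, a 25 % correct-severity rate and median TTD/TTR of 7.5 and 32.5 minutes, which is the kind of per-run snapshot that can be compared across repeated assessments.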
Do you want to test and improve your Blue Team?
Purple Teaming
The detection of security incidents is important; the correct response to them is crucial.
Purple Teaming is not about successfully completing a specific attack scenario and identifying vulnerabilities in systems and applications, but analyzing the response to detected incidents. These may or may not belong to a specific threat scenario.
The Blue Team is basically "on board" here; it is a cooperative assessment. However, it does not know any details about the simulated incidents in advance.
The process of a Purple Teaming
At the beginning, we define the goals of the project, adapted to the level of the Blue Team, in order to have challenging, yet feasible test cases.
Then, for each test case, the expected results are defined and preparations are made to generate the necessary traces and artifacts.
In the execution phase, the test cases are executed one by one and the Blue Team is informed about each one.
After a test case is triggered, we observe how the Blue Team gets an overview of the initial situation, classifies the severity, secures evidence, initiates immediate actions (containment), performs root-cause analysis, identifies potential damage, and what remediation and recovery actions are advised.
Purple Teaming brings the most sustainable success when it is not designed as a stand-alone project, but is conducted on a regular basis. This way, we can train on different aspects and measure continuous progress.