Remote work and corporate digitization initiatives are driving productivity gains across the supply chain. These new workflows have a greater dependence on functionality across numerous critical applications and data repositories. Each of these connections becomes a potential point of exposure, disruption, and loss. Manufacturers integrate internal security teams, known as blue teams, to help build a defense against downtime caused by cyber attacks.
Our goal in this article is to explain blue teams, their role within an organization, how blue teams enhance cybersecurity, and how blue team exercises further help blue teams protect against cyber attacks that can cause business disruption and financial loss. We will also explain purple teams and what happens during a purple team assessment.
What is a blue team?
Similar to a red team, a blue team comprises a group of individuals who assess a network to identify any potential vulnerabilities that affect devices or critical systems that a business owns. Unlike a red team, which will attempt to exploit the identified vulnerabilities, blue teams seek viable means to improve the ability to avoid, deter, resist and respond to probable threats that are likely to become loss events. The role of the blue team is to serve as the defender for all electronic assets owned by an organization, whether internally or externally hosted.
Many manufacturers and producers use automated security tools to help identify and remediate vulnerabilities to protect against cyber attacks. However, if a business does not use policies, controls, monitoring, logging, patching, and incident management, it will be forced to react to incidents blindly.
Blue teams are responsible for monitoring, detecting, and reacting to security threats. We find that many manufacturers are completing only some of these requirements, which is why cyber criminals continue to focus on manufacturers: no one is responsible for performing these essential roles. During a breach, blue teams are incredibly useful, as they will follow the policies and protocols to isolate compromised systems and prevent attacks, such as ransomware, from escalating and spreading throughout the business network.
What are the blue team exercises?
Blue team exercises are controlled attack simulations that test the effectiveness of a blue team and its capabilities to detect, block, and mitigate attacks and breaches. Blue team exercises model threats that are likely to cause a loss event for an organization today. During the blue team exercise, a red team will begin attacking the organization’s assets to exploit vulnerabilities of systems, devices, and applications across the network. As more attacks and actions occur across the business environment, the blue team’s goal is to respond to the attacks and perform the necessary measures to isolate infected assets.
At the end of the blue team exercise, the red team will discuss the attack methods used and the actions taken afterward. This information is later used by the blue team to evaluate and prioritize changes required to prevent a similar attack from being successful again. In some cases, red teams and blue teams will directly interact with each other to time the simulated attacks, measure the effectiveness of attack response and provide help with how to deal with the threat if the blue team experiences any difficulty. These types of assessments are generally known as purple team exercises.
What is the difference between blue teams and red teams?
While red and blue teams both work with manufacturers and producers to help improve their cybersecurity, there are substantial differences between the two. The first difference between the red and blue teams is their specialty and background in cybersecurity. Red team members often specialize in offensive security practices, where their focus is finding vulnerabilities that can affect a business and developing custom exploits and tools to use during engagements.
Blue teams, on the other hand, focus on using their background in cybersecurity to help protect companies by identifying vulnerabilities, applying required security patches, and developing custom tools and filters to detect attacks. Blue teams also specialize in developing security practices and policies that evolve based on the needs of the business and the current state of cyber threats.
Another difference between red and blue teams is their role and involvement with a business. Red teams are not associated directly with the company. They are often considered a “third party” that’s contracted for a period of time to assess the current security of any given business. Their role is to operate as a malicious actor and simulate a realistic controlled series of cyber attacks against the organization. Blue teams are considered an internal resource for a business, where the blue team members work for the company and do not perform work for any other business. Blue teams comprise several team members that work in shifts to provide 24/7 protection for the business’s assets.
How does a blue team identify and prevent attacks?
Just as penetration testers and red team members use and create tools to help find and exploit vulnerabilities, blue team members also use specialized tools to monitor network traffic and create specific filters to quickly identify attacks that are taking place. Some of the tools used by blue team groups include intrusion detection and prevention, packet analysis, log and packet aggregation, active endpoint detection and response, and honeypots.
Intrusion detection and prevention tools serve as the first line of defense for identifying and preventing attacks from outside the network. Blue teams can use these tools to determine which assets are targeted, and even to help identify machines that are potentially being actively targeted. Blue team members can use this information to investigate later whether the targeted devices had any vulnerabilities that could have resulted in a successful breach.
Packet analysis tools, such as Wireshark, allow blue team members to analyze and string together individual packets sent across the network. If a device on the network is attacked, blue team members can analyze the traffic from the victim’s device, which can help identify the IP address of the attacker and understand the traffic communicated to and from the attacker and victim device. In cases where an exploit is used, it is sometimes possible to see the commands used against the compromised devices.
Log and packet aggregation tools are commonly used to organize web traffic logs for attack analysis. Similar to packet analysis, log aggregation is used to recreate attack chains or events that lead to an attack and breach, which can allow a blue team to analyze the behavior of a cyber attack. Log aggregation can also be used to help create firewall rules and custom alert filters for network traffic that can help prevent future attacks while also alerting the blue team to the attack more quickly.
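The log aggregation described above, as an added example that is not part of the original article: it groups constructed web access log lines by client address, rebuilds each client's request timeline, and applies one custom alert filter. The Common Log Format input, the threshold of three distinct 404 paths in 60 seconds, and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153
203.0.113.20 - - [12/Mar/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2024:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 153
this line is malformed and must be skipped
198.51.100.7 - - [12/Mar/2024:10:00:06 +0000] "GET /login HTTP/1.1" 200 900
203.0.113.20 - - [12/Mar/2024:10:05:00 +0000] "GET /missing.png HTTP/1.1" 404 153
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def aggregate(log_text):
    """Return {client_ip: [(time, method, path, status), ...]} sorted by time."""
    timelines = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        timelines[m["ip"]].append((ts, m["method"], m["path"], int(m["status"])))
    for events in timelines.values():
        events.sort(key=lambda e: e[0])
    return dict(timelines)

def probing_clients(timelines, min_paths=3, window=timedelta(seconds=60)):
    """Alert filter: clients with >= min_paths distinct 404 paths in one window."""
    alerts = {}
    for ip, events in timelines.items():
        misses = [(ts, path) for ts, _, path, status in events if status == 404]
        for start, _ in misses:
            paths = {p for ts, p in misses if timedelta(0) <= ts - start <= window}
            if len(paths) >= min_paths:
                alerts[ip] = sorted(paths)
                break
    return alerts

if __name__ == "__main__":
    timelines = aggregate(SAMPLE_LOG)
    for ip, paths in probing_clients(timelines).items():
        print(ip, "probed", paths, "last request:", timelines[ip][-1][1:])
```

The per-client timeline is what lets an analyst see what followed the flagged requests, here a successful request to /login after three misses.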
Active endpoint detection and response (ActiveEDR) is essential to blue teams. It solves the problems of EDR as we know it by tracking and contextualizing everything on a device. ActiveEDR can identify malicious acts in real time, automating the required responses and allowing for easier threat hunting by searching in a single console. ActiveEDR has some similarities to other EDR solutions, but unlike those, it does not rely on cloud connectivity to make a detection; the agent uses AI to decide without depending on cloud connectivity. This effectively reduces dwell time to run time. ActiveEDR continuously draws stories of what is happening on the endpoint. Once it detects harm, it is capable of mitigating not only malicious files and operations but the entire storyline.
Honeypots are another fascinating tool that is sometimes used by blue team members to learn about new threats and techniques while still ensuring the security of the business network. Honeypots are decoy assets deployed to look like prime targets and intentionally designed to be easy to breach. Honeypots allow the blue team to analyze attacks and new exploits to understand better how attackers are gaining access to the honeypot machines and what attack methods are used after the system is compromised.
You’ve mentioned purple team assessments. What are they and how do they work?
In a typical Red vs. Blue team assessment, red team members will use various tools and techniques to emulate targeted cyber attacks. The blue team is evaluated on their capabilities for responding to and defending against these attacks. Due to the limited interaction between these two teams during the engagements, there is potential that important lessons or information could be missing from either team. Purple team assessments allow for collaboration between the red and blue teams to share important information and increase shared understanding.
In a purple team assessment, both the red and blue teams begin preparing for the assessment after discussing the tactics, techniques, and procedures (TTPs) and the desired outcomes of the evaluation. This initial meeting includes an information exchange, in which the blue team shares sensitive information about the environment that the red team uses to further inform strategies and tactics. After the initial meeting between the red and blue teams, the red team will begin preparing attacks and exploit techniques based on the TTPs and goals discussed, as well as designing the environments needed for the assignment. The blue team will begin preparing the test environment for the red team, potentially replicating systems that the target company uses, installing and configuring the current security tools and software used, and creating user and administrator accounts with the needed credentials for those systems.
Once teams are prepared, they will coordinate a time to begin the assessment. As the evaluation commences, the red team will inform the blue team of the attacker IP addresses, delivery methods, user interactions, privileges gained, and the tools or exploits used. As the red team launches these attacks, they will also track the time that attacks are launched, and whether each attack was successful or not. The blue team will use this information to help identify and respond to the attacks, while tracking any actions taken in the case that assets are compromised due to a failed attempt to stop the attack. At the end of the assessment, both teams will discuss their observations during the purple team assessment, which allows both teams to learn about the detection methods of the attacks for future reference. The red team will use the captured data to produce an after-action report that covers the results from the assessment.
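One way to reconcile the two teams' records at the end of a purple team assessment, as an added example that is not part of the original article: the red team's launch log is matched against the blue team's alert log to give time to detect, detection coverage, and the successful attacks that were not caught in time. The record fields, the 30-minute matching window and all entries are constructed assumptions.

```python
from datetime import datetime, timedelta

def t(clock):
    return datetime.strptime(clock, "%H:%M:%S")

# Constructed red team log: what was launched, from where, when, and the outcome.
RED_LOG = [
    {"id": "R1", "action": "phishing email delivery", "src": "192.0.2.10", "launched": t("09:00:00"), "succeeded": True},
    {"id": "R2", "action": "credential reuse on VPN", "src": "192.0.2.10", "launched": t("09:20:00"), "succeeded": False},
    {"id": "R3", "action": "lateral movement attempt", "src": "192.0.2.11", "launched": t("09:45:00"), "succeeded": True},
]
# Constructed blue team log: when an alert was seen and what response was taken.
BLUE_LOG = [
    {"src": "192.0.2.10", "seen": t("09:04:30"), "response": "mailbox quarantined"},
    {"src": "192.0.2.10", "seen": t("09:21:10"), "response": "account locked"},
    {"src": "192.0.2.11", "seen": t("11:30:00"), "response": "host isolated"},
]

def correlate(red_log, blue_log, max_delay=timedelta(minutes=30)):
    """Match each red action to the first unused blue alert from the same
    source that was seen at or after launch and within max_delay."""
    used, rows = set(), []
    alerts = sorted(enumerate(blue_log), key=lambda pair: pair[1]["seen"])
    for attack in sorted(red_log, key=lambda a: a["launched"]):
        match = None
        for i, alert in alerts:
            delay = alert["seen"] - attack["launched"]
            if (i not in used and alert["src"] == attack["src"]
                    and timedelta(0) <= delay <= max_delay):
                match = (i, alert, delay)
                break
        if match:
            used.add(match[0])  # one alert cannot explain two attacks
        rows.append({
            "id": attack["id"],
            "detected": match is not None,
            "seconds_to_detect": int(match[2].total_seconds()) if match else None,
            "response": match[1]["response"] if match else None,
            # A successful attack with no timely alert is the priority finding.
            "gap": attack["succeeded"] and match is None,
        })
    return rows

def coverage(rows):
    """Fraction of red team actions that the blue team detected in time."""
    return sum(r["detected"] for r in rows) / len(rows)

if __name__ == "__main__":
    rows = correlate(RED_LOG, BLUE_LOG)
    for row in rows:
        print(row)
    print(f"coverage: {coverage(rows):.0%}")
```

In the constructed data, R3 is reported as a gap because the only alert for that source arrived 105 minutes after launch, outside the window.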
Certitude Security® is an Ohio-based cybersecurity services company that protects manufacturers throughout the United States from injustice. If you are interested in learning more about our assessment services or talking about how your leadership team desires assistance to understand cyber risk better, please visit our website to speak to one of our representatives.