As red and blue teaming is such a large topic, I have decided to split this SQA article into six parts over the next six weeks.
- What is a Red Team
- What is a Blue Team
- Top 5 Red and Blue Team skills
- Which is more important Red or Blue?
- Test, Test, Test again
Top 5 Red team and Blue team skills
The characteristics and mindsets of red teams and blue teams are as different as the operating procedures they use.
Below are the key skills each team requires to achieve its goals. The list may also help you better understand your own skill set and traits, and which team you naturally fit into.
Red team skills
- Think outside the box: This, in my opinion, is the main characteristic of a red team member. As a red teamer, you must constantly find or develop new tools and techniques to test the company's security controls. A slightly rebellious attitude can help, but remember that you are part of an overarching team which includes the blue teamers: the goal is to improve the defences, not just to get in.
- Deep knowledge of systems: Some of the best red teamers are system administrators. Deep knowledge of operating systems, network protocols and the known attack methodologies against them is what turns a foothold into the end goal.
- Software development: Development skills are highly beneficial for building custom tools, automating repetitive steps and reverse engineering existing applications. Writing code takes a lot of practice and continuous learning, but the ability to write scripts and tools can be vital when an off-the-shelf tool does not fit the target.
- Penetration testing: The ability to perform a pentest and follow a recognised framework helps the red team identify vulnerabilities and the threats they expose the company to. Penetration testing is an essential part of red teaming and one of its "standard" procedures; knowing how to use the standard pentesting tools provides the foundation of any exercise.
- Social engineering: An engagement may require manipulating people into performing actions that expose sensitive data or grant access to a building. Human error is one of the most frequent causes of data breaches and leaks, so it is a realistic path to test.
Blue team skills
- Organised and detail-oriented: Someone who is more procedure-driven and has a scientific mindset is more geared towards being a blue team member. An organised and methodical mindset is needed to avoid leaving gaps in a company's security infrastructure.
- Cybersecurity analysis and threat profiling: When assessing the security of a company you need to create a risk/threat profile. A good profile contains information about previous breaches in the same industry, the threat actors likely to target the company, and weaknesses previously identified in the company's own security systems.
- Hardening techniques: Hardening of operating systems, exposed services and network devices is essential. Following vendor and industry best practices will help mitigate attacks. There is no "one size fits all" when hardening a system; it takes time, effort and testing, but it reduces the overall attack surface.
- Network profiling: Being familiar with normal business network traffic helps you identify unusual and possibly malicious activity. Network profiling also shows which systems need to communicate, on which protocol and port, enabling you to implement internal network segregation successfully; it is important to remember that it is not all about the perimeter.
- Monitoring and alerting: A Security Information and Event Management (SIEM) solution offers real-time analysis of security events. It collects log data from different sources (network devices, servers, endpoints and applications), normalises it, and correlates the events against rules so that specific conditions raise an alert for an analyst to investigate.
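To make the last two blue team skills concrete, here is an added example (not code from the original article or from SQA) that ties network profiling to alerting. It learns a baseline of allowed flows from a known-good window of firewall log lines, collapses that baseline into the "who needs to talk to whom" rules you would use for internal segmentation, and then runs two simple detection rules over a later window: a flow that was never seen in the baseline, and one source hitting many ports on one destination. The log format, the IP addresses, the threshold and the function names are all assumptions made for the example; the log lines are constructed, not captured from a real network.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a generic firewall/flow style (assumed format,
# not from any specific product). The first window is the known-good period used
# to build the profile; the second is the window we monitor.
BASELINE_LOGS = """
2024-05-01T09:00:01 action=allow proto=tcp src=10.0.1.10 dst=10.0.2.20 dport=443
2024-05-01T09:00:05 action=allow proto=tcp src=10.0.1.11 dst=10.0.2.20 dport=443
2024-05-01T09:01:10 action=allow proto=tcp src=10.0.2.20 dst=10.0.3.30 dport=5432
2024-05-01T09:02:00 action=allow proto=udp src=10.0.1.10 dst=10.0.0.53 dport=53
2024-05-01T09:02:01 action=allow proto=udp src=10.0.1.11 dst=10.0.0.53 dport=53
""".strip().splitlines()

LIVE_LOGS = """
2024-05-02T11:00:01 action=allow proto=tcp src=10.0.1.10 dst=10.0.2.20 dport=443
2024-05-02T11:00:02 action=allow proto=tcp src=10.0.1.10 dst=10.0.3.30 dport=5432
2024-05-02T11:00:03 action=allow proto=tcp src=10.0.1.10 dst=10.0.3.30 dport=22
2024-05-02T11:00:04 action=allow proto=tcp src=10.0.1.10 dst=10.0.3.30 dport=3389
2024-05-02T11:00:05 action=allow proto=tcp src=10.0.1.10 dst=10.0.3.30 dport=445
2024-05-02T11:00:06 action=allow proto=udp src=10.0.1.11 dst=10.0.0.53 dport=53
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def build_profile(lines):
    """Learn the set of (src, dst, proto, dport) flows seen during the baseline."""
    profile = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "allow":
            profile.add((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return profile


def segmentation_rules(profile):
    """Collapse the profile into per-service rules: which sources may reach each
    (dst, proto, dport). This is the input to an internal firewall/segmentation policy."""
    rules = defaultdict(set)
    for src, dst, proto, dport in profile:
        rules[(dst, proto, dport)].add(src)
    return {svc: sorted(srcs) for svc, srcs in rules.items()}


def detect(profile, lines, fanout_threshold=4):
    """Run two rules over a monitored window and return a list of (kind, detail) alerts.
    - unknown_flow: a flow that never appeared in the baseline profile.
    - port_fanout: one src touched >= fanout_threshold distinct ports on one dst
      (a simple horizontal port-probe indicator; the threshold is an assumed value)."""
    alerts = []
    ports_per_pair = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparsed", line))  # a parse failure is itself worth seeing
            continue
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        if key not in profile:
            alerts.append(("unknown_flow", key))
        ports_per_pair[(rec["src"], rec["dst"])].add(rec["dport"])
    for (src, dst), ports in sorted(ports_per_pair.items()):
        if len(ports) >= fanout_threshold:
            alerts.append(("port_fanout", (src, dst, sorted(ports))))
    return alerts


if __name__ == "__main__":
    profile = build_profile(BASELINE_LOGS)
    for service, sources in sorted(segmentation_rules(profile).items()):
        print("allow", sources, "->", service)
    for kind, detail in detect(profile, LIVE_LOGS):
        print("ALERT", kind, detail)
```

In the constructed data the baseline shows workstations (10.0.1.x) reaching only the web tier and DNS, and only the web tier reaching the database host. The monitored window has a workstation connecting straight to the database host on four different ports, which the detector reports both as four unknown flows and as one port fan-out. A real SIEM rule would add a time window and suppression, but the underlying logic is the same: a profile of what is normal, and alerts on departures from it.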
Contact SQA on how we can assist your company to develop and test your team’s skills.