Within cyber security there are many vastly different roles, but they all hold the same aim of creating more secure systems. The terms “red team”, “blue team” and “purple team” are commonly used to categorise these roles. This article explores what these categorisations mean and what their roles entail.
A security team, typically internal, responsible for protecting the organisation against attacks – both real and simulated. “Blue team” is a broad discipline, with numerous differing roles. However, all blue team roles share the common goal of defending systems from attacks. The majority of specifically defined roles in these different teams fall under “blue team roles”.
During simulated attacks, the blue team have the same responsibility as they would if it were a real attack.
Some blue team roles include:
SOC analysts are responsible for monitoring an organisation’s IT systems, reducing the chance of threats sneaking past any security.
There are multiple tiers within the Security Operations Centre role.
Those with the lowest amount of experience. Analysts in this tier handle the simplest tasks of the 3:
Opening tickets.
Closing false positives.
Basic investigation of alerts.
Basic mitigation.
Prioritise incidents.
Manage and utilise monitoring tools – examples include SIEM products/software such as Splunk.
Personnel with more experience than tier 1. Analysts at this level get involved when a tier 1 analyst flags something that requires deeper investigation.
Deep investigation into issues raised by tier 1.
Complex mitigation.
Plans to counteract threats.
This is also referred to as threat hunting. These are the senior professionals in this field – the experts.
Advanced investigation into threats.
Research and investigation into emerging threats.
Utilise threat intelligence.
Aim to uncover lurking threats in the network that may have been missed by tier 1 or 2.
Software reverse engineering is the process of dissecting and analysing software. This allows the engineer to understand the functionalities and inner workings of the software in question.
Malware reverse engineering is the same concept, but with malware. It is conducted because:
It helps us learn how to create security defences.
It allows us to learn how to remove the malware from an infected device.
Security Engineers implement and design security systems and measures in an organisation. This is a varied role, requiring proficiency across the board. Responsibilities include network security, application security, cloud security and infrastructure security but will differ role to role dependent on the organisation and its requirements.
Forensics computer analysts have the task of investigating digital evidence to uncover security incidents and cybercrimes. They work across all devices, conducting data analysis in a methodical manner. Each step of their work must be recorded, so that their findings are presentable if they were to be needed in a court of law.
Those in digital forensics may be responsible for investigating breaches or attacks targeting their organisation, aiming to provide insight into the damage caused, the vulnerabilities exploited, and/or track the perpetrator.
The red team is a security team that is tasked with imitating a cyber attacker during attack simulations. The red team works together to gain access to what is often a set of predetermined objectives – this is what differentiates red teaming to penetration testing. The aim of the red team is to access information that achieves their unique goal.
Red team attacks include evasion and persistence, something penetration tests do not. Those in the red team are not typically provided with any information about the systems that they are attacking, and the blue team are sometimes not informed of the attack. This creates greater realism, allowing for a true simulated attack with real responses. The red team will utilise penetration testing, vulnerability assessments, and often social engineering.
The red team is often outsourced/a third party, but larger companies may have internal teams. They aim to provide the blue team with practice, and test where an organisation’s security measures are lacking. Furthermore, a red team attack enables an organisation to see how far an attacker could get into a system and what privileges they could gain before they are detected and halted by the blue team.
Red Team Operator
Red Team Member
Red Team Engineer
Red Team Manager
Furthermore, there are jobs on the market that use the skills and abilities that a red teamer would need, under a different role. These include:
Penetration tester
Ethical hacker
Security auditor
The “purple team” is typically not a physical team. Some organisations may structure their cyber teams in a way that has a separate purple team, but it usually refers to a cooperative mindset that exists between red teamers and blue teamers, one which encourages efficient communication and collaboration between the two teams. The red team and the blue team, whilst on opposite sides of the attack in a simulated attack, share a common goal. This common goal is to improve the organisation’s security systems. Collaboration is key to achieving this goal, and allows for continuous improvement of both teams and therefore of the organisation’s security.
The essence of a red and blue team attack simulation relies on cooperation. The red team is testing the blue team’s response capabilities, then both teams can analyse the results to improve the defences of the organisation. They can share their knowledge in doing so, as both sides have different expertise.
This cooperative approach is the most efficient way of mitigating risk using red and blue teams and is the recommended approach for all organisations. In this sense, all organisations with a cyber security department should have a “purple team”, whether it is defined as such or not.
