Red and blue teams are an example of two different approaches to security. We look at what you need to learn to take part in each of them, and how to choose between offensive and defensive security.

Traditional cybersecurity strategy focuses on protection. The shift to remote work and the adoption of BYOD (Bring Your Own Device) move the focus to detection and response. In this setting it makes sense to have both a defending and an attacking team.

Difference between Offensive and Defensive Security

Having an offensive security function in the company allows protection to be improved continuously under the “assume breach” model. The purpose of these “wars” is to find weak points and strengthen them, and to reduce response time to a minimum.

In some companies the red and blue teams exist on a permanent basis. At Microsoft, for example, a team of employees continuously validates the resilience of the Azure cloud platform. Google, McAfee and Tesla have something similar. In other companies such teams are assembled only for an exercise, and the red team is provided by a third-party organization that specializes in this.

Defensive and offensive security are not necessarily represented by whole blue and red teams. Sometimes a single penetration tester attacks the infrastructure while, say, a single cybersecurity analyst defends it. Depending on the size and scope of the company, it may need only penetration testing, or it may need both pentesters and a red team (their goals differ; more on that below).

Each team should consist of the best specialists in different areas, so as to get the most original solutions and a complete assessment. The red team, for example, will include dedicated specialists in social engineering, network security testing and security auditing.

Below we describe which skills the members of each team need and give examples of how the teams interact.

The attacking guys

Offensive security can take several forms.

Red teaming and traditional penetration testing are most often confused, because many of the required skills and the day-to-day work of the testers look the same, but the purpose and the results of the two differ.

1. The goal of pentesters is to find vulnerabilities in order to assess the resulting risk. The goal of red teaming is to use targeted attacks to understand how well the system is protected and how security-savvy the employees are.

2. Pentesters have a standard set of objectives and techniques for reaching them: gaining domain administrator privileges, stealing data, penetrating the internal network, etc. Red teams pick their tactics and techniques individually for each engagement.

3. The pentester’s workflow consists of searching for known vulnerabilities, analysing them and, in some cases, exploiting them. Red teams also look for zero-day (0-day) flaws and actually use them to compromise the target.

4. Time frame. For pentesters it is limited, from a few days to a couple of weeks, with enough time set aside to rule out false-positive findings. Red teams are not bound by such a limit; an engagement can run for months.

5. Report format. A red team report is written as a narrative of the attack, while a pentest report can simply be a list of the vulnerabilities found.

Required knowledge and skills for Red team members

You do not need to understand all these areas in detail. It is enough to understand how it all fits together and to master one thing. The skills below go from general to specialized. A red team member needs:

  • knowledge of the threat landscape of the customer’s industry;
  • an understanding of how attacks are carried out;
  • creative, unconventional thinking: you constantly have to look for new techniques and tools;
  • proficiency in penetration testing methods;
  • OSINT;
  • proficiency in threat emulation methods;
  • the ability to write their own exploits;
  • the skill of carrying out physical attacks and an understanding of physical security controls;
  • social engineering skills.

Technology stack:

  • operating systems and software packages;
  • network protocols and algorithms;
  • wireless networks;
  • encryption;
  • Python, Ruby, Perl, PowerShell, etc.;
  • BadUSB;
  • advanced systems administration and engineering;
  • custom applications, protocols and other technologies;
  • networks;
  • lock picking.

Examples of tasks

  • breach the company’s security by any means and obtain information, get into the system or physically enter the organization’s premises. This goes as far as turning up at the office, introducing yourself as a courier and asking to quickly drop a parcel off at the right office, then simply plugging a flash drive into the PC of an employee or even a manager;
  • avoid detection by the blue team;
  • test the security tools’ resistance to penetration;
  • identify and exploit mistakes and weaknesses in the company’s infrastructure.

The defensive guys

Defensive security can be implemented in the classic form of the company’s cybersecurity department. In the format of an exercise or of continuous security testing, a separate blue team is formed, most often from internal employees. Unlike a standard cybersecurity department, the team is in constant expectation of an attack.

Like the red team, the blue team evaluates the security of the network and identifies possible vulnerabilities, but by other means. It hardens the environment, detects and counters the red team and tries to limit what it can do. Blue has to react quickly to the opponents’ attacks, close the discovered holes where possible and document the results.

Defensive security covers such areas as the security operations center (SOC), threat intelligence (TI), forensics, cyber intelligence, etc.

Required knowledge and skills for the Blue team

  • the ability to find and analyse the main threats (OSINT helps here);
  • the ability to think through risk scenarios;
  • proficiency in hardening techniques and tools;
  • SIEM (Security Information and Event Management);
  • DNS auditing;
  • reverse engineering;
  • risk analysis;
  • analysis of digital traces (forensic artefacts);
  • DDoS testing;
  • firewalls;
  • antivirus software;
  • log analysis;
  • IDS (intrusion detection systems) and IPS (intrusion prevention systems);
  • packet capture (pcap) analysis.

Examples of tasks

  • identify the company’s critical assets;
  • assess and prioritize risks;
  • introduce measures that strengthen weak spots and are economically viable at the same time;
  • check that existing security controls work as they should. If the SIEM is silent, that does not mean there are no adversaries inside: the system may be misconfigured and visibility impaired;
  • track suspicious traffic and recognize indicators of compromise;
  • understand which phase the incident is in and act accordingly;
  • quickly shut down any compromise attempt. On detection, preserve and verify evidence, determine the type of incident (another department or law enforcement may need to be involved), contain the breach and fix the vulnerability;
  • identify the red team’s connections and block them.
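The “silent SIEM” point above deserves a concrete check. The Python script below is an added example, not code from the original article: it runs two blue-team checks offline over a handful of constructed Windows Security log records (the hostnames, users, IP addresses and timestamps are made up; 4624 and 4625 are the real Windows logon-success and logon-failure event IDs). check_log_source_silence() flags expected log sources that have not reported within a tolerance window, and detect_failed_logon_burst() is a simple threshold rule that only has a chance of firing when that visibility is intact.

```python
"""Added example, not part of the original article: two blue-team checks run
offline over constructed Windows Security log records.

- check_log_source_silence(): a SIEM that hears nothing from a host is not
  evidence that the host is clean; the forwarder may be broken or an attacker
  may have stopped it. Expected sources that fall silent are reported.
- detect_failed_logon_burst(): a threshold rule over 4625 (logon failure)
  events, sliding a time window per source IP. It can only fire if the
  host's events actually reach the SIEM.

4624/4625 are the real Windows event IDs; every host, user, IP and timestamp
below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): (timestamp, host, event_id, user, src_ip).
# FS01 stops reporting after 08:01, WS-22 never reports, 10.0.9.9 sprays WS-17.
EVENTS = [
    ("2024-03-01T08:00:00", "DC01",  4624, "alice",         "10.0.1.15"),
    ("2024-03-01T08:01:00", "FS01",  4624, "bob",           "10.0.1.20"),
    ("2024-03-01T08:02:00", "DC01",  4625, "alice",         "10.0.1.15"),  # one typo
    ("2024-03-01T08:02:30", "DC01",  4624, "alice",         "10.0.1.15"),
    ("2024-03-01T09:10:00", "WS-17", 4625, "administrator", "10.0.9.9"),
    ("2024-03-01T09:10:05", "WS-17", 4625, "administrator", "10.0.9.9"),
    ("2024-03-01T09:10:10", "WS-17", 4625, "backup",        "10.0.9.9"),
    ("2024-03-01T09:10:15", "WS-17", 4625, "svc_sql",       "10.0.9.9"),
    ("2024-03-01T09:10:20", "WS-17", 4625, "alice",         "10.0.9.9"),
    ("2024-03-01T09:10:25", "WS-17", 4625, "bob",           "10.0.9.9"),
    ("2024-03-01T09:55:00", "DC01",  4624, "carol",         "10.0.1.30"),
]
EXPECTED_SOURCES = {"DC01", "FS01", "WS-17", "WS-22"}  # hosts the SIEM should hear from
NOW = datetime.fromisoformat("2024-03-01T10:00:00")    # "current" time for the example
MAX_SILENCE = timedelta(hours=1)


def check_log_source_silence(events, expected_sources, now, max_silence):
    """Return {host: last_seen} for expected sources that are overdue.
    last_seen is None when the host has never reported at all."""
    last_seen = {}
    for ts, host, _event_id, _user, _src in events:
        t = datetime.fromisoformat(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    silent = {}
    for host in expected_sources:
        seen = last_seen.get(host)
        if seen is None or now - seen > max_silence:
            silent[host] = seen
    return silent


def detect_failed_logon_burst(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: peak_count} for sources with >= threshold 4625 events
    inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, _host, event_id, _user, src in events:
        if event_id == 4625:
            by_src[src].append(datetime.fromisoformat(ts))
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:  # shrink the window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def silent_sources():
    """Expected hosts the SIEM has not heard from within MAX_SILENCE."""
    return sorted(check_log_source_silence(EVENTS, EXPECTED_SOURCES, NOW, MAX_SILENCE))


def burst_alerts():
    """Source IPs that exceeded the failed-logon threshold."""
    return detect_failed_logon_burst(EVENTS)


if __name__ == "__main__":
    gaps = check_log_source_silence(EVENTS, EXPECTED_SOURCES, NOW, MAX_SILENCE)
    for host, seen in sorted(gaps.items()):
        print(f"VISIBILITY GAP: {host} last seen {seen.isoformat() if seen else 'never'}")
    for src, count in burst_alerts().items():
        print(f"FAILED LOGON BURST: {src} ({count} failures within 5 min)")
```

Run on the sample data, the first check reports FS01 (last record two hours old) and WS-22 (never reported) as visibility gaps, while the burst rule fires only for 10.0.9.9; the single failed logon from alice’s workstation stays below the threshold. In a real deployment the “expected sources” set should come from the asset inventory rather than from the log data itself, otherwise a host that never forwarded anything is invisible to the check too.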

Interaction of the red and blue team

The goal of the red team is to make the blue team better. When communication between the teams is established, they help each other and the work produces results, and their interaction comes down to the following:

  • working on the final report after some of the targets have been tested;
  • planning and developing new solutions to strengthen protection;
  • sharing knowledge: the blues talk about new defensive technologies and the reds about new threats and penetration techniques.

Sometimes a purple team is needed. It works on the effectiveness of both teams and usually consists of their own members. The purple team is an intense, temporary collaboration between reds and blues, a kind of joint training.

The tasks of the purple team:

1. Give both teams a better understanding of the infrastructure.

2. Reinforce the practice of regular feedback.

3. Let each team study the other’s way of working: the red team learns how best to get around existing defensive tactics, and the blue team how to improve attack mitigation and hunt for intruders.

4. Analyze the results and act on them, for example with more thorough employee training.

Red teaming examples

1. Gaining administrative access to Active Directory. A case from Group-IB.

One of the group’s subsidiaries was compromised, and a VPN between the local networks of the divisions was discovered. The network link itself was well secured. The team used a Kerberos “golden ticket” attack to bypass the smart-card protection: a golden ticket is a TGT forged with the krbtgt account’s key, so the attacker never goes through the smart-card logon at all. Using the trust relationship between the Active Directory domains, the team then obtained administrative rights at the head office.

2. Testing with social engineering. A case from QCC Global.

Phishing attacks were carried out to harvest user data. Red team members also phoned employees, including IT support staff, and tried to extract confidential information from them. 80% of the attempts were successful.

Without naming names, QCC Global delivered the report and drew up an individual training plan for employees based on the gaps found. A year later a retest using the same methods showed significant improvement: the QCC Global team gained far less access.

3. Cyber exercise scenarios from BI.ZONE, which also provides the red team.

1) The attacking team wants to steal confidential customer data.

The blue team’s actions during the incident: stop the attack as quickly as possible, minimize the amount of data stolen and keep the service running.

2) Attackers gained privileged access through a phishing attack.

The blue team investigates an incident that has already happened:

  • A connection to a command-and-control server was recorded. The blue team receives data from some of the compromised hosts: a memory dump, event logs, etc. Blue team action: apply computer forensics methods and tools.
  • The same incident, but with different indicators of compromise. EDR agents collect telemetry and send it to a threat hunting platform, where the data is analysed and anomalous activity is identified. Blue team action: a threat hunting approach.

The result of the two rounds should be a dossier on these incidents suitable for handing to law enforcement.
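Two of the cases above translate directly into blue-team hunts: the golden ticket used in the Group-IB case (1) and the EDR-telemetry hunt in the BI.ZONE scenario (3.2). The script below is an added example, not code from the original article or from any of the vendors named: it runs both hunts offline over constructed telemetry (every host, user, IP address and timestamp is made up; 4768 and 4769 are the real Windows Kerberos event IDs). hunt_tgs_without_tgt() looks for service-ticket requests by an account that no domain controller ever issued a TGT to, which is what a forged ticket looks like from the KDC’s side, and hunt_beacons() looks for the regular outbound connection cadence of a polling C2 implant.

```python
"""Added example, not part of the original article or of the vendors' cases:
two blue-team hunts run offline over constructed telemetry.

- hunt_tgs_without_tgt(): a golden ticket is a TGT forged with the krbtgt key,
  so no DC ever issued it. The DCs log no 4768 (TGT requested) for the account,
  yet 4769 (service ticket requested) events appear as the forged TGT is used.
  Flag 4769s whose account has no 4768 in the preceding lookback (default 10 h,
  the default TGT lifetime). Records must be merged from ALL DCs first, or
  normal logons served by another DC will be flagged too.
- hunt_beacons(): an implant polling its C2 at a fixed interval shows up in EDR
  telemetry as repeated connections from one process to one destination with
  unusually regular spacing. Flag (host, process, dst) tuples whose gaps have a
  low coefficient of variation; implant jitter raises the CV, so max_cv is a
  trade-off between misses and noise.

4768/4769 are the real Windows event IDs; all data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

KERB_EVENTS = [  # constructed DC Security log records, already merged from all DCs
    {"ts": "2024-03-01T08:00:00", "event_id": 4768, "user": "alice"},
    {"ts": "2024-03-01T08:00:05", "event_id": 4769, "user": "alice", "service": "cifs/FS01"},
    {"ts": "2024-03-01T09:30:00", "event_id": 4769, "user": "alice", "service": "ldap/DC01"},
    # svc_backup never obtained a TGT from any DC, yet presents one
    {"ts": "2024-03-01T09:45:00", "event_id": 4769, "user": "svc_backup", "service": "cifs/FS01"},
    {"ts": "2024-03-01T09:46:00", "event_id": 4769, "user": "svc_backup", "service": "ldap/DC01"},
]

NET_EVENTS = [  # constructed EDR outbound-connection telemetry: host, process, dst, time
    ("ws-17", "powershell.exe", "203.0.113.10:443", "2024-03-01T09:00:00"),
    ("ws-17", "chrome.exe",     "198.51.100.5:443", "2024-03-01T09:00:00"),
    ("ws-17", "chrome.exe",     "198.51.100.5:443", "2024-03-01T09:00:02"),
    ("ws-17", "chrome.exe",     "198.51.100.5:443", "2024-03-01T09:00:40"),
    ("ws-17", "powershell.exe", "203.0.113.10:443", "2024-03-01T09:01:02"),
    ("ws-17", "powershell.exe", "203.0.113.10:443", "2024-03-01T09:01:59"),
    ("ws-17", "powershell.exe", "203.0.113.10:443", "2024-03-01T09:03:01"),
    ("ws-17", "powershell.exe", "203.0.113.10:443", "2024-03-01T09:04:00"),
    ("ws-17", "chrome.exe",     "198.51.100.5:443", "2024-03-01T09:05:00"),
    ("ws-17", "powershell.exe", "203.0.113.10:443", "2024-03-01T09:05:00"),
    ("ws-17", "chrome.exe",     "198.51.100.5:443", "2024-03-01T09:05:07"),
    ("fs01",  "svchost.exe",    "10.0.1.5:445",     "2024-03-01T09:06:00"),
    ("fs01",  "svchost.exe",    "10.0.1.5:445",     "2024-03-01T09:07:00"),
    ("ws-17", "chrome.exe",     "198.51.100.5:443", "2024-03-01T09:12:00"),
]


def _t(s):
    return datetime.fromisoformat(s)


def hunt_tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """Return (user, service, ts) for each 4769 whose user has no 4768 in the
    lookback window ending at that 4769."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["event_id"] == 4768:
            tgt_times[e["user"]].append(_t(e["ts"]))
    hits = []
    for e in events:
        if e["event_id"] != 4769:
            continue
        t = _t(e["ts"])
        if not any(t - lookback <= tgt <= t for tgt in tgt_times.get(e["user"], [])):
            hits.append((e["user"], e["service"], e["ts"]))
    return hits


def hunt_beacons(events, min_connections=5, max_cv=0.2):
    """Return {(host, process, dst): mean_gap_seconds} for tuples with at least
    min_connections whose inter-connection gaps have CV <= max_cv."""
    by_key = defaultdict(list)
    for host, proc, dst, ts in events:
        by_key[(host, proc, dst)].append(_t(ts))
    beacons = {}
    for key, times in by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons


def golden_ticket_hits():
    return hunt_tgs_without_tgt(KERB_EVENTS)


def beacon_hits():
    return hunt_beacons(NET_EVENTS)


if __name__ == "__main__":
    for user, service, ts in golden_ticket_hits():
        print(f"TGS WITHOUT TGT: {user} -> {service} at {ts}")
    for (host, proc, dst), gap in beacon_hits().items():
        print(f"POSSIBLE BEACON: {host} {proc} -> {dst} every ~{gap}s")
```

On the sample data the Kerberos hunt reports both service-ticket requests by svc_backup and nothing for alice, whose TGT request precedes her 4769s within the lookback; the beacon hunt reports powershell.exe polling 203.0.113.10 roughly every 60 seconds and ignores the irregular browser traffic and the two-connection SMB session. Both are heuristics, not proofs: a TGT obtained before log retention began, or a ticket lifetime longer than the lookback, produces false positives in the first hunt, and legitimate agents that poll on a timer trip the second, which is why the results feed an analyst rather than an automatic block.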

How to choose a team?

If you still have not decided on a direction, here are a couple of options that will help.

1. Take part in an attack/defense CTF. In this kind of competition your team simultaneously attacks the other teams’ services and defends its own. Examples of such contests can be found here.

2. Try your hand at The Standoff, an annual cyber battle: a virtual city that reproduces the real technologies and vulnerabilities of banks, offices, mobile operators, transport systems, industrial facilities, sports infrastructure, etc.


To succeed on either the defending or the attacking side you still need to understand your opponent’s techniques. To defend well you need to know how to attack, and vice versa: your attacks will be far more effective if you know the defenders’ tools and techniques.