Something I mentioned in the last session was Red and Blue teams. In the security space, Red teams and Blue teams work as attackers and defenders to improve an organisation's security.
Both teams work toward improving an organisation's security posture, but in different ways.
The Red team takes the role of the attacker: it tries to find vulnerabilities in code or infrastructure and attempts to break through the cybersecurity defences.
The Blue team defends against those attacks and responds to incidents when they occur.
A very good way to understand and improve a company's security posture is to run these exercises between the Red and Blue teams. The whole idea is that the scenario mimics a real attack. Some of the areas where this approach helps are the following:
- Identifying vulnerabilities
- Hardening network security
- Gaining experience in detecting and isolating attacks
- Building detailed response plans
- Raising overall company security awareness
NIST (the National Institute of Standards and Technology) describes the Red Team as:
“a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture.”
They play the bad actor in the scenario or simulation of the attack.
When we speak about Red and Blue teams we are possibly going wider than the DevSecOps process and the principles of a software lifecycle, but knowing this is not going to hurt, and DevSecOps practices will ensure that overall you have a better security posture.
The Red team is tasked with thinking like the attacker, which we covered in the last session. Think about social engineering, and about involving the wider teams within the business, as a way to manipulate people and gain access to the network and services.
A key fundamental of the Red team is understanding software development. If you understand how applications are built, you are going to be able to identify possible weaknesses and then write your own programs to try to gain access and exploit them. On top of this, you may have heard the terms "penetration testing" or "pen testing": the overall aim of the Red team is to identify and try to exploit known vulnerabilities within an environment. With the rise of Open Source software, this is another area that I want to cover in a few sessions' time.
NIST (the National Institute of Standards and Technology) describes the Blue Team as:
“the group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers.”
The Blue team plays the defence: they analyse the current security posture of the business and then take action to improve it and stop those external attacks. In the Blue team you are also going to be focused on continuous monitoring (something we covered at the end of 2022 regarding DevOps), monitoring for breaches and responding to them when they occur.
As part of the Blue team you are going to have to understand the assets you are protecting and how best to protect them. In the IT landscape today we have lots of diverse options to run our workloads, applications and data.
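To make the Blue team's "monitoring for breaches" concrete, here is a small added example (my own illustration, not code from the original post or from any referenced resource). It parses a handful of constructed syslog-style SSH authentication lines, applies a simple detection rule a Blue team might run during a Red team exercise (many failed logins from one source inside a short window), and raises the severity when a successful login follows the failures, which is the pattern a response plan should treat as a likely compromise rather than just noise. The log lines, hostnames and IP addresses are all made up; the threshold and window are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (not taken from any real system).
# 203.0.113.45 and 192.0.2.10 are documentation-range addresses.
SAMPLE_LOG = """\
Jan 10 08:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51012 ssh2
Jan 10 08:00:02 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51014 ssh2
Jan 10 08:00:03 web01 sshd[2105]: Failed password for root from 203.0.113.45 port 51016 ssh2
Jan 10 08:00:04 web01 sshd[2107]: Failed password for root from 203.0.113.45 port 51018 ssh2
Jan 10 08:00:05 web01 sshd[2109]: Failed password for root from 203.0.113.45 port 51020 ssh2
Jan 10 08:00:09 web01 sshd[2111]: Accepted password for root from 203.0.113.45 port 51022 ssh2
Jan 10 08:15:00 web01 sshd[2201]: Failed password for alice from 192.0.2.10 port 40100 ssh2
Jan 10 08:15:30 web01 sshd[2203]: Accepted publickey for alice from 192.0.2.10 port 40102 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" shape of sshd logs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text, year=2023):
    """Turn raw log text into a list of auth events; syslog omits the year, so we assume one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not auth results are ignored by this rule
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on any source IP with at least `threshold` failures inside `window`.

    If an 'Accepted' login from the same IP follows the failure burst, the alert is
    marked critical: the guessing may have worked and the host should be isolated.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window: from each failure, count how many further failures fall inside `window`.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = failures[j - 1]["ts"]
                success_after = any(
                    e["result"] == "Accepted" and e["ts"] > last_fail for e in evs
                )
                alerts.append({
                    "ip": ip,
                    "failures": j - i,
                    "first_seen": failures[i]["ts"],
                    "users": sorted({e["user"] for e in failures[i:j]}),
                    "success_after": success_after,
                    "severity": "critical" if success_after else "high",
                })
                break  # one alert per source IP is enough for this rule
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        action = "isolate host and reset credentials" if alert["success_after"] else "block source, review"
        print(f"[{alert['severity'].upper()}] {alert['ip']}: {alert['failures']} failures "
              f"against {alert['users']} from {alert['first_seen']} -> {action}")
```

Run as a script it prints one critical alert for 203.0.113.45 (five failures in four seconds, then an accepted root login) and nothing for alice's single typo followed by a key-based login. The point for the Blue team is the pairing of a detection rule with a pre-agreed response step, which is exactly what a Red/Blue exercise lets you rehearse before a real incident.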
- Assessing Risk - risk assessments are going to give you a good understanding of which assets are the most critical within the business.
- Threat Intelligence - What threats are out there? There are thousands of vulnerabilities, possibly without a resolution; how can you mitigate the risk to those services without damaging the use case and the business need?
As cybersecurity grows in importance, with all the big brands getting hit, there is a need for more than just the Red and Blue teams when it comes to security within a business.
- The Yellow Team are our builders, the engineers and developers who develop the security systems and applications.
"We have our Red and Blue Teams just as we always have, but now with the introduction of a Yellow Team, we can have secondary coloured teams (Orange, Green and Purple) dedicated to mixing skills between attackers, defenders and coders — making code more secure and the organisation more secure."
The above excerpt was taken from the top resource listed at the end of the post.
Red, Blue and Yellow are primary colours; combine them and we start to understand where the other, secondary colours come into play. Again, there is a really great explanation in that first link.
- Purple Team - The special team! If you take Blue and Red you get Purple. If you integrate defence with offence, and you collaborate and share knowledge between the teams, you provide a better posture overall.
- Green Team - The feedback loop. The Green team takes insights from the Blue team and works closely with the Yellow team to be more efficient. Mix Blue and Yellow and what do you get?
- Orange Team - Much like the Green team working with the Blue team for feedback, the Orange team works with the Red team and passes on what they have learnt to the Yellow team, so they can build better security into their code.
When I got into researching this I realised that maybe I was moving away from the DevOps topics, but please, anyone in the DevSecOps space: is this useful? Is it correct? And do you have anything to add?
Obviously throughout we have the plan to dive into more specifics around DevSecOps and its different stages, so I was being mindful not to cover areas that will be covered in future sessions.
Also please add any additional resources.
See you on Day 5.