Cybersecurity 101: What’s the Difference Between Red Team vs. Blue Team?

Many cybersecurity tactics are inspired by military wargaming, but none more so than red teaming and blue teaming. A form of ethical hacking, red teaming and blue teaming involve companies hiring highly trained cybersecurity experts to infiltrate their computer systems, networks, and servers.

The point of hiring an ethical hacker is to strengthen the organization’s cybersecurity defenses by finding and remediating weaknesses during a simulated attack, and create incident response plans that align with real-world conditions.

What is red teaming?

Red teaming is a method developed by the German military in the 19th century. Initially, military officials used a board game consisting of terrain pieces and battle tokens to simulate battle sequences. The idea was to get a better command of unpredictable events (known as “frictions”) in military conflict. In modern cybersecurity, red teaming is a full-blown multi-layered attack simulation designed to measure how well an organization’s computer networks, software applications, and physical security controls can withstand an attack from a real cybercriminal.

While penetration testing focuses on a predefined scope of attack (such as testing certain applications or operating systems) while minimizing service interruptions, red teaming is a no-holds-barred approach leveraging social engineering as well as physical, application, and network penetration. In fact, the physical aspect includes testing security assets like motion sensors and cameras, data centers, and warehouses.

“Red teams look for any way in and that can mean doing anything, even impersonating a pizza delivery guy and walking into somebody’s office,” said Anand Mohabir, founder and CEO of Elteni, a cybersecurity consulting firm.

What is blue teaming?

Some organizations will also hire a “blue team” of defensive security professionals who are responsible for maintaining internal network defenses against attacks. Red teams simulate attacks against blue teams to test the network’s security.

The purpose of these cybersecurity exercises is twofold:

1. Avoid reputational or revenue-based damage (the average cost of a single cyber-attack is $1.1 million)
2. Protect an organization’s most valuable assets, such as computer systems, intellectual property, or trade secrets

Red teaming is labor-intensive and costly (outsourcing a high-quality red team costs roughly $250 an hour), so this type of cybersecurity testing tends to be done in high-security industries that provide essential services, like utility companies that generate gas, electric, water, and nuclear power. What’s more, seeing as cybercriminals are quick to form new attack strategies, red teaming must be done at regular intervals in order to be effective.

“I’ve never seen any official stats on this, but based on my own experiences, government agencies do it the most,” said Mark Adams, a cybersecurity consultant and mentor for Springboard’s Cyber Security Career Track. “Beyond that, it’s mostly companies that have high risk profiles such as banks and financial institutions.”

What is the difference between red teaming and penetration testing?

Penetration testing is when an organization carries out a simulated cyberattack to test its security defenses. A legal contract is drawn up stipulating the scope of the attack and terms of engagement, and every step is carefully planned out. In other words, it’s like a scheduled fire drill, where people are apprised on what to expect ahead of time.

Related Read: 12 Best Penetration Testing Courses & Certificates

Red teaming, on the other hand, is an anything-goes full-scale attack on an organization, which, just like a real cyberattack, isn’t conveniently scheduled to happen on a Saturday or confined only to a specific type of attack. Once an attacker is in the system, they typically use privilege escalation techniques, where they attempt to steal the credentials of an administrator who has access to critical information.

Red team exercise examples

Red teams start by gathering information about the target’s technology stack. They’ll start by uncovering which operating systems are in use (eg: Windows, macOS or Linux), each of which have their own weaknesses, identifying the make and model of networking equipment (servers, firewalls, switches, routers, access points, computers). Using this information, they’ll create a map of the network to determine what hosts are running which services, and where traffic is being sent. If they plan to perpetrate a physical attack in-person, such as stealing a hard drive, rather than mounting a remote attack, they’ll also investigate what physical controls are in place such as doors, locks, cameras and security personnel.

• Penetration testing: Simulated cyberattacks configured around a set of test goals.
• Social engineering: Psychologically manipulating someone into divulging sensitive information
• Phishing: Contacting a victim by phone, email, or text message while pretending to represent a legitimate organization.
• Intercepting communication software tools: Intercepting emails, phone calls, and other electronic communications to view their contents.
• Card cloning: Stealing data from payment cards with EMV chips and using them to create magnetic stripe cards.

Blue team exercise examples

Blue teams typically consist of incident response consultants who advise IT teams on how to respond to cyberattacks. Before an attack, the blue team gathers data, documents what systems need to be protected and carries out a risk assessment. A risk assessment is the process of identifying and analyzing potential threats. They then work to establish security measures to protect key assets of the organization.

• DNS audits to prevent phishing attacks
• Conducting digital analysis to create a baseline of network activity and more easily spot unusual activity
• Installing endpoint security software on external devices such as laptops and smartphones
• Deploying IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) software as a detective and preventive security control
• Ensuring perimeter security measures such as firewalls and antivirus software are installed and configured properly.

Does red teaming vs. blue teaming actually work?

In theory, it makes the most sense to have red teams and blue teams face off against each other—a practice known as purple teaming—so that organizations can develop an incident response plan in real time, but in the real world, blue teams and red teams aren’t very good at catching each other out. A 2019 survey by security management platform Exabeam found that over one third of organizations surveyed said their blue teams failed to catch offensive red teams. Red teaming is more commonplace, used by 72% of organizations surveyed, while just 60% conduct blue team exercises intended to test a defensive team’s ability to stop cyber attacks.

“Red teaming is always more exciting, but not as exciting as most people think,” said Adams. “People don’t see the hours spent on research, testing exploit code, using trial and error to see what works and what doesn’t. That’s 99% of it. The other 1% is penetrating the target system.”

While the rise of automated hacking has made cybercriminals more dangerous than ever, it has also led to the advent of automated hacking tests for company networks, which brings down the cost of conducting red teaming exercises.

Platforms like Rootshell and Randori offer ‘Red Team as a Service’ software that offers continuous penetration testing, which simulates the entire life cycle of a real-world cyber attack. Automated hacking tools, which predominantly use bots that are programmed to do one or more tasks repetitively, can learn new environments, expose vulnerabilities and flaws and exploit them for gains with minimal human intervention.

How do you get started in red teaming?

Red teams often consist of independent ethical hackers who specialize in offensive security. If you like taking things apart to better understand how they work and then putting them back together again, red teaming might be the path for you. War games and pen testing labs like Hack the Box and Virtual Hacking Labs are a great way to get your feet wet and determine if this career is right for you. Blue teams, on the other hand, consist of cybersecurity professionals (see here what cybersecurity analysts do) who specialize in defensive security, such as incident response and computer forensics. If playing detective and responding to emergencies appeals to you, you might be better off on a blue team.

Mohabir says that acquiring red teaming skills can prepare you for a career in both offensive and defensive security, since understanding how to break into a system helps you mount a stronger defense. “When you’re designing the systems to withstand certain types of attacks you have to understand the attack methodology,” he said of how he became involved in ethical hacking. “For me it came organically because a lot of what I was trying to do day to day was protect systems.”

Adams recommends pursuing an Offensive Security Certified Professional (OSCP) certification for those who aspire towards a career in red teaming or blue teaming.

“The OSCP is far more respected and sought after than the Certified Ethical Hacker (CEH) certification,” he said. “Certifications are not required, but they do help provide credibility.”

Since you’re here…
There are hundreds of thousands of vacant cybersecurity jobs, and one of them has your name on it. You can enter the industry in 6 months flat with our Cybersecurity Course. We’ve helped over 10,000 students make huge career changes with our fully flexible mentor-led bootcamps. Explore our free cybersecurity course curriculum today to start your career switch story.