Why should you use red and blue teams?
Nov 26th, 2018 by Jesper Kråkhede
In the aftermath of the pentester's failed attempt to get hold of Active Directory, we started to discuss the long lead time involved in getting a pentester onsite. Sure, it's mainly a question of resources and money, but there is an underlying challenge that is seldom thought of. Today security functions are not static or passive. They have active components, they are updated, they work in conjunction with humans, and they are a lot more fluid in how they operate than before. The standard pentest is normally just some person coming in to test a solution without taking the active defenses into account. The deliverable is a report explaining the identified flaws, and we are left sitting there with a long (or short) list of actions to take.
This isn't good enough. You would want something more similar to real-world attacks. Enter the red and blue teams. So, what is that in reality? Well, the blue team is your Cyber Defence Centre doing its daily work, and the red team is a bunch of pentesters trying to find ways into the environment. The strength lies in the mutual learning when the red team explains how they carried out their attacks and the blue team explains how they responded. With an ongoing campaign you will end up with a security level far surpassing anything you have today. And by the way, drop that IDS project, will you?