Information Security
Red Team vs Blue Team
Having a red team and having a blue team that can actually stop one are two different things. Three cases make the gap concrete:
- **Bangladesh Bank SWIFT heist 2016**: $81M stolen through fraudulent SWIFT transfers. The attackers showed red-team-level discipline: months of reconnaissance, spearphishing for initial access, lateral movement to the SWIFT terminals, and transfers issued off-hours. No one was actively hunting for the intrusion.
- **FireEye/Mandiant and SolarWinds 2020**: FireEye found its own compromise only because an attacker holding stolen credentials enrolled a new device for two-factor authentication and the security team asked the employee whether the enrollment was theirs. By then the SolarWinds supply-chain intrusion had gone undetected for roughly nine months, including by one of the world's top security teams, and the intruders had walked off with FireEye's red team tools.
- **MITRE ATT&CK Evaluations (APT29 emulation)**: vendors generally showed high telemetry visibility for the emulated TTPs but markedly lower analytic (alerting) detection; MITRE publishes per-step results, not scores or rankings. C2 over encrypted HTTPS is a recurring weak spot across products, because the payload is opaque without TLS interception and only metadata (timing, volume, destination) is left to detect on.
Red Team: Authorized Adversary Simulation
A red team simulates a real adversary to test organizational defenses under realistic conditions. Unlike a penetration test focused on finding vulnerabilities, a red team engagement tests whether defenders can detect and respond to an attack. The goal is not to compromise as many systems as possible - it is to achieve a specific objective (e.g., exfiltrate sensitive data) while evading detection.
In 2016, attackers stole $81 million from Bangladesh Bank via the SWIFT network. They had red-team-level discipline: months of reconnaissance, spearphishing for initial access, lateral movement to SWIFT terminals, and transaction fraud during off-hours. The Bangladesh Bank had no team that was actively hunting for adversarial behavior.
What distinguishes a red team engagement from a standard penetration test?
Blue Team: Detection and Response
The blue team is the defensive side: SOC analysts, threat hunters, and incident responders. Their tools are SIEM (log aggregation and correlation), EDR (endpoint detection and response), and NDR (network detection and response). Blue team effectiveness is measured by mean time to detect (MTTD) and mean time to respond (MTTR).
FireEye (now Mandiant), a company with one of the most sophisticated red teams globally, discovered the SolarWinds breach only when an attacker using stolen credentials enrolled a new device in an employee's two-factor authentication and the security team asked the employee whether the enrollment was theirs. The detection was accidental, not systematic: no alert fired on the intrusion itself. Even top-tier blue teams face adversaries who evade detection for months.
What do MTTD and MTTR measure in a blue team context?
Purple Team: Closing the Feedback Loop
Purple teaming is a collaborative exercise in which red and blue work together in real time. Red executes a technique; blue checks whether it was detected, and by which alert. If detection failed, blue writes or tunes a rule on the spot and red re-runs the technique to confirm the rule fires. This closes the feedback loop that separate red/blue exercises leave open for the weeks between report and remediation.
Palo Alto Networks' 2023 Unit 42 report is cited as finding that organizations running quarterly purple team exercises cut MTTD by about 40% compared to those relying solely on annual pentests. Whatever the exact figure, the mechanism is clear: every missed technique becomes a detection rule during the exercise rather than after a report cycle, so detection engineering moves at the pace of the exercise.
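The loop above, worked through on the HTTPS C2 case that the evaluation bullet at the top calls a recurring weak spot. This is an added example, not code from the page or from any vendor: red emits beacon-like TLS connections to a domain on no IOC list, blue's existing IOC rule stays silent, blue adds a periodicity analytic (coefficient of variation of the gaps between connections) and re-runs. The hostnames, timestamps, thresholds and the allowlist are all constructed for illustration.

```python
"""Purple team loop over constructed NDR-style connection logs (added example).

Red emulates HTTPS C2 beaconing to a host that is on no IOC list. Blue runs
its existing IOC rule (no alert), adds a periodicity analytic, and re-runs.
All hostnames, timestamps and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2024, 1, 15, 9, 0, 0)   # constructed start of the log window
KNOWN_BAD = {"evil.example"}            # constructed IOC list; red's domain is not on it
ALLOWLIST = {"time.example.net"}        # constructed: known-good periodic service

def red_emulate_beacon(host, dst, interval_s=60, jitter_s=2, count=30):
    """Red team step: outbound TLS connections every ~interval_s with small jitter."""
    t, rows = BASE, []
    for i in range(count):
        t += timedelta(seconds=interval_s + (i % 5) - jitter_s)  # deterministic jitter
        rows.append((t, host, dst, 512 + (i % 3) * 16))           # (ts, src, dst, bytes)
    return rows

def benign_browsing(host, count=40):
    """Irregular user traffic to several destinations (constructed)."""
    dsts = ["cdn.example.net", "mail.example.org", "docs.example.com"]
    gaps = [3, 40, 7, 300, 12, 90, 5, 600, 33, 1]
    t, rows = BASE, []
    for i in range(count):
        t += timedelta(seconds=gaps[i % len(gaps)] * (1 + i % 4))
        rows.append((t, host, dsts[i % 3], 2000 + (i * 37) % 9000))
    return rows

def benign_periodic(host, dst="time.example.net", interval_s=300, count=25):
    """Perfectly periodic but legitimate traffic: the classic beacon-rule false positive."""
    return [(BASE + timedelta(seconds=interval_s * (i + 1)), host, dst, 90) for i in range(count)]

LOG = sorted(benign_browsing("ws-017") + benign_periodic("ws-017")
             + red_emulate_beacon("ws-017", "update-svc.example-cdn.net"))
RED_OBJECTIVE = ("ws-017", "update-svc.example-cdn.net")  # the pair blue should flag

def rule_ioc(log):
    """Blue's existing rule: destination on the IOC list."""
    return {(src, dst) for _, src, dst, _ in log if dst in KNOWN_BAD}

def rule_beacon(log, min_conns=20, max_cv=0.15, allow=ALLOWLIST):
    """Blue's new analytic: (src, dst) pairs with unusually regular inter-connection gaps.
    cv = stdev/mean of the gaps; human traffic is bursty (cv well above 1), beacons are not."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in log:
        if dst not in allow:                      # baselined periodic services are skipped
            by_pair[(src, dst)].append(ts)
    hits = set()
    for pair, times in by_pair.items():
        if len(times) < min_conns:                # too few connections to judge regularity
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            hits.add(pair)
    return hits

def purple_loop(log, rules, objective):
    """One purple iteration: which rules caught the red team's objective?"""
    return {name: objective in rule(log) for name, rule in rules.items()}

if __name__ == "__main__":
    print("pass 1:", purple_loop(LOG, {"ioc": rule_ioc}, RED_OBJECTIVE))
    print("pass 2:", purple_loop(LOG, {"ioc": rule_ioc, "beacon": rule_beacon}, RED_OBJECTIVE))
    print("beacon rule without allowlist:", rule_beacon(LOG, allow=set()))
```

The third print is the tuning step a real exercise produces: with the allowlist empty, the legitimate time-sync traffic is flagged as well, which is why the rule ships with a baseline of known periodic services rather than a bare threshold. Real beacons use larger jitter than this constructed one, so `max_cv` and `min_conns` are knobs to set against your own traffic, not constants.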
What problem does purple teaming solve that a traditional red team engagement does not?
Adversary Emulation: MITRE ATT&CK Evaluations
Adversary emulation reproduces the specific TTPs (Tactics, Techniques, and Procedures) of a known threat group. MITRE ATT&CK provides documented TTPs for groups like APT28, Lazarus, and Carbanak. MITRE Engenuity ATT&CK Evaluations test EDR products against these documented TTPs, providing independent benchmarks.
The Enterprise ATT&CK matrix contains 14 tactics and, as of 2024, roughly 200 techniques with over 400 sub-techniques. The framework is used by both offensive teams (to plan realistic attack paths) and defensive teams (to map detection coverage). Organizations use ATT&CK heatmaps, typically rendered as ATT&CK Navigator layers, to visualize which techniques have detection coverage and which are blind spots.
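Building such a heatmap from rule metadata, as an added example that is not MITRE's or any vendor's code: detection rules are tagged with the technique IDs they cover, in the style of Sigma's `tags` field, the script tallies rules per technique and per tactic, and emits an ATT&CK Navigator layer so uncovered techniques render as the coldest colour. The rule inventory and the technique subset are constructed; the Navigator `versions` and gradient values are assumptions to adjust to your Navigator install.

```python
"""ATT&CK detection-coverage heatmap from rule tags (added example).

Rules tagged Sigma-style ("attack.t1059.001") are tallied per technique and
per tactic, and written out as an ATT&CK Navigator layer. Technique subset
and rule inventory are constructed; a real run reads the full Enterprise
matrix and the SIEM's rule repository.
"""
import json
import re

TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed subset of Enterprise ATT&CK: technique ID -> (name, tactic)
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1053.005": ("Scheduled Task", "persistence"),
    "T1003.001": ("LSASS Memory", "credential-access"),
    "T1021.001": ("Remote Desktop Protocol", "lateral-movement"),
    "T1071.001": ("Web Protocols", "command-and-control"),
    "T1573.002": ("Asymmetric Cryptography", "command-and-control"),
    "T1048.002": ("Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "exfiltration"),
}

# Constructed rule inventory: rule name -> ATT&CK tags (Sigma tag style)
RULES = {
    "Suspicious PowerShell EncodedCommand": ["attack.execution", "attack.t1059.001"],
    "Office app spawning script host": ["attack.initial_access", "attack.t1566.001",
                                        "attack.execution", "attack.t1059.001"],
    "LSASS handle from non-system process": ["attack.credential_access", "attack.t1003.001"],
    "New scheduled task via schtasks": ["attack.persistence", "attack.t1053.005"],
}

def technique_scores(rules):
    """Count rules per technique ID; tactic tags (attack.execution) are ignored."""
    scores = {}
    for tags in rules.values():
        for tag in tags:
            m = TECH_TAG.match(tag)
            if m:
                tid = m.group(1).upper()
                scores[tid] = scores.get(tid, 0) + 1
    return scores

def tactic_coverage(techniques, scores):
    """Fraction of known techniques in each tactic with at least one rule."""
    totals, covered = {}, {}
    for tid, (_, tactic) in techniques.items():
        totals[tactic] = totals.get(tactic, 0) + 1
        if scores.get(tid, 0) > 0:
            covered[tactic] = covered.get(tactic, 0) + 1
    return {t: covered.get(t, 0) / n for t, n in totals.items()}

def blind_spots(techniques, scores):
    """Technique IDs with no rule at all: the first candidates for purple team time."""
    return sorted(tid for tid in techniques if scores.get(tid, 0) == 0)

def navigator_layer(techniques, scores, name="Detection coverage"):
    """ATT&CK Navigator layer; score 0 renders as the gradient's lowest colour.
    Version strings and colours are assumptions, not values from the page."""
    layer = {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "techniques": [],
    }
    for tid, (_, tactic) in techniques.items():
        n = scores.get(tid, 0)
        layer["techniques"].append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": n,
            "comment": "no detection rule" if n == 0 else f"{n} rule(s)",
        })
    return layer

def layer_json(layer):
    """Serialize for import via Navigator's 'Open Existing Layer' dialog."""
    return json.dumps(layer, indent=2)

if __name__ == "__main__":
    s = technique_scores(RULES)
    print("coverage by tactic:", tactic_coverage(TECHNIQUES, s))
    print("blind spots:", blind_spots(TECHNIQUES, s))
    print(layer_json(navigator_layer(TECHNIQUES, s)))
```

On this constructed inventory the whole command-and-control column is red, which is the same gap the SolarWinds and evaluation cases point at: plenty of rules on the execution and credential-access side, nothing on the channel the adversary actually lives on. The per-tactic fractions are what you would plot over time to show whether purple team work is moving the coverage.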
What makes MITRE ATT&CK Evaluations more useful for purchasing EDR products than vendor-provided benchmarks?
Summary
- **Red team** simulates a realistic adversary to test detection and response, not just to find vulnerabilities. The objective is achieving a goal (data exfiltration) while evading detection.
- **Blue team** measures effectiveness via MTTD and MTTR. Mandiant M-Trends 2023 global median dwell time: 16 days. Mature SOC target: under 24 hours.
- **Purple teaming** closes the detection feedback loop in real time. Red executes a technique; if detection fails, blue writes a rule immediately and red re-runs to confirm. Reported MTTD reductions of around 40% versus annual pentests alone.
- **Adversary emulation** reproduces specific APT TTPs using MITRE ATT&CK. ATT&CK heatmaps visualize detection coverage gaps across roughly 200 techniques and 400+ sub-techniques.
Related Topics
Red/Blue team operations draw on offensive tools and connect to monitoring infrastructure:
- Tools: Nmap, Burp, Metasploit — Red teams use these tools during engagement execution; blue teams build SIEM detection rules specifically for their traffic patterns.
- SIEM and Security Monitoring — Blue team effectiveness depends heavily on SIEM detection coverage, alongside EDR and NDR telemetry. Purple team exercises directly improve SIEM rule quality.
- Incident Response — Red team reports identify detection gaps; incident response procedures are tested and validated during red team exercises.
Questions for Reflection
- FireEye detected SolarWinds by accident, not through systematic monitoring. What specific monitoring controls could have detected the C2 beaconing over HTTPS earlier?
- A red team achieves its objective without triggering any SIEM alerts. Is this a red team success or a blue team failure - or both?
- How does an ATT&CK heatmap help prioritize which detection rules to build first?