Adaptive Segmentationmicro-segmentation February 3, 2016

Red Teams, Blue Teams, and Being the Good Guy for Once

Jimmy Ray Purser,

Nearly everyone wants to be the “baddy.” In movies, video games, and more, being the Bad Dude is just the best. Of course, folks could apply all levels of psychology to it, but I’m an engineer and know less about psychology than I do about vegan cooking. From an engineering point of view, bad dudes do not have to think in a linear fashion.

Red Team/Blue Team games

For example, in Red Team-Blue Team security exercises, what is the first thing a blue team leader does? Breaks out a damn checklist. When that happens, the blue team has already lost.

Why? Because red-teamers think in 3-D graphs. They are ALWAYS going to win because while the blue team has thousands of vectors to think about, the red team only needs to find one.

So as a public service, let me share a few tips based on what I’ve learned from some of my red team successes to help the blue team win a few.

  1. Stop thinking that your objective is to stop attacks. Your goal is to increase the red team’s requirements to win. You are playing a time game designed to wear them down. Trying to stop attacks means you’ll miss their countermoves. Blue teams are analysts, not ex-red-teamers that crossed over. That notion works in Hollywood, not in the data center.
  1. Spend less time monitoring, and more time visualizing. Tons of today’s security tools are legacy tools that keep the install base happy and speed the time to market delivery. They provide limited traffic visibility and simple filtering capabilities. They are so bad that many blue teams are using Wireshark with RegEx expressions because current systems just cannot adapt to the evolving network. Red teams use encrypted traffic to bypass controls or hiding threats in obsolete SSL sessions. Red teams think visually. They have to because they have so many possible vectors.
  1. Realize there is no such thing as white/gray/black hats. Security has nothing to do with fashion, Zoolander! Red and blue teams are NOT equals on separate sides. Categorizing them like that allows teams to misjudge the other’s contribution and place loyalty in vendor buzzwords. This can result in some of most crazy data center designs that look like something that Rube Goldberg created. Hairpinning traffic or building the same complexity on prem in the cloud, then defending both? No No No! Red teams will ALWAYS use implementation over architecture.
  1. Read and then read some more. Blue teams should compare what read teams are doing with hardening guides from FIPS, NIST, CIS, NSA (Info Assurance) and question their recommendations as compared to yours. Also, take a look at the KATAKRI from Finland. Excellent guide!

Adaptive Segmentationmicro-segmentation
Share this post: