Penetration Testing: Understanding Red, Blue, & Purple Teams

April 11, 2023 at 1:00 PM

Data breaches are growing more expensive by the day. The average cost of a data breach is projected to reach $5 million by the end of 2023, up from $4.35 million in 2022.

Penetration testing, or pen testing, helps you uncover unknown vulnerabilities and compliance gaps within your organization's cybersecurity posture so you can be better prepared in the future against such damaging cyberattacks.

Information security requires teamwork. Many organizations have adopted a red team/blue team approach to adversary attack and defense simulation testing. As defined by the National Institute of Standards and Technology (NIST), the red team/blue team approach is:

“A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.”

In 2017, a security expert suggested expanding this model to include a yellow team, and intersecting the red, blue, and yellow teams to create purple, orange, and green teams, as well as a white team.

Red team/blue team penetration testing is a powerful method for putting your defenses to the test. Understanding how it works and the roles involved can help strengthen the information security posture of your organization, enabling you to be more resilient against cyberattacks, social engineering, and phishing.

Understanding Roles in Penetration Testing

There are three main roles involved in team penetration testing: red (attacker), blue (defender), and the newly introduced yellow (builder). Simulated exercises using this team approach help organizations better prepare for the unexpected.

The yellow team prepares your security system by building software solutions, scripts, and other programs your blue team will use in the penetration test. The yellow team is made up of programmers, application developers, software engineers, and software architects. During the test, the red team will attempt to get past your defenses (blue team) using various hacking techniques including:

  • Gathering information from employees using phishing or social engineering
  • Using information previously exposed on the dark web
  • Exploiting vulnerabilities in your website and software

The blue team uses the yellow team's security programs to defend your system against both red team attackers and legitimate cyber threats.

Another commonly referenced term is the purple team. The purple team is less of a team and more of a process coordination between red and blue teams — it serves to collect lessons learned and maximize the capabilities of the two primary teams in devising comprehensive security solutions for the future. This final step is essential for getting the full picture of what each team discovered during the test.

Color-Coded Teams in Penetration Testing

Each team in a red team/blue team penetration test plays a valuable role in evaluating and strengthening your defenses. Here is how the responsibilities typically break down.

Red Team

Although red teams are often confused with penetration testers due to their overlapping skill sets, the two are not necessarily the same. A red team is most often tasked with achieving a specific objective (to access target data or systems), while the goal of a penetration tester is usually to uncover as many exploitable vulnerabilities as possible.

Typically, the red team includes specialized outsourced third parties with experience in performing highly targeted penetration testing of various systems. Leveraging this expertise allows organizations to use the best offensive testing scenarios as part of their penetration testing.

A typical red team exercise follows this process:

  1. Planning: The planning phase defines the Rules of Engagement and establishes a shared understanding of the context, scope, and goals of the penetration test. It also covers an extensive review of various testing methods, such as penetration testing, social engineering, and phishing, and the selection of the most applicable techniques.
  2. Analysis: Once the red team has gained an understanding of the organization's systems and findings, they will develop a comprehensive plan that utilizes the specified attack methods and techniques.
  3. Scanning: The red team then uses vulnerability scanning tools to identify targets and potential ways to exploit them.
  4. Testing: The test begins when the red team uses the intelligence gathered in the previous steps to begin attempting to access your systems and data. Red team members leverage every potential weakness through a wide range of attack vectors to break past the defenses, preferably without the blue team noticing.
  5. Reporting: Finally, both teams will form a dynamic party — the purple team — to report their findings and provide information security hardening recommendations.

This collaborative report will outline specific steps your company can take to improve your cybersecurity posture and ensure compliance with key industry regulations.

Blue Team

The blue team is responsible for defending against both real threats and red teaming in an information security test.

Here is what a test usually looks like for the blue team:

  1. Planning: Before the test, the blue team will perform a risk assessment to analyze defenses and identify any vulnerabilities that may exist. They will also evaluate the effectiveness of the security tools in place to make sure they are as strong as possible. The blue team must also identify the organization’s critical assets, rank the importance of these assets to the business, and detail what impact the absence of these assets will have. It is important to recognize that blue teams are your organization's proactive defenders; as such, they are trained and experienced in offensive techniques.
  2. Strengthening: Utilizing their expertise and in collaboration with the yellow team, the blue team will ensure the organization's information security is hardened against the red team's attacks. They may also provide additional training to staff if needed.
  3. Monitoring: During the test, the blue team will be on the lookout for unusual activity as always. Monitoring tools are often utilized, allowing information regarding access to the systems to be logged and checked for unusual activity. Part of the test is determining how long it takes before your organization discovers a breach, which is a helpful metric to use for future testing.
  4. Reporting: When the test has concluded, the blue team will collaborate with the red team to produce a joint report that includes key insights for improving your security posture. Now acting as a dynamic member of the purple team, they will ensure the most comprehensive findings and learnings are considered.

To get the most accurate idea of how your organization would respond to a real cyberattack, keep the blue team unaware of the test. Ideally, the only person who should know is the team's leader, who can help manage the situation if the perceived threat escalates.

Purple Team

Oftentimes, the red team can successfully penetrate the company's protections without the blue team ever realizing it. Without the red team's report, the blue team is unlikely to gain the knowledge they need to improve your security. That is where the purple team comes in.

The purple team is a dynamic team made up of both red and blue team members. This team drives the accumulation of findings, learnings, and recommendations based on insights gained during the testing process.

Purple teaming is critical for a successful red team exercise. In this step, the red team contributes information on the tactics, techniques, and procedures (TTPs) they used to gain entry to their system. They will also share which TTPs were successful and which ones failed.

Your blue team then uses that feedback to strengthen your organization's defenses. For example, if the red team executed successful phishing attacks, the blue team could focus on training your staff to recognize and respond to similar phishing attacks in the future.
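The following is an added example, not part of the original article, of how a purple team might reconcile the red team's action log with the blue team's alerts to see which TTPs were detected, how long detection took, and which successful actions went unnoticed. All host names, technique labels, timestamps, rule names, and the 24-hour matching window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: red team action log (what was run, where, when).
RED_ACTIONS = [
    {"technique": "phishing", "host": "ws-014", "time": "2023-03-01T09:00:00", "succeeded": True},
    {"technique": "vulnerability-scan", "host": "web-01", "time": "2023-03-01T10:30:00", "succeeded": True},
    {"technique": "web-exploit", "host": "web-01", "time": "2023-03-01T13:00:00", "succeeded": False},
    {"technique": "exposed-credentials", "host": "vpn-gw", "time": "2023-03-02T08:15:00", "succeeded": True},
]
# Constructed sample data: blue team alerts raised during the exercise.
BLUE_ALERTS = [
    {"host": "web-01", "time": "2023-03-01T09:10:00", "rule": "waf-noise"},
    {"host": "web-01", "time": "2023-03-01T10:42:00", "rule": "scan-burst"},
    {"host": "ws-014", "time": "2023-03-01T15:30:00", "rule": "suspicious-macro"},
]

def reconcile(actions, alerts, window=timedelta(hours=24)):
    """Pair each red team action with the first alert on the same host
    raised at or after the action and no later than `window` afterwards."""
    rows = []
    for act in actions:
        start = datetime.fromisoformat(act["time"])
        times = [datetime.fromisoformat(a["time"]) for a in alerts if a["host"] == act["host"]]
        hits = sorted(t for t in times if start <= t <= start + window)
        minutes = (hits[0] - start).total_seconds() / 60 if hits else None
        rows.append({**act, "minutes_to_detect": minutes})
    return rows

def summarize(rows):
    """Detection coverage, mean time to detect, and the successful
    techniques nobody noticed (the first items for the joint report)."""
    detected = [r["minutes_to_detect"] for r in rows if r["minutes_to_detect"] is not None]
    gaps = [r["technique"] for r in rows if r["succeeded"] and r["minutes_to_detect"] is None]
    return {
        "detected": len(detected),
        "total": len(rows),
        "mean_minutes_to_detect": sum(detected) / len(detected) if detected else None,
        "undetected_successes": gaps,
    }

if __name__ == "__main__":
    for row in reconcile(RED_ACTIONS, BLUE_ALERTS):
        print(row["technique"], row["host"], row["minutes_to_detect"])
    print(summarize(reconcile(RED_ACTIONS, BLUE_ALERTS)))
```

Matching on host and time alone is a simplification; a real exercise would also confirm that the alert was actually triaged as related to the action.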

Other Teams in Penetration Testing

Sometimes, companies will include additional teams in their tests, such as:

  • Yellow team: The yellow team represents the builders and consists of software developers and security architects who are responsible for building cybersecurity systems.
  • Orange team: The orange team is a combination of the red and yellow teams that includes IT personnel who use insights gained from the red team to help the yellow team be more security conscious in their development.
  • Green team: The green team combines the blue and yellow teams to use the blue team's reporting to improve upon the yellow team's security code. In some organizations, they may also automate blue team tasks like threat detection.
  • White team: The white team is the all-knowing, neutral third party that sets the rules of engagement, makes a plan, organizes the other teams, and monitors progress. This could include elements of Compliance, Management, Analysts, and/or logistics.

Depending on the makeup of your organization's IT department, your testing strategy may include all the above teams, or it might include merged instances of these teams with shared responsibilities.

Trust Compass IT Compliance with Your Penetration Testing Needs

Red team/blue team exercises help companies uncover vulnerabilities within their systems, defend against data breaches and ransomware, and ensure compliance with key cybersecurity regulations and standards such as HIPAA, NIST, GLBA, and PCI DSS.

To learn more about how a red team/blue team security assessment could bolster your cybersecurity posture, contact the Compass IT Compliance team. We offer multiple types of penetration testing services, including red team/blue team penetration testing exercises, to provide comprehensive insights into your current cybersecurity posture.

Take your security into your own hands. Contact us online today to get started!
