Why is a Red team typically more successful than a Blue team?

Over the last ten years we have performed more than one hundred red team assessments, and in only three cases did we fail to completely obtain the protected assets, information or data.

In general, as the red team, we are almost always on the winning side. But why? Are we so much smarter than the blue team? Or is it because defending is harder than breaking?

To answer the question of why the red team is so much more successful, we performed a short analysis of the tests we have carried out, focused on how difficult it was to obtain the protected data. Based on that analysis, we present three basic, continuous blue team activities that significantly reduce the attacker’s (or red team’s) success.

Time for a “spring clean-up”, or: do you know your assets?

Even though it would be best, you do not have to throw away every old app and system forgotten on your servers right away. But do “clean up” your asset inventory. We know, setting up vulnerability scans and hunting for new air-gap vectors is more fun. However, that kind of attack is complicated, and why would an attacker go to such lengths? In reality, we will find, for example, an old web application that the marketing department ordered for a campaign three years ago, and we exploit that. The “low hanging fruit” always comes first.

An asset inventory is the most important foundation of defence. You need to know every item you are protecting. Therefore, we recommend setting one basic, most important target for the blue team: update the asset inventory every week. That is all. If you meet this target correctly and continuously, the attacker will not have an easy job, because this measure eliminates the “lowest hanging fruit” (the easiest way to obtain protected assets).

Curiosity is good, or: learn to detect anomalies!

What is your detection capability? Yeah, we know, you probably have IDS and IPS, firewalls, a correlation engine and all the cool stuff. But do you know how we usually got a back-connect from the compromised machine? Meterpreter over TCP. A bit more challenging was OpenVPN on port 443/TCP. Sometimes we needed more complicated approaches, like a Raspberry Pi with LTE. And occasionally we used a satellite link (OK, honestly, we just wanted to try it; it is not really needed).

If your asset management and detection mechanisms are set up properly, you should catch us during these activities (because we had to put something into your network), so none of this is a big deal.

To be able to detect anomalies, we recommend setting a simple target: always know everything about your egress traffic. Egress is more important than ingress, because it is in the egress traffic that a successful attack becomes visible: whatever the attacker planted has to connect back out.
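The two targets above, a maintained asset inventory and full visibility of egress traffic, reinforce each other. The following is an added example (not code from the original post) that triages constructed egress flow records against a constructed inventory and per-role egress baseline; the hosts, roles, ports and log format are all assumptions for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto bytes_out bytes_in secs")

# Constructed asset inventory: internal host -> role. A host missing here is
# exactly the "forgotten" system the text warns about: nobody owns it.
INVENTORY = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.5": "workstation",
}

# Constructed per-role egress baseline: destination ports a role may initiate.
BASELINE = {
    "web": {53, 123},                  # DNS and NTP only; a web server does not browse
    "workstation": {53, 80, 123, 443},
}

# Constructed sample flow log: ts,src,dst,dport,proto,bytes_out,bytes_in,secs
SAMPLE_LOG = """\
1700000000,10.0.2.5,93.184.216.34,443,tcp,1200,54000,3
1700000010,10.0.1.10,203.0.113.7,4444,tcp,900,2100,600
1700000020,10.0.1.11,203.0.113.9,443,tcp,48000000,700000,7200
1700000030,10.0.3.77,198.51.100.4,443,tcp,5000,9000,10
"""

def parse(log: str):
    for line in log.splitlines():
        f = line.split(",")
        yield Flow(int(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]), int(f[6]), int(f[7]))

def triage(flow: Flow) -> list[str]:
    """Return the reasons why this egress flow deserves an analyst's attention."""
    reasons = []
    role = INVENTORY.get(flow.src)
    if role is None:
        return ["unknown asset"]        # inventory gap: first thing to fix
    if flow.dport not in BASELINE[role]:
        reasons.append(f"{role} egress to unexpected port {flow.dport}")
    # Long-lived, upload-heavy "HTTPS" has the shape of a tunnel, not of browsing.
    if flow.dport == 443 and flow.secs > 3600 and flow.bytes_out > 10 * flow.bytes_in:
        reasons.append("long-lived upload-heavy 443 session")
    return reasons

def report(log: str) -> dict[str, list[str]]:
    """Map 'src->dst:port' to its triage reasons, keeping only flagged flows."""
    return {f"{f.src}->{f.dst}:{f.dport}": r for f in parse(log) if (r := triage(f))}

if __name__ == "__main__":
    for key, why in report(SAMPLE_LOG).items():
        print(key, "|", "; ".join(why))
```

The workstation's short HTTPS session passes silently; the two web servers and the uninventoried host are the flows an operator should look at first.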

Practice makes perfect, or: training for incident response

When I had a role in a purple team, I had many interviews with blue and red team members. Do you know what’s funny? How little the red team and the blue team know each other. The blue team was expecting super-elite hackers who would use never-before-seen techniques and tools. The red team was expecting that the blue team would be able to detect things in the style of “Minority Report” (Minority Report is a film), meaning detect even the most basic port scan. But neither of these is true.

Practice makes perfect. Therefore, you should conduct periodic incident response exercises. Do you know how much harder it would be for an attacker if your operator worked together with an analyst and, upon detection, there were a clear list of actions and countermeasures?

In conclusion, a tip from Picard management tips (by the way, a great Twitter account, try it):

Picard management tip: Run crisis drills when all is well. A real calamity is not a good time for training.

What do you think? We agree!

Author: Jozef Mareš, founder.