Why is a Red team usually more successful than a Blue team?

Over the last ten years we performed more than one hundred red team assessments and only in three cases we failed to completely obtain protected assets, information or data.

In general, as the red team, we are almost always on the winning side. But why? Are we so much smarter than the blue team? Or is it because to defend is harder than to attack?

To answer the question, why is the red team significantly more successful, we performed a short analysis of the assessments aimed at assessing the difficulty of obtaining protected data. Based on the analysis, we present three basic, continual activities of the blue team that significantly reduces the red team’s success.

Time for “spring clean-up” or do you know your assets? Red team does!

Even thought you would like to, it’s not necessary to immediately throw away all old apps and systems on long time forgotten servers. But, do a “clean-up” in your assets inventory. We know, setting up new vulnerability scans and finding new air gap vectors is more fun. However, this attack vector is complicated. In a real world, we are going to find an old web application purchased by the marketing department for a campaign finished three years ago and exploit it. It is always “the low hanging fruit” first. Remember we are doing for your improvement not a conference show case.

Asset inventory is the most important basic line of defence. You need to know about every item you are protecting. Therefore, we recommend to set a basic, the most important target for the Blue team, to update the asset inventory every week. That is all. If your are doing this continuously, the attacker will not have an easy work, because with this measure you will eliminate “the lowest hanging fruit”.

Curiosity is good or learn to detect the anomalies!

What is your detection capability? Yeah, we know, you probably have IDS and IPS, firewalls, correlation engine and all those cool stuff. But do you know how usually we got backconnect from the cracked machine? Meterpreter TCP. A bit more challenging is using OpenVPN on port 443 / TCP. Sometimes it is necessary to use a more complicated approach, let’s say like Raspberry PI with LTE modem. And occasionally we use sat link (OK, full disclosure here we wanted to try it, it’s was not really needed).

If you have properly set up an asset management and detection capability, you should uncover our activities immediately (because we had to put something into your network) – so no big deal.

To be able to detect anomalies, we recommend to set a simple target – always know everything about egress traffic. Egress is more important than ingress because you can detect a successful attack in the egress traffic.

Practice makes perfect or train for incident response

When I had a role in the purple team, I had many interviews with blue and red team members. Funny thing, how much the red team and the blue team do not know each other. The blue team expects super-elite hackers who will use the never-seen techniques and tools. The red team expects that the blue team is able to detect an attack in the style of “Minority Report”. None of these is true.

Practice makes perfect. Therefore, you should do periodic incident response exercises. Do you know how much harder it would be for an attacker if your operator would be work with an analyst and upon detection there would be a clear list of actions and countermeasures?

In conclusion, I would like to share with you this tip from Twitter account Picard’s management tips (by the way, a great Twitter account, try it):

If you know how to manage incident red team is going to have hard time.
Run crisis drills when all is well. A real calamity is not a good time for training.

What do you think? We agree with Mr. Picard!