Security in Plain English: What are Red, Blue, and Purple Teams?

May 21, 2018

Most organizations test their security systems and protocols on a regular basis - and your company is probably among those that do. So you may have heard terms like "Red,” “Blue," or even "Purple" teams being tossed around in the context of cybersecurity. What are these teams, what do they do, and how do they operate in your organization? Read on to find out!

A note on names: While the actual origin of the names "Red" and "Blue" are hard to pin down, a common theory is that they come from the early days of Player versus Player video games. Since the teams on each side of a Player versus Player battle can be randomly picked, identifying who was on each team was critical - a player who was on your team last round could be an opponent this round. One way many games made the team affiliation obvious to all players was to color the armor or uniforms of each team differently; red on one side, blue on the other. 

 

When testing the effectiveness of security protocols within a company, someone has to go out and actually attack those protocols and protections to see if they hold up. In the same vein, someone else needs to learn what worked and what didn't, and take action to defend the systems during and after the testing. Thus, we have the origin of two distinct teams of security professionals who are all working for the good of the company, but doing it in opposing ways.
 

Red Teams are the attackers. While not strictly required, Red Teams are usually outside contractors - since the best testing is done by a team with a lot of knowledge of how to break in, but no knowledge of what security is already in place. Knowing what security is being used can lead to some attacks being automatically avoided because there is security in place - which can lead to vulnerabilities being missed if that security isn't properly configured. Very large organizations do have internal Red Teams, but even they tend to supplement them with contracted firms to provide periodic, independent testing. Red Team members are adept at all forms of digital attack, as well as social engineering and other methods to find ways to break into the systems of a company - but are bound by employment agreements or legal contracts to not disclose what they find to anyone but the company that is being tested. They also work under an agreement not to remove or alter information they do access except within the limits of the test, and to destroy any company data they acquire once the testing and auditing are complete. The company, in turn, formally acknowledges that the Red Team is going to try everything they can to hack into sensitive systems. This allows the Red Team to throw everything they have at the data systems of a company while remaining shielded from legal attack if they succeed and get into private or privileged systems; and lets the company feel secure in the knowledge that nothing was held back in the testing.
 

Blue teams are the defenders. This team almost always works as employees of the company that is undergoing the testing, and are usually members of the IT Security or Data Security divisions of the company's IT group. Blue Teams have two major areas of operations. They continually attempt to harden security around and within the company's data systems and networks - even when no testing is going on. They can also act as an active part of the defensive systems when the Red Team is attacking.  That may sound counter-productive, but keep in mind that Red Team testing occurs in several phases over a period of time. The first attack probably won't involve the Blue Team directly, but re-attacks to test if the vulnerabilities have been patched or shielded will involve the Blue Team in a cooperative fashion. Blue Teams act independently of the Red Team even if they all work for the same company - and therefore can specialize in defensive operations entirely.
 

Both teams will work together to provide a complete audit of every test that was performed, what succeeded, what didn't, and why. The Red Team will also provide detailed logs of all the operations they performed, and the Blue Team will completely document all the corrective actions that were taken to address the issues that were found during the testing. 

 

With the constant pressure for companies of all sizes to harden their defenses and test their security, a new team type - Purple Team - has become common in the security world over the last several years. Purple Teams are (as their name would suggest) a single group of people who do both Red and Blue testing and securing of a company.  They may be a consulting group brought in for an audit, or employees of the company directly, but they do not focus exclusively on attacking or defending - they do both. Often, individual team members will take turns on each side of the equation to keep everyone's skills as sharp as possible; though each member may have a specialty. Purple Teams are effective for spot-checking systems in larger organizations as well, but it is generally best to have opposing and independent teams whenever possible.

 

Red Teams and Blue Teams (and their Purple counterparts) are vital to making sure data systems and networks get safe and stay safe. Without constant testing using the latest vulnerabilities, there's no way for a company to know if they're secure or not.  You may not see these teams in action, but you will definitely see the results of their work in better security and safer systems.

 

Your Security Definitions of the Day: Vulnerabilities and Exploits - a vulnerability is a potential pathway that could be used to gain access to a system or data, or to otherwise compromise a system. An exploit is an actual attack against a vulnerability which gains access to a system or data - or performs the compromise itself.

  • Penetration testing

Suggested reads

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!