Red, blue, and purple teams: Cybersecurity roles explained

By Chris Jackson

A lot of people talk about red teams, blue teams, and purple teams when they talk about cybersecurity. But what’s the difference between each team, and why does it matter? In this article, we explain how these teams divide cybersecurity responsibilities and why purple teams are critical to a robust defense.

Prep for the (ISC)²® CC℠ (Certified in Cybersecurity) examination with this course.

Dividing cybersecurity responsibilities among team members helps define their role within the cybersecurity department. When each team member has an assigned role and/or duty, the team can create a strong cybersecurity strategy and work towards the same mission. 

As with organized team sports, there are offensive actors that seek to discover and exploit vulnerabilities (like a goal) in the adversarial team. Defensive actors, on the other hand, are tasked with protecting the vulnerable areas and preventing offensive actors from successfully exploiting vulnerabilities (or scoring goals). Without role allocation, teams might have an unbalanced cybersecurity strategy and risk greater vulnerabilities as a result.

The red team represents the offensive security team, which is responsible for discovering security vulnerabilities through penetration testing. Once they discover these vulnerabilities, they may even try to attack them to test the reaction of the organization’s security controls. They’ll launch realistic attacks by mimicking the techniques, tactics, and tools real threat actors use.

When the red team completes their testing, they’ll generate a report detailing the methods they used to discover vulnerabilities and how those vulnerabilities can be exploited by threat actors.

The blue team represents the defensive security team, which monitors for suspicious activity and implements security controls that prevent security incidents. Blue teams take a proactive approach to cybersecurity and leverage Security Information and Event Management (SIEM) platforms to monitor network traffic and investigate security events. Blue team members defend against real threat actors, as well as members of the red team.

As the name suggests, the purple team is a hybrid approach to cybersecurity that focuses on collaboration between the red and blue teams. It’s less a dedicated team and more a way for the red and blue teams to work together to strengthen an organization’s overall security.

Traditionally, blue teams are not notified when red teams begin penetration testing. That way, they can test their detection and response capabilities in real time. With a purple team, however, the blue team is notified when the red team begins testing and simulating real-world tactics used by Advanced Persistent Threat (APT) groups.

The red team can also use open-source intelligence tools, like Shodan, to see what public information is available to APT groups and how that information can be leveraged in their pen-testing. The blue team can then leverage cybersecurity threat intelligence feeds, from sources like Mandiant, to learn about the methods and tools that are being used by APT threat actors, and use that intel to prepare defenses accordingly.

Purple teams break away from the isolated red and blue team approach. When red and blue teams work together, red teams can better simulate the actual attack patterns and tools used by adversaries that would likely target their organization. And the blue teams can cater their defense and security controls based on those specific techniques. 

For instance, if the red team mimics an APT’s serverless execution technique, in which serverless functions are leveraged to execute malicious code, the blue team can set up detection security controls that monitor for recently modified and created function activity. In other words, the blue team isn’t tasked with defending against unlikely attacks. Instead, they can practice defending against threats that mimic real-world scenarios and use their resources more effectively against the red team.

Purple teams rely on collaboration between the red and blue teams, which makes communication essential to success. With the traditional two-team methodology, the red team only alerts the blue team after completing their testing. This leaves the blue team in a reactionary state with a long list of cybersecurity findings to address. 

But when the red team informs the blue team about the scope of their pen testing ahead of time, they can work together from a place of shared knowledge. Together, they can discuss specific areas of security and focus on realistic attack methods in a much more manageable fashion. The blue team can better defend against three scoped and measured objectives, for example, than a list of 35 findings. Bringing these teams together promotes collaboration and leads to faster remediation of discovered vulnerabilities and reconfiguration of ineffective security controls.

So, how do you get a purple team started? The initial stages of purple team collaboration should start off slowly. Have the red team create a short list of defined pen-testing objectives, like detection of initial malicious actor access or installation of malicious tools or code within the environment. 

As the purple teams matures, they can leverage more APT techniques to create more realistic offensive pen-testing. At the same time, the blue team can incorporate their defensive methods into more robust response plans. Once the blue team’s time-to-detection and response times are established, the purple teams can use these metrics to subjectively measure the performance of defensive security controls. Metrics can then be used to determine the allocation of team resources and performance grading.

If you’re interested in learning more about cybersecurity, check out my course Applying DevSecOps to AWS Web Apps. This will teach you about the DevSecOps methodology, Application Security, and how to secure web apps on AWS.