Penetration testing

How are penetration teams structured?

Ravi Das
August 30, 2018 by
Ravi Das

In this article, we examine the structures of the various types of penetration teams that are being used today.

 

Basic team structure

 

In today's world of penetration testing, there is no set method dictating how the teams are actually organized. The number of actual penetration testers involved in a project will depend primarily on key three factors:

  1. The types of penetration tests being performed
  2. The size of the business or corporation in question (this can be a direct function of employee size)
  3. The complexity of the IT Infrastructure to be tested

For example, if the organization that wants a pentest done has fewer than 20 employees, one can assume that the IT Infrastructure is relatively simple. In this particular instance, a complete penetration testing team may not be needed: two or three pentesters could be sufficient to carry out the required tests and compile the report(s) which summarize their findings and recommendations.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

But if the organization which requires penetration testing is a large one (such as a Fortune 500 company with more than 10,000 employees) one can safely assume that the IT infrastructure is much more complex. Thus, a structured penetration testing team will be required. In these instances, there are usually two types of teams used:

 

The red team

 

This is the penetration testing team that actually launches the mock attack against the business's lines of defense. This team simulates real types of cyberattacks in order to discover any unknown security vulnerabilities or weaknesses. The testing would typically include both the hardware and software sides.

In terms of the former, this would include such as items as servers and the entire network infrastructure itself. In terms of the latter, this would involve such items as the database and any type of web application that is employee- or customer-facing.

 

The blue team

 

This is the penetration testing team that takes on the mock role of being the IT staff at the business or corporation. The Blue Team will be the ones monitoring all alerts, anomalies and any other forms of suspicious behavior from within the IT infrastructure. In the end, their job in the pentesting exercise is twofold: to fend off the cyberattack that's being launched by the Red Team and to give the real IT staff of the organization an idea of the required vigilance and proactiveness.

In some cases, there is also a third team. This is:

 

The purple team

 

This is a type of penetration testing team that is designed to ensure and maximize the efforts of both the Red Team and the Blue Team. They combine the Blue Team's defensive tactics with the threats and vulnerabilities found by the Red Team.

 

What is the blue team?

 

As described in the last section, the first, overarching task of the Blue Team is fight off the cyberattack launched by the Red Team. But apart from this, the Blue Team has other specific responsibilities. They include:

 

1. Preparedness

 

This will include testing all of the security technologies in place to make sure they are optimized to detect any sort of anomalies.

 

2. Identification

 

Every effort is made to correctly identify any potential cyberattack against the business or corporation.

 

3. Containment

 

This involves containing the damage caused by the cyberattack, using the incident response plan.

 

4. Recovery

 

This is the part where the mission-critical functions and processes of the business or corporation are brought back online, usually in a time span of 1-2 days.

 

5. Lessons learned

 

At this point, a forensics investigation team will be called in to conduct an exhaustive study of what happened. It will be the responsibility of the Blue Team to compile all of the data and findings into a report, as well as to formulate strategies as to how such incidents can be avoided in the future.

 

6. Operating system hardening

 

The goal here is to decrease the "surface of vulnerability" of all the operating systems that are currently being used.

 

7. Perimeter defense

 

The Blue Team will also ensure that all firewalls, network intrusion devices, routers, traffic flow devices, packet filtering devices and so forth are working in optimal condition.

 

What is the red team?

 

As we've discussed before, it's the Red Team that has the primary responsibility of launching an ethically-based cyberattack against a business or a corporation in order to uncover its true security vulnerabilities, weaknesses and holes. But it's important to note here that the Red Team is not particularly interested in what is being attacked: they are much more interested in the ways to get those targets.

The Red Team will use a large amount of creativity and even employ techniques you may never have heard of. Remember, the goal of the Red Team is to not just attack your lines of defense but breach them by any means necessary. To do this, they will think and act just like the real cyberattacker.

When a Red Team engages in its mock cyberattacks, they very often do not ask for a specific list of targets to hit. Rather, they are interested in those systems in your IT infrastructure that are "out of scope" as well. As a result, this gives the Red Team a much broader set of permutations to examine. Because of this, the Red Team will seek out vulnerabilities that are systemic in nature — ones you never imagined existed, because you were seeing the situation from a different angle.

A primary advantage of having a Red Team conduct your penetration testing is that they will offer an unbiased, all-encompassing view of the weaknesses not only in your IT infrastructure, but also in your employees and office location(s).

Unless they are specifically directed by the client, a Red Team really does not have a defined methodology in order to conduct their penetration testing exercises. In the end, their goal is to try to gain access to just about everything imaginable at the business.

 

What is the purple team?

 

The Purple Team is actually a combination of members from both the Red Team and the Blue Team. One may be asking at this point: why is this combination even necessary? It's important to keep in mind that Purple Teams are not required for every penetration testing engagement.

For example, if it was a much smaller business (again, using our example of the 20-size employee company), then there would not be a need for a Purple Team.

The objectives of a Purple Team may include the following:

 

1. Working with both the red team and blue team in a harmonious fashion

 

This includes making observations and notes as to how the two teams are working together and making any recommendations to change the team compositions or make any needed adjustments to the penetration exercise(s) themselves.

 

2. Understanding and visualizing the big picture

 

This means assuming the mindset, thinking processes and the responsibilities of both the Red Team and the Blue Team.

 

3. Assuming an overall responsibility for the penetration testing exercise(s)

 

This simply refers to analyzing and interpreting results for the client and taking any corrective actions that are needed. For example, this could include coming up with a schedule for downloading and implementing software patches and upgrades, providing recommendations to improve security awareness training for the employees of the organization that is being tested.

 

4. Delivering the maximum value to the client

 

By collecting information and data from both the Red Team and the Blue Team, the Purple Team can deliver a high-quality document to the client. The end result is that the lines of defenses will be that much more fortified.

 

How to break into the penetration testing field

 

When trying to land a job as a penetration tester on either a Red Team or a Blue Team, there are a number of key attributes that you must first possess.

(Please note that although not required, a college degree in Computer Science or Information Technology is highly recommended.)

  • Obtain the A+ Credential
  • Obtain either the CCNA or Network+ certifications if you want to enter penetration testing with a focus on network security
  • Obtain either the Security+, CISSP or TICSA certs if you want to enter penetration testing with a focus on information security
  • It is highly advisable that you learn a programming language such as Java, Perl or LISP. You should also have the ability to ability to write Unix/Linux command-line interfaces and be strong in SQL. The latter is needed in case that you're called upon to manipulate SQL databases and inject malicious commands into them
  • You should also possess the Certified Ethical Hacker (CEH) cert; this is currently offered by the Internal Council of Electronic Commerce Consultants (EC-Council)
  • You should possess strong social engineering skills as well. This is important to convince an unsuspecting victim to give you the information you need for further access when launching a Red Team cyberattack

 

Conclusion

 

This article has examined the different teams in a penetration testing exercise(s). These include the Red Team, the Blue Team, and the Purple Team. We also reviewed some of the requirements to become a truly qualified penetration tester. Good luck with your career!

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

 

Sources

 

Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.