8.2. Red and blue confrontation

8.2.1. Concepts

The concept of red-blue confrontation originated in US military exercises in the 1960s: large-scale live exercises in which the forces are divided into a red army and a blue army. In such an exercise the blue army plays the imaginary enemy and conducts targeted training against the red army, which represents one's own front-line troops; this method is also called Red Teaming.

This is where the cybersecurity concept of red-blue confrontation comes from. The red army, as the enterprise's defender, keeps the enterprise secure through security hardening, attack monitoring, emergency response and similar means. The blue army, as the attacker, aims to discover security vulnerabilities and obtain business privileges or data, using a variety of attack techniques to try to bypass the red army's layered defenses and reach the agreed objective. A possible source of confusion is that in Europe and the United States the colors are reversed: the red team generally denotes the attacker and the blue team the defender.

8.2.2. Cyber Attack and Defense Exercises

The more influential exercises include “Locked Shields” and “Cyber Storm”. “Locked Shields” is held annually by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). “Cyber Storm” is led by the U.S. Department of Homeland Security (DHS) and has been held every two years since 2006.

Compared with an APT attack, an attack-and-defense exercise is relatively short, only 1 to 4 weeks, and has a defined defensive target. An APT attack is aimed at a single target, can last from several months to several years, and is far more stealthy.

8.2.3. Focus

The work of an enterprise network blue army consists mainly of penetration testing and red-blue confrontation. The two use essentially the same techniques, but their focus differs.

Penetration testing focuses on uncovering as many security vulnerabilities as possible in a short time, and generally pays little attention to whether the attack activity is picked up by monitoring. Its purpose is to help business systems expose and reduce as much risk as possible.

Red-blue confrontation is closer to a real scenario and leans toward actual combat: the situations faced are complex and involve many different techniques. The focus is on bypassing the defense system and quietly achieving the goal of obtaining business privileges or data. It does not try to find every risk point, because the more attack moves are made, the higher the probability of being discovered, and once discovered the red army kicks the blue army off the battlefield. The purpose of red-blue confrontation is to test defense-in-depth capability, alert-operation quality and emergency-response capability under a real attack.

8.2.4. Objectives

  • Assess the effectiveness of existing defense capabilities, identify weaknesses in defense systems, and propose specific countermeasures

  • Use real and effective simulated attacks to evaluate the potential business impact caused by security issues, and provide effective data for security management to quantify the ROI of security investment

  • Improve company security maturity and its ability to detect and respond to attacks

8.2.5. Preliminary preparation

  • Organization Chart

  • Network topology

  • Logical structure diagram of each system

  • Calling relationship between systems

  • Data flow relationship

  • Asset sorting
    • List of core assets

    • Business system assets

    • Equipment assets

    • Outsourced/Third Party Service Assets

    • Legacy assets

  • Business asset information
    • Business system name

    • Type of business system

    • Server type

    • Domain name/IP address

    • Service port

    • Version

    • System deployment location

    • Development framework

    • Middleware

    • Database

    • Responsible person

    • Maintenance personnel

  • Equipment asset information
    • Device name

    • Device version number

    • Firmware version number

    • IP address

    • Deployment location

    • Responsible person

    • Maintenance personnel

  • Outsourced/Third Party Services asset information
    • Manufacturer contact information

    • System name

    • System type

    • IP/URL address

    • Deployment location

    • Responsible person

    • Maintenance personnel

    • Third-party on-duty staff

  • Risk sorting
    • Infrastructure risk

    • Account and permission review

    • Internet-facing risk check

    • Attack surface reduction

  • Emergency response plan

  • Business continuity plan

  • Disaster recovery plan

8.2.6. Action Flow

  • Attack preparation
    • Clarify the scope of authorization, test objectives, restrictions, etc.

    • Reporting and Authorization Process

    • Action Costs and Budgets

  • Attack execution
    • Act only within the registered time window

    • Act only against the registered target scope

    • Use only the registered attack IPs and network environment

  • Attack completion
    • Restore all changes

    • Remove all persistence mechanisms

    • Submit the attack report and suggestions for improvement
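
The three registration items under attack execution (time window, target scope, attack IPs) are what the defending side uses for deconfliction: an alert is attributed to the exercise only when all three match the filing, and any mismatch is treated as a real incident, since either the blue army exceeded its authorization or someone else is using the registered address. The following Python is an added example, not code from the original page; the Engagement and Alert classes, their field names, and all addresses and dates are hypothetical, constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    """Registration record for one authorized exercise (hypothetical fields)."""
    name: str
    start: datetime        # registered time window, inclusive at both ends
    end: datetime
    source_ips: frozenset  # registered attack IPs, as strings
    scope: tuple           # registered target ranges, as CIDR strings


@dataclass(frozen=True)
class Alert:
    """Minimal view of a SOC alert: when, from where, to where."""
    ts: datetime
    src_ip: str
    dst_ip: str


def classify(alert: Alert, eng: Engagement) -> str:
    """Tag an alert as exercise traffic only if source IP, time and target
    all match the filing; any mismatch is handled as a real incident.

    Order matters: an unregistered source is never the exercise, and a
    registered source acting out of window or out of scope is escalated
    rather than suppressed."""
    registered = {ip_address(s) for s in eng.source_ips}
    if ip_address(alert.src_ip) not in registered:
        return "real: unregistered source"
    if not (eng.start <= alert.ts <= eng.end):
        return "real: registered source outside time window"
    dst = ip_address(alert.dst_ip)
    if not any(dst in ip_network(cidr) for cidr in eng.scope):
        return "real: registered source targeting out-of-scope host"
    return "exercise"


# Constructed registration and alert stream (not real events). The attacker
# side uses RFC 5737 documentation ranges; the targets are private ranges.
ENGAGEMENT = Engagement(
    name="Q3 red-blue exercise (hypothetical)",
    start=datetime(2024, 9, 2, 9, 0, tzinfo=timezone.utc),
    end=datetime(2024, 9, 20, 18, 0, tzinfo=timezone.utc),
    source_ips=frozenset({"203.0.113.10", "203.0.113.11"}),
    scope=("10.20.0.0/16", "10.30.5.0/24"),
)

SAMPLE_ALERTS = [
    # registered IP, inside window, in-scope target -> exercise
    Alert(datetime(2024, 9, 3, 10, 15, tzinfo=timezone.utc), "203.0.113.10", "10.20.4.7"),
    # unknown source hitting the same target during the exercise -> real
    Alert(datetime(2024, 9, 3, 10, 16, tzinfo=timezone.utc), "198.51.100.5", "10.20.4.7"),
    # registered IP active after the window closed -> real
    Alert(datetime(2024, 9, 25, 11, 0, tzinfo=timezone.utc), "203.0.113.11", "10.20.4.7"),
    # registered IP, inside window, but target outside the filed scope -> real
    Alert(datetime(2024, 9, 3, 10, 17, tzinfo=timezone.utc), "203.0.113.11", "10.40.1.1"),
]


def triage(alerts, eng=ENGAGEMENT):
    """Return (alert, verdict) pairs; 'exercise' alerts can be routed to the
    exercise channel, everything else goes through normal incident response."""
    return [(a, classify(a, eng)) for a in alerts]


if __name__ == "__main__":
    for a, verdict in triage(SAMPLE_ALERTS):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.src_ip:>14} -> {a.dst_ip:<12} {verdict}")
```

The check deliberately never whitelists a registered IP on its own: the third and fourth sample alerts come from a filed address but fall outside the window or the scope, and both are escalated, which is the behaviour the registration process exists to make possible.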

8.2.7. Notes

  • File a report before the test begins

  • Communicate in advance whenever the test may affect business operations

  • Confirm each vulnerability with the business owner before issuing a remediation work order

  • Close the loop on every vulnerability: track it through to verified remediation