Best tools for red and blue teams are methodology, experience

red blue tools

In many ways, parenting and security have a lot in common. No book exists that provides all of the answers. There is no silver bullet, and both roles can be overwhelmingly stressful. Getting into the mind of the enemy, though, might be a little easier done than understanding the inner workings of the teenage mind.

Parents are the blue teams that want to know how susceptible their children are to life's many temptations and pitfalls. The red teams, all of the possible dangers that could hurt a child, are those who want to get in. The greater challenge is for the blue team to protect their domain by finding that one vulnerability that can be exploited without putting too many limitations and restrictions on users. 

That's why many of the tools in red and blue team security toolkit are not actual products as much as they are methodologies. When security teams take a step back to reflect upon what they need in their toolboxes, they might find that the answer is less about technology than it is about people and process.

Peter Wood, CEO of ethical hacking firm First Base Technologies, said,"Red teaming involves multiple stages, from open source research, through social engineering, end point and network exploitation, to data exfiltration, so the tools required are many and varied."

Red teams can use a variety of tools depending on their preferred method of social engineering. "Searches of Google maps, job boards, pastebin, LinkedIn, Twitter, Facebook, Instagram, recon-ng, metagoofil and spiderfoot; port scanning and banner grabbing using Ncat, Netcat, and Nikto," said Wood are only some of the tools commonly used.

"For in-person network compromise without credentials red teams can use native software, Burp Proxy, Iceweasel, Wireshark, and many others in addition to proprietary software and techniques," Wood said.

Matt Rodgers, head of security strategy, E8 Security said, "I’ve done a little bit of both red team and blue team work. To try to figure out what needs to go into the toolbox, they first have to understand their goals. Learn as much as they can about the state of security in the organization, then put those learnings to good use."

For some folks, that response is frustrating because they want answers. "They like to get into the weeds around this particular technical goal," said Rodgers, "but in reality it is a combination of putting people, process, and technology to the test all at once."

Equally as important is to understand what physical security looks like. "Some of the social engineering exercises, such as dropping USB sticks in the parking lot, need to be added into the exercises as well," Rodgers said.

While the risks to a particular environment will determine specific tools that will help them achieve their security goals, practitioners also need a variety of traditional technologies regardless of their threat landscape.

"Metasploit is a tool used to run attacks, and NMAP is a common and well understood tool that allows them to do reconnaissance and put together an attack chain by hand," Rodgers said.

Many tools have been around for a long time on the red team side. "Those used for internal and external exposures include everything from wireless tools like Aircrack, a cracking tool for wireless networks. There are lots of ways to get into the internal and external resource exposures," said Rodgers.

Core Impact, what Rodgers defined as "Metasploit on steroids," is a commercial-based solution used for penetration testing. "There is also Safe Breach, a mechanism to automate red team tool sets. It's essentially an automated way of doing all those things they can do with Metasploit, but it automates and provides a report," Rodgers said.

What's most important for blue team's, said Rodgers, "Especially around phishing and vishing, is the ability to understand what types of controls exist in their environment. I've seen people finding controls in their network as they go through an exercise."

Because blue teams base their function off of their ability to collect and make use of the data they collect, log management tools, like Splunk, are important tools.

Rodgers said, "Another piece of the puzzle is understanding how to collect all of the data of what the team has done and record it in a high enough fidelity in postmortem exercises to determine what they did right or wrong and how to do it better."

Blue teams are challenged by staying vigilant in their defense, but David Kennedy CEO and Ben Mauch of TrustedSec said, "For red teams, it's usually more about methodology, rather than being tool-dependent. Knowing how to identify what you are going after is methodical based."

Still there are different tools that turn the methodologies of both red and blue teams into action. Guided by penetration testing execution standards, Kennedy said he has a methodical way of going after a company.

[ ALSO ON CSO: 8 penetration testing tools that will do the job ]

"You go step by step, through the methods of how to go after a target. Start off with intelligence gathering. Understand who your target is, why you want to go after them, do vulnerability analysis," Kennedy said.

Common tools across the board for hackers who are getting to know their targets are social media and online sites. "LinkedIn is one of the most valuable tools for hackers. You know what type of technology people use because they list it right on their profiles. Here's the firewall we use, and here is my experience with it," Kennedy said.

That's part of the reason why the tools that blue teams need is determined by their environments. "They need to ask 'What is this program doing? Why would it try to format your hard drive?' and then add technology that blocks unanticipated actions. The tools to test whether that technology was successful come from the red team," said Michael Angelo, chief security architect, Micro Focus.

Just because a child climbs on a jungle gym doesn't mean he is going to fall and break his leg. The same is true for security vulnerabilities. "Just because you have a vulnerability doesn't mean it's going to be exploited," said Angelo.

"Red teams can use tools like Nessus to find any open ports or vulnerabilities associated with some of the things on that machine. Then they can determine how to get in and test to see if it works. You might have a vulnerability, but is it realizable? Try to do the exploit," Angelo said.

Red teams first look to see what information is available, and then they do passive analysis. Angelo said, "They are not really engaging, they are just watching to see the traffic coming from there without rattling the doorknob. Then they walk over and do active analysis."

For the blue team, what is most valuable is the knowledge that people have in addition to tools. Angelo said, "As you get used to doing these things, you start to think, I’ve seen that, I’ve seen that, they do this, they do that, but I wonder if there isn’t a hole. If you only prepare for the things that are known, then you won't be prepared for the unknown." 

Asking questions is an invaluable tool that will encourage exploration into the unknown. Angelo said, "Don’t stop at preparing for the things that exist today. Assume there will be failures in your infrastructure."

That assumption, that there will be failures, that nothing is 100 percent secure, that we can no more create perfect children than we can perfect security might be the greatest tool anyone can find.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)