Think Red, Act Blue: How Thinking Like an Attacker Enhances Cybersecurity
December 15, 2025
At a Glance:
- “Think Red, Act Blue” is a proactive cybersecurity approach in which one team of analysts thinks and behaves like an attacker (red team) while another team figures out how to adequately stop them (blue team).
- By understanding both the technical and human elements of security, teams can identify weaknesses faster and build more resilient systems.
- At Brite, our SOC and Intelligence teams use red, blue, and purple team tactics to anticipate threats, enhance detection, and keep people and their data secure.
When battling an opponent, it’s important to consider how they think and how they are likely to act.
In sports, coaches base their game plans around what they expect the other team to do. Military leaders do the same thing when devising their combat strategies.
This principle is also true in cybersecurity. Thinking like a threat actor helps teams anticipate what tactics they may use or which weaknesses they could exploit in their attack. As a result, these teams can adjust their defenses and act accordingly to protect people and their data.
This mindset is known as “Think Red, Act Blue.” Essentially, it means thinking like an attacker while acting like a defender.
Let’s delve deeper into how this approach enhances cybersecurity and how we employ Think Red, Act Blue at Brite.
Know Your Enemy and Yourself
The concept behind Think Red, Act Blue can be summed up by a quote from Sun Tzu’s Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
So how exactly does Think Red, Act Blue work in cybersecurity? In simple terms, a group of professionals acting as the red team simulates real-world cyber attacks to uncover weaknesses in an organization’s systems and processes. On the other side, a blue team works to defend those systems through monitoring, detection, and incident response.
Thinking Red and Acting Blue allows information security teams to go beyond their own biases and consider how an outsider may see their defenses. Looking at an architecture or infrastructure and finding weaknesses to attack is the fastest and most effective way to patch holes. You cannot defend against what you don’t know. This strategy also allows for more rapid detection, as viewing activities from the attacker’s perspective can provide valuable insights.
Additionally, Think Red, Act Blue helps teams go beyond the limited perspective of seeing cybersecurity as purely defensive. Understanding why this is important begins with the key concept that security starts with the weakest link: people.
It’s very easy to get lost in fancy SIEM/XDR systems and data science systems. Yet what often causes a breach is people, and for the most part this issue can’t be fixed with technology. It requires thinking about the end user and, in turn, how an attacker could abuse them.
This harkens back to information security legend Kevin Mitnick’s timeless wisdom: “The ‘bad guys’ will always look for the weakest link in the security chain. In my opinion, most often these are people, not technology.”
Red, Blue, and Even Purple
To achieve its security goals, Brite relies on the expertise of its Security Operations Center (SOC) analysts and the Brite Intelligence Team (BIT). Both groups employ, to different extents, red (offensive), blue (defensive), and purple (offensive and defensive) team tactics.
In purple teaming, the red and blue teams work closely together, with the red team providing insights into their tactics, techniques, and procedures. The blue team then gains a deeper understanding of how to detect and respond to threats effectively.
These dynamic measures allow Brite to meet challenges not just as they appear, but often before they become an issue.
People at the Core of Cybersecurity
Security starts and ends with people. The technology and digital systems that cybersecurity teams employ are simply tools to achieve a goal designed by humans or to store data used by humans.
Security teams can add countless layers of technology in between. However, if they don’t consider the user alongside how they meld with the technology and processes, the measures don’t matter.
Think Red, Act Blue provides a conceptual framework that breaks down some of these issues. By understanding how hackers think and how users respond, security teams can adjust their defenses accordingly. As a result, clients and their data are even safer than before.