
Sep 21, 2021

Cybersecurity Red Teams, Blue Teams: Rivals or Allies?


Cybersecurity teams at large enterprises and other organizations are typically divided into two groups: the red team and the blue team. The blue team is usually focused solely on defensive cybersecurity, i.e., setting security policies, monitoring for potential threats, and mitigating any attacks that do occur. The red team, by contrast, is normally tasked with continuously testing everything IT touches, including the network, physical security and employees' susceptibility to social engineering, for vulnerabilities and weaknesses. Its findings are then used to devise tactics and techniques that better defend the organization against threats, attacks, and intrusions.

Examples of blue team members’ titles might be cybersecurity analyst, specialist, or engineer, while those of red team members include penetration tester, ethical hacker or vulnerability analyst. Enterprises often employ external vendors’ red teams for organized cybersecurity exercises. Given the vast differences in duties and viewpoints of the two teams, though, it’s quite common for them to be in an adversarial or competitive relationship.

The red team’s penetration testing, for example, might reveal a policy misconfiguration by the blue team, resulting in embarrassment or worse for that team. Or the blue team might discover an attack on a vulnerability that the red team “should” have detected in its testing, with similar results.

However, the cybersecurity landscape is changing and evolving quickly. Ransomware, for example, has become a widespread threat that can devastate business operations and exfiltrate sensitive customer information. With the changing landscape, red and blue teams need to work cooperatively while maintaining their friendly competitive edge – “coopetition,” if you will. Rather than rivals, they need to become allies in the important work of protecting the network and other IT assets.

Red + Blue = Purple

This blurring of the lines between red and blue teams is beginning to extend to cybersecurity vendors like Hillstone Networks as well. Our main product lines – next generation firewalls, web application firewalls, intrusion prevention systems, server breach detection systems and application delivery controllers – are all mostly on the blue team’s (or defensive) side.

Many of our products incorporate our industry-leading artificial intelligence (AI) and machine learning (ML) technologies, which use advanced security automation for threat detection, analysis, hunting and response. These systems combine statistical learning (ML) with rule- and logic-based analysis to understand security events, help automate decision-making, and give admins the deep visibility needed to take effective action against threats and attacks. These capabilities augment the defensive tactics and techniques of the blue team, while also helping to discover security “holes,” much as a red team would.

The Importance of Collaboration

We’re actively working with vendors of technologies that reside on or closer to the red team’s side. Just as the traditional red and blue teams need to work together to discover and mitigate security risks, we believe that so, too, should security vendors, regardless of which team’s side they’re on. The cybersecurity landscape, especially ransomware, is simply changing too fast. In our view, it doesn’t take a village – rather, it takes an ecosystem of security technologies working together to counter the shape-shifting, multi-stage and multi-layer threat environment of today.

The benefits for Hillstone customers are numerous and include more efficient risk detection and mitigation, as well as automation to correlate and integrate inputs from other devices into Hillstone’s solutions. The end result will be stronger security postures with fewer unsecured attack surfaces for hackers to explore and leverage – all while easing the workloads of both red and blue teams and allowing them to operate at maximum efficiency.