Do you ever play computer games such as Halo or Gears of War? If so, you’ve definitely noticed a game mode called Capture the Flag that pits two teams against each other – one that is in charge of protecting the flag from adversaries who attempt to steal it.
This type of exercise is also used by organizations to gauge their ability to detect, respond to, and mitigate a cyberattack. Indeed, these simulations are key for pinpointing weaknesses in organizations’ systems, people and processes before attackers take advantage of them. By emulating realistic cyberthreats, these exercises let security practitioners also finetune incident response procedures and beef up their defenses against evolving security challenges.
In this article, we’ve look at, in broad brush terms, how the two teams duke it out and which open-source tools the defensive side may use. First off, a super-quick refresher on the roles of the two teams:
- The red team plays the role of the attacker and leverages tactics that mirror those of real-world threat actors. By identifying and exploiting vulnerabilities, bypassing the organization’s defenses and compromising its systems, this adversarial simulation provides organizations with priceless insights into chinks in their cyber-armors.
- The blue team, meanwhile, takes on the defensive role as it aims to detect and thwart the opponent’s incursions. This involves, among other things, deploying various cybersecurity tools, keeping tabs on network traffic for any anomalies or suspicious patterns, reviewing logs generated by different systems and applications, monitoring and collecting data from individual endpoints, and swiftly responding to any signs of unauthorized access or suspicious behavior.
As a side note, there’s also a purple team that relies on a collaborative approach and brings together both offensive and defensive activities. By fostering communication and cooperation between the offensive and defensive teams, this joint effort allows organizations to identify vulnerabilities, test security controls, and improve their overall security posture through an even more comprehensive and unified approach.
Now, going back to the blue team, the defensive side uses a variety of open-source and proprietary tools to fulfill its mission. Let’s now look at a few such tools from the former category.
Network analysis tools
Arkime
Designed for efficiently handling and analyzing network traffic data, Arkime is a large-scale packet search and capture (PCAP) system. It features an intuitive web interface for browsing, searching for, and exporting PCAP files while its API allows you to directly download and use the PCAP and JSON-formatted session data. In so doing, it allows for integrating the data with specialized traffic capture tools such as Wireshark during the analysis stage.
Arkime is built to be deployed on many systems at once and can scale to handle tens of gigabits/second of traffic. PCAP’s handling of large amounts of data is based on the sensor’s available disk space and the scale of the Elasticsearch cluster. Both of these features can be scaled up as needed and are under the administrator’s full control.
Snort
Snort is an open-source intrusion prevention system (IPS) that monitors and analyzes network traffic to detect and prevent potential security threats. Used widely for real-time traffic analysis and packet logging, it uses a series of rules that help define malicious activity on the network and allows it to find packets that match such suspicious or malicious behavior and generates alerts for administrators.
As per its homepage, Snort has three main use cases:
- packet tracing
- packet logging (useful for network traffic debugging)
- network Intrusion Prevention System (IPS)
For the detection of intrusions and malicious activity on the network, Snort has three sets of global rules:
- rules for community users: those that are available to any user without any cost and registration.
- rules for registered users: By registering with Snort the user can access a set of rules optimized to identify much more specific threats.
- rules for subscribers: This set of rules not only allows for more accurate threat identification and optimization, but also comes with the ability to receive threat updates.
Incident management tools
TheHive
TheHive is a scalable security incident response platform that provides a collaborative and customizable space for incident handling, investigation, and response activities. It is tightly integrated with MISP (Malware Information Sharing Platform) and eases the tasks of Security Operations Center (SOCs), Computer Security Incident Response Team (CSIRTs), Computer Emergency Response Team (CERTs) and any other security professionals who face security incidents that need to be analyzed and acted upon quickly. As such, it helps organizations manage and respond to security incidents effectively
There are three features that make it so useful:
- Collaboration: The platform promotes real-time collaboration among (SOC) and Computer Emergency Response Team (CERT) analysts. It facilitates the integration of ongoing investigations into cases, tasks, and observables. Members can access relevant information, and special notifications for new MISP events, alerts, email reports, and SIEM integrations further enhance communication.
- Elaboration: The tool simplifies the creation of cases and associated tasks through an efficient template engine. You can customize metrics and fields via a dashboard, and the platform supports the tagging of essential files containing malware or suspicious data.
- Performance: Add anywhere from one to thousands of observables to each case created, including the option to import them directly from an MISP event or any alert sent to the platform, as well as customizable classification and filters.
GRR Rapid Response
GRR Rapid Response is an incident response framework that enables live remote forensic analysis. It remotely collects and analyzes forensic data from systems in order to facilitate cybersecurity investigations and incident response activities. GRR supports the collection of various types of forensic data, including file system metadata, memory content, registry information, and other artifacts that are crucial for incident analysis. It’s built to handle large-scale deployments, making it particularly suitable for enterprises with diverse and extensive IT infrastructures.
It consists of two parts, a client and a server.
The GRR client is deployed on systems that you want to investigate. On each of these systems, once deployed, the GRR client periodically polls the GRR frontend servers to verify if they are working. By “working”, we mean executing a specific action: download a file, enumerate a directory, etc.
The GRR server infrastructure consists of several components (frontends, workers, UI servers, Fleetspeak) and provides a web-based GUI and an API endpoint that allows analysts to schedule actions on clients and to view and process the collected data.
Analyzing operating systems
HELK
HELK, or The Hunting ELK, is designed to provide a comprehensive environment for security professionals to conduct proactive threat hunting, analyze security events, and respond to incidents. It leverages the power of the ELK stack along with additional tools to create a versatile and extensible security analytics platform.
It combines various cybersecurity tools into a unified platform for threat hunting and security analytics. Its primary components are Elasticsearch, Logstash, and Kibana (ELK stack), which are widely used for log and data analysis. HELK extends the ELK stack by integrating additional security tools and data sources to enhance its capabilities for threat detection and incident response.
Its purpose is for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.
Volatility
The Volatility Framework is a collection of tools and libraries for the extraction of digital artifacts from, you guessed it, the volatile memory (RAM) of a system. It is, therefore, widely used in digital forensics and incident response to analyze memory dumps from compromised systems and extract valuable information related to ongoing or past security incidents.
As it’s platform-independent, it supports memory dumps from a variety of operating systems, including Windows, Linux and macOS. Indeed, Volatility can also analyze memory dumps from virtualized environments, such as those created by VMware or VirtualBox, and so provide insights into both physical and virtual system states.
Volatility has a plugin-based architecture – it comes with a rich set of built-in plugins that cover a wide range of forensic analysis, but also allows users to extend its functionality by adding custom plugins.
Conclusion
So there you have it. It goes without saying that blue/red team exercises are essential for assessing the preparedness of an organization’s defenses and as such are vital for a robust and effective security strategy. The wealth of information collected throughout this exercise provides organizations with a holistic view of their security posture and allows them to assess the effectiveness of their security protocols.
In addition, blue teams play a key role in cybersecurity compliance and regulation, which is especially critical in highly regulated industries, such as healthcare and finance. The blue/red team exercises also provide realistic training scenarios for security professionals, and this hands-on experience helps them hone their skills in actual incident response.
Which team will you sign up for?