Defending organizations’ computer networks and data has never been more challenging for technology and cybersecurity professionals. A report from consulting firm Accenture reveals that respondents reported an average of 270 separate attacks against their infrastructure in 2021, a 31% increase from the previous year.
With cybersecurity threats on the rise, private companies and government agencies are looking to invest in security, even with the threat of a possible economic downturn in the United States and elsewhere. Research firm Gartner predicts an 11% increase in security spending between 2022 and 2023, with the total reaching $187 billion next year.
Some of this spending will likely go towards strengthening defenses against various cybersecurity threats, which means more investment in Red Team and Blue Team engineers. These two highly specialized groups, which are sometimes found in-house or hired through consulting firms, help test defenses against attacks, as well as offer recommendations for improving cybersecurity.
“As for the way the teams work together: it’s a symbiotic relationship between sparring partners. Red and blue teams exchange ideas, make changes, and gradually improve each other’s knowledge, understanding, and posture,” said Tim McGuffin, director of adversarial engineering at LARES Consulting.
What are the differences between the red and blue teams?
While the red and blue teams work together, their roles are distinct.
Red team engineers, for example, play the role of the adversary. They “attack” networks and infrastructure to look for weak points and bad security configurations. “This role includes performing adversary emulation, a type of red team exercise where the red team emulates the functioning of an opponent, following the same tactics, techniques and procedures, with a similar specific objective to that of realistic threats or adversaries. This may also include the creation of custom implants and [command-and-control] frameworks to evade detection,” according to the SANS Institute.
A Blue Team Engineer (or Blue Teamer) can have multiple titles and is typically an in-house security professional responsible for engineering and architecture, triage and incident response, administration of security tools and more, according to SANS. Their main objective during a tabletop security drill is to stop the red team attacker and neutralize the threat.
For technology or cybersecurity professionals looking to advance or try a new career, red and blue team engineers can have significantly different salaries. A Red Teamer currently earns a base salary of around $108,400 in the United States, according to Glassdoor statistics. A blue team engineer, however, can expect a base salary of around $48,900, according to the same data, but that could also climb up to $108,000, with many companies offering a much higher base salary.
What skills are needed for engineers on the red and blue team?
The engineers of the Red and Blue teams need specific skills to take on these tasks.
For example, a Blue Teamer needs in-depth knowledge of the specific domain they are protecting within their organization (e.g. architecture and cloud platforms), as well as a working knowledge of how this area of the business interacts with and affects other departments and divisions. If the engineer is working within a Security Operations Center (SOC), they will need to understand defensive monitoring and alert triage, how alerts are generated in the system, what the logging pipeline looks like, and how to infer the origin of any future malicious activity.
“It goes back to operational security fundamentals as well as a solid understanding of the business, system components and connections, accounts involved, and institutional knowledge,” McGuffin told Dice. “This will help triage and quickly escalate true positives so they can react quickly, as threat actors like ransomware operators seek speed and impact, so minutes lost in triage can be bad.”
The skills are different for a red team engineer. They must understand threat actors and their abilities and techniques, as well as how to perform some of these techniques in a simulated situation to test defenses.
“Using this combination of knowledge and skills, a Red team member looks for opportunities for an attacker to compromise processes, data, or identities within the enterprise,” Aaron Turner, director of SaaS protection technique at Vectra, told Dice. “The broader the experience of the Red Teamer, in physical and network security, supply chain and vendor operations, the more effective it is. For example, a good Red Teamer will analyze physical security controls around technology infrastructure where a physical weakness could be exploited to gain privileged access to networks, data, or identity infrastructure.”
While both positions can serve as entry-level careers for those interested in cybersecurity, Blue Teamers tend to have greater responsibility. “It’s possible for someone to get an entry-level position in each of these disciplines, but the progression generally applies: it’s easier to break things than to fix them. So blue teams usually have a greater responsibility and therefore need to keep abreast of a wider area of knowledge,” Turner added.
Justin Wynn, senior consultant for adversary operations at security consultancy Coalfire, noted that the most difficult tasks in these exercises are usually the responsibility of blue team engineers. “The blue team is a grueling job – even though they’ve secured everything as best they can, there’s always the looming threat of a zero day, which can compromise an asset and force them to respond to an incident in real time,” Wynn told Dice. “The red team only needs to get lucky once, and advanced threats can have undisclosed exploits or sit and wait for an opportunity to present itself.”
Whether technologists and cybersecurity experts are drawn to red or blue teams, Wynn noted that preparing for these roles requires a similar mindset and attention to specific detail and training.
“Each role requires a deep technical understanding of how technologies work and the security issues associated with them,” Wynn added. “The skills required to effectively manage these requirements are endless, often requiring a well-rounded team with a deep understanding of networking, full-stack development, common security vulnerabilities, and more, all while staying on the cutting edge of developing security issues.”
Where can aspiring Red and Blue Teamers start?
Generally, only the largest private companies can house both a red team and a blue team within their security organization. In many cases, companies will have blue teams in-house and look to consulting firms to provide red teams to help with tabletop exercises and testing defenses.
Several experts have noted that aspiring red and blue teammates can find plenty of opportunities to test their skills. “For people who are just starting their journey and want to get involved with the Red Team, the best thing to do is find an organization without a lot of resources and volunteer to do some work,” Turner of Vectra said. “For example, city governments and public school districts all need to secure their environments, but typically don’t have the budget to pay for a full red team engagement. By working through local security organizations like ISSA or InfraGard, a beginner could build relationships to create a volunteer red team organization, much like how volunteer firefighters work.”
For those looking to add a certification to their resume, the SANS Institute offers several courses for cybersecurity professionals. For example, SANS recommends its course “SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise” for Blue Teamers. Meanwhile, its “SEC565: Red Team Operations and Adversary Emulation” course is for Red Teamers.
“There is fundamental knowledge that should be required for both teams,” McGuffin added. “One person doesn’t have to know all of them, but at least one member of the team should have knowledge in these areas and share that knowledge if needed. Network and system architecture, operating system and systems administration fundamentals, and a functional understanding of their organization’s core business and assets are all good to know.”