Over the last decade, I’ve seen the industry embrace red teaming, with more and more organizations employing red teams to help augment their security function. While I don’t love that so much of the industry still appears to be hung up on red teaming basically being “a more advanced penetration test”, I am happy to see more and more organizations taking this proactive step to evaluate and improve their security.
With the rise of the red team in cybersecurity, we also became more and more familiar with the term “blue team.” In the context of cybersecurity, this term is typically reserved for folks who serve the incident response function. If the red team breaks into the organization, surely the blue team is the specific group of people responsible for responding to the break-in, right? Well… I’m not so sure.
Perhaps the most motivating factor for this piece, though, is the rise (at least in online thought leader think pieces) in calling other teams by other colors. The orange team. The purple team. The yellow team. Etc.
Color teams as a temporary function
The red team and blue team are, in my opinion, only meant to be short-term names during the course of an exercise that necessitates a red team and a blue team. When not actively engaged in an exercise, even people who professionally red team are still employed by the company to help improve the organization.
Additionally, there may be people who engage in red team activities in a part-time capacity for the course of an exercise, such as volunteers or subject matter experts. We don’t say “The red team plus Bob” when talking about the adversary in this exercise - it’s just “The red team.” Similarly, I think it’s incorrect to say “The blue team plus Alice.” It’s just “the blue team.”
Importantly, at the end of the exercise, the “Red vs Blue” line in the sand gets wiped away, and we’re all back to being employees of an organization that we’re trying to improve. Until the next exercise starts, we’re all just trying to improve the security of the organization. This is also, in my opinion, why the need for a “purple” team is misguided. You don’t need a purple team, you need a red team function that remembers that their job is to help improve the blue team functions.
Blue Team != Incident Response
I think the catalyst for starting to name teams by colors can undoubtedly be blamed on how the red team and blue team roles are understood. While I think the red team role is commonly understood to be “pretending to be the adversary,” I think the blue team role has been unfairly and incorrectly narrowed.
In the origins of the Red vs Blue paradigm, the red team served as the adversary, and the “blue team” inherently meant everyone on the defending side. (More specifically, the red team was the adversary, the Soviet Union, and the blue team was the United States. If you're interested in more about the history of this term, I cannot recommend Red Team: How to Succeed By Thinking Like The Enemy enough.) I think this is actually good, because I haven’t taken a single security awareness training in my entire career that didn’t tell me I was part of the first line of defense for the company.
I think the more accurate representation of blue team should be “anyone not currently actively engaged in a red team campaign against the organization.” But short of that, it should definitely not just be a synonym for “incident response.” Incident response already has a name, incident response. Digital forensics has a name. Security architecture has a name. Security engineering has a name. Application security has a name. Infrastructure security has a name.
Blue team is just meant to be an aggregate term for the receiving end of a red team exercise.
Red Team != Offensive Security
A similar issue with the “color team” naming convention is that a number of organizations and security leaders appear to believe that “red team” is a general term for all offensive security work. Blue = defense, so red = offense.
Red teaming may fall within an organization’s offensive security function, but offensive security also tends to include things like penetration testing, deep security research to find 0day vulnerabilities, and maybe even control validation functions. It’s sort of like that thing where all squares are rectangles but not all rectangles are squares.
Except not all red teams are even “offensive security.” There’s also alternative analysis red teaming, bringing the skills of contrarian thinking to everyday business decisions, roadmaps, business intelligence, etc.
Should we retire Red vs Blue?
While I personally still find value in the notion of “red team” and “blue team” at a high level, I think the broader industry has shown that it may be taking these notions too literally and treating them as actual teams in the org chart.
Having full time staff engaged in adversarial work is good, but maybe they don’t need to be called “red team” in the org chart. Perhaps more descriptively they could be called “Adversary Emulation.” Or maybe they do fulfill a broader red team role, engaging in alternative analysis, some sort of attack modeling, and tabletop exercises. In which case maybe they should stay labeled red team.
But I definitely think there isn’t really a good reason to have a “blue team” in the org chart. There are much more descriptive names for each function, and teams naturally tend to fall into those function boundaries anyway.
What about every other color?
With the notion that “red team” means “those actively playing the role of the adversary” and “blue team” means “everyone in the organization that is not currently on the red team,” I think that leaves no room for any other color. I think adding more colors is generally counterproductive, as it results in less-descriptive names for job functions.
I thought the Red vs Blue distinction was obvious, but the proliferation of other colors seems to suggest otherwise, and ultimately I think clear and descriptive naming is more effective for everyone. As someone who has had to explain “what does a red team do” hundreds of times, I can assure you all I ever wanted was a more descriptive name – not a less descriptive name.
If I have to give up the “red team” name in order to reduce the industry tendency to start ascribing other colors to other functions that are already well-named, that is a trade I would happily make.