Black Hat Europe: Red teams and blue teams must evolve in the 2020s

The concepts of red teams and blue teams in cyber security should be redefined for the 2020s, and both sides need to come together and learn from each other, according to Facebook offensive security engineer Amanda Rousseau, who opened Black Hat Europe 2019 by calling for a new approach to this fundamental aspect of security culture.

In her keynote address, Rousseau said a foundational grasp of security skills has been an important thread in her genre-hopping career, which has taken her from forensic analysis within government to malware research, and most recently to a key position in Facebook’s red team of security engineers, which conducts security testing exercises across the controversial social media company’s global platform.

Rousseau said the industry needed to move towards prioritising breadth of security skills and knowledge over depth, and she saw the red-versus-blue dichotomy as somewhat arbitrary, worrying that it risked pigeonholing people into certain roles.

“In reality, everybody’s on the same side,” she said. “Fundamental skills are applicable on both sides – you’re able to pivot from one to the other as long as you have engineering and security foundations.”

According to Rousseau, key to this will be the adoption of a more adversarial mindset across the board that challenges assumptions about security in a creative way.

She argued that red teams need to get better at communicating the changes they would like their blue team counterparts to make, and to walk back from a tendency to be a little unrealistic about what a real-world attack might look like, and rather base their attacks around organisational priorities. In Facebook’s case, this includes financial and reputational impact, existing security policies and user privacy.

Blue teams, on the other hand, historically have a tendency to be guilty of tunnel vision, assuming things are working fine when this is not necessarily the case, and take quite academic solutions and immediately push them into production, assuming they will work as intended, based on very limited evidence.

Finally, said Rousseau, both sides need to get better at collaborating and following through in post-scenario remediations. She described one exercise at Facebook in which the red team conducted a cryptomining operation across thousands of internal servers with the objective of getting the blue team to detect and stop a Linux rootkit.

“When we designed this operation, we had varying levels of predicted events,” she said. “Because most of us on the team have this generalised background of security, we are able to design scenarios where we predict what the blue team is actually going to see.

“Afterwards, we didn’t just say: here’s our report, go deal with it yourself and that’s not my problem. We work with the defence to validate and remediate.”

Rousseau added: “We want to have that collaboration and follow-through. Essentially, what we’re doing is levelling each other up. It’s all about collaboration. We’re not fighting against each other, it’s more like we’re playing co-ops.”

This year’s Black Hat Europe is the 19th to be held on this side of the Atlantic. It attracted thousands of people from more than 100 countries and granted 80 student scholarships and 26 women in security scholarships.

In his welcome speech, Black Hat founder Jeff Moss said security culture needed to move away from demonstrating compliance and check-box certifications towards the demonstration of actual skills.

He urged security professionals to get closer to the problems their organisations face and get their hands dirty with the solutions to them, as well as engaging with their enemies, whether they be competitive organisations or organised cyber criminals. “If you and your team are not getting punched in the face, you’re not very effective operators,” said Moss.