Red Team / Blue Team / Purple Team - Angriff und Verteidigung im Einklang

Red Team vs. Blue Team is more than just a simulation framework—it’s the most honest answer to the question: “How secure are we, really?” While a penetration test identifies vulnerabilities in systems, a red team engagement tests whether the entire defense—technology, processes, and people—can withstand a real-world attack.

Red Team: What It Really Is

Distinction: Red Team vs. Penetration Test

Criterion	Penetration Test	Red Team
Time	1–5 days	4–12 weeks
Scope	Defined systems	Entire organization
Goal	All vulnerabilities	Achieve objectives (steal data, gain domain admin access)
Transparency	Blue Team is aware	Blue Team is NOT aware
Depth	Broad + Documentation	Deep, realistic
Report	Technical Findings	Attack Narrative + Detection Gaps

Red Team Objectives (Examples)

Access to customer database (50,000+ records)
Domain admin credentials
Access to financial systems
Physical access to server room
Exfiltration of intellectual property

Red Team Phases

1. Reconnaissance (passive + active):

OSINT: LinkedIn, WHOIS, Shodan, job postings
Infrastructure discovery: subdomains, IP ranges, email servers
Social Media: Employee profiles, organizational structure
Dark Web: Previous leaks, sold credentials

2. Initial Access:

Phishing (spear-phishing, vishing)
Exploitation of public services (CVE)
Physical (tailgating, lockpicking)
Supply chain (compromised service provider)
Insider (social engineering)

3. Persistence + C2:

Custom C2 (Cobalt Strike, Brute Ratel, Havoc)
Persistence: Registry, WMI, Scheduled Tasks
Staging: multiple independent foothold points

4. Lateral Movement:

Pass-the-Hash, Kerberoasting, AS-REP Roasting
BloodHound: Visualize attack paths
Living-off-the-Land: PSExec, WMI, RDP

5. Objectives:

Data Exfiltration (DNS tunnel, HTTPS, steganography)
Domain Compromise (Golden Ticket)
Ransomware Simulation (without Encryption)

Blue Team: Structuring the Defense

Detection Capabilities

SIEM: Centralize and correlate logs
EDR: Endpoint Detection (Behavioral Analytics)
NDR: Network anomaly detection
UEBA: User + Entity Behavior Analytics
Honeypots/Canary Tokens: Early warning system

Response Capabilities

SOC: Security Operations Center (24/7 or business hours)
IR Playbooks: for known attack patterns
SOAR: Automated Response (block IP, lock account)
Forensic Capabilities: post-incident

Purple Team Activities (continuous)

Atomic Red Team: test detection with small, isolated attacks
Caldera (MITRE): automated ATT&CK simulation;
VECTR: Tracking of Purple Team activities

# Atomic Red Team Example:
# Test: Kerberoasting (T1558.003)
Invoke-AtomicTest T1558.003
# → Does SIEM trigger an alert? → YES: Detection works!
# → NO: Adjust SIEM rule + add Sigma rule

Blue Team Metrics

MTTD: Mean Time to Detect

Good: < 24h for Red Team actions
Poor: > 1 week (enables lateral movement)

MTTR: Mean Time to Respond (Time to Containment)

Good: < 4h after detection
Poor: > 24h

False Positive Rate:

Too many alerts = alert fatigue → SOC no longer responds
Target: < 10% false positives among all alerts

TIBER-EU Framework

What TIBER-EU Is

European Framework for Threat Intelligence-Based Ethical Red Teaming
ECB + National Central Banks (BaFin, DNB, etc.)
Mandatory for: systemically important financial institutions in the EU

TIBER-EU Phases

1. Generic Threat Landscape (GTL):

Industry-specific threats (via threat intelligence providers)
Who is attacking the financial sector? With which TTPs?

2. Targeted Threat Intelligence (TTI):

Specific to the institution
Threat intelligence providers: Which groups are attacking this institution?
What public information is available?

3. Red Teaming:

Red team provider (accredited!)
12–16-week engagement
Objectives: based on TTI (realistic attackers!)
White team: small management team is aware of this (not the Blue Team!)

4. Closure + Remediation:

Report → Blue Team: what did we miss?
Remediation: technical + procedural
Replay (optional): Red Team tests fixes

German TIBER variant: DTIBER (Deutsche Bundesbank)

Coordinated by BaFin
Accredited providers (Threat Intel + Red Team separate!)
Results: confidential (no public report)

TIBER-EU vs. Standard Penetration Test (Financial Sector)

TIBER: realistic attack scenario, weeks-long, in-depth
Penetration test: meet compliance requirements (PCI DSS, ISO 27001)
Both: useful, but different goals

Purple Team: The Best of Both Worlds

Concept

Red Team carries out the attack
Blue Team attempts to detect it
Joint analysis: what worked, what didn’t?
Create detection rules directly from the attack

Purple Team Session (typically 2–3 days)

Day 1:

Red Team: executes T1059.001 (PowerShell Execution)
Blue Team: Check SIEM alerts → detected? Timing?
If not detected: why? → Detection gap identified!
Write and deploy detection rule

Day 2:

Red Team: attempts same technique with obfuscation
Blue Team: Does the new rule work?
Iterate until robust!

MITRE ATT&CK as a common language

ATT&CK Navigator: which techniques are covered? Heatmap: detected (green), not detected (red), unclear (yellow). Prioritization: which critical techniques are missing?

Common Detection Gaps (Purple Team Findings):

Living-off-the-Land: WMI/LOLBins → too many false positives → disabled
NTLM Relay: no monitoring of NTLM authentication events
DNS Exfiltration: no DNS log monitoring
Scheduled Tasks via schtasks.exe: no alert

Tools for Purple Team

Tool	Vendor	Purpose
Atomic Red Team	Red Canary	Smallest atomic ATT&CK tests;
MITRE Caldera	MITRE	Automated adversary simulation
VECTR	-	Purple team tracking + metrics
Prelude Operator	-	Modern purple team platform
Infection Monkey	Guardicore	Autonomous lateral movement simulation