Are Red Teamers bad at defense or is it just me?

TheJanitor

I’m probably going to take some punches for this, but this seems to be my experience.

I’ve hired lots of Red Teamers, even ones with PhDs and the common thing I find with them is that they suck at writing secure code and Blue Teaming.

They generally understand things like how an exploit works and what the consequences are, and they can provide examples of how they may be mitigated within their reports, however, they can’t write code for shit.

I may be biased because I am a Blue Teamer - but I find that lots of Blue Teamers call themselves “Purple”. In reality, because in order to defend against an attack you need to understand how it works so that enables you to do Red Team tasks, but it doesn’t work the other way around. You don’t need to know whether or how to increase or decrease the strength of a window in order to smash it with a rock.

I’ve seen Red Teamers writing code that they thought was amazing, that if someone else wrote in exactly same way, they’d be able to crack it in a few seconds, but I’ve never seen a Red Teamer who could defend. I’ve only seen Blue Teamers who could attack.

Am I on my own here?

phenomlab

TheJanitor I’ve hired lots of Red Teamers, even ones with PhDs and the common thing I find with them is that they suck at writing secure code and Blue Teaming.

This is a brilliant post, and one I can relate to almost instantly. I too class myself as purple, sitting on both sides of the fence - you can’t realistically survive in today’s security landscape without understanding how an exploit is executed as well as understanding how to prevent it in the first place. I almost think that Red Teamers with the “capture the flag” mandate almost have something to prove - with brute force if necessary. I’ve also seen some so called Red Teamers who passed the OSCP, yet couldn’t hack their way out of a brown paper bag.

Dave_Howe

Difficult to tell. This is asymmetric warfare; while knowledge of defense helps a little for evasion, it doesn’t help much for an aggressive Red Teamer (while a “slow and steady” Red Teamer is likely to know more about the defenses he is trying to avoid than the defender does)
The real issue is that a Red Teamer who is aggressive, has a bunch of 0days he can script for (or get his team’s script guru to script for) and is “noisy” in your environment, can often find that chink in your armour as fast (if not faster) than the patient, defense-evading “APT” who even months after the fact you would struggle to find anywhere in your logfiles. As the defenders, we can’t afford to have a single chink exposed, while as an attacker, you need find only one.