Here we'll talk a bit about the concept of a Green Team, which in my experience has a somewhat different meaning than the definition above.

My best definition of a Green Team, based on numerous conversations and a good amount of research, is the following:

Green Team, infosec: An offensively-trained and defensively-focused security team dedicated to working with development and infrastructure groups to address issues discovered using offensive security techniques, systemically and at scale across an organization.

Note that this is not a settled definition, as the term is very new and has yet to receive wide adoption. But taking that as a starting point, here's how I break down the most important components:

- The team has an adversarial/offensive security focus, meaning its discovery techniques come from Red Team and/or pentesting mindsets.
- Its mission is fixing things as efficiently as possible, across as much of the organization as possible.

The key difference is what's done with the results.

Using this definition, the primary difference between Green and Red is that Red is focused on improving the Blue Team, meaning the company's ability to detect and respond to the Red Team and to real adversaries. The Green Team, on the other hand, is focused on removing as many of the vulnerabilities and misconfigurations used by the Red Team as possible, and doing so as efficiently as possible across the entire organization. So they're thinking about where the mistakes are being made at an organizational level, and they're going to the source to change behavior. Where the Red Team helps Blue detect and respond, the Green Team uses those same skills to remove footholds for attackers across the company.

Examples of this would include working with the people who build new Linux images, with cloud admins, or with app developers to make sure all of these groups are using secure defaults, disabling older protocols, enabling logging, and doing anything else that reduces attack surface and removes footholds for attackers. It's about shifting fixes as far left as possible.

Additionally, both Red and Green could be broken into two phases: 1) discovery, and 2) follow-up. Both use the attacker mindset and highly manual techniques to find the things automated scanners miss, so discovery can potentially be unified across the two teams.

This makes it possible to unify offensive discovery to some degree, or in some situations, and then break off into the separate follow-up phases after issues are found. With Green, you first find issues and then go to the various groups and work to address them at the most fundamental levels (build and configuration) within the organization. With Red, you first find issues by running your campaigns, and then you share that information with the Blue Team.
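To make the "secure defaults, disable older protocols, enable logging" follow-up concrete, here is the kind of build-time baseline check a Green Team might hand to the people who build Linux images, so the fix lands in the image rather than in a ticket per host. This is an added example written for this page, not code from the original post or from any particular team; the baseline values, the subset of legacy algorithms, and both sshd_config samples are constructed assumptions for illustration, not an OpenSSH or vendor standard.

```python
"""Audit the global section of an OpenSSH sshd_config against a constructed baseline.

Three classes of issue the text names: insecure defaults (including defaults that
apply because a keyword is absent), legacy protocols/algorithms, and weak logging.
"""
import re
from typing import Dict, List, Tuple

# Assumed baseline for this example, not an OpenSSH or CIS standard.
ALLOWED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "loglevel": {"info", "verbose"},
    "x11forwarding": {"no"},
}

# What sshd assumes when the keyword is absent (OpenSSH 7.x+ defaults, approximate).
# An omitted keyword has to be judged against its default, not treated as fine.
IMPLICIT = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "loglevel": "info",
    "x11forwarding": "no",
}

# Legacy algorithms that should not appear in list-valued keywords (constructed subset).
LEGACY = {
    "ciphers": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "umac-64@openssh.com"},
}

Finding = Tuple[str, str, str]  # (keyword, observed value, why it fails)


def parse_global(config: str) -> Dict[str, str]:
    """Return the global-section keywords of an sshd_config, lower-cased.

    Parsing stops at the first Match block: those settings are conditional, so a
    permissive global value must not be hidden by a stricter Match. As in sshd,
    the first occurrence of a keyword wins.
    """
    settings: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(config: str) -> List[Finding]:
    """Evaluate the global section against the baseline and return every deviation."""
    settings = parse_global(config)
    findings: List[Finding] = []

    # Legacy protocol version: modern sshd ignores or rejects this keyword, but old
    # golden images still carry "Protocol 2,1"; any list containing 1 is a finding.
    proto = settings.get("protocol")
    if proto is not None and "1" in {p.strip() for p in proto.split(",")}:
        findings.append(("protocol", proto, "SSH protocol 1 enabled"))

    for key, allowed in ALLOWED.items():
        observed = settings.get(key, IMPLICIT[key])
        if observed.lower() not in allowed:
            why = "insecure value" if key in settings else "insecure implicit default (keyword absent)"
            findings.append((key, observed, why))

    for key, bad in LEGACY.items():
        if key in settings:
            present = {a.strip().lower() for a in settings[key].split(",")}
            for alg in sorted(present & bad):
                findings.append((key, alg, "legacy algorithm"))
    return findings


# Constructed sample: the kind of sshd_config found in an old base image.
WEAK_SSHD_CONFIG = """\
# Legacy image sshd_config (constructed for this example)
Protocol 2,1
PermitRootLogin yes
# PasswordAuthentication is omitted, so sshd's default of "yes" applies
Ciphers aes256-ctr,3des-cbc
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
LogLevel QUIET
"""

# Constructed sample: the same file after the image builders apply the baseline.
HARDENED_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
LogLevel VERBOSE
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for key, value, why in results:
            print(f"  {key}: {value!r} ({why})")
```

The point of the implicit-default table is the Green Team habit of asking what the platform does when nobody set anything: the weak sample never mentions PasswordAuthentication, yet it still fails because sshd's default is yes. Run as a step in the image build, a non-empty finding list should fail the build, so the fix is made once at the source rather than on every host the Red Team later lands on.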