How To

Red Team, Blue Team: How to Run an Effective Simulation

Playing the role of an attacker can make your team better at defense. Our step-by-step guide to war gaming your security infrastructure--from involving the right people to weighing a hypothetical vs. a live event.

By Robin Mejia

March 25, 2008

The military does it. The Government Accountability Office does it. So does the NSA. And the concept is making its way into the corporate world, too: war gaming the security infrastructure.

Red team-blue team exercises take their name from their military antecedents. The idea is simple: One group of security pros--a red team--attacks something, and an opposing group--the blue team--defends it. Originally, the exercises were used by the military to test force-readiness. They have also been used to test physical security of sensitive sites like nuclear facilities and the Department of Energy's National Laboratories and Technology Centers. In the '90s, experts began using red team-blue team exercises to test information security systems.

"Really, this is a capability and expertise that developed naturally here out of the Lab's mission as one of the national nuclear security agency laboratories," says John Clem, Information Design Assurance Red Team program manager at the DoE's Sandia National Laboratory. Sandia experts helped advise the President's Commission on Critical Infrastructure Protection in the 1990s, which led to the group's current focus on information security. Clem's team has "red-teamed" Sandia's infrastructure and worked with other federal agencies, and, as part of the Lab's infrastructure protection mission, the team works with private-sector companies as well. Clem notes the commonly held view that 85 percent of the U.S.'s critical infrastructure is owned by private enterprises. Such companies keep oil refineries, nuclear power plants and telecommunications providers up and running safely. Researchers at Idaho National Laboratory offer a service similar to Sandia's, sometimes building model test beds to mimic a company's network.

However, companies in any industry can benefit from a red team-blue team exercise. SANS hosted a cyberwarfare event at its 2007 Las Vegas trainings in which a red team attacked a fake company it called GIAC Enterprises, supposedly the world's largest provider of fortunes for fortune cookies. In February of this year, eBay ran a red-team exercise with various CISO and vendor invitees. For those who missed the fortune cookie attack or eBay's confab, we've collected tips on how to get the most out of your own infosecurity red team-blue team simulation.

Get the Right People to Your Kickoff Meeting

"I start by getting the admin and security people in the same room," says Michael Assante, an infrastructure protection strategist at Idaho National Laboratory (INL). "I have the security team do a thorough analysis of what we have in place."

This is one of the easiest ways to identify security vulnerabilities, and it also helps with an issue that is key to any successful red team-blue team exercise: buy-in. Yes, it's one of the most overused phrases in a consultant's vocabulary, but the approval of management and employees is essential when testing information security systems.
