How To
Red Team Versus Blue Team: How to Run an Effective Simulation
Playing the role of an attacker can make your team better at defense. Our step-by-step guide to war-gaming your security infrastructure--from involving the right people to weighing a hypothetical vs. a live event.
By Robin Mejia
The conference room exercise is especially important for companies that have never attempted a red team-blue team exercise before. "Just by doing a tabletop exercise, you can learn a lot about your risk," says Assante.
And, strange as it sounds, keeping things hypothetical provides a learning opportunity that an actual cyberattack by high-end pros may not. In a recent paper, Greg B. White, the director of the Center for Infrastructure Assurance and Security, called red-team attacks on truly unprepared targets "roughly equivalent to army recruits attempting to defend an installation from a group of elite paramilitary forces. Ultimately, the recruits would learn they weren't ready, but the exercise wouldn't provide any training to make them ready."
A tabletop exercise provides the opportunity to reflect on and assess response options as well as attacks, and then to think through what a possible breach would actually mean for the business.
"What is the top end consequence?" says Assante. "A $10 million loss? Regulatory risk? Is the safety of employees at risk? Or customers?"
Red-Team the Network
Once you've fixed the holes your whiteboard exercises identified, a live attack-and-defend exercise can provide a whole new level of insight, but it's not an activity to be taken on lightly. Some vulnerabilities can be demonstrated safely on a live corporate network, but launching a real attack against your production systems is unwise.
"Certain kinds of systems should almost never be subjected to live penetration testing," notes Clem. When he works with companies that rely on SCADA (Supervisory Control and Data Acquisition) systems to keep plants up and running--common in industries such as power generation and oil and gas refineries--Clem works on test networks not connected to the company's process controls.
Assante says that at Idaho National Labs, his team has built client-specific test beds that mimic the company's real network in order to offer what he calls "facilitated immersive training." Some of the network and security staff try to defend the network while others join Assante's red-team colleagues in attacking it.
"This gives the blue team, the defenders, confidence," says Assante. "It's also very useful to the red team. You see vulnerabilities in a whole new light. And they bring that training back" to their coworkers.
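One concrete way to enforce the rule above, that live attacks stay on the test bed and never reach production or process-control networks, is a scope gate that every target list must pass before a red-team tool is launched. The Python below is an added example for this page, not code from the article or from the people quoted in it. The ranges in LAB_SCOPE and NEVER_TOUCH are constructed placeholders standing in for the mirrored test bed and for the production and SCADA segments; substitute the ranges from your own rules of engagement. Exclusions take precedence over inclusions, so a target CIDR that merely overlaps an excluded range is refused, and bare hostnames are refused until they have been resolved and checked as addresses.

```python
import ipaddress

# Constructed placeholder ranges (assumptions for this example, not from the article).
LAB_SCOPE = ["10.200.0.0/16"]                     # isolated test bed that mimics production
NEVER_TOUCH = [
    "10.10.0.0/16",                               # production corporate LAN
    "192.168.50.0/24",                            # SCADA / process-control segment
    "10.200.99.0/24",                             # a jump segment inside the lab that bridges to the plant
]


def check_scope(targets, in_scope=LAB_SCOPE, excluded=NEVER_TOUCH):
    """Split targets into (allowed, rejected).

    allowed  : list of normalized CIDR strings that are fully inside an in-scope range
               and do not touch any excluded range
    rejected : dict mapping the raw target string to the reason it was refused

    Exclusions win: any overlap with an excluded range (even partial) rejects the target.
    """
    in_nets = [ipaddress.ip_network(n) for n in in_scope]
    ex_nets = [ipaddress.ip_network(n) for n in excluded]
    allowed, rejected = [], {}

    for raw in targets:
        # Hostnames are refused on purpose: resolve them first, then check the addresses,
        # otherwise a DNS change could silently redirect the tool at a production host.
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected[raw] = "not an IP address or CIDR; resolve hostnames and check the addresses"
            continue

        # ip_network.overlaps() is False across IP versions, but subnet_of() raises,
        # so both checks are restricted to networks of the same version.
        hits = [str(ex) for ex in ex_nets if ex.version == net.version and net.overlaps(ex)]
        if hits:
            rejected[raw] = "overlaps excluded range " + ", ".join(hits)
            continue

        if not any(net.subnet_of(inn) for inn in in_nets if inn.version == net.version):
            rejected[raw] = "outside the agreed test-bed scope"
            continue

        allowed.append(str(net))

    return allowed, rejected


def require_clean_scope(targets, in_scope=LAB_SCOPE, excluded=NEVER_TOUCH):
    """Gate for a tool launcher: return the allowed list, or refuse the whole run
    if anything was rejected, so a partly bad target file never runs partially."""
    allowed, rejected = check_scope(targets, in_scope, excluded)
    if rejected:
        details = "; ".join(f"{t}: {why}" for t, why in rejected.items())
        raise ValueError("scope check failed, nothing launched: " + details)
    return allowed


if __name__ == "__main__":
    # Constructed sample target file contents.
    sample = ["10.200.5.17", "10.200.99.4", "10.200.0.0/16",
              "192.168.50.10", "10.10.3.3", "172.16.0.5", "scada-hmi-01"]
    ok, bad = check_scope(sample)
    print("allowed:", ok)
    for target, reason in bad.items():
        print(f"rejected {target}: {reason}")
```

Run the gate inside whatever wrapper starts your scanning or exploitation tooling, and keep the NEVER_TOUCH list under the same change control as the rules of engagement: a test bed that is later bridged to the plant, as the constructed 10.200.99.0/24 segment illustrates, must be reflected in the exclusions before the next exercise, not after.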
Giovanni Vigna is an associate professor in the computer security group at UC Santa Barbara's department of computer science. The majority of his students go to work for startups or as security consultants. At the end of the fall semester each year, for his class final, Vigna stages a Capture the Flag competition, a sophisticated red team-blue team exercise in which every team both attacks and defends. It's such a popular event that he's expanded the competition to other universities; last December, 36 teams from universities on four continents participated.