What Is a Red Team v. Blue Team Exercise?
A red team v. blue team exercise is a training exercise conducted by an organisation to test its own cybersecurity defenses. The exercise is made up of attackers (the red team) and defenders (the blue team), and cybersecurity protocols, defenses, and responses are tested through a variety of pre-determined scenarios.
These exercises are conducted in a non-production environment and simulate aspects of a real cyber attack. Within this exercise, there will be milestones as well as moments of pause for evaluation where, often, the blue team will have to explain to the white cell (the moderator) what the red team was able to do, why, and how they were stopped.
A red team v. blue team exercise is conducted to:
- Identify vulnerabilities and points of weakness
- Determine where improvements need to be made or prioritised
- Train the cybersecurity team and give them first-hand experience
- Develop new response and remediation processes
- Test new processes, solutions, or employees
What Is a Red Team?
The red team consists of the attackers who are given tasks to move through the security environment and try to defeat various defenses (and the blue team). These teams are highly experienced, and though they can be internal, they are often external and contracted for the exercise.
While the red team often has no information about the environment prior to the exercise, they must be at least somewhat successful for the exercise to run to completion. If the red team is stopped during the first part, that still provides good information and insights, but they will need to move on to the second milestone (or third) for the exercise to continue.
What Is a Blue Team?
The blue team are the defenders. This team is made up of incident responders, consultants, and anyone else who is a point person with “hands on keyboard” when it comes to an organisation’s cybersecurity.
Incident response often involves multiple departments, so many individuals may be on the blue team, depending on the exercise’s parameters. The departments involved in the blue team may include, but are not limited to, the security and IT staff, the legal team, data owners, and decision makers.
What Is a White Cell?
A white cell is a critical part of the exercise and can be thought of as a referee or moderator. They are all-knowing within the exercise, meaning they know everything about the environment and both teams’ actions. In addition, they are the ones who set the parameters for the exercise, direct teams toward specific actions, and help move the exercise along through scenario injections.
The white cell also sets the rules of engagement for both sides: what the red team is attacking and how the blue team may respond, in order to test specific skills and procedures.
What Is a Purple Team?
A purple team is a version of the red team v. blue team exercise where the two teams are communicating with each other to help each other learn and gain insights into both skills and the security environment. In this kind of exercise, the red team may explain how they penetrated a certain part of the environment, and the blue team may try a certain defense maneuver and then ask the red team questions about how that move was received.
While it is up to the organisation whether they want to run this kind of communication-focused exercise or not, having a full de-brief with both teams after the exercise is critical to improving the security environment.
Common Injections During a Red Team v. Blue Team Exercise
As mentioned above, in this kind of exercise the red team needs to make progress and the blue team needs to be tested in multiple ways. For this reason, the white cell will often add injections, or twists, to the scenario to make it more challenging or to test specific aspects of the cybersecurity team.
Common injections include:
- Creating a single point of failure, such as turning off email, to test the chain of command
- Making members of the blue team leave for a portion of the exercise
- Creating time for the red team to work without blue team interference
- Giving the red team access they need to create more lateral movement
How Is Red Team v. Blue Team Different from Other Incident Response Testing?
A red team v. blue team exercise simulates a full cyber attack. There are other kinds of training exercises, such as tabletops, penetration tests, social engineering simulations, and more, but none match a red team v. blue team exercise in scale or depth of analysis.
The Benefits of Conducting a Red Team v. Blue Team Exercise
The biggest benefit of this exercise is to identify gaps or weaknesses within the security architecture before a breach happens. Other benefits include:
- Identifying misconfigurations
- Identifying coverage gaps within security solutions
- Strengthening network security and improving detection time
- Improving chain of command and communication within the security teams
- Building the skills of the security team
- Improving security maturity
- Identifying single points of failure
- Evaluating new procedures, solutions, or skills
When Should an Organisation Conduct a Red Team v. Blue Team Exercise?
The exercise is a heavy lift, so Arctic Wolf recommends doing one every other year. However, having an incident response plan isn’t helpful if it’s never tested, so we recommend supplementing the exercise with others that are less time- and resource-intensive.
In the same way an organisation doesn’t know how their users respond to phishing unless they conduct phishing simulations, incident response plans need to be tested, evaluated, and fine-tuned as security and business goals change.
An organisation could do a tabletop one year, where everyone involved in security runs through a scenario and the responses while sitting at a table, and then do a red team v. blue team exercise the next year.
Exercises That Use Just a Red Team or a Blue Team
There are also instances where an organisation won’t run a full exercise in which a blue team and red team face off, but instead employs just one team to run either offensive or defensive exercises.
Red team exercises include:
- Penetration testing
- Social engineering simulations
- Credential theft
- Other methods following the MITRE ATT&CK framework
Blue team exercises include:
- DNS research
- Reviewing configurations
- Threat hunting
- Checking security perimeters (and their methods)
- Reviewing the chain of command and proper documentation