Watching Red and Blue cyber teams go up against each other continues to be one of the most fascinating aspects of cyber operations. While the scope of duties, responsibilities, and capabilities these teams represent is relatively consistent across organizations, the way individual teams implement tactics and responses can vary widely. Over the last six months, I've been fortunate to observe a few large-scale cyber range exercises involving significant enterprises, some with multiple teams engaging against each other using common external attackers (both automated and live Red teams). The key to “winning” these exercises is how successful teams prepare for the battlefield.

For most Blue teams, their only chance to “practice” is in day-to-day operations where the grind of investigating alerts, tuning tools, and executing processes can wear on people. Actual incidents that impact business operations are few and far between. Threat intelligence, tool updates, and investigations are exciting yet can still feel routine. The reality for many operations centers is that few teams face sophisticated attacks. This means teams are left wondering about their ability to identify, investigate, and react to a significant attack by a determined foe. Some people come to cyber security thinking that they will fight nation-state actors and sophisticated criminals daily — which isn’t the case.

As cyber ranges have become more sophisticated, they have become a critical tool for operational teams to practice safely outside production environments. How would our team react, in our environment, with our technology and security stack, to a realistic replication of the OilRig, Lazarus, and Chimera scenarios? Operators can’t test these scenarios in production. But, on a cyber range, the team can test against one or more of these scenarios and other new scenarios created by a Red team.

Two observations from team-on-team events over the past six months have stood out. Importantly, their lessons apply equally to day-to-day operations within any security operations center.

Typically, these team-on-team events consist of Red and Blue team members, usually 8–12 players for each team. Teams might represent a country, a government agency, or another organization. During preparation, an operating environment is established, along with a tool stack and rules of engagement. Teams are given some preparation time to familiarize themselves with the range, range operations, and tool stack. Essentially, they are given a chance to prepare for the day of the exercise. To be fair, these events often set a level playing field with the same tool stack and cyber terrain for each team. During the preparation time (usually a managed period), each team sets up its terrain for the big event.

During one event, Team Gamma spent a lot of time early on anticipating attacker behaviors and making configuration changes to prevent attacker success and to frustrate expected attempts to gain access, live off the land, and move laterally within the range environment. This effort applied MITRE ATT&CK Tactics and Techniques to their defensive plan and the environment's configuration. The configuration work was carried out at multiple levels: the operating systems of individual machines in the range, the endpoint and network detection systems, the firewalls, and the rules and pre-planned actions built in the log analysis tools to respond to detection events. By putting the whole system to work for them, Team Gamma could generate a significant payoff on game day. The outcome was especially interesting because, on game day, some of Team Gamma’s participants didn’t show up. Without enough team members, Gamma was eliminated from the competition and had no actual players during the event. However, their part of the range was still there to be attacked by others. Team Gamma racked up defensive points for the first 90 minutes of the event and held second place at that point. But with no attack points and no additional defensive changes, Gamma eventually lost.

The lesson from Team Gamma, and one that cybersecurity professionals have been pointing out for some time, is that defense, the fundamental blocking and tackling, plays a significant role in helping companies manage risk. Using tools like a cyber range and ATT&CK, and anticipating adversary tactics, sets companies up for success with improved detection and response, supporting the resilience of the enterprise.

During another event, Team Cuatro took advantage of the preparation period to go one step further than Gamma. Team Cuatro used some of their prep time to have their Red team review and consider their defensive posture. Their preparation had multiple beneficial effects. This Red teaming work helped with anticipating how to detect and defend against likely (and unlikely) attacks, and it gave Cuatro’s Blue team an additional perspective on their defenses. The defenses and resulting discussion also helped Cuatro’s Red team prepare their attacks against the other teams for that event. When game day started, Cuatro’s Blue team was ready for the most likely attacks, and Cuatro’s Red team skipped trying obvious attacks and went straight for more advantageous efforts. Scoring the game showed that Cuatro took an early lead and grew a significant gap between themselves and the second-place team throughout the event.

These cyber range games are essential for multiple reasons. As we’ve shown, they highlight that Blue teams have, and can maintain, a significant advantage against most adversaries on the prepared battlefield. These defensive advantages pay off in better-managed cyber risk for the enterprise over the days, weeks, and months of sustained business operations. Cyber ranges also engage operations personnel. In positions where processes can feel repetitive, under-appreciated, and frustrating, cyber ranges and games offer both a change of pace and the opportunity to see the value of the work people are doing. Range games also help identify how capabilities will work during real events and identify addressable gaps.

Blog by Lee Rossey
Lee Rossey co-founded SimSpace in 2015 and is currently its CTO. Prior to joining SimSpace, he served as the Group Leader for the Cyber System Assessment Group at MIT Lincoln Laboratory, during which time he led the establishment and growth of the group to become a nationally recognized center of excellence. The Cyber System Assessment Group earned a reputation for technical excellence in cyber range development, cyber test and evaluation, cyber red-teaming and cyber exploitation.