The Five Essential Elements of Impactful Red vs. Blue Exercises
Experience is vital when preparing to battle cybersecurity threats, but is it possible to gain experience and avoid the pain that usually comes with it? In a word, yes. Red vs. Blue events (RvBs) enable cybersecurity individuals and teams to practice responding to actual attacks in a safe and isolated simulated network. These events provide highly impactful learning experiences where SOC leads and team members can apply their cybersecurity skills, enhance trust and collaboration between teams, while testing and refining incident response processes. With RvB training, organizations can improve their defenses without the pain of actual data loss or downtime.
To host an RvB that has major impact on your security organization, you need five elements:
Cyber ranges provide an isolated, realistic simulation of your environment so you can conduct live-fire training without the risk of interrupting business or impacting production systems and networks. These ranges can vary in size and fidelity from a couple dozen machines to thousands, depending on your organization’s needs. Modern vendors provide pre-built industry-specific networks, along with a vast library of endpoints, servers, network elements, applications and security tools so users can accurately replicate their production setups.
For example, a financial institution might want a range that represents internal teller terminals, ATMs, payment processing or SWIFT transactions, as well as internal working groups like a loan department, trading desks, HR and more. By building a range whose topology best represents their industry, red and blue teamers can see the broad impact of an attack and use their real tools to defend against it.
Unlike traditional breach and attack simulation (BAS) platforms, which run attacks against production systems, a cyber range offers a risk-free environment with the level of realism and accuracy needed to accomplish the goals of the RvB event.
In most cases, the blue team is you! Bring some or all of your team and you’re all set on the blue team front. For an effective RvB event, you’ll want to include members of your organization who are likely to work together in a real incident and ensure that they understand the tools for logging, threat hunting, ticket triage and remediation processes.
To maximize learning and gain insights into team readiness, we recommend choosing a platform that gives defenders the tools they use in production and records their activity during the event. If teams aren’t going to be practicing on what they would otherwise have “back at the office,” the experience won’t have the same impact.
RvB events draw attacker activity from one or both of two common sources: live attackers and simulated attack scenarios. Some organizations have their own internal red team eager to give their blue team a challenge. The vendor providing the cyber range, or a third-party organization, may also offer a red team as a service.
More sophisticated cyber ranges can deliver a selection of automated attack scenarios that recreate methods used by real threat actors. These automated scenarios are built on real threat intelligence and include the known tactics, techniques and procedures (TTPs) of advanced persistent threat (APT) actors or emerging threats. Simulated attacks let you conveniently test your team’s defenses and the efficacy of your security stack without scheduling a live red team.
Of course, the best RvB events use a combination of both, so blue teams have more opportunities to adjust their responses and defend against the intrusions.
The value of an RvB event lies not only in the immediate practice of the simulation but in an organization’s ability to see how well it performed and learn from the experience. Assessing the defenders, the attackers and the security stack itself provides valuable insights that help validate the maturity of a security operation and reveal areas that need further improvement. Attacks and defender activity are mapped to frameworks like MITRE ATT&CK®, as well as to event objectives and scoring criteria. RvB events can be assessed automatically by a platform or by a live team provided by the vendor or the participating organization.
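As an added illustration of the assessment step (example code, not SimSpace's platform or output), the script below joins a constructed red-team action log to the blue team's detections by ATT&CK technique and host, then computes detection coverage, time-to-detect and whether each scoring objective was met. The technique IDs are real ATT&CK IDs; the timestamps, hostnames and objective time budgets are made up for the example.

```python
from datetime import datetime

# Constructed sample data (not from any real event).
# Red-team actions as recorded by the range, tagged with ATT&CK technique IDs.
RED_ACTIONS = [
    {"time": "2024-01-10T09:00:00", "technique": "T1078", "host": "wks-12"},  # Valid Accounts
    {"time": "2024-01-10T09:12:00", "technique": "T1059", "host": "wks-12"},  # Command and Scripting Interpreter
    {"time": "2024-01-10T09:40:00", "technique": "T1021", "host": "fs-01"},   # Remote Services
    {"time": "2024-01-10T10:05:00", "technique": "T1048", "host": "fs-01"},   # Exfiltration Over Alternative Protocol
]
# Blue-team detections: tickets the defenders opened, tagged with the technique they believe they saw.
BLUE_DETECTIONS = [
    {"time": "2024-01-10T09:20:00", "technique": "T1059", "host": "wks-12"},
    {"time": "2024-01-10T10:30:00", "technique": "T1021", "host": "fs-01"},
]
# Event objectives: techniques the blue team is expected to catch within a time budget (minutes).
OBJECTIVES = {"T1059": 15, "T1021": 30, "T1048": 20}


def _ts(s):
    return datetime.fromisoformat(s)


def score_event(red, blue, objectives):
    """Per technique: was it detected, time-to-detect in minutes, and was the objective met."""
    results = {}
    for action in red:
        tid = action["technique"]
        # Earliest detection of the same technique on the same host, at or after the red action.
        matches = [_ts(d["time"]) for d in blue
                   if d["technique"] == tid and d["host"] == action["host"]
                   and _ts(d["time"]) >= _ts(action["time"])]
        ttd = (min(matches) - _ts(action["time"])).total_seconds() / 60 if matches else None
        budget = objectives.get(tid)
        results[tid] = {
            "detected": ttd is not None,
            "ttd_min": ttd,
            "objective_met": budget is not None and ttd is not None and ttd <= budget,
        }
    return results


def summary(results):
    """Overall coverage (fraction of red techniques detected) and objectives met."""
    detected = sum(1 for r in results.values() if r["detected"])
    met = sum(1 for r in results.values() if r["objective_met"])
    return {"coverage": detected / len(results), "objectives_met": met}
```

In the sample, the lateral movement (T1021) is detected but outside its time budget, and the exfiltration (T1048) is missed entirely, which is exactly the kind of gap the after-action review should surface.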
Lastly, it’s critical to simulate user behavior within the range. This provides background activity for attackers to hide behind, which increases the realism of the event. The most sophisticated RvB setups let emulated users interact with the attacks, representing the human element often found at various stages of the attack life cycle, including insider threat activity.
Some range event providers offer this by hiring temporary staff to sit at terminals and generate realistic activity, which raises the cost of a realistic event. High-fidelity ranges provide built-in emulated activity that behaves as if someone were checking their mail, browsing the web or performing a variety of other tasks that could either mask attacker activity or serve as a vector for initial compromise.
Since our inception, SimSpace has worked with organizations to prepare their red and blue teams through advanced attack scenarios and live-fire events. SimSpace works with organizations to practice responding to the latest threats as a team, from SOC analysts to the CISO.
Our platform offers on-demand high-fidelity ranges with extensive customization options, sophisticated automated attacks, automated event analytics and realistic emulated user activity. With SimSpace, you can easily run an RvB event on your own or work with our expert professional services team to maximize program improvements.
Ready to learn more about how SimSpace can help your security team defend against advanced cyber threats? Click here to schedule a demo.