By Doug Drinkwater and Kacy Zurkus
July 27, 2017
The military does it. The Government Accountability Office does it. So does the National Security Agency. The concept has made its way into the corporate world, too: war-gaming the security infrastructure.
Red team-blue team exercises take their name from their military antecedents. The idea is simple: One group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it. Originally, the exercises were used by the military to test force-readiness. They have also been used to test physical security of sensitive sites like nuclear facilities and the Department of Energy's National Laboratories and Technology Centers. In the '90s, experts began using red team-blue team exercises to test information security systems.
Companies in any industry can benefit from a red team-blue team exercise by following this advice.
Red teams are external entities brought in to test the effectiveness of a security program. They are hired to emulate the behaviors and techniques of likely attackers to make it as realistic as possible.
For example, this team may try to get into a business building by pretending to be a delivery driver in order to plant a device that gives them easy access from outside (think ports 80, 443 and 53 for HTTP, HTTPS and DNS respectively). They may also try social engineering, phishing, vishing or simply posing as a company employee.
On the other side lies the blue team, the internal security team that is charged with stopping these simulated attacks. A growing number of companies, however, are not using formal blue teams in their exercises. The reasoning is that they get a more realistic picture of their true defensive capabilities by seeing how their security teams react to the simulation without any preparation.
The ultimate aim of such a test is to assess an organization's security maturity as well as its ability to detect and respond to an attack. Such an exercise could take up to three or four weeks, depending on the simulation, the people involved and the attacks being tested.
On the surface, such exercises, carried out by the likes of Fortune 500 companies, governments and even NATO (with its Crossed Swords exercise), have clear benefits. Yet red teaming continues to be confused with pen testing.
“Red teaming is in vogue this year. Every company and their dog all of a sudden are red team experts,” says Daniel Cuthbert, COO of SensePost. “Sadly, our industry thrives on firsts, often snake-oil but sounding sexy and professing to do X when in reality they have no idea what they are doing. Red teaming, as marketed by many a company, is often just penetration testing with a slightly extended scope.”