As RED and BLUE teaming is such a vast subject, we will be splitting this topic into a six-part series.
Now we understand the reason and skills of the ‘Red’ and ‘Blue’ teams, the next step would be to train them in a similar fashion to how the military would train for an event. We do this by simulating your corporate or similar network and testing the skills of the team members.
Preferably the Blue teams should be tested at least twice a year, if not every quarter. The idea is that the defending teams can practice and tune their trade skill or craft, so it is almost second nature.
Ideally, you will want the event to be run over a time period such as a couple of days. The training exercise should be carefully choreographed so The Blue Team members get the most out of the training with controlled objectives and story. This should also include some external pressure, such as simulating senior management and regulators, and internal team resource issues.
The exercise aim should be a calm and collected Blue team when the incident flag goes up. The most important part of any cyber exercise is de-brief. It doesn’t matter who won the exercise, it should be about learning how the teams detect attacks, exploits and what they could learn from next time.
The de-brief should be treated almost like a show and tell for both Blue and Red. Blue should explain what was detected and collect any TTP’s (tactics, techniques, and procedures) and Red should explain how they infiltrated the systems. The de-brief can be used to identify additional training or further workshops.
To read our other InfoSec articles please follow the link below.
Contact us at SQA Consulting to find out how we can assist you in the development and build of your team’s skills, and in the testing of your cybersecurity capability.
