As Red and Blue teaming is such a large topic, I have decided to split this SQA article into six parts over the next six weeks.
- What is a Red Team
- What is a Blue Team
- Top 5 Red and Blue Team skills
- Which is more important Red or Blue?
- Test, Test, Test again
Test, Test, and Test again
Now that we understand the purpose and skills of the Red and Blue teams, the next step is to train them in much the same way the military trains for an event. We do this by simulating your corporate (or similar) network and testing the skills of the team members against it.
Preferably the Blue team should be tested at least twice a year, if not every quarter. The idea is that the defending team can practise and tune its tradecraft until it becomes almost second nature.
Ideally, you will want the event to run over a period of a couple of days.
The training exercise should be carefully choreographed so the Blue team members get the most out of the training with controlled objectives and story. This should also include some external pressure, such as simulating senior management and regulators, and internal team resource issues.
The aim of the exercise should be a Blue team that stays calm and collected when the incident flag goes up.
The most important part of any cyber exercise is the debrief. It doesn’t matter who won the exercise; the debrief should be about learning how the teams detected the attacks and exploits, and what they could do better next time.
The debrief should be treated almost like a show and tell for both Blue and Red. Blue should explain what was detected and collect any TTPs (tactics, techniques, and procedures) observed, and Red should explain how they infiltrated the systems. The debrief can then be used to identify additional training or further workshops.
Contact SQA on how we can assist your company to develop and build your team’s skills or see how we can test your defensive capability.