Red Team Versus Blue Team: How to Run an Effective Simulation

Playing the role of an attacker can make your team better at defense. Our step-by-step guide to war gaming your security infrastructure--from involving the right people to weighing a hypothetical vs. live event.

By Robin Mejia

This is one of the easiest ways to identify security vulnerabilities, and it also helps with an issue that is key to any successful red team-blue team exercise: buy-in. Yes, it's one of the most overused phrases in a consultant's vocabulary, but the approval of management and employees is essential when testing information security systems.

The goal of a red team-blue team exercise is not just to identify holes in security, but to train security personnel and management. If not everyone agrees on the value of the exercise, it can quickly devolve into defensive posturing and wasted time. After all, you may be asking higher-ups for the time and budget required to fix flaws the exercise discovers.

An initial assessment may identify changes that need to be made. Then, it's time to get started.

Attack the Whiteboard

The simplest version of a red team-blue team exercise requires little more than a conference table. Divide your security staff into teams, and spend an afternoon talking through possible attack-defend scenarios. The key element for success is a red team that can get into the mind-set of an attacker.

"Red-teaming is a thought process," explains Tom Anderson of INL. "The problem with having the people who built [the security system] do it is they have an interest in protecting it." To combat self-interest and homogeneity, Anderson and Assante create diversified teams where experts from INL work alongside staff from the company they're assisting.

That's not to say you can't do it on your own, but it's important to at least try to think like an outsider. "A lot of times when we develop security systems, it's to keep the honest person honest," explains Assante. An attacker will disregard more than rules; he or she will disregard the company's norms. Consider who your attackers may be. Power plants may be targeted by terrorists. Banks by criminals. Anyone by a disgruntled ex-employee. It can take time and effort to step back and view the system like an outsider, or even an insider who intends to harm.

One of the values of a tabletop exercise is that it lets players consider the system as a whole. Most companies that don't house nuclear materials are unlikely to engage in full-scale physical exercises with armed forces storming their building, but it's important to consider physical security when developing whiteboard attacks.

"Physical systems have to protect the cybersystems, and the cybersystems have to protect the physical systems," says Ray Parks, leader of the Sandia Red Team. "The first thing the guys designing physical security systems say to me is usually, 'The backbone of our security is a gigabit Ethernet.'" Knock that out (by cyber or physical attack) and suddenly the physical access control system is out of commission.
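The dependency loop Parks describes is exactly what a whiteboard session should map out: which components each control relies on, and which of those an attacker can reach through the other domain. The script below is an added example, not code from the article, INL or Sandia. It takes a constructed dependency map (every component name and dependency in it is invented for illustration), and for a chosen target lists the single components whose loss takes it offline, the minimal pairs that do so when no single one does, and the subset reachable through the other domain, such as cyber knockouts that disable a physical control.

```python
"""Whiteboard helper: which knockouts take a target system offline?

Added example, not from the article. Each component lists what it needs to
keep running as a list of alternative groups: the component is down when,
for ANY group, ALL alternatives in that group are down. A one-member group
is a hard dependency; a two-member group is a redundant pair. The map below
is constructed for illustration only.
"""
from itertools import combinations

# name: (domain an attacker must use to knock it out directly, needs)
COMPONENTS = {
    "mains_power":           ("physical", []),
    "generator":             ("physical", []),
    "ups":                   ("physical", [["mains_power", "generator"]]),  # either feed
    "core_switch":           ("cyber",    [["ups"]]),
    "backbone_ethernet":     ("cyber",    [["core_switch"]]),
    "access_control_server": ("cyber",    [["backbone_ethernet"], ["ups"]]),
    "door_controllers":      ("cyber",    [["access_control_server"], ["backbone_ethernet"]]),
    "badge_readers":         ("physical", [["door_controllers"]]),
    "cctv":                  ("cyber",    [["backbone_ethernet"], ["ups"]]),
    "patrol":                ("physical", []),
    "guard_desk":            ("physical", [["cctv", "patrol"]]),  # sees via either
}


def down_after(knocked_out, components=COMPONENTS):
    """Return every component that is down once `knocked_out` are down.

    Iterates to a fixed point, so cycles in the map are handled.
    """
    down = set(knocked_out)
    changed = True
    while changed:
        changed = False
        for name, (_, groups) in components.items():
            if name in down:
                continue
            if any(all(alt in down for alt in group) for group in groups):
                down.add(name)
                changed = True
    return down


def single_points_of_failure(target, components=COMPONENTS):
    """Components whose loss alone takes `target` down."""
    return sorted(
        name for name in components
        if name != target and target in down_after({name}, components)
    )


def minimal_pairs(target, components=COMPONENTS):
    """Pairs that take `target` down although neither member does alone."""
    spofs = set(single_points_of_failure(target, components))
    others = [n for n in sorted(components) if n != target and n not in spofs]
    return [
        pair for pair in combinations(others, 2)
        if target in down_after(set(pair), components)
    ]


def cross_domain_paths(target, components=COMPONENTS):
    """Single points of failure an attacker reaches through the other domain:
    cyber knockouts that disable a physical control, or vice versa."""
    domain = components[target][0]
    return [
        name for name in single_points_of_failure(target, components)
        if components[name][0] != domain
    ]


def report(target, components=COMPONENTS):
    """Everything the whiteboard needs to know about one target, as a dict."""
    return {
        "target": target,
        "domain": components[target][0],
        "single_points_of_failure": single_points_of_failure(target, components),
        "minimal_pairs": minimal_pairs(target, components),
        "cross_domain": cross_domain_paths(target, components),
    }


if __name__ == "__main__":
    for target in ("badge_readers", "guard_desk"):
        r = report(target)
        print(f"{r['target']} ({r['domain']})")
        print("  single points of failure:", ", ".join(r["single_points_of_failure"]))
        print("  reached via the other domain:", ", ".join(r["cross_domain"]))
        print("  minimal pairs:", r["minimal_pairs"])
```

Run against the constructed map, the badge readers (a physical control) turn out to have four cyber single points of failure, the core switch among them, which is Parks's gigabit-Ethernet point in table form; the only way to take them out with two physical hits is mains plus generator, because the UPS is modeled as fed by either. The guard desk has no single point of failure at all, since it falls back to patrols when CCTV is lost. Replacing the map with your own components is the whole exercise; the value is in arguing over what really depends on what.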
