Red team versus blue team: How to run an effective simulation

Playing the role of an attacker can make your team better at defense. Learn how in our step-by-step guide to war gaming your security infrastructure — from involving the right people to weighing a hypothetical vs. live event.


The military does it. The Government Accountability Office does it. So does the National Security Agency. The concept has made its way into the corporate world, too: war-gaming the security infrastructure.

Red team-blue team exercises take their name from their military antecedents. The idea is simple: One group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it. Originally, the exercises were used by the military to test force-readiness. They have also been used to test physical security of sensitive sites like nuclear facilities and the Department of Energy's National Laboratories and Technology Centers. In the '90s, experts began using red team-blue team exercises to test information security systems.

Companies in any industry can benefit from a red team-blue team exercise by following this advice.

The basics

Red teams are external entities brought in to test the effectiveness of a security program. They are hired to emulate the behaviors and techniques of likely attackers, which makes the exercise as realistic as possible.

For example, this team may try to get into a business building by pretending to be a delivery driver in order to plant a device that gives easy outside access over ports the firewall normally allows out (think 80, 443 and 53 for HTTP, HTTPS and DNS respectively). They may also try social engineering, phishing, vishing or simply posing as a company employee.
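A blue team that wants to catch a planted device of the kind described above usually starts from egress telemetry: a rogue host tends to be absent from the asset inventory, and its callbacks over 80, 443 or 53 tend to be regular. The following is an added example, not code from the article or from any named vendor; it runs over a constructed set of flow records and a hypothetical asset inventory (`KNOWN_ASSETS`, `WATCH_PORTS` are assumptions) and reports hosts that beacon to one destination at a steady interval, marking whether the source is an unknown asset.

```python
"""Beaconing and unknown-asset check over constructed outbound flow records.

Added illustration for the article's "planted device on port 80/443/53" scenario;
the log format, inventory and thresholds below are assumptions, not a real product.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src> <dst> <dst_port>", one outbound flow per line.
# 10.0.0.5 calls the same external host every 60 s; 10.0.0.20 browses irregularly.
SAMPLE_FLOWS = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.10 443
2024-05-01T09:01:00 10.0.0.5 203.0.113.10 443
2024-05-01T09:02:00 10.0.0.5 203.0.113.10 443
2024-05-01T09:03:00 10.0.0.5 203.0.113.10 443
2024-05-01T09:04:00 10.0.0.5 203.0.113.10 443
2024-05-01T09:00:12 10.0.0.20 198.51.100.7 443
2024-05-01T09:00:15 10.0.0.20 198.51.100.8 80
2024-05-01T09:07:41 10.0.0.20 198.51.100.7 443
2024-05-01T09:21:03 10.0.0.20 198.51.100.9 53
2024-05-01T09:21:04 10.0.0.20 198.51.100.7 443
"""

# Hypothetical asset inventory for this network segment (assumption).
KNOWN_ASSETS = {"10.0.0.20", "10.0.0.21"}
# Egress ports the article names as typically allowed out.
WATCH_PORTS = {53, 80, 443}


def parse_flows(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def unknown_sources(flows):
    """Hosts that send traffic but are not in the inventory: candidates for a planted device."""
    return {src for _, src, _, _ in flows if src not in KNOWN_ASSETS}


def find_beacons(flows, min_count=4, max_cv=0.1):
    """Group flows by (src, dst, port) on the watched ports and report groups with at
    least min_count connections whose inter-arrival times are regular, i.e. whose
    coefficient of variation (stdev / mean of the gaps) is at most max_cv."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in WATCH_PORTS:
            groups[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps carry no interval information
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "count": len(times),
                "interval_s": avg,
                "unknown_asset": src not in KNOWN_ASSETS,
            })
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unknown sources:", unknown_sources(flows))
    for f in find_beacons(flows):
        print(f)
```

The two checks are deliberately independent: a red team can hide a device behind a spoofed inventory entry, and a legitimate agent can beacon at a fixed interval, but a host that trips both at once is worth a ticket during the exercise. Tune `min_count` and `max_cv` against a baseline of normal traffic before relying on the regularity test, since short-interval beacons with added jitter will raise the coefficient of variation.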

On the other side lies the blue team, the internal security team that is charged with stopping these simulated attacks. A growing number of companies, however, are not using formal blue teams in their exercises. The idea is that they get a more realistic idea of their true defensive capabilities by seeing how their security teams react to the simulation without prepping.

The ultimate aim of such a test is to assess an organization's security maturity as well as its ability to detect and respond to an attack. Such an exercise could take up to three or four weeks depending on the simulation, the people involved and the attacks being tested.
