In the arsenal of cybersecurity defenses is the exercise that goes by the name of red team/blue team simulated attack. These simulations are designed to closely mimic real-world conditions. For example, one red team member might take on the role of an employee clicking on a phishing link that deposits malware on the network. The defending team members must then find this malware before it spreads across their network and infects web servers and other applications. To make things more realistic, the simulation replays real network traffic as background noise that hides the attacks, just as happens in the real world.

Let's talk about the red and blue designations. Red team members usually play the role of attackers and try to overcome security protocols. They use the same tools and techniques that attackers use, similar to how penetration testers operate but on a much broader scale.

"Red teams don't just test for vulnerabilities, but do so using the tools, tips and techniques of their likely threat actors, and in campaigns that run continuously for an extended period of time," wrote Daniel Miessler, a security consultant who has witnessed numerous red/blue exercises, in a blog post. "A great red team can be an early warning system to find common origins of attacks and to track an adversary's techniques."

John, a retired IBM architect who has worked in large IT shops, tells CSO that "threats are going to emerge that red teams will never test for. There are threats that can overwhelm blue teams and possibly put companies out of business."

According to Cris Thomas, global lead of strategy for the IBM X-Force Red consulting organization, "Some companies just think about red teams in terms of a physical security break-in."

The blue team is composed of the defenders, modeled after the internal security teams that are now found in numerous IT shops.
"What makes for a great blue team is their mental state, having a proactive mindset, endless curiosity and continuous improvement in terms of detection and response," wrote Miessler.

The red/blue dichotomy is somewhat misleading. To really conduct one of these simulations, two more teams should be involved:

A white team is composed of the network owners, the IT administrators who run the equipment and create the scripts for performing the simulations. Some exercises come with pre-built scripts while others build their own.

A gold team has the subject matter experts who act as consultants to the exercise. It could include security vendor representatives and legal advisors, and it performs specialized tasks such as digital forensics.

A note about purple teams

Let's also talk about the color purple. This carries several different meanings, depending on how this team is constructed. The color gives you the idea that this is a combination of both red and blue teams, so that both can collaborate and improve their skills. This combination could mean that there are representatives from both sides working together on the exercise, or even as part of their jobs.

That may not be as effective as having the same people hold both mindsets. Miessler likened this to waiters who don't deliver food at restaurants because it isn't their job. He has seen organizations where the red team thinks itself too elite to share information with the blue team, or where the teams aren't designed to interact with each other, or where IT doesn't see both teams as part of the same effort.

Last summer, I attended the annual National Guard CyberShield event in Utah, where over the course of two weeks it conducts a simulated attack that is coordinated across 40 local Guard units. The units are split into red and blue teams with more than 800 members spread around the country.
The Guard purposely schedules a "purple day" where both red and blue teams mingle with each other and collaborate to share tips and techniques.

"We know that the threat actors are collaborating way better than we are, and this gives us a chance to work closely with our partners in realistic scenarios and build trust and deeper relationships," says Lt. Col. Brad Rhodes, the officer in charge of the event. This building of trust is important because you want teams to learn from each other, rather than depend on a single analyst who may not be on duty, or who may have left the Guard, when an actual threat occurs. Rhodes has led six CyberShield exercises and works full time as head of IT security for Zvelo.

Walmart has both full-time internal blue and red team members. "We also periodically bring in outside blue and red team information security professionals to consult, and we are starting to use a purple team approach to share our experiences. The two meet several times per month to help drive constant improvement for both teams, and we have seen fantastic collaboration between the two as they recognize they can drive more value to the organization," says Jason O'Dell, vice president of security operations at Walmart.

Steps to design red team/blue team exercises

Here are some things to consider when designing your own exercise:

Decide what you will do in-house and what you will hire out. Do you need a specialized red team vendor? Do you already have full-time infosec staff who can act as a blue team? Can you use a pre-built cyber range that has everything set up a certain way? Part of this decision is understanding the required skill sets for all team members.
"A crucial skill for both teams is the desire to learn and be continuously curious," says Walmart's O'Dell.

Retired architect John agrees: "The ability to act quickly and effectively to any vulnerability is an absolute requirement these days." He has never seen a company with a true red team. "Most of the time, this is outsourced to a consulting firm. Doing it in-house is hard, because of the difficulty in finding people with the exceptional skill levels needed for the job and then retaining them. If the red team is really effective, I can see them having a hard time growing their careers in the firm."

Pick your simulation tools. Another way to phrase this is to decide how realistic you want your exercise to be. Most of the time, these exercises won't be run against production systems, so figure out what you will simulate, or whether you will use a cyber range (which is usually not an exact replica of your running systems).

For the Guard's CyberShield, they used the Persistent Cyber Training Exercise (PCTE) cloud-based simulation environment that was developed for the Defense Department. The CyberShield event is the largest operation conducted across this network, consuming more than 3,000 virtual machines and a petabyte of storage.

Formulate your goals. What are you trying to accomplish? Find weak spots? Shore up your defenses? Improve IT/end user collaboration? Identify working and failed security controls? The premise of these exercises is that the more realistic they are, the better prepared everyone will be for a real attack, which gets back to the previous point.

At the 2020 CyberShield, the red team built a piece of malware that eventually was posted on VirusTotal, according to one Guard participant I interviewed. "It was real enough when it then got picked up by Russian hackers who used it in the wild.
Fortunately, its creator had placed a kill switch to neutralize it."

Goals are critical, as Peter Kaloroumakis of MITRE told me. "We see cases where red teams are able to successfully achieve their technical objectives but miss opportunities to have broader impact. Red or purple teams discover new information. It is essential they also engage infrastructure and architecture teams who develop strategic plans to improve security posture. It is easy to focus on specific configuration changes, but sometimes there are architectural changes which might address root cause issues."

Decide how you will collect the data from the exercise and how you will conduct your post-mortem analysis. A big part of that is reporting on the level of communication among your teams. Architect John says, "The biggest problem I've seen here is language/communications and poor teamwork. In the era of outsourcing, teams can be from different locations, speak different languages and so forth. If people cannot understand each other, that is a big problem during and after the exercise."

Pick your time frame. The timing of your exercise varies tremendously. IBM's Thomas says, "Some companies buy a subscription service from IBM and do constant retesting of a mobile app as they are developing it, through either nightly builds or a regular milestone."

The Guard needs two weeks every year because it is also conducting training exercises, so that participants can take CompTIA and other certification classes in addition to running the CyberShield simulations. "We conduct multiple tabletop and threat simulation exercises each year. In addition, our Red Team runs numerous full adversarial engagements every year. Sometimes these engagements will blend together," says Walmart's O'Dell.
The ideal is to probe your systems continuously; at a minimum, stick to a schedule rather than simply reacting to a failed security audit.

Designing the most effective red/blue exercise means being clear on a lot of non-technical points, as you can see. Make sure you pay equal attention to both the technical and the non-technical issues.