Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Red team versus blue team: How to run an effective simulation

Doug Drinkwater and Kacy Zurkus | July 27, 2017
Playing the role of an attacker can make your team better at defense. Learn how in our step-by-step guide to war gaming your security infrastructure — from involving the right people to weighing a hypothetical vs. live event.

 

1. Understand the controls

What's most important for blue teams, says Matt Rodgers, head of security strategy, E8 Security, "Especially around phishing and vishing, is the ability to understand what types of controls exist in their environment. I've seen people finding controls in their network as they go through an exercise."

 

2. Make sure you can collect and analyze the data

Because blue teams base their function off their ability to collect and make use of the data they collect, log management tools, like Splunk, are important tools. Rodgers says, "Another piece of the puzzle is understanding how to collect all the data of what the team has done and record it in a high enough fidelity in postmortem exercises to determine what they did right or wrong and how to do it better."

 

3. Use the tools appropriate for the environment

The tools that blue teams need is determined by their environments. "They need to ask 'What is this program doing? Why would it try to format your hard drive?' and then add technology that blocks unanticipated actions. The tools to test whether that technology was successful come from the red team," said Michael Angelo, chief security architect, Micro Focus.

 

4. Have experienced members on the team

For the blue team, what is most valuable is the knowledge that people have in addition to tools. Angelo said, "As you get used to doing these things, you start to think, ‘I’ve seen that, I’ve seen that, they do this, they do that, but I wonder if there isn’t a hole.’ If you only prepare for the things that are known, then you won't be prepared for the unknown." 

 

5. Assume there will be failures

Asking questions is an invaluable tool that will encourage exploration into the unknown. Angelo said, "Don’t stop at preparing for the things that exist today. Assume there will be failures in your infrastructure."

That assumption, that there will be failures, that nothing is 100 percent secure, that we can no more create perfect children than we can perfect security might be the greatest tool anyone can find.

 

Previous Page  1  2  3  4  5 

Sign up for CIO Asia eNewsletters.