Overview

The blue team represents and is comprised of your organization’s existing information security and IT administration staff. While part of the purpose of red team exercises is to explore how an organization is vulnerable to digital infiltration by an external attacker and to remediate those vulnerabilities, another important part of red team exercises is to train organizational staff on how to detect, investigate, and respond to attacks against the organization’s information systems.

Red team exercises function as a practical drill for an organization’s existing information security and IT administration staff. They also function as a practical drill for an organization’s existing security response policies and procedures. Just as a disaster recovery drill tests the adequacy of an organization’s disaster recovery policies and procedures, a red team exercise tests an organization’s security incident response policies and procedures.

Blue Team Goals

When conducting a red team / blue team exercise, the blue team has several overarching goals. These include:

• Stopping the red team from successfully achieving its goals. The best blue team outcome is to block the red team from gaining a foothold in the target organization. Depending on how this scenario plays out, it could be because the organization’s existing security posture makes it extremely difficult to digitally infiltrate. However, it is important to note with this outcome that just because the organization wasn’t infiltrated this time doesn’t mean that vulnerabilities don’t exist in the organization’s security configuration or incident response policies, it just means that the red team wasn’t able to successfully exploit them this time. One response when this goal is achieved is for the organization to engage with a new and separate organization to provide red team penetration testing services for the next red team exercise. The new organization may have a red team approach that exposes vulnerabilities that weren’t uncovered by the previous red team.
• Early detection and effective response to red team activities. When this outcome occurs, the blue team quickly detects and responds to red team activities. While the red team makes some progress towards its goals, the blue team has enough information to detect and respond to their activities and to evict the red team from the target organization’s information systems.
• Post-exercise report. This report should detail blue team successes and failures. Independent of the outcome, this report will assist in improving the processes that the internal teams follow when a real, rather than simulated, attack occurs. It also gives members of the blue team a formal chance to reflect on what they did well and what they could do better. For example, if a bottleneck occurred because event logs from a system were not accessible to the investigators during the exercise or the investigators missed critical evidence in the event logs, the report would highlight this problem.
• Revise the incident response strategy. The outcome of red team exercises shouldn’t only involve remediating hardware, software, and configuration vulnerabilities in an organization’s security configuration, but procedural vulnerabilities in the way that personnel respond to the attack simulation. The incident response strategy provides organizations with a formal process for responding to incidents. This goes beyond the phases of the blue team’s kill chain and will include what responses at an organizational level, for example when it is necessary to notify external stakeholders about a potential breach, are required. Based on the results of the red team exercise, it may be necessary to adjust the incident response strategy so that the organization is more effectively able to respond to future incidents.

Red team gains complete dominance of the network. The worst outcome from the perspective of the blue team and indicative that the current information systems configuration and incident response policies need revision and remediation.

Join the discussion

Can you think of any other goals for the blue team?

Use the discussion section below and let us know your thoughts. Once you’re happy with your contribution, click the Mark as complete button to check the step off, then you can move to the next step.