
Red team, blue team: How to run an effective simulation

By Robin Mejia, CSO
April 27, 2008 12:03 AM ET

CSO - The military does it. The Government Accountability Office does it. So does the NSA. And the concept is making its way into the corporate world, too: war gaming the security infrastructure.

Red team-blue team exercises take their name from their military antecedents. The idea is simple: one group of security pros, the red team, attacks something, and an opposing group, the blue team, defends it. Originally, the exercises were used by the military to test force readiness. They have also been used to test the physical security of sensitive sites such as nuclear facilities and the Department of Energy's National Laboratories and Technology Centers. In the '90s, experts began using red team-blue team exercises to test information security systems.

"Really, this is a capability and expertise that developed naturally here out of the Lab's mission as one of the national nuclear security agency laboratories," says John Clem, Information Design Assurance Red Team program manager at the DoE's Sandia National Laboratory. Sandia experts helped advise the President's Commission on Critical Infrastructure Protection in the 1990s, which led to the group's current focus on information security. Clem's team has "red-teamed" Sandia's infrastructure and worked with other federal agencies, and, as part of the Lab's infrastructure protection mission, the team works with private-sector companies as well. Clem notes the commonly held view that 85 percent of the U.S.'s critical infrastructure is owned by private enterprises. Such companies keep oil refineries, nuclear power plants and telecommunications providers up and running safely. Researchers at Idaho National Laboratory offer a service similar to Sandia's, sometimes building model test beds to mimic a company's network.

However, companies in any industry can benefit from a red team-blue team exercise. SANS hosted a cyberwarfare event at its 2007 Las Vegas trainings in which a red team attacked a fake company it called GIAC Enterprises, supposedly the world's largest provider of fortunes for fortune cookies. In February of this year, eBay ran a red-team exercise with various CISO and vendor invitees. For those who missed the fortune cookie attack or eBay's confab, we've collected tips on how to get the most out of your own infosecurity red team-blue team simulation.

Get the Right People to Your Kickoff Meeting

"I start by getting the admin and security people in the same room," says Michael Assante, an infrastructure protection strategist at Idaho National Laboratory (INL). "I have the security team do a thorough analysis of what we have in place."

This is one of the easiest ways to identify security vulnerabilities, and it also addresses an issue that is key to any successful red team-blue team exercise: buy-in. Yes, it's one of the most overused phrases in a consultant's vocabulary, but the approval of management and employees is essential when testing information security systems.

The goal of a red team-blue team exercise is not just to identify holes in security, but to train security personnel and management. If not everyone agrees on the value of the exercise, it can quickly devolve into defensive posturing and wasted time. After all, you may be asking higher-ups for the time and budget required to fix flaws the exercise discovers.

An initial assessment may identify changes that need to be made. Then, it's time to get started.

Attack the whiteboard

The simplest version of a red team-blue team exercise requires little more than a conference table. Divide your security staff into teams, and spend an afternoon talking through possible attack-defend scenarios. The key element for success is a red team that can get into the mind-set of an attacker.

"Red-teaming is a thought process," explains Tom Anderson of INL. "The problem with having the people who built [the security system] do it is they have an interest in protecting it." To combat self-interest and homogeneity, Anderson and Assante create diversified teams where experts from INL work alongside staff from the company they're assisting.

That's not to say you can't do it on your own, but it's important to at least try to think like an outsider. "A lot of times when we develop security systems, it's to keep the honest person honest," explains Assante. An attacker will disregard more than rules; he or she will disregard the company's norms. Consider who your attackers may be. Power plants may be targeted by terrorists. Banks by criminals. Anyone by a disgruntled ex-employee. It can take time and effort to step back and view the system like an outsider, or even an insider who intends to harm.
