Red and blue teams: the new face of security training
October 14, 2020
Sam Humphries, Security Strategist at Exabeam, explores how technology is helping red/blue/purple team security exercises evolve in the face of an increasingly challenging cyber-security landscape.
In recent years, red team vs blue team exercises have become a popular way for organisations to put their cyber security defences to the test. The typical format involves an offensive (red) team, consisting of either internal or external security professionals, taking on a defensive (blue) team, consisting of the organisation's internal security personnel, with the aim of breaching the organisation’s cyber defences undetected. Naturally, the goal of the blue team is to prevent this from happening.
But, how effective are such training activities? Can they really help security teams prepare for a genuine cyber-attack?
In 2019, Exabeam conducted its first red and blue team study to answer questions like these. Following the completion of a similar 2020 survey, a number of positive trends are starting to emerge. This article will examine the main trends identified, discuss some of the key drivers behind them, and explain the growing role of technology in effective red and blue team exercises.
Red and blue testing becomes ubiquitous
Red/blue team testing is becoming ubiquitous among security-conscious organisations.
The biggest takeaway from comparing study results year-on-year is that the popularity of red team testing has grown significantly in the last year. 92 percent of those questioned in 2020 have performed red team exercises, compared to just 72 percent in 2019, with over half conducting them at least once every six months. Furthermore, 96 percent have conducted blue team exercises over the past 12 months, a big jump over the 2019 figure of just 60 percent.
What’s more, security investments as a whole are also up by six percent, while a massive 98 percent of companies in the 2020 study have increased their security investment as a direct result of their red and blue team exercises.
What are the main drivers behind these findings?
On the surface, the findings above appear to paint an overwhelmingly positive picture of proactivity within the cyber security industry. However, when examined in closer detail, they aren’t quite what they seem. In many cases of budgetary increase, there is a direct reaction to one or more of the key factors below:
The growing number of threats faced: Put simply, the prolific rise in both the volume and diversity of cyber threats faced today means organisations simply can’t afford to rest on their laurels. Fear of becoming the next victim is driving security budgets up, which in turn gives more scope to perform regular red/blue team exercises.
An increasing shift towards the cloud: As more organisations migrate to the cloud and a higher number of employees work remotely (a trend significantly accelerated by COVID-19), the number of attack vectors also grows. This in turn increases the volume and variety of cyber security exercises that organisations must regularly perform in order to maintain high levels of security.
More stringent industry regulation: For organisations in heavily regulated sectors such as finance, testing isn’t an option. Regulators often require them a wide range of tests on a regular basis in order to ensure customer data and consumer data remain protected at all times.
Evolution of red and blue team exercises
Technology is helping red and blue team exercises to evolve. There’s no doubt that the cyber security stakes are getting higher all the time. Fortunately, red and blue teams now have a much greater variety of technology and intelligence at their disposal, helping to make exercises both more effective and more informative.
Global knowledge sharing frameworks and databases
Data about new attacks and cyber-criminal activities is growing all the time. Frameworks such as MITRE ATT&CK now provide globally-accessible knowledge bases of the latest tactics and techniques, collated from both real-world and historical information.
By aggregating and analysing this data, blue teams can be more efficient in identifying the types of tactics that they’re likely to encounter, helping them better prepare for potential attacks. Furthermore, improvements in endpoint protection tools even allow blue teams to go on the offensive when it comes to threat hunting, instead of waiting for the alarm bells to start ringing.
User and entity behaviour analytics
Users and entity behaviour analytics (UEBA) is another increasingly popular solution among blue teams wanting to get on the front foot. UEBA solutions use analytics technology, including machine learning and deep learning, to discover abnormal and risky network behaviour by users, machines and other entities, helping to identify potential breaches much faster than would otherwise be possible.
Security orchestration, automation and response
Security orchestration, automation and response (SOAR) is also growing in popularity as a way to help blue teams proactively manage threats and use resources effectively. SOAR, is a collection of compatible software programs that enable organisations to collect information about security threats and respond to low-level events without human intervention. Blue teams can use SOAR playbooks to automate low-level security defences.
With the cyber-security landscape becoming more hostile by the day, an effective security program is more essential than ever before. Regular red and blue team exercises are a great way to up-skill or prepare your personnel and it’s great to see them becoming a near ubiquitous part of organisational activity.
However, when combined with the latest technology, their potency becomes much greater, helping personnel to spot attacks earlier, manage resources more efficiently and keep sensitive data safe in the event of a real attack.
Samantha Humphries is Security Strategist at Exabeam. Samantha has 20 years of experience in cyber security, and during this time has held a plethora of roles, one of her favorite titles being Global Threat Response Manager, which definitely sounds more glamorous than it was in reality. She has defined strategy for multiple security products and technologies, helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from cyber-attacks, and trained anyone who’ll listen on security concepts and solutions. In her current regeneration, she’s thoroughly enjoying being a part of the global product marketing team at Exabeam, where she has responsibility for EMEA, plus anything that has “cloud” in the name.
Sam’s a go-to person for data compliance related questions and has to regularly remind people that she isn’t a lawyer, although if she had a time machine she probably would be. She authors articles for various security publications and is a regular speaker and volunteer at industry events, including BSides, IPExpo, CyberSecurityX, Insider Risk Summit, The Diana Initiative, and Blue Team Village (DEFCON).