Red Team–Blue Team Testing—the Big Picture

Red Team–Blue Team Testing—the Big Picture

Ever since offensive security testing began, we have expected that the test or simulation will find something. Even if a pen tester doesn’t uncover an issue, the best ones can always achieve success through phishing or social engineering of your organization’s employees. In the same way, Red Team-Blue Team exercises highlight the near impossibility of foiling a motivated attacker – the odds of success heavily favor the attacker and make it extremely difficult for the defender.

Now, with organizations realizing the value of Red Team-Blue Team testing, it’s important to understand that such testing is more about the overall impact on the cybersecurity team than it is about individual results. Sure, finding  deficiencies in your security posture or protected attack surface are important, but your team won’t discover them all: the greatest value comes from improving your team’s effectiveness.

That’s because cybersecurity isn’t just a technical problem: it’s not only about perimeter defense solutions, policies, rules, detection systems, patches and other issues. Cybersecurity is also an operational problem. Particularly with high-value attacks, cybersecurity ultimately comes down to people. Attacks are mostly human-driven practices that look for a path of least resistance. Similarly, cyber defense involves security experts. While some automated systems may prevent or minimize simple attacks, a carefully orchestrated one must be verified and acted upon by the security team.

Why is this an issue? Because cybersecurity teams are overworked and understaffed. Teams don’t have the time or resources to respond to all alerts, investigate all events, or review and evolve all policies; and even organizations with open headcounts for additional security practitioners find it hard to fill these slots due to an acute global shortage of cybersecurity professionals. These conditions are not likely to change any time soon. Cybersecurity teams need to become more efficient and effective in order to focus on the events that really matter. That’s where offensive testing can help.

Red Team-Blue Team testing, more than anything, should help reveal your team’s level of efficiency and effectiveness.

In conducting these exercises, cybersecurity teams can better understand which of their systems are best suited to uncovering significant active threats and how well they can be seen. Systems that deliver low fidelity and are rife with false positives are unlikely to be helpful in this effort. In fact, some systems may even be counterproductive when it comes to efficiency and effectiveness and the ability to keep an organization safe. To be sure, assessing the ongoing operation of such security tools and systems—apart from a scheduled exercise—will indicate their usefulness. A Red Team-Blue Team test, however, will put these experiences in the context of attack activity and can be the acid test for how they perform.

Some organizations have modified Red Team-Blue Team testing to include a Purple Team component, but that doesn’t change the overall goal. Whether or not a Purple Team is a formalized function, one of the primary goals should be an understanding of “do we have what it takes to uncover an active attack and prevent or minimize damage from it?” You can get wrapped up in nomenclature and disagreements over how to best structure offensive testing and assessments, but one of the most important results should be understanding the operational side of security and how well a team, assisted by tools and systems, can find and stop an attack.

So, Red Team-Blue Team testing is valuable not only for predicting your organization’s response to an attack, but for determining your cybersecurity team’s overall ability to respond. And when conducting this testing, it’s critical to have tools like the Stellar Cyber platform, which delivers high-fidelity alerts and minimizes false alerts to help your team focus on the real problems.