August 3, 2017 By Maria Hyland and Jason Flood

More and more companies are looking to cyber exercises and capture the flag events to improve their incident response effectiveness, upskill staff and tackle the cybersecurity talent gap.

A red on blue experience provides a safe sandbox environment for participating companies to stress test their business processes and challenge their capabilities in responding to real-world cyber incidents through a realistic simulation.

How Does Red on Blue Training Work?

A red on blue incident response training session typically takes place in a cyber range, an environment designed for cybersecurity upskilling and simulation exercises. The cyber range houses production or production-like systems for use in both the blue (defensive) and red (attack) settings.

To facilitate the blue scenario, the cyber range sets up a system that simulates a company’s network being monitored by the security operations center (SOC) team. This blue setup typically incorporates the organization’s network monitoring and incident response solutions of choice.

Meanwhile, on the red side, a series of real-world attacks mimic cybercriminals seeking to infiltrate or disrupt the organization’s network and computer systems. The red scenario is performed via a combination of the latest automated attack tools and manual penetration testing techniques.

Cyber ranges offer organizations a variety of flexible, customizable experiences, enabling companies to focus on attack, defense or a balance of both. While training in both red and blue is ideal, the cyber range may also provide additional in-house staff to operate one side or the other should a company wish to focus its resources solely on one aspect. Offerings include everything from half-day lightning sessions to week-long comprehensive training programs to help organizations understand what happens before, during and after a cybersecurity incident.

Know Your Enemy

When engaging in a red on blue exercise, ensure that your organization’s SOC team assumes both its usual defense role and the attacking role. This can help the security staff understand how attackers think and operate, thereby better equipping them to deal with incidents. This experience can also be critical in helping SOC teams identify potential attacks earlier and make better decisions within their defensive systems.

In addition to educating staff on both sides of the fence, the valuable insight and learning outcomes from participating in such cybersecurity training programs can influence an organization’s overall investments, resources and policies in cybersecurity.


All Hands on Deck for Incident Response Training

Security is not just an IT responsibility — everyone across the organization has a duty to protect its data, network and systems. Taking this into consideration, a good incident response training exercise incorporates the media reaction to a cyber incident, as well as the impact on share price, sales, company reputation and more.

For example, the exercise might demonstrate to the company’s communication and PR teams how to disclose news of a breach to staff, customers, journalists and the general public. Meanwhile, on the business side, specialized coaching might teach the organization’s executives and financial department how to assure stakeholders, minimize monetary losses and ensure any legal implications are dealt with appropriately.

Through this focused practical education, participants from across the organization will become aware of all the important factors surrounding a cybersecurity incident and gain essential insights into the intrinsic value of end-to-end communication, management and decision-making during a crisis.


Embracing a New Collar Approach

In the context of a talent shortage and high competition for skilled cybersecurity candidates, organizations are placing growing emphasis on looking beyond traditional classroom channels to recruit their security staff.

Companies have turned to a number of approaches to address these staffing deficits, such as:

  • Creating new educational programs and apprenticeships;
  • Promoting upskilling by participating in capture the flag, red on blue and other cybersecurity training exercises; and
  • Recruiting new collar workers to fill vacant positions.

IBM’s recent executive report, “It’s Not Where You Start — It’s How You Finish: Addressing the Cybersecurity Skills Gap With a New Collar Approach,” describes how companies can bridge the skills gap by prioritizing cybersecurity skills over degrees.

Aside from educating existing staff, new top talent can also be sourced by monitoring the performance of potential candidates during a red on blue exercise. In this simulated environment, an organization can view potential candidates in action firsthand.

These exercises also help hiring managers evaluate a potential employee’s technical and soft skill sets, indicating how well they might perform in a range of roles on the organization’s cybersecurity staff. A candidate who performs well in the red attack exercises might be well-suited for the secure engineering or penetration testing teams, for example. Meanwhile, a candidate who excels in the blue tasks would likely fare well in the company’s incident response and security operations departments.

Client Feedback on Red on Blue Exercises

Clients who have visited the IBM X-Force Command Center in Cambridge, Massachusetts, have reported that red on blue exercises revealed gaps in their current expertise, processes, technologies, systems and networks. After these initial engagements, companies tend to return for follow-up technical training and regular upskilling, engaging a wider pool of business functions and staff across the organization — including C-level executives.

The X-Force Command Center provides countless benefits to help organizations hone their cybersecurity skills, including:

  • Stress testing of business processes and incident response capabilities;
  • An opportunity for employees to practice and improve their skills;
  • Insights to help security leaders identify cyber skills gaps;
  • Metrics to gauge skill levels and strengths across the company; and
  • Regular red on blue exercises to measure performance and improvement over time.

