More and more companies are looking to cyber exercises and capture the flag events to improve their incident response effectiveness, upskill staff and tackle the cybersecurity talent gap.

A red on blue experience provides a safe sandbox environment for participating companies to stress test their business processes and challenge their capabilities in responding to real-world cyber incidents through a realistic simulation.

How Does Red on Blue Training Work?

A red on blue incident response training session typically takes place in a cyber range, an environment designed for cybersecurity upskilling and simulation exercises. The cyber range houses production or production-like systems for use in both the blue (defensive) and red (attack) settings.

To facilitate the blue scenario, the cyber range sets up a system that simulates a company’s network being monitored by the security operations center (SOC) team. This blue setup typically incorporates the organization’s network monitoring and incident response solutions of choice.

Meanwhile, on the red side, a series of real-world attacks mimic cybercriminals seeking to infiltrate or disrupt the organization’s network and computer systems. The red scenario is performed via a combination of the latest automated attack tools and manual penetration testing techniques.

Cyber ranges offer organizations a variety of flexible, customizable experiences, enabling companies to focus on attack, defense or a balance of both. While training in both red and blue is ideal, the cyber range may also provide additional in-house staff to operate one side or the other should a company wish to focus its resources solely on one aspect. Offerings include everything from half-day lightning sessions to week-long comprehensive training programs to help organizations understand what happens before, during and after a cybersecurity incident.

Know Your Enemy

When engaging in a red on blue exercise, ensure that your organization’s SOC team assumes both its usual defense role and the attacking role. This can help the security staff understand how attackers think and operate, thereby better equipping them to deal with incidents. This experience can also be critical in helping SOC teams identify potential attacks earlier and make better decisions within their defensive systems.

In addition to educating staff on both sides on the fence, the valuable insight and learning outcomes from participating in such cybersecurity training programs can influence an organization’s overall investments, resources and policies in cybersecurity.

Learn More about the role of gamification in incident response planning

All Hands on Deck for Incident Response Training

Security is not just an IT responsibility — everyone across the organization has a duty to protect its data, network and systems. Taking this into consideration, a good incident response training exercise incorporates the media reaction to a cyber incident, as well as the impact on share price, sales, company reputation and more.

For example, the exercise might demonstrate to the company’s communication and PR teams how to disclose news of a breach to staff, customers, journalists and the general public. Meanwhile, on the business side, specialized coaching might teach the organization’s executives and financial department how to assure stakeholders, minimize monetary losses and ensure any legal implications are dealt with appropriately.

Through this focused practical education, participants from across the organization will become aware of all the important factors surrounding a cybersecurity incident and gain essential insights into the intrinsic value of end-to-end communication, management and decision-making during a crisis.


Embracing a New Collar Approach

In the context of a talent shortage and high competition for skilled cybersecurity candidates, there is a growing emphasis in organizations looking beyond traditional classroom channels to recruit their security staff.

Companies have turned to a number of approaches to address these staffing deficits, such as:

  • Creating new educational programs and apprenticeships;
  • Promoting upskilling by participating in capture the flag, red on blue and other cybersecurity training exercises; and
  • Recruiting new collar workers to fill vacant positions.

IBM’s recent executive report, “It’s Not Where You Start — It’s How You Finish: Addressing the Cybersecurity Skills Gap With a New Collar Approach,” describes how companies can bridge the skills gap by prioritizing cybersecurity skills over degrees.

Aside from educating existing staff, new top talent can also be sourced by monitoring the performance of potential candidates during a red on blue exercise. In this simulated environment, an organization can view potential candidates in action firsthand.

These exercises also help hiring managers evaluate a potential employee’s technical and soft skill sets, indicating how well they might perform in a range of roles on the organization’s cybersecurity staff. A candidate who performs well in the red attack exercises might be well-suited for the secure engineering or penetration testing teams, for example. Meanwhile, a candidate who excels in the blue tasks would likely fare well in the company’s incident response and security operations departments.

Client Feedback on Red on Blue Exercises

Clients who have visited the IBM X-Force Command Center in Cambridge, Massachusetts, have reported that red on blue exercises revealed gaps in their current expertise, processes, technologies, systems and networks. After these initial engagements, companies tend to return for follow-up technical training and regular upskilling, engaging a wider pool of business functions and staff across the organization — including C-level executives.

The X-Force Command Center provides countless benefits to help organizations hone their cybersecurity skills, including:

  • Stress testing of bu­­­siness processes and incident response capabilities;
  • An opportunity for employees to practice and improve their skills;
  • Insights to help security leaders identify cyber skills gaps;
  • Metrics to gauge skill levels and strengths across the company; and
  • Regular red on blue exercises to measure performance and improvement over time.

Listen to the accompanying podcast to learn more about Red On Blue Cyber Training

More from Incident Response

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Breaking Down a Cyberattack, One Kill Chain Step at a Time

In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). Organizations…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…

What is a Red Teamer? All You Need to Know

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice. The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team…