More and more companies are looking to cyber exercises and capture the flag events to improve their incident response effectiveness, upskill staff and tackle the cybersecurity talent gap.

A red on blue experience provides a safe sandbox environment for participating companies to stress test their business processes and challenge their capabilities in responding to real-world cyber incidents through a realistic simulation.

How Does Red on Blue Training Work?

A red on blue incident response training session typically takes place in a cyber range, an environment designed for cybersecurity upskilling and simulation exercises. The cyber range houses production or production-like systems for use in both the blue (defensive) and red (attack) settings.

To facilitate the blue scenario, the cyber range sets up a system that simulates a company’s network being monitored by the security operations center (SOC) team. This blue setup typically incorporates the organization’s network monitoring and incident response solutions of choice.

Meanwhile, on the red side, a series of real-world attacks mimic cybercriminals seeking to infiltrate or disrupt the organization’s network and computer systems. The red scenario is performed via a combination of the latest automated attack tools and manual penetration testing techniques.

Cyber ranges offer organizations a variety of flexible, customizable experiences, enabling companies to focus on attack, defense or a balance of both. While training in both red and blue is ideal, the cyber range may also provide additional in-house staff to operate one side or the other should a company wish to focus its resources solely on one aspect. Offerings include everything from half-day lightning sessions to week-long comprehensive training programs to help organizations understand what happens before, during and after a cybersecurity incident.

Know Your Enemy

When engaging in a red on blue exercise, ensure that your organization’s SOC team assumes both its usual defense role and the attacking role. This can help the security staff understand how attackers think and operate, thereby better equipping them to deal with incidents. This experience can also be critical in helping SOC teams identify potential attacks earlier and make better decisions within their defensive systems.

In addition to educating staff on both sides of the fence, the valuable insight and learning outcomes from participating in such cybersecurity training programs can influence an organization’s overall investments, resources and policies in cybersecurity.


All Hands on Deck for Incident Response Training

Security is not just an IT responsibility — everyone across the organization has a duty to protect its data, network and systems. Taking this into consideration, a good incident response training exercise incorporates the media reaction to a cyber incident, as well as the impact on share price, sales, company reputation and more.

For example, the exercise might demonstrate to the company’s communication and PR teams how to disclose news of a breach to staff, customers, journalists and the general public. Meanwhile, on the business side, specialized coaching might teach the organization’s executives and financial department how to assure stakeholders, minimize monetary losses and ensure any legal implications are dealt with appropriately.

Through this focused practical education, participants from across the organization will become aware of all the important factors surrounding a cybersecurity incident and gain essential insights into the intrinsic value of end-to-end communication, management and decision-making during a crisis.

Embracing a New Collar Approach

In the context of a talent shortage and high competition for skilled cybersecurity candidates, there is a growing emphasis in organizations looking beyond traditional classroom channels to recruit their security staff.

Companies have turned to a number of approaches to address these staffing deficits, such as:

  • Creating new educational programs and apprenticeships;
  • Promoting upskilling by participating in capture the flag, red on blue and other cybersecurity training exercises; and
  • Recruiting new collar workers to fill vacant positions.

IBM’s recent executive report, “It’s Not Where You Start — It’s How You Finish: Addressing the Cybersecurity Skills Gap With a New Collar Approach,” describes how companies can bridge the skills gap by prioritizing cybersecurity skills over degrees.

Aside from educating existing staff, new top talent can also be sourced by monitoring the performance of potential candidates during a red on blue exercise. In this simulated environment, an organization can view potential candidates in action firsthand.

These exercises also help hiring managers evaluate a potential employee’s technical and soft skill sets, indicating how well they might perform in a range of roles on the organization’s cybersecurity staff. A candidate who performs well in the red attack exercises might be well-suited for the secure engineering or penetration testing teams, for example. Meanwhile, a candidate who excels in the blue tasks would likely fare well in the company’s incident response and security operations departments.

Client Feedback on Red on Blue Exercises

Clients who have visited the IBM X-Force Command Center in Cambridge, Massachusetts, have reported that red on blue exercises revealed gaps in their current expertise, processes, technologies, systems and networks. After these initial engagements, companies tend to return for follow-up technical training and regular upskilling, engaging a wider pool of business functions and staff across the organization — including C-level executives.

The X-Force Command Center provides countless benefits to help organizations hone their cybersecurity skills, including:

  • Stress testing of business processes and incident response capabilities;
  • An opportunity for employees to practice and improve their skills;
  • Insights to help security leaders identify cyber skills gaps;
  • Metrics to gauge skill levels and strengths across the company; and
  • Regular red on blue exercises to measure performance and improvement over time.

