More and more companies are looking to cyber exercises and capture the flag events to improve their incident response effectiveness, upskill staff and tackle the cybersecurity talent gap.

A red on blue experience provides a safe sandbox environment for participating companies to stress test their business processes and challenge their capabilities in responding to real-world cyber incidents through a realistic simulation.

How Does Red on Blue Training Work?

A red on blue incident response training session typically takes place in a cyber range, an environment designed for cybersecurity upskilling and simulation exercises. The cyber range houses production or production-like systems for use in both the blue (defensive) and red (attack) settings.

To facilitate the blue scenario, the cyber range sets up a system that simulates a company’s network being monitored by the security operations center (SOC) team. This blue setup typically incorporates the organization’s network monitoring and incident response solutions of choice.

Meanwhile, on the red side, a series of real-world attacks mimic cybercriminals seeking to infiltrate or disrupt the organization’s network and computer systems. The red scenario is performed via a combination of the latest automated attack tools and manual penetration testing techniques.

Cyber ranges offer organizations a variety of flexible, customizable experiences, enabling companies to focus on attack, defense or a balance of both. While training in both red and blue is ideal, the cyber range may also provide additional in-house staff to operate one side or the other should a company wish to focus its resources solely on one aspect. Offerings include everything from half-day lightning sessions to week-long comprehensive training programs to help organizations understand what happens before, during and after a cybersecurity incident.

Know Your Enemy

When engaging in a red on blue exercise, ensure that your organization’s SOC team assumes both its usual defense role and the attacking role. This can help the security staff understand how attackers think and operate, thereby better equipping them to deal with incidents. This experience can also be critical in helping SOC teams identify potential attacks earlier and make better decisions within their defensive systems.

In addition to educating staff on both sides on the fence, the valuable insight and learning outcomes from participating in such cybersecurity training programs can influence an organization’s overall investments, resources and policies in cybersecurity.

Learn More about the role of gamification in incident response planning

All Hands on Deck for Incident Response Training

Security is not just an IT responsibility — everyone across the organization has a duty to protect its data, network and systems. Taking this into consideration, a good incident response training exercise incorporates the media reaction to a cyber incident, as well as the impact on share price, sales, company reputation and more.

For example, the exercise might demonstrate to the company’s communication and PR teams how to disclose news of a breach to staff, customers, journalists and the general public. Meanwhile, on the business side, specialized coaching might teach the organization’s executives and financial department how to assure stakeholders, minimize monetary losses and ensure any legal implications are dealt with appropriately.

Through this focused practical education, participants from across the organization will become aware of all the important factors surrounding a cybersecurity incident and gain essential insights into the intrinsic value of end-to-end communication, management and decision-making during a crisis.


Embracing a New Collar Approach

In the context of a talent shortage and high competition for skilled cybersecurity candidates, there is a growing emphasis in organizations looking beyond traditional classroom channels to recruit their security staff.

Companies have turned to a number of approaches to address these staffing deficits, such as:

  • Creating new educational programs and apprenticeships;
  • Promoting upskilling by participating in capture the flag, red on blue and other cybersecurity training exercises; and
  • Recruiting new collar workers to fill vacant positions.

IBM’s recent executive report, “It’s Not Where You Start — It’s How You Finish: Addressing the Cybersecurity Skills Gap With a New Collar Approach,” describes how companies can bridge the skills gap by prioritizing cybersecurity skills over degrees.

Aside from educating existing staff, new top talent can also be sourced by monitoring the performance of potential candidates during a red on blue exercise. In this simulated environment, an organization can view potential candidates in action firsthand.

These exercises also help hiring managers evaluate a potential employee’s technical and soft skill sets, indicating how well they might perform in a range of roles on the organization’s cybersecurity staff. A candidate who performs well in the red attack exercises might be well-suited for the secure engineering or penetration testing teams, for example. Meanwhile, a candidate who excels in the blue tasks would likely fare well in the company’s incident response and security operations departments.

Client Feedback on Red on Blue Exercises

Clients who have visited the IBM X-Force Command Center in Cambridge, Massachusetts, have reported that red on blue exercises revealed gaps in their current expertise, processes, technologies, systems and networks. After these initial engagements, companies tend to return for follow-up technical training and regular upskilling, engaging a wider pool of business functions and staff across the organization — including C-level executives.

The X-Force Command Center provides countless benefits to help organizations hone their cybersecurity skills, including:

  • Stress testing of bu­­­siness processes and incident response capabilities;
  • An opportunity for employees to practice and improve their skills;
  • Insights to help security leaders identify cyber skills gaps;
  • Metrics to gauge skill levels and strengths across the company; and
  • Regular red on blue exercises to measure performance and improvement over time.

Listen to the accompanying podcast to learn more about Red On Blue Cyber Training

More from Incident Response

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

What Hurricane Preparedness Can Teach Us About Ransomware

Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face. While we can’t equate the…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

A Day in the Life: Working in Cyber Incident Response

As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your "go bag" because you cannot remote in to the breached system. It's all part of the game. Seasoned incident responders can handle this jab: "Why would you want a job like this? Are you crazy?" The truth…