August 3, 2017 By Maria Hyland
Jason Flood
4 min read

More and more companies are looking to cyber exercises and capture the flag events to improve their incident response effectiveness, upskill staff and tackle the cybersecurity talent gap.

A red on blue experience provides a safe sandbox environment for participating companies to stress test their business processes and challenge their capabilities in responding to real-world cyber incidents through a realistic simulation.

How Does Red on Blue Training Work?

A red on blue incident response training session typically takes place in a cyber range, an environment designed for cybersecurity upskilling and simulation exercises. The cyber range houses production or production-like systems for use in both the blue (defensive) and red (attack) settings.

To facilitate the blue scenario, the cyber range sets up a system that simulates a company’s network being monitored by the security operations center (SOC) team. This blue setup typically incorporates the organization’s network monitoring and incident response solutions of choice.

Meanwhile, on the red side, a series of real-world attacks mimic cybercriminals seeking to infiltrate or disrupt the organization’s network and computer systems. The red scenario is performed via a combination of the latest automated attack tools and manual penetration testing techniques.

Cyber ranges offer organizations a variety of flexible, customizable experiences, enabling companies to focus on attack, defense or a balance of both. While training in both red and blue is ideal, the cyber range may also provide additional in-house staff to operate one side or the other should a company wish to focus its resources solely on one aspect. Offerings include everything from half-day lightning sessions to week-long comprehensive training programs to help organizations understand what happens before, during and after a cybersecurity incident.

Know Your Enemy

When engaging in a red on blue exercise, ensure that your organization’s SOC team assumes both its usual defense role and the attacking role. This can help the security staff understand how attackers think and operate, thereby better equipping them to deal with incidents. This experience can also be critical in helping SOC teams identify potential attacks earlier and make better decisions within their defensive systems.

In addition to educating staff on both sides of the fence, the valuable insight and learning outcomes from participating in such cybersecurity training programs can influence an organization’s overall investments, resources and policies in cybersecurity.

All Hands on Deck for Incident Response Training

Security is not just an IT responsibility — everyone across the organization has a duty to protect its data, network and systems. Taking this into consideration, a good incident response training exercise incorporates the media reaction to a cyber incident, as well as the impact on share price, sales, company reputation and more.

For example, the exercise might demonstrate to the company’s communication and PR teams how to disclose news of a breach to staff, customers, journalists and the general public. Meanwhile, on the business side, specialized coaching might teach the organization’s executives and financial department how to assure stakeholders, minimize monetary losses and ensure any legal implications are dealt with appropriately.

Through this focused practical education, participants from across the organization will become aware of all the important factors surrounding a cybersecurity incident and gain essential insights into the intrinsic value of end-to-end communication, management and decision-making during a crisis.

Embracing a New Collar Approach

In the context of a talent shortage and high competition for skilled cybersecurity candidates, there is a growing emphasis in organizations looking beyond traditional classroom channels to recruit their security staff.

Companies have turned to a number of approaches to address these staffing deficits, such as:

  • Creating new educational programs and apprenticeships;
  • Promoting upskilling by participating in capture the flag, red on blue and other cybersecurity training exercises; and
  • Recruiting new collar workers to fill vacant positions.

IBM’s recent executive report, “It’s Not Where You Start — It’s How You Finish: Addressing the Cybersecurity Skills Gap With a New Collar Approach,” describes how companies can bridge the skills gap by prioritizing cybersecurity skills over degrees.

Aside from educating existing staff, new top talent can also be sourced by monitoring the performance of potential candidates during a red on blue exercise. In this simulated environment, an organization can view potential candidates in action firsthand.

These exercises also help hiring managers evaluate a potential employee’s technical and soft skill sets, indicating how well they might perform in a range of roles on the organization’s cybersecurity staff. A candidate who performs well in the red attack exercises might be well-suited for the secure engineering or penetration testing teams, for example. Meanwhile, a candidate who excels in the blue tasks would likely fare well in the company’s incident response and security operations departments.

Client Feedback on Red on Blue Exercises

Clients who have visited the IBM X-Force Command Center in Cambridge, Massachusetts, have reported that red on blue exercises revealed gaps in their current expertise, processes, technologies, systems and networks. After these initial engagements, companies tend to return for follow-up technical training and regular upskilling, engaging a wider pool of business functions and staff across the organization — including C-level executives.

The X-Force Command Center provides countless benefits to help organizations hone their cybersecurity skills, including:

  • Stress testing of business processes and incident response capabilities;
  • An opportunity for employees to practice and improve their skills;
  • Insights to help security leaders identify cyber skills gaps;
  • Metrics to gauge skill levels and strengths across the company; and
  • Regular red on blue exercises to measure performance and improvement over time.