Traditionally, red and blue teams have often worked in silos. But the two sides can bring major benefits to the organization when they work together. There’s no longer time to wait; this coordination and collaboration should happen at a larger scale. 2021 can and should be the year that red and blue team collaboration becomes mainstream – when these teams work together to change the trajectory of cyber-adversaries, making them shift approaches and disrupting their plans. It’s a more proactive approach that enables teams to be better prepared.
Red/Blue Team Exercises and Coordination Must Increase
It’s no longer feasible for red and blue teams to remain siloed. It’s imperative that they learn to work together. Defenders can’t defeat malicious actors on their own. In fact, a survey by Exabeam found that 62% of blue teams have difficulty stopping red teams during adversary simulation exercises. These teams have actually always been on the same side, despite whatever level of rivalry they may have had.
Coordination and collaboration between these two teams yield a number of benefits. Bringing attackers and defenders together can help organizations get ahead of attacks. This far more proactive approach of finding and fixing potential vulnerabilities before a cyber-criminal finds and exploits them goes a long way toward keeping your organization safe. While many organizations have already started reaping the benefits of this coordination, there’s still a lot more opportunity to be had.
Why is this approach needed now? Ongoing attacks, the unprecedented cyber-criminal landscape of 2020, and the sheer number of ransomware attacks that occurred last year have underscored the need for a more active approach to security. Organizations cannot afford to wait and see what happens; they need to be gaining more insight and information before an attack actually occurs.
Blue/Red Collaboration Tactics are Changing
Capture the Flag exercises have been one way organizations have practiced red/blue coordination. But now we’re seeing a move toward running actual drills in shadow lab environments using real-world attacks in which red teams try to take down services. This is much more effective for training and building skillsets. To do this, you need collaboration and feedback between the teams: the question is how teams can provide that feedback constructively and build on each other’s work. This has more often been done in government settings, but the private sector can learn from those efforts. It’s time for the private sector to come up to the level of the public sector in this respect.
Threat actor "fingerprints," or TTPs (Tactics, Techniques and Procedures), provided by threat intelligence sources – especially threat actor playbooks – can be fed to AI systems to enable the detection of attack patterns. This sort of training gives security team members the ability to improve their skills while locking down the network. Similarly, as organizations light up heatmaps of currently active threats, intelligent systems can proactively obfuscate network targets and place attractive decoys along predicted attack paths. Eventually, organizations could respond to any counter-intelligence efforts before they happen, enabling blue teams to maintain a position of superior control.
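The first half of the paragraph above, feeding threat actor TTPs from playbooks into detection, is easier to see with a concrete coverage check. The following is an added example, not code from the original article: it takes constructed sample playbooks (actor name to a list of ATT&CK-style technique IDs, used here only as labels) and constructed sample detection rules tagged with the techniques they cover, builds the "heatmap" of how many active actors use each technique, and lists the uncovered techniques most-used first so the blue team knows where to build detections or place decoys next. The PLAYBOOKS and DETECTION_RULES contents are assumptions for illustration.

```python
"""Map threat-actor TTPs from playbooks onto existing detection rules and report
coverage gaps, prioritised by how many active actors rely on each technique."""
from collections import Counter

# Constructed sample playbooks: actor -> technique IDs the actor is known to use.
# The IDs are ATT&CK-style labels chosen for illustration, not intel about real actors.
PLAYBOOKS = {
    "actor-a": ["T1566", "T1059", "T1078", "T1486"],
    "actor-b": ["T1566", "T1059", "T1021", "T1486"],
    "actor-c": ["T1190", "T1059", "T1003"],
}

# Constructed sample detection rules: rule name -> techniques the rule detects.
DETECTION_RULES = {
    "phishing-attachment-sandbox": ["T1566"],
    "suspicious-powershell": ["T1059"],
    "credential-dump-lsass": ["T1003"],
}


def technique_heatmap(playbooks):
    """Count how many distinct actors use each technique (the 'heatmap' of active threats)."""
    counts = Counter()
    for ttps in playbooks.values():
        counts.update(set(ttps))  # set(): one actor counts once per technique
    return dict(counts)


def covered_techniques(rules):
    """All techniques that at least one detection rule claims to cover."""
    return {t for ttps in rules.values() for t in ttps}


def coverage_gaps(playbooks, rules):
    """Techniques used by active actors that no rule covers, as (technique, actor_count)
    pairs, most widely used first (ties broken by technique ID)."""
    heat = technique_heatmap(playbooks)
    covered = covered_techniques(rules)
    gaps = [(t, n) for t, n in heat.items() if t not in covered]
    return sorted(gaps, key=lambda tn: (-tn[1], tn[0]))


def actor_coverage(playbooks, rules):
    """Fraction of each actor's playbook that is covered by at least one rule."""
    covered = covered_techniques(rules)
    result = {}
    for actor, ttps in playbooks.items():
        unique = set(ttps)
        # Guard against an empty playbook so the ratio is well defined.
        result[actor] = round(sum(t in covered for t in unique) / len(unique), 2) if unique else 0.0
    return result


if __name__ == "__main__":
    print("Coverage per actor:", actor_coverage(PLAYBOOKS, DETECTION_RULES))
    for technique, actors in coverage_gaps(PLAYBOOKS, DETECTION_RULES):
        print(f"gap: {technique} used by {actors} active actor(s), no detection rule")
```

With the sample data the gap list puts T1486 first because two of the three actors use it; that ordering is the "predicted attack path" view the blue team can act on, whether by writing a rule or by deploying a decoy where that technique would be used.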
Using Red/Blue Team Coordination Efficiently
There are three key things that businesses need to know about this method of blue and red team collaboration and how they can use it effectively. First, visibility is the most important thing. In order to prepare to defend against the enemy, you need visibility into their game plan and their latest tools.
Second is to understand your own blueprint. What assets do you have? Which of those are most important? What happens if these assets go offline? These are the assets that will be the biggest targets for cyber-criminals.
Third is to plan a proactive security model based on the answers to the two points above and create an incident response plan. These days, more than ever, you can’t wait until you’re alerted to respond.
Collaborate and Conquer
The only constant is change, and the cybersecurity environment continues to bear this aphorism out. Red and blue teams are both necessary, and the changing nature of cyber-attacks demands that these teams change how they interact. Organizations now must move beyond merely capturing a flag and run actual drills to strengthen the proactive defense skills blue teams need. Red teams must collaborate and provide feedback in new and greater ways. Incorporating AI, automation and deception technologies will assist in the ongoing endeavor to defend against increasingly sophisticated attacks.