Red Team, Blue Team: A Better Approach to Cyber Security Training

June 29, 2011 by Ixia Blog Team

UPDATE: Part II of the "Red Team, Blue Team" series has been published.

Every organization, whether part of the government or the private sector, needs “battle-tested” IT personnel in order to defend its networks against attack. The most effective way to provide this experience is to recreate the exact scenarios, no matter how nefarious, they will see in the real world. Often called cyber war-gaming, these exercises bring IT personnel from different specialties (network, security, virtualization, software, etc.) into color-coded red, white, and blue teams that perform specific roles in attacking and defending IT infrastructures.

Typically, setting up such an exercise has required an elaborate infrastructure of servers, network equipment, and security devices, plus countless man-hours to configure both the infrastructure and the attack and defense scenarios. Here we elaborate on the role of each team (red, white, and blue) and show you how to automate and streamline cyber security training exercises.

The Basics: Cyber Defense Exercises and Cyber Warrior Training

To provide an optimal environment for successful cyber warrior training, a cyber defense exercise should be held in an isolated environment. Based on the chosen scenario, this environment is specially constructed with appropriate network equipment and endpoints, including a variety of servers (virtualized or physical), and possibly even PCs, smartphones, and similar devices.

In these exercises, the attacking team is called the red team and the defending team is called the blue team. Typically, a white team is also assigned, which has responsibility for managing and monitoring the various activities of the teams as the scenario plays out. The white team also helps maintain order and fairness during the exercise and produces the final reporting afterward.

Red Teams: Going on the Attack in Cyber Simulations

The red team’s job is straightforward: seek and destroy. A red teamer will use every tool available to compromise a target network and tear down a blue team’s defenses, with the ultimate goal of taking control of one or more critical systems in order to spy, sabotage, or destroy.

A red team can use the BreakingPoint solution to easily construct a wide variety of attacks. Denial of service (DoS) and distributed denial of service (DDoS) attacks are simple to configure, as are TCP SYN floods, half-open attacks, ICMP attacks, and others. (Scott Register explored several DoS variations in a series of posts here last fall.)

Attacks can also be made significantly more complex — and harder to detect — by using real-world application traffic interspersed with fuzzed traffic and targeted security exploits. These attacks can be set up in minutes on any BreakingPoint device. The following screenshot shows one example of such a scenario being created using our Application Simulator, Stack Scrambler (fuzzing), and Security components. (A red team could also use other equipment in its toolbox — such as rootkits or other targeted exploit tools — alongside the BreakingPoint device.)

Again, the attacker can also vary the background application traffic and fuzzed traffic to further throw the blue team off the scent. If a time comes when the blue team discovers the intrusion, the attacker probably will have exploited the vulnerability long enough to seed target systems with a variety of malware. At that point, the red team has likely won the battle — and taught the organization important lessons about its real-world defenses.

Are you prepared to carry out simulated attacks like this within your organization? How would you defend against them? In my next post, we’ll wrap up by discussing how blue teams and white teams can use the BreakingPoint solution in cyber exercises.