With cyber threats on the rise in the age of a distributed workforce, organizations are looking for ways to identify vulnerabilities and gaps in security. One way to effectively combat these attacks is to initiate testing by red teams and blue teams.
For this article, cybersecurity teams are split into two: red teams cover the offensive side, while blue teams are defensive.
Red teams can include a group of internal or external security experts that imitate tactics used by cybercriminals against a company’s current security defenses. Blue teams are made up of the organization’s internal security personnel whose goal is to stop these simulated attacks. In a recent report on the efforts of red and blue teams in 2020, three positive trends emerged:
- More companies are performing red team exercises. Results from 2020 show 92% of companies are performing red team exercises, up from 72% reported in 2019.
- Blue team exercises conducted by firms are also increasing by 36%, and blue teams are proving more effective. This year’s survey reveals 96% of respondents are performing blue tests, with 11% of companies reporting they always catch their red teams. This is compared to last year’s 60% of companies who reportedly conducted blue team exercises with only 2% of respondents indicating they always caught their red teams.
- Security investments have risen by 6%. Up from 74% in 2019, the results show companies have increased their security infrastructure investments as a result of blue team exercises.
Why positive trends?
The uptick in cybercrime that organizations are noticing likely contributes to the increase in red and blue team exercises. Additional factors might include more employees working remotely and a greater migration to the cloud. Combined, these trends produce a larger threat landscape, which in turn increases the type and number of exercises.
As companies face more regulations, some of which require them to perform regular tests to protect customer data and protect consumer privacy, compliance may be another contributing factor towards the rise in red and blue team exercises.
Red and blue teams are better equipped to address these growing cyber risks with more technology and intelligence at their disposal. Machine learning (ML) and artificial intelligence (AI) systems can be used by blue teams to learn the characteristics of attacks.
For example, the MITRE ATT&CK framework provides a globally accessible knowledge base of adversary tactics and techniques gathered from real-world and historical information. By aggregating and analyzing this data, blue teams can be more efficient in identifying the types of attacks they are most likely to experience. Improvements in endpoint protection tools also allow blue teams to go on the offensive with threat hunting.
Another solution for blue teams comes from user and entity behavior analytics (UEBA), which blue teams are using to respond to threats proactively.
SOAR (security orchestration, automation, and response), which allows organizations to collect information about security threats and respond to low-level security threats, is another tool that is becoming more popular to help teams proactively manage threats. Blue teams can use SOAR playbooks to automate low-level security defenses.
Analyzing the 2020 red team and blue team survey results
Below, find out how your company compares with this year’s results:
- Most companies regularly conduct red team exercises. The 2020 survey found 92% conduct red team exercises regularly. Of those, 26% conduct exercises once a month or more, 25% once every 2-6 months, 32% once every 7-11 months, and 8% once a year.
- Blue teams regularly conduct defensive exercises. In terms of security teams and their defensive capabilities, 96% perform tests regularly. Of those, 4% conduct tests once a month or more, 46% once every 2-6 months, 38% once every 11 months, and 8% once a year.
- Companies are actively engaging in purple teaming exercises. Purple teams, composed of members from red and blue teams, conduct more complex what-if scenarios to test controls and processes and encourage information sharing between red and blue team members. This improves a company’s overall security program. The survey found 96% of respondents conduct purple team exercises. Of those, 34% perform tests once every 2-6 months, 50% once every 7-11 months, and 12% once a year.
- External firms are frequently used to conduct red team tests. The 2020 survey found 92% of respondents use external firms to perform red team exercises on a regular basis. Of those, 1% conduct tests once a month or more, 25% once every 2-6 months, 39% once every 7-11 months, and 27% once a year.
- Most respondents believe internal and external red teams are equally effective. According to the survey, 54% of respondents believe internal and external red teams are equally effective in testing blue units, with 24% claiming internal teams are more productive, whereas 19% stated external teams are better.
- There is still room for improvement. Although 92% of respondents noted that their blue teams catch their red teams, only 11% always catch their red teams. The majority, 55%, sometimes catch their red teams, and 7% rarely or never catch their red teams.
- Blue team skills can improve threat detection and incident response. According to the survey, the top defensive skills blue teams need to work on include threat detection (49%), incident response (47%), and flexibility/openness to change in a work-from-home environment (44%). In a recent study, The Exabeam 2020 State of the SOC Report, 82% of SOC professionals say they are confident in their ability to detect threats, despite stating that threat hunting and the ability to remediate threats effectively were critical skills they feel they lack.
Overall, the results demonstrate an improvement in threat detection and incident response. As organizations continue to adopt tools such as UEBA and SOAR, these tools will help security teams proactively search for threats.
By running red and blue team exercises, organizations will share metrics and information to get the most out of a simulated attack, consequently testing the readiness of the organization to face unexpected threats.