The Blue Team Exercise

Enhancing Incident Response...

... Through real-world Technical Attack Simulations

The Blue Team Exercise is a new incident response exercise focused on your technical team, using real-world attack methodologies against your Incident Response Team and IT assets. A Blue Team is defined by NIST as “the group responsible for defending an enterprise’s use of information systems by maintaining its security posture…” Blue teaming, then, is the process of exercising your Blue Team and incident response processes against our Red Team (the attackers: authorized, emulated adversaries) in scenarios that simulate real-world attacks. Our team’s objective is to improve your cybersecurity posture by demonstrating the impact of attacks, showing what works for the defenders, and identifying additional controls or process improvements that could strengthen your defensive posture. This exercise not only tests your team’s incident response capabilities, but also validates the controls in place protecting your institution.

Test Planning

The Blue Team Exercise is accomplished through five phases: test planning, the demonstration, an Incident Response Team test, a post-mortem review, and the board exercise. In the planning phase, we meet to design the process, help define the test scenarios and parameters used for the exercise, and schedule the various steps. We schedule the presentation of the test plan and its approval by your team, as well as the functional test period of the exercise. We also schedule a grey-box interview with a member of your technical team to gain limited knowledge of the internal workings of your network. We use this information to tailor the exercise to your infrastructure, technology, and team, so that the simulated attacks are ones a malicious actor could realistically use against your institution.

Blue Team Demonstration

In the demonstration phase we gain authorized access to your systems and begin by leaving artifacts (indicators of compromise and evidence of malicious activity) on your systems for the Blue Team to find and document. Your Blue Team is then informed of the “discovery” of one of these artifacts, and the team walks through the detection and containment of the simulated attack. This is done in a tabletop setting with the Blue Team to practice escalation and team communication skills. The demonstration is first run without bypassing controls, to confirm the controls are working as expected. Controls are then bypassed so that the actual incident response processes are exercised, and any control that was bypassed is documented.

Incident Response Team Test

The next phase, the Incident Response Team test, starts with the Blue Team bringing the Incident Response Team at large up to speed on the demonstration. This team test is similar to our typical incident response tabletop test, but it focuses first on the technical team. The technical team must exercise its communication and escalation skills to inform the whole Incident Response Team, and we ensure the team knows to inform management and executive leadership of the situation. Then the entire Incident Response Team works through the scenario. Additional, non-technical scenarios are walked through with the team as well.

Post-Mortem Review

The post-mortem review follows the demonstration and the Incident Response Team test. After each scenario in those two phases, we discuss possible action items, areas for improvement, and what went well. These items are documented in the post-mortem to provide an overview of how the exercise went and what can be improved upon. The documented items are used in the next phase to exercise and educate the board.

Board Exercise

Finally, the board exercise finishes out the Blue Team Exercise process. In the board exercise we review the board’s role in incident response, teach the board how to determine the appropriate questions to ask, and help facilitate management’s presentation of the post-mortem review to the board. This phase concludes the exercise, having tested not only the communication and escalation processes from the technical team all the way to the board, but also the controls and defensive posture of your systems and IT assets.

Much more than your typical Incident Response Test

In an ideal world, an organization never experiences an attack. Unfortunately, in the real world, we all know that is not the case. Because these exercises use attack techniques and scenarios that emulate real-world attacks, your Incident Response Team gains experience responding to attacks as they would actually unfold. The exercise also identifies areas for improvement, enabling your team to fine-tune controls and streamline response processes. Further, the exercise tests technical controls to confirm they are working as expected. Through the Blue Team Exercise, organizations can improve their cyber readiness by testing and validating their incident response processes, personnel, and controls against real-world attack techniques.

Original article by Adam Reynolds, CISSP, Lead Non-Technical Auditor, infotex
