How to run an effective wargaming simulation

The military does it. The US Government Accountability Office does it. So does the US National Security Agency. The concept has made its way into the corporate world, too: war-gaming the security infrastructure.

Red team-blue team exercises take their name from their military antecedents. The idea is simple: One group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it. Originally, the exercises were used by the military to test force-readiness. They have also been used to test physical security of sensitive sites like nuclear facilities and the Department of Energy's National Laboratories and Technology Centers. In the '90s, experts began using red team-blue team exercises to test information security systems.

Companies in any industry can benefit from a red team-blue team exercise by following this advice.

The basics

Red teams are external entities brought in to test the effectiveness of a security program. They are hired to emulate the behaviors and techniques of likely attackers to make it as realistic as possible.

For example, the team may try to get into a company building by posing as a delivery driver in order to plant a device that gives them easy access from outside (think ports 80, 443 and 53 for HTTP, HTTPS and DNS respectively, since outbound traffic on those ports is rarely blocked). They may also try social engineering, phishing, vishing, or simply posing as a company employee.
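The planted-device scenario above is one a blue team can actually hunt for: a box nobody inventoried that quietly talks out over 80, 443 or 53. The following is an added example, not code from the article or from any of the companies quoted in it. It assumes a hypothetical single-line firewall log format (the sample lines are constructed), an asset inventory keyed on MAC address, and a simple "regular interval" heuristic for beaconing; all three are assumptions, not a vendor's format or a published detection rule.

```python
"""Flag non-inventoried devices egressing on 80/443/53 and check for beaconing.

Added example; the log format, inventory and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log (hypothetical format, not a real product's).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z src=10.10.5.21 mac=00:1a:2b:3c:4d:01 dst=203.0.113.10 dport=443 proto=tcp action=allow
2024-05-01T09:00:07Z src=10.10.5.21 mac=00:1a:2b:3c:4d:01 dst=203.0.113.10 dport=443 proto=tcp action=allow
2024-05-01T09:01:00Z src=10.10.5.88 mac=00:1a:2b:3c:4d:ff dst=198.51.100.7 dport=53 proto=udp action=allow
2024-05-01T09:02:00Z src=10.10.5.88 mac=00:1a:2b:3c:4d:ff dst=198.51.100.7 dport=53 proto=udp action=allow
2024-05-01T09:02:31Z src=10.10.5.22 mac=00:1a:2b:3c:4d:02 dst=203.0.113.44 dport=80 proto=tcp action=allow
2024-05-01T09:03:00Z src=10.10.5.88 mac=00:1a:2b:3c:4d:ff dst=198.51.100.7 dport=53 proto=udp action=allow
2024-05-01T09:04:00Z src=10.10.5.88 mac=00:1a:2b:3c:4d:ff dst=198.51.100.7 dport=53 proto=udp action=allow
2024-05-01T09:04:12Z src=10.10.5.88 mac=00:1a:2b:3c:4d:ff dst=10.10.5.1 dport=22 proto=tcp action=deny
2024-05-01T09:05:00Z src=10.10.5.88 mac=00:1a:2b:3c:4d:ff dst=198.51.100.7 dport=53 proto=udp action=allow
"""

# Constructed asset inventory: MACs the organisation knows about (assumption).
ASSET_INVENTORY = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}

# The "looks like normal web/DNS traffic" ports mentioned in the article.
EGRESS_PORTS = {80, 443, 53}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) mac=(?P<mac>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # fromisoformat() accepts "+00:00" on every supported Python version.
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["dport"] = int(ev["dport"])
    return ev


def find_unknown_egress(log_text, inventory, ports=EGRESS_PORTS):
    """Group events by MAC for devices not in the inventory that use egress ports."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["mac"] in inventory or ev["dport"] not in ports:
            continue
        events[ev["mac"]].append(ev)
    return dict(events)


def is_beaconing(events, max_cv=0.2, min_events=4):
    """Heuristic: regular inter-connection gaps (low coefficient of variation)."""
    ts = sorted(e["ts"] for e in events)
    if len(ts) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg <= max_cv


def report(log_text, inventory):
    """Return one finding per unknown device seen on an egress port."""
    findings = []
    for mac, evs in find_unknown_egress(log_text, inventory).items():
        findings.append({
            "mac": mac,
            "src": evs[0]["src"],
            "dports": sorted({e["dport"] for e in evs}),
            "count": len(evs),
            "beaconing": is_beaconing(evs),
        })
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_LOG, ASSET_INVENTORY):
        print(f)
```

On the constructed sample this reports a single unknown device (10.10.5.88) making five DNS connections at exactly one-minute intervals, which the heuristic marks as beaconing; the two inventoried hosts and the denied SSH attempt are not reported. In a real environment the inventory would come from NAC or DHCP data and the beaconing threshold would need tuning, but the shape of the check, "who is talking out that we do not know about, and how regularly", is what a blue team wants in place before the exercise starts.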

On the other side lies the blue team, the internal security team that is charged with stopping these simulated attacks. A growing number of companies, however, are not using formal blue teams in their exercises. The rationale is that they get a more realistic picture of their true defensive capabilities by seeing how their security teams react to the simulation without preparation.

The ultimate aim of such a test is to assess an organization's security maturity as well as its ability to detect and respond to an attack. Such an exercise can take up to three or four weeks depending on the simulation, the people involved and the attacks being tested.

Red team

On the surface, such exercises, carried out by the likes of Fortune 500 companies, governments and even NATO (with its Crossed Swords exercise), have clear benefits. Yet red teaming is still often confused with penetration testing.

“Red teaming is in vogue this year. Every company and their dog all of a sudden are red team experts,” said Daniel Cuthbert, COO of SensePost. “Sadly, our industry thrives on firsts, often snake-oil but sounding sexy and professing to do X when in reality they have no idea what they are doing. Red teaming, as marketed by many a company, is often just penetration testing with a slightly extended scope.”

This view is echoed by other professionals, and there’s particular disdain for what red teamers are supposed to look like. Richard De Vere, director of social engineering consultancy Anti-Social Engineer, said he “despises” the image of red teamers kitted out in black camouflage - “that’s not what it’s about” - and said there are misconceptions too over what kind of team you need. “They are social engineers, not failed army guys. Red Teams need definition. They should not be stuck behind middle management with no scope.”

As such, it is perhaps little surprise that red teaming maturity varies across companies. “From a technical sense, it can vary from very good to poor,” said Quentyn Taylor, director of information security at Canon Europe, when asked how advanced businesses are with red teaming. “However, the main issue is organizations not understanding what they are trying to get from red teaming, what they are trying to simulate.”

With that in mind, here’s a six-step guide to getting red teaming right.