Oct 27 2021

Red Teams vs. Blue Teams: What’s the Difference, and How do Health IT Leaders Run These Exercises

Cybersecurity threats are becoming more sophisticated, and healthcare organizations must prepare for attacks in order to mitigate damage.

One third of healthcare organizations surveyed were hit by a ransomware attack in the past year, according to “The State of Ransomware in Healthcare 2021” survey report published by Sophos in early 2021. Data is often leaked during these events, with at least 72 percent of ransomware incidents in the U.S. healthcare sector so far this year resulting in victims’ data being leaked.

Not only do these incidents impact patient trust and an organization’s bottom line, they can lead to longer stays for patients, delays in procedures and tests resulting in poor outcomes, and an increase in patients transferred or diverted to other facilities, according to a new Ponemon Institute report. In rarer circumstances, ransomware attacks can increase complications from medical procedures as well as mortality rates.

Cybersecurity threats are growing in frequency and sophistication, and healthcare organizations are often targets. It’s often not a matter of if but when an organization will be attacked, with patients affected. Incident response planning allows healthcare organizations to prepare themselves for a cybersecurity event and to mitigate the damage of successful attacks.

Red team and blue team exercises are useful security assessments that healthcare organizations can use to validate the efficacy of their incident response programs and find vulnerabilities. While these exercises allow security teams to test their defenses in a low-risk environment, several considerations must be kept in mind to ensure success.

Click the banner below to dig deeper into incident response with planning guidance from CDW.

What Are Red Teams and Blue Teams?

Red team and blue team exercises identify areas of improvement through a low-impact, low-risk approach. Red teams work to overcome an organization’s cybersecurity defenses in a simulated attack to gauge the strength of the organization’s existing security capabilities. Blue teams work to protect the organization’s critical assets against these simulated cybersecurity threats, as well as real threats that may arise.

“Red teaming is similar but not identical to penetration testing. It involves the pursuit of one or more objectives, usually executed as a campaign. The main differences between red teaming and penetration testing are depth and scope,” says Stew Wolfe, technology and transformation cybersecurity leader for Cisco. “Penetration testing is designed to identify and exploit as many vulnerabilities as possible over a short period of time, while red teaming is a deeper assessment conducted over a period of weeks. It is designed to test an organization’s detection and response capabilities and achieve set objectives, such as data exfiltration.”

EXPLORE: Learn how to create an effective incident response plan for healthcare.

Blue teams, on the other hand, refer to an internal security team that defends against both real attackers and red teams, which are often independent of a healthcare organization’s IT team. However, there can be a dedicated internal team responsible for red teaming exercises.

Red team members need to have experience in cybersecurity tactics, techniques, protocols and procedures, as well as an understanding of how to get into networks without setting off alarms, explains Drex DeFord, executive healthcare strategist at CrowdStrike. The need for these skills often leads healthcare organizations to turn to security partners with threat expertise.

In a red team assessment, the blue team is not made aware of when the exercise will take place. Although collaboration is typically recommended in healthcare IT, the red team and blue team must function in isolation for the exercise to work.

“Security experts across the globe often emphasize that absolute security is a myth. Organizations can’t have the mindset that since they have implemented all possible security measures, they cannot be attacked. The threat landscape changes constantly, and this kind of mindset can do more harm than good,” says Wolfe. “Maintaining the security of IT infrastructure is a continuous process. While implementing an incident response plan or testing it in controlled settings may give perfect results, the loopholes are only identified when a real attack is detected. While the red team is carrying out an attack that is defended by the blue team in real time, the question of whether the organization’s incident response is working or not is answered over the course of an attack.”

How Do Health IT Leaders Conduct Red Team vs. Blue Team Exercises?

Red team activities commonly follow the MITRE ATT&CK Framework, which is a globally accessible knowledge base of adversary tactics, techniques and methods based on real-world experience and events. The MITRE ATT&CK framework serves as a foundation for the development of prevention, detection and response capabilities that can be customized based on each healthcare organization’s unique needs as well as new developments within the threat landscape.

“The primary objective is to perform a real-life attack scenario to identify potential threats to an organization’s IT ecosystem from a broader perspective, rather than being confined to a specific set of identified assets,” says Wolfe. “When a red team is conducting its exercises, the effectiveness of its counterpart blue team in defending against an attack can be analyzed.”

When a blue team detects that an attack is being carried out, the organization’s incident response plan will come into play.

READ MORE: Find out 8 ways to create a strong security culture in healthcare.

“On one end, the red team attempts to use its tactics to launch an offense. The blue team, on the other hand, defends against the attack, while at the same time ensuring that downtime is minimum and that effects on normal healthcare operations are minimized,” says Wolfe. “If the blue team fails to defend against an attack, how quickly it responds to a security incident is another valuable result for an organization.”

DeFord explains that these exercises can evolve as a healthcare organization’s security team gains experience. They can begin with planned attacks the blue team is aware of. Eventually, after adjustments have been made over time based on the results of these exercises, red team attacks may happen at any time.

“At that point, the blue team always has to be ready, because that’s the real world, and that’s the place we live in today,” says DeFord.

Click the banner below for more security and incident response planning content from HealthTech.

    What Are the Benefits of Red vs. Blue Team Exercises in Healthcare?

    As ransomware attacks on healthcare organizations increase, healthcare CISOs are looking for effective methods to reduce risk beyond traditional means such as penetration testing, says Wolfe. Red team and blue team exercises are a critical part of any robust and effective security strategy.

    “It gives the incident response team real-world practical experience. They get to see what an attack looks like and understand how they should react to that attack,” says DeFord.

    The next step for many organizations would be a purple team exercise, which involves more collaboration between the red and blue teams to understand how security controls are working and what adjustments need to be made.

    LEARN MORE: How can purple teaming improve healthcare organizations’ security posture?

    Red Team vs. Blue Team Exercise Best Practices for Healthcare

    Red team and blue team assessments should be conducted annually as part of an effective security program to test the effectiveness of the security controls of a healthcare organization’s incident response plan, says Wolfe. This is especially important as the threat landscape continues to change.

    However, it’s also important to have an emergency stop for the exercise. DeFord explains that this is especially critical for healthcare organizations.

    “If there is interference with medical equipment because of an attack happening in the network, the blue team has the right to pick up the phone, call the red team and say, ‘Are you attacking us right now? If you are, you need to stop because we’re actually going to affect patient care.’ So, then they would put a pause on the attack and reset.”

    While healthcare organizations need to be prepared for any impact of red team vs. blue team testing on patient care and critical infrastructure, DeFord says that these exercises are almost always well controlled and managed, as the red team members must understand what they can and can’t do within a hospital’s network.

    “The mission is to provide great care to patients and families. We don’t want anything to interrupt that, but we know we have to test ourselves to make sure that we’re as good as we can possibly be to protect those same patients and families,” he adds.

    Communication between teams is the most critical element in this, explains Wolfe, but there are a few other ways to get the most out of a healthcare organization’s red team vs. blue team exercises:

    • Have a plan of action. The planning stages of simulation exercises are just as important as the exercises themselves. “There are endless scenarios and methodologies to use when attempting to exploit a system, so it’s vital to limit your scope,” says Wolfe.
    • Think outside the box. Threat actors aren’t following a set of rules when they break into a system. Red teams can stay within the scope of the exercise while still having the freedom to be creative. However, Wolfe says, it’s important for red team members to show their work, as blue teams can only prevent an attack if they can understand how it was done.
    • Understand the purpose. What does the security team want to achieve from the red team exercise? “A red team is meant for those companies who feel they have done all they can to implement security measures and need the ultimate test,” says Wolfe. A red team truly targets the organization as an adversary would do, so that both sides can control the environment and implement a more robust security posture.
    ivanastar/Getty Images

    Become an Insider

    Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT