What Are Red Teams and Blue Teams?
Red team and blue team exercises identify areas for improvement in a controlled setting, at far lower risk than learning the same lessons from a real incident. Red teams work to overcome an organization’s cybersecurity defenses in a simulated attack to gauge the strength of its existing security capabilities. Blue teams work to protect the organization’s critical assets against these simulated threats, as well as against the real threats that may arise at any time.
“Red teaming is similar but not identical to penetration testing. It involves the pursuit of one or more objectives, usually executed as a campaign. The main differences between red teaming and penetration testing are depth and scope,” says Stew Wolfe, technology and transformation cybersecurity leader for Cisco. “Penetration testing is designed to identify and exploit as many vulnerabilities as possible over a short period of time, while red teaming is a deeper assessment conducted over a period of weeks. It is designed to test an organization’s detection and response capabilities and achieve set objectives, such as data exfiltration.”
Blue teams, on the other hand, are the organization’s internal security team, which defends against both real attackers and the red team. Red teams are often independent of a healthcare organization’s IT team, although some organizations maintain a dedicated internal team responsible for red teaming exercises.
Red team members need to have experience in cybersecurity tactics, techniques, protocols and procedures, as well as an understanding of how to get into networks without setting off alarms, explains Drex DeFord, executive healthcare strategist at CrowdStrike. The need for these skills often leads healthcare organizations to turn to security partners with threat expertise.
In a full red team assessment, the blue team is typically not told when the exercise will take place. Although collaboration is usually encouraged in healthcare IT, the red team and blue team must operate in isolation from each other during the exercise; otherwise the results will not reflect how the organization would fare against a real attacker who gives no warning.
“Security experts across the globe often emphasize that absolute security is a myth. Organizations can’t have the mindset that since they have implemented all possible security measures, they cannot be attacked. The threat landscape changes constantly, and this kind of mindset can do more harm than good,” says Wolfe. “Maintaining the security of IT infrastructure is a continuous process. While implementing an incident response plan or testing it in controlled settings may give perfect results, the loopholes are only identified when a real attack is detected. While the red team is carrying out an attack that is defended by the blue team in real time, the question of whether the organization’s incident response is working or not is answered over the course of an attack.”
How Do Health IT Leaders Conduct Red Team vs. Blue Team Exercises?
Red team activities are commonly planned and reported using the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Because each action in an exercise can be mapped to a specific ATT&CK technique, the framework also serves as a foundation for building prevention, detection and response capabilities that can be prioritized according to each healthcare organization’s unique needs and to new developments within the threat landscape.
“The primary objective is to perform a real-life attack scenario to identify potential threats to an organization’s IT ecosystem from a broader perspective, rather than being confined to a specific set of identified assets,” says Wolfe. “When a red team is conducting its exercises, the effectiveness of its counterpart blue team in defending against an attack can be analyzed.”
When the blue team detects that an attack is under way, the organization’s incident response plan comes into play, and the exercise becomes a test of that plan under realistic conditions.
“On one end, the red team attempts to use its tactics to launch an offense. The blue team, on the other hand, defends against the attack, while at the same time ensuring that downtime is minimal and that effects on normal healthcare operations are minimized,” says Wolfe. “If the blue team fails to defend against an attack, how quickly it responds to a security incident is another valuable result for an organization.”
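The two measurements described above, which techniques the blue team caught and how quickly it caught them, are easiest to produce when every red team action is tagged with the ATT&CK technique it exercised and every blue team alert is tagged with the technique its detection rule maps to. The following script is an added example, not code from the article or from any vendor quoted in it. The technique IDs and names are real entries from the ATT&CK Enterprise matrix; the two logs, the timestamps and the hostnames are constructed for illustration. It scores the exercise per technique, lists the detection gaps, and reports mean time to detect and time to first alert.

```python
"""Score a red team vs. blue team exercise against MITRE ATT&CK.

Added example (not from the article). The logs below are constructed:
technique IDs and names are real ATT&CK entries, but the timestamps,
hostnames and alert descriptions are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Red team's record of the campaign: each step tagged with the ATT&CK
# technique it exercised. (timestamp, technique_id, technique_name, target)
RED_TEAM_LOG = [
    ("2024-03-04T09:02:00", "T1566.001", "Phishing: Spearphishing Attachment", "ws-nurse-12"),
    ("2024-03-04T09:15:00", "T1059.001", "Command and Scripting Interpreter: PowerShell", "ws-nurse-12"),
    ("2024-03-04T11:40:00", "T1003.001", "OS Credential Dumping: LSASS Memory", "ws-nurse-12"),
    ("2024-03-05T08:05:00", "T1021.002", "Remote Services: SMB/Windows Admin Shares", "srv-ehr-db-01"),
    ("2024-03-05T16:30:00", "T1041", "Exfiltration Over C2 Channel", "srv-ehr-db-01"),
]

# Blue team's SIEM alerts in the same window, tagged with the technique the
# firing rule is mapped to. (timestamp, technique_id, host, description)
BLUE_TEAM_ALERTS = [
    ("2024-03-04T09:21:00", "T1059.001", "ws-nurse-12", "Encoded PowerShell command line"),
    ("2024-03-05T09:10:00", "T1021.002", "srv-ehr-db-01", "Admin share access from workstation"),
    ("2024-03-06T10:00:00", "T1566.001", "ws-nurse-12", "Retro hunt: macro attachment opened"),
]


@dataclass
class Result:
    technique_id: str
    technique_name: str
    target: str
    started: datetime
    detected: bool
    time_to_detect: Optional[timedelta]  # None when never detected


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def score_exercise(red_log, alerts):
    """Match each red team action to the earliest alert for the same
    technique on the same host that fired at or after the action."""
    results = []
    for ts, tid, name, target in red_log:
        started = _ts(ts)
        hits = [_ts(a_ts) for a_ts, a_tid, a_host, _ in alerts
                if a_tid == tid and a_host == target and _ts(a_ts) >= started]
        if hits:
            results.append(Result(tid, name, target, started, True, min(hits) - started))
        else:
            results.append(Result(tid, name, target, started, False, None))
    return results


def coverage(results):
    """Fraction of exercised techniques that produced at least one alert."""
    return sum(r.detected for r in results) / len(results)


def gaps(results):
    """Technique IDs the blue team never alerted on: the detection backlog."""
    return [r.technique_id for r in results if not r.detected]


def mean_time_to_detect(results):
    lags = [r.time_to_detect for r in results if r.detected]
    return sum(lags, timedelta()) / len(lags) if lags else None


def time_to_first_alert(results):
    """How long the red team operated before the blue team saw anything."""
    start = min(r.started for r in results)
    alert_times = [r.started + r.time_to_detect for r in results if r.detected]
    return min(alert_times) - start if alert_times else None


if __name__ == "__main__":
    res = score_exercise(RED_TEAM_LOG, BLUE_TEAM_ALERTS)
    for r in res:
        status = f"detected after {r.time_to_detect}" if r.detected else "NOT DETECTED"
        print(f"{r.technique_id:<10} {r.technique_name:<48} {r.target:<14} {status}")
    print(f"\ncoverage: {coverage(res):.0%}  gaps: {gaps(res)}")
    print(f"mean time to detect: {mean_time_to_detect(res)}")
    print(f"time to first alert: {time_to_first_alert(res)}")
```

Two design points matter in practice. Matching on host as well as technique avoids crediting the blue team with an unrelated alert elsewhere in the environment, and keeping the late retro-hunt alert in the data (here, the phishing attachment found two days later) is deliberate: it counts as detected but drags the mean time to detect up, which is exactly the "how quickly it responds" signal Wolfe describes. The undetected credential dumping and exfiltration steps become the blue team's next detection engineering priorities.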
DeFord explains that these exercises can evolve as a healthcare organization’s security team gains experience. They can begin with planned attacks the blue team is aware of. Eventually, after adjustments have been made over time based on the results of these exercises, red team attacks may happen at any time.
“At that point, the blue team always has to be ready, because that’s the real world, and that’s the place we live in today,” says DeFord.