2020 Red and Blue Team Survey Reveals Positive Trends 

In 2019, Exabeam conducted its first study of red/blue team testing. Testing by red teams and defended by blue teams is a popular method for companies to find and address their most significant vulnerabilities and security gaps. For clarification on what we mean by red team and blue team, because there are many different descriptions and even capitalizations which can change the meanings, we are talking offensive (red) versus defensive (blue) cybersecurity teams. A red team could be a group of internal or external security experts that emulate tactics used by cybercriminals against a company’s current security defenses. Blue teams comprise the organization’s internal security personnel whose goal is to stop these simulated attacks. 

Exabeam recently conducted a similar survey of red and blue teams in 2020. In comparing the results from both studies, we were excited to see several positive trends. 

• More companies are conducting red team exercises. Our 2020 survey revealed 92% of companies are performing red team exercises, compared to 72% in 2019.
• Thirty-six percent more firms are conducting blue team exercises, and blue teams are more effective. In our 2020 survey, 96% of respondents indicated they’re performing blue team tests. Eleven percent of these companies always catch their red teams. In comparison, in 2019, 60% of companies conducted blue team exercises, and only 2% of respondents indicated they always caught their red teams.  

• Security investments are up by 6%. This year’s survey reveals 80% of companies have increased their security investment as a result of red and blue team exercises. In 2019, 74% of security professionals reported increasing security infrastructure investments as a result of red and blue team testing.

What’s behind the positive trends?

More than likely, the growing number of cyberattacks is a key driver for the increase in red and blue team exercises. There are potentially other factors at play. As more companies move to the cloud and a higher number of employees work remotely, the number of attack vectors also grows, which in turn increases the type and amount of exercises. Regulatory compliance may be another driver. Companies are facing increasing regulations, some of which require them to perform regular tests to protect customer data and protect consumer privacy. 

Red and blue teams have more technology and intelligence at their disposal now to address these growing cyber risk challenges. Machine learning (ML) and artificial intelligence (AI) systems can be used by blue teams to learn the characteristics of attacks. AI and ML can also automate their work. Furthermore, data about vulnerabilities, attacks, and cybercriminal activities is growing. Take the MITRE ATT&CK framework for example that provides a globally-accessible knowledge base of adversary tactics and techniques garnered from real-world and historical information. By aggregating and analyzing this data, blue teams can be more efficient in identifying the types of attacks that they’re more likely to experience. The improvement in endpoint protection tools also allows blue teams to go on the offensive with threat hunting.

Users and entity behavior analytics (UEBA) is another solution blue teams are using to respond to threats proactively. UEBA solutions use analytics technology, including machine learning and deep learning, to discover abnormal and risky behavior by users, machines, and other entities on your corporate network.

SOAR (security orchestration, automation and response) is another tool that is becoming more popular to help teams proactively manage threats. SOAR, a collection of compatible software programs, allows an organization to collect information about security threats and respond to low-level security events without human intervention. Blue teams can use SOAR playbooks to automate low-level security defenses. 

2020 red team and blue team survey results

Take a closer look at our 2020 findings to see how your company compares:

Red team exercises are conducted regularly by most companies

Our survey found 92% conduct red team exercises regularly. Of those, 26% conduct exercises once a month or more, 25% once every 2-6 months, and 32% once every 7-11 months, 8% once a year.

Ninety-two percent of respondents conduct red team exercises regularly.

Blue teams conduct defensive exercises regularly

In terms of security teams and their defensive capabilities, 96% perform tests regularly. Of those, 4% conduct tests once a month or more, 46% once every 2-6 months, 38% once every 11 months, and 8% once a year.  

Figure 2: Ninety-six percent of respondents conduct blue team exercises on a regular basis to test their defensive capabilities.

Purple teaming exercises shift from passive to active.

Purple teams are composed of members from red and blue Teams. The goal of purple teaming is to encourage information sharing between red and blue team members to improve a company’s overall security program. Red and blue teams test controls in real-time, more closely simulating, and responding to an actual attack. Purple teaming allows organizations to conduct more complex what-if scenarios to test controls and processes.

Our survey found 96% of respondents conduct purple team exercises. Of those, 34% perform tests once every 2-6 months, 50% once every 7-11 months, and 12% once a year.

Figure 3: Ninety-six percent of respondents conduct purple team exercises on a regular basis highlighting the importance of information sharing.

Most companies use external firms to conduct red team tests

Our 2020 survey found 92% of respondents use external firms to perform red team exercises on a regular basis. Of those, 1% conducts tests once a month or more, 25% once every 2-6 months, 39% once every 7-11 months, and 27% once a year. 

Figure 4: Ninety-two percent of respondents rely on external firms to perform red team exercises.

The majority believe internal and external red teams are equally effective

According to our survey, the majority of respondents 54% believe internal and external red teams are equally effective in testing blue units. Twenty-four percent claimed internal teams are more productive, whereas 19% stated external teams are better.

Figure 5: The majority of respondents, 54%, believe internal and external red teams are equally effective testing blue teams.

Room for improvement

While 92% of respondents noted that their blue teams catch their red teams, only 11% always catch their red teams. The majority, 55%, sometimes catch their red teams, and 7% rarely or never catch their red teams. Security teams falling in this category can use findings and implement recommendations from these exercises to improve their security posture and readiness. 

Figure 6: Only 11% of respondents state their blue teams catch their red teams.

Red and blue team exercises influence security investments

Similar to 2019, the majority (98%) of respondents have increased investments in their security infrastructure as a result of red and blue team testing.

Figure 7: Most companies (98%) have increased their security investment due to red/blue team exercises.

Threat detection and incident response are major blue team skills gap

According to the survey, the top defensive skills blue teams need to work on include threat detection (49%), incident response (47%), and flexibility/openness to change in a WFH environment (44%). In a recent study, The Exabeam 2020 State of the SOC Report, 82% of SOC professionals say they are confident in their ability to detect threats, despite stating that threat hunting and the ability to remediate threats effectively was a critical skill they feel they lack.

Last year our survey results revealed communication/teamwork and knowledge of threats/tactics were the most significant skill gaps.

Figure 8: Threat detection and incident response were the most prominent gaps in blue team skills.

Improving threat detection and incident response

We noted earlier, the growing adoption of tools including UEBA and SOAR help security teams, proactively hunt for threats. In addition to helping red and blue teams to share metrics and information to get the most out of a simulated attack, running these exercises helps test the readiness of your organization to unexpected threats. The ability to coordinate response across the organization is equally important.  

To find out more about how UEBA solutions can help blue teams read our post, How Exabeam Helps Blue Teams Counter Red Team Attacks.