Survey Finds 35% of Security Professionals Say the Blue Team Rarely Catches the Red Team

Published
August 15, 2019

Author
Tim Matthews

As cyberattacks become more advanced and frequent, organizations are preparing their teams for sophisticated adversaries who can find gaps in existing security programs. One approach is to run red team/blue team exercises. The red team, either an internal group or external penetration testers brought in for the engagement, emulates the behaviors and tactics of real attackers to gauge how well the company's current security controls hold up. The blue team is the organization's own security staff, whose job is to detect and stop the simulated attack. To give the company the most realistic picture of its defensive capabilities, the blue team is not told when the attack will occur and must respond as it would to a real incident.

A new study from Exabeam reports that the majority of organizations see significant value in red/blue team testing — and are using lessons learned from the exercises to strengthen their cybersecurity programs. The survey, conducted at Black Hat USA 2019, polled 276 IT security professionals and found that 74% have seen their companies increase investment in security infrastructure as a result of red and blue team testing, with 18% calling the budget changes significant.

Red team pentesting exercises are conducted regularly

When asked whether their organization conducts red team exercises, 72% of respondents said yes. Of those, 23% run exercises monthly, 17% quarterly, 17% annually, and 15% bi-annually.


Figure 1: Seventy-two percent of respondents surveyed said their organizations conducted red team exercises.

Blue team defensive capabilities

On the flip side, 60% of respondents surveyed said their organizations conduct blue team exercises, with 24% performing them monthly, 12% quarterly, 11% bi-annually and 13% annually.


Figure 2: Sixty percent of respondents said their companies conduct blue team exercises, indicating a growing commitment to fortifying their security posture.

Do the security exercises work?

Of those surveyed, 68% of respondents believe that red team testing is more effective than blue team testing.


Figure 3: Sixty-eight percent of security professionals find red team exercises more effective than blue team testing.

When asked whether the blue team succeeds in catching the red team, only 2% of those surveyed said it always does. Thirty-five percent of respondents said the blue team never or rarely catches the red team, while 62% said it catches the red team occasionally or often.


Figure 4: Thirty-five percent of respondents claimed that the blue team never or rarely catches the red team, while 62% said they caught the red team occasionally or often.

Seventy-four percent of IT security professionals surveyed have seen their companies increase security infrastructure investment as a result of red and blue team testing, with 18% calling the budget changes significant.


Figure 5: Seventy-four percent of security professionals surveyed have seen their companies increase security infrastructure investment as a result of red and blue team testing.

Improving defensive skills

According to the survey, top skills the blue teams needed to work on as a result of their exercises were communication and teamwork (27%), knowledge of the attacks and tactics (23%), and threat detection (20%). Incident response time (17%) and persistence (8%) were other areas the internal security teams said they needed to work on.


Figure 6: The survey identified communication and teamwork as the top skill blue teams need to work on, followed by knowledge of the attacks and tactics, threat detection, incident response time and persistence.

Regular red team/blue team testing helps companies harden their security infrastructure and trains internal teams to handle real attacks. The study also shows that, beyond technical knowledge, interpersonal skills matter: cohesive teams that cooperate well respond better when an urgent alert arises.

How to detect and respond to threats

Proactive threat hunting is one way to get ahead of attackers. By watching for telltale attack techniques, security teams can catch the adversary early, while a foothold is still being established, for example when malware first lands on an endpoint, rather than after that foothold has been used to do damage.

User and entity behavior analytics (UEBA) is an emerging category of security solutions that uses analytics technology, including machine learning and deep learning, to discover abnormal and risky behavior by users, machines and other entities on the corporate network. It works by building a baseline of each entity's normal behavior and flagging activity that deviates from it, which is a different signal from matching known-bad indicators and can improve your security posture.

UEBA solutions can therefore detect incidents that traditional tools do not see: activity that matches no predefined correlation rule or attack pattern, or that spans multiple organizational systems and data sources which no single tool correlates.
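The baseline-and-deviation approach described above, as an added illustration that is not Exabeam's product code: a small Python script learns each user's usual logon hours, VPN source countries and target hosts from a training window of constructed VPN and Windows logon events, then scores a later window against that baseline and correlates the two sources on the same user and day. The event layout, the scoring weights and the alert threshold are assumptions made for the example; a real UEBA deployment learns far more features and derives its thresholds statistically rather than from hand-picked constants.

```python
"""Per-user behavioral baseline and deviation scoring over two log sources.

Added example (not Exabeam product code). All events are constructed, and the
event layout, scoring weights and threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Event layout (assumed): (source, timestamp, user, src_geo, dest_host).
# VPN events carry the source country but no target host; Windows logon events
# carry the target host but no geography. Correlating the two is the point.
BASELINE_EVENTS = [  # constructed "known good" training window
    ("vpn", "2019-08-01T08:05:00", "alice", "US", None),
    ("win", "2019-08-01T08:10:00", "alice", None, "FS01"),
    ("vpn", "2019-08-02T08:12:00", "alice", "US", None),
    ("win", "2019-08-02T08:20:00", "alice", None, "FS01"),
    ("win", "2019-08-02T09:40:00", "alice", None, "MAIL01"),
    ("vpn", "2019-08-05T07:58:00", "alice", "US", None),
    ("win", "2019-08-05T08:03:00", "alice", None, "FS01"),
    ("vpn", "2019-08-01T22:00:00", "bob", "DE", None),
    ("win", "2019-08-01T22:05:00", "bob", None, "BUILD01"),
    ("vpn", "2019-08-02T21:45:00", "bob", "DE", None),
    ("win", "2019-08-02T21:50:00", "bob", None, "BUILD01"),
]

TEST_EVENTS = [  # constructed detection window
    ("vpn", "2019-08-12T08:07:00", "alice", "US", None),    # alice, a normal day
    ("win", "2019-08-12T08:15:00", "alice", None, "FS01"),
    ("vpn", "2019-08-13T03:02:00", "alice", "RO", None),    # alice at 03:00 from a new country...
    ("win", "2019-08-13T03:05:00", "alice", None, "FS01"),  # ...then fanning out across hosts
    ("win", "2019-08-13T03:06:00", "alice", None, "DC01"),
    ("win", "2019-08-13T03:07:00", "alice", None, "SQL01"),
    ("win", "2019-08-13T03:08:00", "alice", None, "HR01"),
    ("vpn", "2019-08-12T22:01:00", "bob", "DE", None),      # bob works nights; this is his normal
    ("win", "2019-08-12T22:04:00", "bob", None, "BUILD01"),
]

WEIGHTS = {"new_geo": 40, "off_hours": 20, "new_host": 10, "host_fan_out": 30}  # assumed
THRESHOLD = 50  # assumed alert threshold per user per day


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _empty_profile():
    return {"geos": set(), "hours": set(), "hosts": set(), "max_hosts_per_day": 0}


def build_baseline(events):
    """Learn each user's usual VPN geos, logon hours, hosts, and the most distinct
    hosts touched in any single day (a crude lateral-movement baseline)."""
    baseline = defaultdict(_empty_profile)
    hosts_per_day = defaultdict(set)
    for src, ts, user, geo, host in events:
        t = _parse(ts)
        profile = baseline[user]
        profile["hours"].add(t.hour)
        if src == "vpn":
            profile["geos"].add(geo)
        elif src == "win":
            profile["hosts"].add(host)
            hosts_per_day[(user, t.date())].add(host)
    for (user, _day), hosts in hosts_per_day.items():
        profile = baseline[user]
        profile["max_hosts_per_day"] = max(profile["max_hosts_per_day"], len(hosts))
    return dict(baseline)


def _fire(day, reason, detail):
    """Record a finding once per user-day, so ten 03:00 logons are one off-hours finding."""
    tag = f"{reason}:{detail}"
    if tag not in day["reasons"]:
        day["reasons"].append(tag)
        day["score"] += WEIGHTS[reason]


def score_events(baseline, events):
    """Score each (user, day) against that user's baseline.
    Returns {(user, 'YYYY-MM-DD'): (score, [reason tags])}."""
    days = defaultdict(lambda: {"score": 0, "reasons": [], "hosts": set()})
    for src, ts, user, geo, host in events:
        t = _parse(ts)
        day = days[(user, t.date().isoformat())]
        profile = baseline.get(user, _empty_profile())  # unknown user: everything is new
        if src == "vpn" and geo not in profile["geos"]:
            _fire(day, "new_geo", geo)
        if not any(abs(t.hour - h) <= 1 for h in profile["hours"]):
            _fire(day, "off_hours", f"{t.hour:02d}h")
        if src == "win":
            day["hosts"].add(host)
            if host not in profile["hosts"]:
                _fire(day, "new_host", host)
    # Cross-event feature: distinct hosts in the day versus the learned daily maximum.
    for (user, _d), day in days.items():
        limit = baseline.get(user, _empty_profile())["max_hosts_per_day"] + 1
        if len(day["hosts"]) > limit:
            day["reasons"].append(f"host_fan_out:{len(day['hosts'])}>{limit}")
            day["score"] += WEIGHTS["host_fan_out"]
    return {k: (v["score"], v["reasons"]) for k, v in days.items()}


def flag_anomalies(baseline, events, threshold=THRESHOLD):
    """Return (user, day, score, reasons) for every user-day at or above the threshold."""
    scored = score_events(baseline, events)
    return sorted((u, d, s, r) for (u, d), (s, r) in scored.items() if s >= threshold)


if __name__ == "__main__":
    profile_db = build_baseline(BASELINE_EVENTS)
    for user, day, score, reasons in flag_anomalies(profile_db, TEST_EVENTS):
        print(f"ALERT {user} {day} score={score} reasons={reasons}")
```

Running it raises one alert, for alice on 2019-08-13, and nothing for her normal day or for bob, whose night-time logons are his own baseline. That last case is the difference between a per-entity baseline and a single global "after hours" rule: the same 22:00 logon is normal for one user and anomalous for another, and only the combination of VPN geography and Windows host fan-out on the same user-day pushes alice over the threshold.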

To find out more about the most prevalent UEBA security use cases read our post, Top 10 UEBA Security Use Cases: Compromised User Credentials, Executive Assets Monitoring, Data Exfiltration Detection.
