1. Team leaders don't touch the keyboard

It seems logical that the most technically skilled person should be made team leader. The most technically able person will provide the team with the best advice and direction, right? In practice, the most technically capable person often becomes bogged down trying to troubleshoot a technical problem. When that person is the team leader, the remainder of the team is left without guidance or awareness of the adversary's (or even their own team's) activity. The team leader's job is always to maintain communication between team members and keep everyone working. Make the most capable leader the team leader, not the most technically capable person.
2. Document and rehearse time-sensitive tactical tasks

The red-team situation is often a race against the blue team, that is, completing tasks faster than the blue team can detect and respond. The red team often fails in its attack if the campaign is initiated without prior rehearsal. Alternatively, the team might decide on the best course of action but fail because it executes the attack too slowly or with errors. Preparing a cheat sheet or rehearsing the procedure prior to the actual event can help prevent this from happening.
3. Draw a map

The digital terrain cannot be sensed by the eyes and ears, and each team member has a unique perspective on it. Successful teams spend time documenting their collective understanding of the digital terrain. Some use a whiteboard (the bigger the better) to draw the network and annotate it with relevant information as it is discovered during the exercise. This applies to both red teams and blue teams. Teams should make it one person's responsibility to maintain the network map. This is a simple but powerful tool; finding the right level of detail comes with experience.
4. Slow down the individual to speed up the team

Any individual who moves ahead without coordinating with the team will cause issues. For instance, red-team changes to relay boxes disrupt connectivity to the target, while blue-team over-hardening denies end users essential services. Periodically stopping the team and syncing up to share problems and brainstorm solutions is the key to avoiding these errors. This process can be disruptive to individual work, but it ensures that the efforts of others are not undermined. Additionally, sharing information and discussing problems ensures that decisions are made with the most accurate and complete information available.

Cyber-exercising is a smart investment for businesses with a defensive cyber-operations capability. Red-team training can help defenders 'know thy enemy' – appreciating the procedures, tempo, obstacles and relative ease of compromising IT systems. This knowledge can then improve defensive strategies, technology, and procedures. Similarly, blue-team exercising can identify gaps not only in technology and skills but also in communication, coordination, and collaboration, all of which are essential to an effective cyber-defence capability. Ultimately, cyber-exercising can provide businesses with valuable 'lessons learned' without first incurring the costs associated with an actual cyber-attack.

About the Author: Matt Wilcox is the Founder of Fifth Domain