In June this year, Fifth Domain ran a ten-day cyberwar course for 21 participants. The course provided participants with both red-team (offensive) and blue-team (defensive) cyber operations exercises.
During the first eight days, participants learned a number of principles, frameworks and technical skills that were then put into practice during the final two-day cyberwar exercise. To enhance the learning, we incorporated an automated attack and defence engine that simulated an adversary force.
Below are the four lessons that teams most consistently learn by participating in a cyberwar exercise. They were common across this and previous exercises and are drawn from exercise-staff observations and participant feedback.
1. Team leaders don’t touch the keyboard
It seems logical that the most technically skilled person should be made team leader. The most technically able person will give the team the best advice and direction, right? In practice, the most technically capable person often gets bogged down troubleshooting a single technical problem.
When that person is also the team leader, the rest of the team is left without guidance or awareness of the adversary’s (or even their own team’s) activity. The team leader’s job is to maintain communication between team members and keep everyone working, not to be on the keyboard. Make the most capable leader the team leader, not the most technically capable person.
2. Document and rehearse time-sensitive tactical tasks
For the red team, the situation is usually a race against the blue team: tasks must be completed faster than the blue team can detect and respond. A red team that launches its campaign without prior rehearsal often fails.
Alternatively, the team may choose the right course of action but fail because it executes the attack too slowly or with errors. Preparing a cheat-sheet and rehearsing the procedure before the event helps prevent both outcomes.
3. Draw a map
Digital terrain cannot be sensed with the eyes and ears, and each team member sees only a part of it. Successful teams spend time documenting their collective understanding of that terrain. Many use a whiteboard (the bigger the better) to draw the network and annotate it with relevant information as it is discovered during the exercise. This applies to red teams and blue teams alike.
Teams should make it one person’s responsibility to maintain the network map. This is a simple but powerful tool. Finding the right level of detail comes with experience.
4. Slow down the individual to speed up the team
Any individual who moves ahead without coordinating with the team will cause problems. For instance, a red-team member changing a relay box disrupts the rest of the team’s connectivity to the target, while a blue-team member over-hardening a system denies end-users essential services.
Periodically stopping the team and syncing up to share problems and brainstorm solutions is the key to avoiding these errors. This is disruptive to individual work, but it ensures that one person’s efforts do not undermine another’s. It also means that decisions are made with the most accurate and complete information available.
Cyber-exercising is a smart investment for businesses with a defensive cyber-operations capability. Red-team training can help defenders ‘know thy enemy’ – appreciating the procedures, tempo, obstacles and relative ease of compromising IT systems. This knowledge can then improve defensive strategies, technology, and procedures.
Similarly, blue-team exercising can identify gaps in not only technology and skills but also in communication, coordination, and collaboration activities, all of which are essential to an effective cyber-defence capability.
Ultimately, cyber-exercising can provide businesses with valuable ‘lessons learned’ without first incurring the costs associated with an actual cyber-attack.
About the Author: Matt Wilcox is the Founder of Fifth Domain, a cybersecurity training start-up. He has almost a decade of experience in cybersecurity, working in Federal Government, top-tier consulting firms and academia.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.