Thursday, September 25, 2014

Testing A Collaborative DDoS Defense In A Red Team/Blue Team Exercise

Red Team analysis is useful in a scenario where an offensive and a defensive force can be clearly demarcated.  The security specialists who produce a defensive system are often the same individuals who test the system they just produced.  This approach “results in simple and incomplete tests, because system designers are naturally biased towards proving that their system works,” (pp. 1).

The Defense Advanced Research Projects Agency funds studies in order to encourage systematic testing, especially when the testing procedures involve Red Team vs. Blue Team exercises.  In Red Team analysis, rules of engagement are established.  Sometimes, analysis is done in phases.  First, the Blue Team makes an offensive action.  Then, the Red Team responds while the Blue Team is frozen.  In other analysis or testing scenarios, the Red and Blue teams make simultaneous actions and developments.

This study used Red Team analysis to test the security of new software against a denial-of-service attack.  First, rules of engagement were established.  For example, the Red Team could only attack the software through means in which the software would normally be used.  Administrators of the study considered the Red Team successful only if the Blue Team did not notice any intrusions or odd behavior.  Normally, denial-of-service attacks require coordination among hundreds, or sometimes thousands, of bot machines.  This study reduced the scope tremendously, actually making it easier for the Red Team to be successful.

After testing at least seven different tactics hackers could use to perpetrate a denial-of-service attack, the analysis showed that while the software was effective in protecting against attacks it was designed to handle, it had “significant vulnerabilities,” (pp. 14).  As a result, both the Red Team and Blue Team learned a considerable amount about the security of the software and about various denial-of-service attacks (pp. 14).

Red Team analysis is a valuable tool for understanding an issue from both a protagonist and an antagonist point of view.  Judging from this study, it appears that Red Team analysis is more enlightening when members of either team have no stake in the success or failure of the other team.

One of the biggest strengths of Red Team analysis also appears to be a weakness.  Red Team analysis provides a simplified scenario in which theories, tactics, or analyses can be tested or simulated.  However, the simplification can create blind spots once those theories, tactics, or analyses are applied in the real world.  Situations may occur there that were forbidden by the rules of engagement in the test scenario.

Mirkovic, J., Reiher, P., Papadopoulos, C., Hussain, A., Shepard, M., Berg, M., & Jung, R. (n.d.). Testing A Collaborative DDoS Defense In A Red Team/Blue Team Exercise (pp. 1–14). California: University of Southern California. Retrieved from


  1. Kyle,

    I found the notion that Red Team analysis provides more insight when members of either team can have no stake on the success or failure of the other team fascinating. What is something someone in charge of implementing the technique can do to increase the likelihood that this practice is followed?

  2. Kyle, the study you examined appears to look at using Red Teaming as a way of discovering vulnerabilities or weaknesses in a current system. What are your thoughts on the effectiveness of this methodology as a forecasting tool?

  3. Ricardo - I think establishing clear rules of engagement is essential. The opposite teams should be physically isolated from one another. The environment should be completely conflictual, so I would discourage 'diplomacy' sessions.

    Harrison - While it is true that the method involves testing vulnerabilities, those tests generate estimates as to the most effective DoS attacks. In that sense, it appears to be an effective forecasting tool at least in the cyber security world.