Recently, I participated in a training exercise where a team of hackers (the red team) simulated an attack on an organization’s infrastructure, and a team of Cyber experts (the blue team) was tasked with responding to the incident and restoring normal operations. As the red team inflicted its initial attack, the blue team jumped on their monitoring tools and detection technology, scrambling to quickly quell the threat and fend off the attackers. Their natural response was to put up one obstacle after another, rapidly trying to shield their infrastructure from harm: for example, shutting down ports that were being targeted by attackers or disabling admin accounts that the red team was trying to compromise. Unfortunately, in this process, the blue team would also block legitimate and essential traffic on ports, or shut down systems driven by admin accounts, effectively disrupting their organization’s ability to operate – even before the attackers had accomplished this with their tactics. 

Recently, I participated in a training exercise where a team of hackers (the red team) simulated an attack on an organization’s infrastructure, and a team of Cyber experts (the blue team) was tasked with responding to the incident and restoring normal operations. As the red team inflicted its initial attack, the blue team jumped on their monitoring tools and detection technology, scrambling to quickly quell the threat and fend off the attackers. Their natural response was to put up one obstacle after another, rapidly trying to shield their infrastructure from harm: for example, shutting down ports that were being targeted by attackers or disabling admin accounts that the red team was trying to compromise. Unfortunately, in this process, the blue team would also block legitimate and essential traffic on ports, or shut down systems driven by admin accounts, effectively disrupting their organization’s ability to operate – even before the attackers had accomplished this with their tactics.