Red vs. Blue
I just returned from a collaborative incident response exercise hosted by one of my sister sites. The threat landscape for cyber has not evolved; it has become a completely different animal. Host, or disk-based, forensics are no longer adequate, and if you lack the ability to bit shift through a live memory image you are never going to see the newer, more sophisticated attacks. This past week, I watched secure Gmail get read on the wire, machines that appeared perfectly normal "phone home" to a remote location, and things which can't be mentioned here. Windows, Mac, and Linux were pwned with ease by quite an elite group of nerds that were writing their exploits on the fly and plugging them into Metasploit for ease of execution. What did I do? I was on the "blue cell," or defending team, and acted as incident coordinator as the "red cell" was given 8 hours to attack us. During the initial 8 hours blue was only allowed to defend at layer 2 and our firewalls were set at "IP Any Any," and we scrambled to secure Windows, Linux, SCADA, Mac, and I think maybe a raccoon was even in there. The best part: when the "firing" began, the blue cells didn't even know what was on their network or how it was architected.
If you would like to try this sometime, I would suggest you get a hold of Whitewolf Security. They set up the "range" and acted as exercise control (EC). As the blue cells noticed that we were set up to get pwned, some complaints began to get voiced. Fortunately, my hand didn't go up first, and our EC leader made one comment about fairness: "STFU." You may wonder why the blue cells were not actually allowed to defend from a traditional perspective. The short answer is that we have decided to "train like we fight." The computer you respond to is normally already jacked, so you have to be in incident response mode when you get there. This exercise gave a very real perspective on what that feels like.