
Joint blue team and red team exercises

Having regular (probably monthly for most organizations) red team engagements where the red teamers and the incident response/monitoring teams sit in the same room while the engagement occurs is a must. Every time the red teamer executes a command that advances the attack (a successful login, a privilege escalation, a lateral move), blue should be asked:

  • Did they detect it?
  • If not, could they have detected it with the data and tooling they already have?
  • If unsure, have red team help figure out ways the action could have been detected.
  • Could they have prevented it from happening?
  • If unsure, have red team help figure out how the action could have been stopped.

This not only helps blue close detection and prevention gaps while the evidence is fresh, it also gives red new ideas on what to try next, based on the learnings and feedback from blue about where coverage is weakest.