Cybersecurity Defence, CSIRT

Mr Red v. Mr Blue – a stress test for Swisscom

Duality contains both good and evil. And because defence presupposes attack, the telecommunications company has its IT systems targeted regularly by its own people, although within a secure framework. A look behind the scenes of the Computer Security Incident Response Team, CSIRT for short.

Text: Flavian Cajacob, pictures: Michele Limina, published in the NZZ supplement of 8 November 2018

Actually, Mr Red is Mr Blue in everyday life. But today, he’s more into cunning than sincerity. So the painfully honest Mr Blue slips into the role of the villainous Mr Red, as called for in the in-house script. In this guise, he will blanket his employer Swisscom with targeted attacks on its IT systems. What’s so unusual about this? Mr Red enjoys absolution from the top for his deeds. More precisely, there would be no Mr Red without corporate management.

Fire brigade for security

A hacker? Naturally, he wears hoodies, drinks energy drinks by the gallon and belongs to the world of loners and sociopaths. At least that’s how Hollywood blockbusters and Netflix series show him. Thomas Röthlisberger, wearing trainers and with a water bottle in his hand, nods towards an open-plan office in which a dozen men and women of different ages sit at their computers. Hoodies and energy drinks? Not at all. “As we all know, fiction and reality don’t always match up,” grins the 37-year-old.

Röthlisberger studied computer science and then spent years with a Swiss SME testing the IT security of various companies and advising them on how to eliminate weaknesses. Today, he’s Senior CSIRT Manager at Swisscom. CSIRT stands for Computer Security Incident Response Team. It sounds cryptic, but isn’t really that complicated. “We are the fire brigade, and were always on hand if Swisscom’s IT infrastructure or its customers’ is targeted,” explains Röthlisberger. If the CSIRT specialists deploy, things are really serious; with both attack and defence extremely complex.

The telco set up CSIRT in 2014. Internally, the crackers on the quick reaction force also operate under the name “Blue Team”. All those involved know their stuff, generally have a higher degree in computer science and have a spotless record. Like Claudio Pilotti (26), who joins Thomas Röthlisberger. “Training, experience and certification are all part of this job,” the experienced security analyst emphasises. In addition, she says, it’s important to be the sort of person who never lets up, is never satisfied just because something’s working, but has to know exactly how and why it works. Good or evil, hackers targeting or serving a company – “All of us here are driven by the desire to use our skills in a meaningful way, which has a lot to do with personal attitudes, loyalty and basic ethical values”, Pilotti believes.

Floor-length curtains shield the Zurich office, where the two are meeting this afternoon from curious eyes. The task is to define the roles for the next few days and weeks. Once again, employees and IT systems will be facing a stress test. While Thomas Röthlisberger and two “Red Team” colleagues slip into the role of hackers with assumed criminal intentions, Claudio Pilotti and his “Blue Team” colleagues will have to fend off the attacks of Mr Red and his crew. All this is in the context of normal daily operations; because naturally only the “Red Team” will know the secret of how the attacks will appear, and where and when they will take place.

Real, but without customer data

This has been going on for a good three years. Swisscom was the first major company in Switzerland to voluntarily and explicitly subject itself to a stress test by “ethical hackers” from its own ranks. The primary goals are to identify and eliminate weaknesses points in systems and processes – before they are discovered and exploited by criminal groups. Naturally, the goal is to continuously improve detection and defence against such attacks. The simulated attacks take place within a secure framework and are aborted before data from customers enters the picture. “In addition, our Operation Control Centre (OCC) is notified before each action so that the situation does not escalate,” explains Röthlisberger. “Customer data is never involved in the events at any time.”

In reality, IT security professionals distinguish between five different groups of hackers. On the one hand there are the script kiddies and politically motivated activists, who tend to concentrate on low level attacks, such as cracking passwords or taking down websites. One level higher there is organised crime, specialising for example in data theft and blackmail on the Internet. “The most dangerous hackers are undoubtedly those from terrorist circles and state actors such as secret service agents,” says Röthlisberger.

Humans as the weakest link

Whether the driving force is financial, idealistic or political, cybercrime in everyday life is just as varied as the motives of the groups involved. “When we subject our own system to a stress test, we always orient ourselves to the standard attacking techniques in real life,” explains Thomas Röthlisberger a.k.a. Mr Red. He’s not willing to reveal what this means for his current planned attacks in the presence of Claudio Pilotti, otherwise known as his intended victim, alias Mr Blue. In the past, for example, phishing attacks have been launched or attempts made to smuggle in malware. “It may sound a bit hackneyed, but what’s most important to us is to raise awareness among employees of the dangers lurking on the Web and to take preventive action,” explains Pilotti. “People are still the weakest link when it comes to targeted attacks on IT systems.” 

Already in the system for months

The two IT security professionals and their team members have exciting weeks ahead of them. Röthlisberger will be facing his colleagues with various challenges. The results of the simulated attacks and the proposals recommendations based on these will be sent to the Executive Committee towards the end of the year. Pilotti takes a sporting view – he’s relying on his experience and that of his colleagues. “Don’t kid yourself,” stresses the security analyst. “The villains are usually one step ahead of the good guys. But that’s why we do these exercises, putting ourselves in the position of the attacker.”

In reality, this means that hackers have often been running riot in a company’s IT system for months by the time they’re discovered. “If we on the other side can further shorten this time span thanks to exercises like this and increase the effort and costs for cyber attacks as a result, we have already achieved a great deal”, says Thomas Röthlisberger and promises his colleague Pilotti a drink in the event of a successful defence. “Just no energy drinks, right? I’d rather have a beer,” Claudio Pilotti dryly counters, grinning as he wishes “Hacker” Röthlisberger an early discovery.

As a corporate customer, you also benefit from the years of expertise of our Computer Security Incident Response Team (CSIRT). Swisscom offers you CSIRT as a service, providing support in the analysis and management of critical security incidents. Experienced Swisscom security experts take over management of security incidents. They manage the process remotely or at your site, and assist you with preserving evidence and communicating with customers and partners.  

Security glossary


Advanced Persistent Threat is a complex, targeted and effective attack on the critical IT infrastructures and confidential data of companies who are potential victims due to their technological lead. Alternatively, attacks target companies who merely serve as a springboard to the actual victims.


Software backdoors are used to gain access to a computer by circumventing its access protection.


A network of a large number of compromised computers centrally controlled by a botmaster.


Computer Security Incident Response Team: a group of security experts who act as coordinators in the event of actual IT security incidents, or focus on computer security in general, warning of security loopholes and proposing solutions, and analyse malware.


Uploading unwanted content to a hacked website.


Denial of Service (DoS) – a system is crashed by an extremely large number of requests.


Distributed Denial of Service (DDoS): the DoS attack is launched simultaneously on a large number of distributed systems (e.g. a botnet). It is no longer possible to simply block the attacker.

Honey Net

This is an attractive system or network deliberately designed to entice attackers and study their behaviour. The knowledge gained in this way is then used to protect the real networks.


Hidden software that can disrupt or shut down the functioning of a system when given the command from afar.


Software that executes damaging and unwanted functions.

Money Mule

Criminals persuade people to take money from “clients” and pass it on via a money transfer service after taking their cut. Money mules believe they are working for a legitimate organisation.


Users are tricked into disclosing sensitive data (mostly by e-mails giving fake instructions).


A form of trojan horse that is used to encrypt certain data or the entire computer system in order to extort a ransom for release.


Deceitful behaviour in networks intended to conceal the actor’s identity.

Hand with smartphone


Would you like to regularly receive interesting articles and whitepapers on current ICT topics?

More on the topic