
Cybersecurity Blue Team Strategies

By Kunal Sehgal, Nikolaos Thymianis
About this book
We've reached a point where all organizational data is connected through some network. With advancements and connectivity come ever-evolving cyber threats, compromising sensitive data and access to vulnerable systems. Cybersecurity Blue Team Strategies is a comprehensive guide that will help you extend your cybersecurity knowledge and teach you to implement blue teams in your organization from scratch. Through the course of this book, you'll learn defensive cybersecurity measures while thinking from an attacker's perspective. With this book, you'll be able to test and assess the effectiveness of your organization's cybersecurity posture. No matter the medium your organization has chosen (cloud, on-premises, or hybrid), this book will provide an in-depth understanding of how cyber attackers can penetrate your systems and gain access to sensitive information. Beginning with a brief overview of the importance of a blue team, you'll learn important techniques and best practices a cybersecurity operator or a blue team practitioner should be aware of. By understanding tools, processes, and operations, you'll be equipped with evolving solutions and strategies to overcome cybersecurity challenges and successfully manage cyber threats to avoid adversaries. By the end of this book, you'll have enough exposure to blue team operations to be able to successfully set up a blue team in your organization.
Publication date: February 2023
Publisher: Packt
Pages: 208
ISBN: 9781801072472

 

Establishing a Defense Program

As cyberattacks ramp up across all countries and industries, it is an absolute necessity for every organization to have a defense capability. However, the journey of setting up such expertise and attaining the right level of maturity requires the right combination of technology, processes, and people. This roadmap may appear daunting and overwhelming to many who are just getting started. This book aims to help guide and aid organizations and professionals on that journey. It aims to ensure all aspects of a blue team defense program are understood and that there are no blind spots.

Cybersecurity professionals who are grouped under the banner of blue team identify various security holes, also known as vulnerabilities, in the organization's infrastructure and applications. These efforts help in patching and implementing various security procedures and controls. Cyber professionals working as blue teamers usually have a knack for creative thinking and for rapidly responding to various kinds of security events and incidents. They are in charge of protecting business entities against cyber risks and threats.

In this chapter, we will cover the following topics:

  • How do organizations benefit from implementing the blue teaming approach?
  • A blue team’s composition
  • Red team
  • Purple team
  • Cyber threat intelligence
  • Skills required to be in a blue team
  • Talent development and retention
 

How do organizations benefit from implementing the blue teaming approach?

Before we start, it is important to understand the benefits an organization can expect to achieve from setting up a blue team. This chapter will focus on what an organization can expect to gain from setting up a blue team, and how to take step-by-step action to set one up for success.

Risk assessment

First, businesses are recommended to assess the risks and threats that affect their organizational assets located across the globe. Blue teamers perform a risk assessment to learn how and what is to be defended from cyberattacks. They typically recommend implementing stringent security controls and establishing standard procedures to improve the security posture of the organization. Often, they design the structure of the End User Security Awareness training as well. This helps organizations identify their critical assets and the threat profile for each asset and the organization as a whole.

Monitoring and surveillance

Monitoring and surveillance are the core tasks of blue teamers; they perform them diligently for their respective businesses. Organizations receive recommendations for procuring, deploying, and launching various security monitoring tools from blue teamers. These tools allow organizations to log information about the various kinds of access privileges that the users and employees have on the network infrastructure. All the user activities are recorded, and suspicious activities trigger alerts as per the rules configured in the various security tools. Daily checks such as auditing DNS and firewall configuration, performing daily compliance checks across the dashboards of different tools deployed, and others are some of the Key Responsibility Areas (KRAs) of blue teamers. They also perform various kinds of internal and/or external vulnerability assessments on the network. Once in a while, blue teamers help prioritize and provide guidance to patch the vulnerabilities discovered in the penetration test reports. Blue teamers are experts in scanning the business network for vulnerabilities as well as analyzing the captured network packets for suspicious ingress and/or egress traffic.

Security controls

Blue teamers are also tasked with establishing various kinds of technical security controls over critical assets. Hence, they have to identify and classify the most critical network components in the organization. Organizations can utilize a Configuration Management Database (CMDB) to document the change in any configuration they make to those assets. Also, CMDBs are used to centralize a record of all the network components in any network infrastructure. Assets that are likely to shut down the business altogether if they are hit by cyberattacks are categorized as critical assets. Most of these assets are hardened with additional security controls. Along with risk assessment, blue teamers perform impact assessment studies as well. This involves calculating the impact that various cyberattacks could have if they hit certain critical assets and if those assets go down for a specific time. This could seriously affect business operations on a large scale. Hence, the risks and threats that affect every asset that falls under the critical category are documented. Regular vulnerability assessment scans are scheduled for all the disclosed vulnerabilities that affect those assets – namely Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumeration (CWE). Blue teamers are proficient at assessing risks and suggesting remediation steps for them as well. Most of the critical and high-level vulnerabilities are patched as soon as possible. A plan is put into action by the blue teamers so that they can implement the security controls that eventually aim to decrease the impact of those vulnerabilities for which patches haven’t been released yet.

Reporting and recommendation to management

The executive team must decide whether the security controls that are in place are adequate. Blue teamers prepare a document of the known risks that the business is running. Blue teamers may also perform a cost-benefit analysis for management so that, at a minimum, only those security controls deemed crucial are recommended for implementation.

As an example, blue teamers may discover that the company’s network is vulnerable to Distributed Denial-of-Service (DDoS) attacks. DDoS attacks deny the network’s availability to genuine users by flooding traffic requests to the company servers. Here, the unavailability of services might result in revenue losses for the business. The more time it takes the network team to block a certain subnet of IP addresses, the more losses the business encounters. These kinds of attacks severely cripple the organizational network. Here, the blue team not just analyzes and tries to help in blocking the C2 IP addresses of the attackers but also performs impact assessments. To prevent DDoS or any type of Denial-of-Service (DoS) attack, blue teamers recommend deploying perimeter security solutions. These software solutions drastically lower the likelihood of the organization being affected by DDoS attacks. They do not and cannot stop one from originating, but they can certainly stop one from affecting your business network. Security solutions such as perimeter firewalls, load balancers, and WAF help in detecting DoS attacks and preventing them from affecting your organizational network.
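The DDoS scenario above turns on two numbers the blue team must be able to produce quickly: which sources are flooding and whether the flood is coming from a whole subnet rather than one host (the text's "block a certain subnet of IP addresses"). The following is an added example written for this page, not code from the book or its authors. It generates a constructed web-server access log in Common Log Format, buckets requests into fixed time windows, and flags any single IP and any /24 subnet whose request rate exceeds a threshold; the log contents, the window size, and both thresholds are assumptions chosen for illustration. It goes slightly beyond the text by handling both the single-source and the distributed case in one pass.

```python
"""Flag request-flood sources in a constructed web access log (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def format_line(ip, ts, path="/login"):
    """Render one constructed CLF line (sample data, not a real server log)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed log: light legitimate traffic, one aggressive host, one flooding /24."""
    base = datetime(2023, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Three normal users, three requests each, spread over 30 seconds.
    for i, ip in enumerate(["198.51.100.7", "198.51.100.8", "192.0.2.25"]):
        for j in range(3):
            lines.append(format_line(ip, base + timedelta(seconds=10 * j + i)))
    # Single-source flood: one host, 30 requests inside 5 seconds.
    for r in range(30):
        lines.append(format_line("192.0.2.99", base + timedelta(seconds=60 + r % 5)))
    # Distributed flood: 40 hosts in 203.0.113.0/24, 5 requests each inside 5 seconds.
    # Every host stays under a per-IP threshold; only the subnet view reveals it.
    for host in range(1, 41):
        for r in range(5):
            lines.append(format_line(f"203.0.113.{host}", base + timedelta(seconds=60 + r)))
    lines.append("garbage line that does not parse")  # exercise the unparsed counter
    return lines


def parse_line(line):
    """Return (ip, aware datetime) for a CLF line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flood_sources(lines, window_seconds=10, per_ip_threshold=20, per_subnet_threshold=100):
    """Count requests per IP and per /24 in fixed windows; return sources over threshold."""
    ip_counts = Counter()
    net_counts = Counter()
    unparsed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        ip, ts = parsed
        try:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
        except ValueError:
            unparsed += 1  # not an IPv4 address; skip rather than guess
            continue
        bucket = int(ts.timestamp()) // window_seconds
        ip_counts[(ip, bucket)] += 1
        net_counts[(str(net), bucket)] += 1
    flagged_ips = sorted({ip for (ip, _), n in ip_counts.items() if n >= per_ip_threshold})
    flagged_nets = sorted({net for (net, _), n in net_counts.items() if n >= per_subnet_threshold})
    return {"ips": flagged_ips, "subnets": flagged_nets, "unparsed": unparsed}


if __name__ == "__main__":
    result = flood_sources(build_sample_log())
    print("Flooding IPs:    ", result["ips"])
    print("Flooding subnets:", result["subnets"])
    print("Unparsed lines:  ", result["unparsed"])
```

On the constructed log the single aggressive host is caught by the per-IP rule while the distributed burst is caught only by the per-subnet rule, which is why an impact assessment of a DDoS needs both views before a block is recommended to the network team. In production the thresholds would be derived from the server's normal request rate rather than fixed by hand.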

There are many other advantages of setting up a blue team; this section only provided an overview of what the typical advantages are. Next, we will focus on what skills and talent to hire in such a team.

 

A blue team’s composition

A blue team comprises many individuals with diverse skill sets. The composition of a team differs per the needs of an organization. In this section, we’ll look at a few typical roles that usually sit within this team.

Analysts

An entry-level cybersecurity role known as SOC analyst exists in the company’s Security Operations Center (SOC). A cybersecurity analyst is also known as a triaging analyst. The SOC analyst responds to specific severity incident alerts and investigates the evidence. This role is reactive. Organizations usually have Level 1 (L1), Level 2 (L2), and Level 3 (L3) roles in SOC. L1 is the most junior analyst role, whereas L3 is the senior-most analyst role in a SOC. In most cases, the rising numbered levels are utilized to denote increasing levels of responsibility and experience requirements.

SOC monitors IT network traffic for unusual or suspicious behavior. Certain suspicious activities might indicate the existence of malicious entities or malicious programs such as Trojans and ransomware in the network. Senior analysts examine the alerts generated by the Security Information and Event Management (SIEM) solution (such as Splunk, IBM QRadar, LogRhythm, and others). Analysts work on triaging and identifying suspicious events and determine whether the alerts are false positives or true positives. In the case of true positive alerts, the predefined Standard Operating Procedure (SOP) according to the playbooks or runbooks is followed. The analysis and investigation that are performed by the junior analysts help establish a context for the security incidents that have occurred. They also determine the severity of a security issue and apply the appropriate risk rating to it. Security incidents with critical and high severity are immediately escalated to the Incident Responder (IR) in the SOC team.

Incident responder

An IR is also known as an incident response analyst. This position assesses if a reported alarm is an organizational attack or a persistent danger to a company’s network. They ensure that it is contained as quickly as possible and that the organization can respond and recover from it as per the defined plans. IRs usually investigate the scope of a cyberattack.

Based on the extent of the cybersecurity problem, IRs devise a remediation strategy. This entails investigating the incident's characteristics, including the business assets targeted by malware as well as the types of harmful activities performed by the malware. Then, the IRs recommend the appropriate course of action. They implement remediation with the necessary teams, such as initiating IT tickets to re-image compromised systems. Often, IRs are the ones who have to push for the CISO to mandate end user security awareness training. They also notify the chief executives of the scope of a data breach in a timely way.

Threat hunter

Often, this work role is known as threat analyst or threat researcher. The threat hunter's work is proactive. They regularly research threats and risks to keep themselves updated on the newest threats. They also study the evolution and anatomy of threats. Threat hunters often write the detection rules that trigger alerts in the company's SIEM solution for specific cyber threats.

Threat hunters are proficient in configuring as well as monitoring multiple threat intelligence platforms (for example, IBM X-Force, AlienVault OTX, VirusTotal, and others) to conduct proactive research into the threats' life cycle. They assess whether new and emerging threats pose the most danger to their company based on various parameters, such as the industries targeted, vulnerabilities exploited, and attack TTPs. Threat hunters often implement system configuration adjustments to respond to the cyber risks that have been discovered. Analyzing cyber threats and risks in real time becomes overwhelming when the threat intelligence that's received is more than the available human resources can process. Hence, threat hunters use automation in security technologies to detect behavior that is typical of certain threats automatically. They harden and strengthen the organizational network infrastructure to withstand potential cyberattacks.

Let's presume that a novel ransomware cyber threat has surfaced recently (such as LockBit 2.0 or BlackMatter). A threat hunter will investigate this danger and use automation to prevent it from infiltrating the company and to identify it if it does intrude.

A candidate is required to be experienced in the SOC analyst and IR work roles as well as proficient in computer and systems networking and administration to get hired for a threat hunter role. Also, it is good to be familiar with the various sources of threat intelligence on the surface of the web, as well as the dark web. Having a deep understanding of the business sector-specific cyber threats often provides the candidate with a competitive edge in the threat intelligence and threat hunting job market. A good threat hunter or Threat Intelligence Analyst (TIA) is proficient in obtaining proactive and actionable Threat Intelligence (TI) via any number of sources from the surface of the web, as well as the dark web, including the various Internet Relay Chat (IRC) servers and forums. A good threat hunter must be able to choose the appropriate technical and non-technical methodologies, as well as have the know-how to use various TI frameworks at their disposal.

Security consultant

Security consultants are often hired on a contractual basis and perform tasks throughout the project’s life cycle as and when required. They may also be hired from outside the organization to bring in a reliable source of knowledge or expertise in a specific tool or area of security. They are often regarded as experts in their domain of knowledge. Another term often used to designate security consultants is Subject Matter Experts (SMEs). Security strategy consultant and security operations consultant are a few examples of specialized roles.

Security administrator

A security administrator is not the same as a SOC analyst. However, organizations have often been seen to treat security administrators as Level 4 (L4) SOC analysts, whose job is to download, install, configure, deploy, and launch various security tools in the SOC. They also take care of updating those tools when the vendor updates arrive. This job is similar to a systems administrator's, but it deals with all the security tools in the SOC, such as SIEM, SOAR, AV-NGAV, EDR-XDR, DLP, honeypots, cloud governance, WAF, firewall, load balancers, IAM and AD, brand abuse and defamation monitoring solutions, and more. The job also entails applying patches or fixes released by the respective tools' vendors and configuring security tools to ensure optimum performance. They often collaborate with threat hunters and IRs to create security scripts and programs that automate some of the redundant security tasks. However, they are not tasked with investigating security events and incidents flagged by the security tools.

Identity and Access Management (IAM) administrator

This role provides Identity and Access Management (IAM) support to several departments within a firm. Managing application/system authority and privileges, Single Sign-On (SSO), application reporting, and working with developers to integrate identity and access management policies for new applications and software are some of the key responsibilities of an IAM admin. These professionals have niche expertise in the use of various IAM tools, as well as networking administration.

Compliance analyst

A compliance analyst is often tasked with the internal audits of a corporation or a business. They check and verify whether the business is following its security rules, privacy policies, national data privacy laws, or any other applicable laws/regulations. They have experience in all the aforementioned work roles since a compliance analyst is required to handle frequent discussions with all the other work roles as part of compliance checks. They derive regular reports of non-compliance found or detected in the network infrastructure and submit them to senior management. Additionally, they assist firms in preparing for external audits, which may be necessary, depending on the business sector (for example, healthcare, BFSI, energy and utilities, and others).

This section covered what organizations need to understand to compose a blue team. There will be more roles to consider, depending on the type or complexity of an organization. However, in this section, we covered some of the skills that are typical in any organization. Next, we will briefly touch upon the red team and the purple team. These two teams may not be part of a blue team, but it is important to understand what these teams do as well. Moreover, we will also understand the role of a cyber threat intelligence team. This skill set typically sits within the blue team, but it is also common to have this team segregated from the blue team.

 

Red team

The red team behaves like hackers who attempt to find and exploit any potential loopholes inside a business network. Red teamers are known to use a wide range of conventional as well as unconventional techniques to uncover flaws in technology, people, and processes. Hence, usually, such a skill set would exist outside the scope of that of a blue team. However, for the sake of understanding, let’s briefly touch upon this role.

A red team’s mission consists of searching for known vulnerabilities that have already been disclosed and have a Common Vulnerabilities and Exposures (CVE) ID. They perform penetration tests on the business network infrastructure to discover unknown security loopholes. These teams may also test the wireless and IoT networks, along with the endpoint devices, such as laptops, PCs, mobiles, tablets, and more. Hardware penetration testing is performed on IoT wearables and devices that utilize Bluetooth. The hackers in red teams may try to social engineer the employees of their organization. These kinds of hackers are often assigned aliases to operate on the company’s premises. They are very crucial in detecting as well as suggesting the security controls required to patch the security breaches that occur through a lack of physical measures in place. Endpoints and mobile devices are also covered in their scope of penetration or intrusion tests.

The detailed responsibilities of a red team are beyond the scope of this chapter. However, it is important to note that typically, the red team and the blue team work in tandem. Some of the areas where they work together are as follows:

  • Creating a network topology/hierarchy map of the business’s network infrastructure so that they can analyze the number of hosts running, as well as their statuses
  • Assessing the services running and the open ports on those systems
  • Identifying the vendor, firmware, and OS details among other relevant equipment parameters
  • Identifying and exploiting the CVEs in servers, hubs, firewalls, routers, L2/L3 switches, Wi-Fi access points, and other network equipment
  • Hacking various kinds of physical security controls, such as glass doors, digital locks, CCTV networks, and sometimes the security personnel as well

In some organizations, it may also be wise to set up a bug bounty program. A bug bounty is either a sum of money or goodies paid or provided to ethical hackers. Hackers throughout the world are on the lookout for defects and, in some circumstances, make a living doing so. Many websites, organizations, and software companies provide bug bounty programs in which users can be recognized and compensated for reporting bugs, particularly those related to business logic vulnerabilities and network security exploits. Bug bounties are created by companies to reward independent bug bounty hunters who find security flaws and weaknesses in systems. Companies pay bounty hunters to find security flaws and report them ethically and responsibly before they can be exploited or monetized by cyber threat actors. Bounty programs are frequently used in conjunction with regular penetration testing to allow enterprises to assess the security of their apps throughout their development life cycle. Bug bounty schemes enable businesses to use the hacker community to continually enhance the security posture of their systems. Bounty schemes attract a diverse group of hackers with various skill sets and expertise, offering firms an advantage over vulnerability assessments, which rely on inexperienced security personnel. Hence, instead of one individual or one team working on attacking the defenses of an organization, the collective power of the crowd benefits the organization.

 

Purple team

The fundamental goal of the red and blue team exercises is to improve the organization’s overall security posture. This is where the purple team notion comes into play. A purple team isn’t always a standalone group, though it may be. A purple team’s purpose is to bring together the red and blue teams while encouraging them to collaborate and exchange ideas to build a strong feedback loop. The purpose of a purple team is to develop blue team capabilities while maximizing the results of red team engagements. A company functions best when the red and blue teams collaborate to strengthen the organization’s security posture.

First and foremost, communication is crucial in this collaboration. To conduct exercises, there should always be communication between the various teams. Remember that the blue team’s goal is to keep up with the latest technology and share that knowledge with the red team. This data will help enhance the organization’s security. The red team must be informed of the most recent dangers and hacking tactics used by hackers and must advise the blue team about them. The purpose of an organization’s test will decide whether the red team will notify the blue team about the upcoming test. If the purpose is to imitate a real-world scenario assault, they may not inform the blue team ahead of time, just to test their cyber defense mechanisms.

Management should encourage the teams to collaborate and communicate with one another. For the security program to continue to progress, improved coordination between both teams is required through effective resource sharing, reporting, and information exchange.

 

Cyber threat intelligence

Threat intelligence is a term that's often used by many professionals and that encompasses tactical, operational, and strategic intelligence. The sources, audiences, and forms of intelligence are all different. At the core, any threat intelligence that's received by the SOC, in any business, must be proactively actionable. The blue team should be able to absorb this intelligence and use it to proactively defend their organization.

In terms of the basics, threat data consists of indicators of various cyber threats such as IP addresses, URLs, or file hashes. These are referred to as Indicators of Threats (IoTs) or Indicators of Compromise (IoCs). On the other hand, threat intelligence is a type of factual, processed, and provable record based on analysis that connects data and information from many sources to identify patterns and provide insights that would be relevant to the organization. It lets people and systems make educated decisions and take effective action to avoid breaches, fix vulnerabilities, improve the security posture of the enterprise, and decrease risk. Strategic intelligence usually focuses on the TTPs of the threat actors.
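The paragraph above defines threat data as indicators (IP addresses, URLs, file hashes), and the SOC analyst section earlier describes what happens once such an indicator fires: the alert is triaged, given a severity, and escalated to the incident responder if it is critical or high. The following is an added example written for this page, not code from the book or its authors, that joins those two steps: it matches a small indicator feed against normalised events and produces severity-rated alerts with an escalation flag. The feed entries (TEST-NET addresses, an `.invalid` domain, a hash of a constructed byte string), the key=value event lines, the confidence-to-severity thresholds, and the `triage_events` function are all assumptions constructed for illustration, not real IoCs or a real SIEM's API.

```python
"""Match a constructed IoC feed against normalised events and triage the hits (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import hashlib

# Constructed indicator feed. Confidence is the feed's own 0-100 score for the indicator.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload").hexdigest()
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.44", "confidence": 90, "campaign": "constructed-c2"},
    {"type": "domain", "value": "updates.example.invalid", "confidence": 70, "campaign": "constructed-phish"},
    {"type": "sha256", "value": SAMPLE_SHA256, "confidence": 95, "campaign": "constructed-ransomware"},
    {"type": "ip", "value": "192.0.2.8", "confidence": 30, "campaign": "constructed-scanner"},
]

# Constructed events in the key=value shape a SIEM might emit after normalisation.
SAMPLE_EVENTS = [
    "ts=2023-03-10T12:00:01Z src=proxy host=ws-017 dst_ip=203.0.113.44 url=http://203.0.113.44/beacon",
    f"ts=2023-03-10T12:00:05Z src=edr host=ws-042 file=C:\\Users\\a\\Downloads\\invoice.exe sha256={SAMPLE_SHA256}",
    "ts=2023-03-10T12:00:09Z src=proxy host=ws-003 dst_ip=198.51.100.20 url=https://mail.updates.example.invalid/login",
    "ts=2023-03-10T12:00:12Z src=proxy host=ws-005 dst_ip=192.0.2.8 url=https://intranet.corp.example/home",
    "ts=2023-03-10T12:00:15Z src=proxy host=ws-006 dst_ip=198.51.100.21 url=https://www.example.com/",
]


@dataclass
class Alert:
    host: str
    ioc_type: str
    indicator: str
    campaign: str
    severity: str
    escalate: bool


def parse_event(line):
    """Split a key=value event line into a dict (values never contain spaces here)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def build_index(feed):
    """Index indicators by type for O(1) IP/hash lookups; domains are kept as a list for suffix matching."""
    index = {"ip": {}, "sha256": {}, "domain": []}
    for ioc in feed:
        if ioc["type"] in ("ip", "sha256"):
            index[ioc["type"]][ioc["value"].lower()] = ioc
        elif ioc["type"] == "domain":
            index["domain"].append(ioc)
    return index


def severity_for(confidence):
    """Assumed mapping from feed confidence to alert severity."""
    if confidence >= 90:
        return "critical"
    if confidence >= 70:
        return "high"
    return "medium"


def matches_for(event, index):
    """Yield each distinct indicator the event touches (deduplicated per event)."""
    seen = {}
    dst_ip = event.get("dst_ip", "").lower()
    if dst_ip in index["ip"]:
        seen[("ip", dst_ip)] = index["ip"][dst_ip]
    if "url" in event:
        host = (urlsplit(event["url"]).hostname or "").lower()
        if host in index["ip"]:  # a raw IP used as the URL host
            seen[("ip", host)] = index["ip"][host]
        for ioc in index["domain"]:  # exact match or any subdomain of the indicator
            d = ioc["value"].lower()
            if host == d or host.endswith("." + d):
                seen[("domain", d)] = ioc
    digest = event.get("sha256", "").lower()
    if digest in index["sha256"]:
        seen[("sha256", digest)] = index["sha256"][digest]
    return list(seen.values())


def triage_events(lines, feed=IOC_FEED):
    """Return one Alert per (event, indicator) hit; critical/high alerts are marked for escalation."""
    index = build_index(feed)
    alerts = []
    for line in lines:
        event = parse_event(line)
        for ioc in matches_for(event, index):
            sev = severity_for(ioc["confidence"])
            alerts.append(Alert(event.get("host", "?"), ioc["type"], ioc["value"], ioc["campaign"], sev, sev in ("critical", "high")))
    return alerts


if __name__ == "__main__":
    for a in triage_events(SAMPLE_EVENTS):
        flag = "ESCALATE" if a.escalate else "queue"
        print(f"{flag:8} {a.severity:8} {a.host:7} {a.ioc_type:7} {a.indicator} ({a.campaign})")
```

The low-confidence scanner indicator still produces an alert so the analyst can decide whether it is a false positive, but it stays in the queue rather than going straight to the incident responder; the distinction between raw threat data and actionable intelligence is exactly the confidence and context that decides that routing.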

Often, such teams sit within the blue team. Alternatively, large organizations may prefer to have them separately and act as a standalone unit to collaborate across the blue team, red team, purple team, business lines, and more. We will discuss this in more depth later in this book.

Now that we have covered teams that work closely together with the blue team, let’s understand the skills that organizations should look out for while recruiting. This will help ensure the right candidates are hired and placed in the right roles.

 

Skills required to be in a blue team

Blue teamers work with a pre-defined aim to secure the business network infrastructure and strengthen its cybersecurity posture. The methodologies and strategies they use to defend the network and systems from cyberattacks intertwine with each other. Management must have a better understanding of the goals and functions of the blue teamers.

Eager to learn and detail-oriented

To avoid leaving security vulnerabilities in a company's infrastructure, a very detail-oriented approach is required. Knowing how to create custom tools has several advantages. Writing software takes a great deal of practice and ongoing learning, and the skill set gained helps any blue team build the strongest defensive strategies imaginable.

In-depth knowledge of networks and systems

A thorough understanding of computer systems, protocols, libraries, and well-known TTPs paves the way for the success of security personnel. A blue team's ability to grasp all the systems in scope and keep up with technological change is critical. Knowing how to work with servers and databases offers additional angles when looking for their flaws. Equally crucial is proficiency with the tooling that lets SOC analysts monitor the network infrastructure for unexpected or potentially hostile activity. A Security Information and Event Management (SIEM) solution collects logs and events from many sources, normalizes them, and evaluates them against a given set of rules or criteria in near real time to surface security incidents. Blue teams, like red and purple teams, use a range of security technologies, including honeypots, sandboxes, XDR and NGAV products, threat detection frameworks, and SIEM solutions. The following is a list of some popular tools that are often used by these teams in their operational work:

  • Splunk
  • Haktrails
  • Cuckoo Sandbox
  • SecurityTrails API

Outside-the-box and innovative thinking

A major trait of the cybersecurity team is the ability to think outside the box, continually developing new tools and approaches to improve organizational security. To keep pace with attackers, cybersecurity professionals must keep uncovering new tools and techniques. Cybersecurity teams, red and blue alike, work with tooling that covers every stage of an attack, including reconnaissance, privilege escalation, lateral movement, and exfiltration, whether to carry those stages out or to detect them.

Ability to cross conventional barriers to perform tasks

SOC analysts routinely deal with a large number of False Positives (FPs). Reducing the FPs produced by SOC tools sometimes requires senior analysts to go beyond the conventional per-alert workflow: rules have to be configured with multiple filter criteria, which quickly becomes hard to reason about. Mind-mapping all the use cases helps, because the rules configured in the SOC tools for different use cases interact with each other. In particular, analysts have to verify that a rule or exception added to serve one use case (for example, a suppression that quietens a noisy log source) does not override or silently disable the rules that serve another. Resolving such conflicts in the shortest time possible, without SLAs being affected, is very important, and in many cases it is like looking for a needle in a haystack.
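The SIEM description earlier in this section and the rule-tuning problem just described can both be shown concretely. The following Python script is an added example, not code from the book or from any SIEM product: it normalises log lines from two sources into events, runs single-event rules with several filter criteria and one cross-event correlation rule over them, applies a suppression list used to cut false positives, and then checks whether any suppression fully overrides a detection rule. The log lines, host names, IP addresses, rule names, and the "known scanner" address are all constructed for illustration.

```python
"""Toy SIEM-style detection with rule tuning and a rule-conflict check.

Added example, not from the book. Log lines, hosts, users and IPs are all
constructed; the "known scanner" suppression is an assumed tuning entry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.5 port 4444
2024-05-01T10:00:03 sshd[102]: Failed password for root from 203.0.113.5 port 4445
2024-05-01T10:00:05 sshd[103]: Failed password for admin from 203.0.113.5 port 4446
2024-05-01T10:00:09 sshd[104]: Accepted password for admin from 203.0.113.5 port 4447
2024-05-01T10:01:00 sshd[105]: Failed password for bob from 198.51.100.7 port 5555
2024-05-01T10:01:02 sshd[106]: Failed password for bob from 198.51.100.7 port 5556
2024-05-01T10:01:04 sshd[107]: Failed password for bob from 198.51.100.7 port 5557
2024-05-01T10:01:06 sshd[108]: Accepted password for scanner from 198.51.100.7 port 5558
"""
FIREWALL_LOG = """\
2024-05-01T10:00:08 fw: ALLOW TCP 203.0.113.5:4447 -> 10.0.0.2:22
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src_ip>\S+) port \d+$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw: (?P<action>ALLOW|DENY) TCP (?P<src_ip>[\d.]+):\d+ "
                   r"-> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$")


def parse_line(line):
    """Normalise one raw line from either source into a flat event dict."""
    if m := AUTH_RE.match(line):
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "sshd",
                "outcome": m["outcome"].lower(), "user": m["user"], "src_ip": m["src_ip"]}
    if m := FW_RE.match(line):
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "fw",
                "outcome": m["action"].lower(), "src_ip": m["src_ip"],
                "dst_ip": m["dst_ip"], "dst_port": int(m["dst_port"])}
    return None  # unparsed lines are dropped; a real SIEM would count them


def load_events():
    lines = AUTH_LOG.splitlines() + FIREWALL_LOG.splitlines()
    return sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])


# Single-event rules: every criterion must match for the rule to fire.
RULES = [
    {"name": "failed_root_login",
     "criteria": {"source": "sshd", "outcome": "failed", "user": "root"}},
    {"name": "ssh_allowed_from_internet",
     "criteria": {"source": "fw", "outcome": "allow", "dst_port": 22}},
]
# Tuning entries meant to cut false positives. The first allow-lists an assumed
# vulnerability scanner; the second is too broad, as shadowed_rules() shows.
SUPPRESSIONS = [
    {"name": "known_scanner", "criteria": {"src_ip": "198.51.100.7"}},
    {"name": "noisy_failed_logins", "criteria": {"source": "sshd", "outcome": "failed"}},
]


def matches(event, criteria):
    return all(event.get(k) == v for k, v in criteria.items())


def is_suppressed(event, suppressions):
    return any(matches(event, s["criteria"]) for s in suppressions)


def apply_rules(events, rules=RULES, suppressions=SUPPRESSIONS):
    """Fire a rule on each event that matches all its criteria and no suppression."""
    return [(r["name"], e["src_ip"], e["ts"].isoformat())
            for e in events for r in rules
            if matches(e, r["criteria"]) and not is_suppressed(e, suppressions)]


def correlate_brute_force(events, suppressions=(), threshold=3, window=timedelta(seconds=120)):
    """Cross-event rule: >= threshold failed sshd logins from one IP, followed by
    an accepted login from the same IP inside the window."""
    failures, alerts = defaultdict(list), []
    for e in events:
        if e["source"] != "sshd" or is_suppressed(e, suppressions):
            continue
        recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
        if e["outcome"] == "failed":
            recent.append(e["ts"])
        elif len(recent) >= threshold:  # outcome is "accepted"
            alerts.append(("ssh_brute_force_success", e["src_ip"], e["user"]))
        failures[e["src_ip"]] = recent
    return alerts


def shadowed_rules(rules=RULES, suppressions=SUPPRESSIONS):
    """Find suppressions whose criteria are a subset of a rule's criteria: every
    event that rule could ever match is also suppressed, so the rule is dead."""
    return [(r["name"], s["name"]) for r in rules for s in suppressions
            if all(r["criteria"].get(k) == v for k, v in s["criteria"].items())]


if __name__ == "__main__":
    evs = load_events()
    for alert in apply_rules(evs) + correlate_brute_force(evs, [SUPPRESSIONS[0]]):
        print("ALERT", alert)
    for rule, supp in shadowed_rules():
        print(f"CONFLICT: suppression {supp!r} overrides every match of rule {rule!r}")
```

Run as-is, the script prints one firewall alert, one brute-force alert for 203.0.113.5 (the scanner's identical pattern is tuned out by the `known_scanner` entry), and one conflict: `noisy_failed_logins` covers every event `failed_root_login` could match, so that detection is dead while the suppression is in place. Passing the full `SUPPRESSIONS` list to `correlate_brute_force` returns no alerts at all, which is exactly the kind of silent override an analyst needs to catch before SLAs are missed.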

Academics, qualifications, and certifications

Blue teaming roles do not require any kind of expensive certification or academic degree. Hands-on skills are what matter most for any blue teamer, as they are what make the professional effective in any organization. However, the right academic qualification and/or certifications are often listed as good to have in job descriptions. Many blue teamers are largely self-taught rather than formally trained. Even so, some organizations look for specific credentials on a candidate's resume before shortlisting the profile for an interview, so such accomplishments can end up acting as a shortlisting filter rather than a genuine requirement of the role. Popular blue teaming certifications are issued by bodies such as CompTIA, SANS, EC-Council, ISC2, ISACA, and others. There are also many technology- or vendor-specific training programs and certifications that help blue teamers improve their hands-on skills with a given security product.

This section explained the skills needed and what talent to hire. However, this alone does not suffice. In the next section, we will cover talent development and retention.


Talent development and retention

One of the most challenging tasks in any security manager's life is finding a devoted, enthusiastic, and intellectually capable team member. It is well known that there is a global shortage of relevant skills, so attracting the right talent to your organization is all the more crucial. There is no single answer to this challenge. Let's look at a few ideas that management can implement.

Cyber labs

First, you can encourage employees to set up a home lab or use one provided by the company. Labs may be used to put real-world circumstances to the test, as well as to practice and master new abilities. For the vast majority of individuals, hands-on learning is the greatest way to learn, and in a lab, there is no chance of introducing risk into a production setting.

Capture-the-Flag and hackathons

Capture-the-Flag (CTF) competitions can be hosted at the company workplace. Such challenges help with cross-training, team building, and communication. CTFs and hackathons are staples of most of the younger, more vibrant cybersecurity conferences, and they offer any company one of the best places to spot fresh talent when hiring or expanding the security team. Participants demonstrate not only their knowledge, but also their communication skills, teamwork abilities, and willingness to help and teach others.

Research and development projects

Developing an in-house project or finding some relevant projects from the open source communities is another possibility. Most open source projects require documentation or other help in various security areas. Security staff may find that this motivates them to showcase their skills in the public arena. So, for an organization to allow their staff to spend their time on such community projects could be seen as a magnet that attracts talent.

Community outreach

Allowing and encouraging staff to attend industry conventions or even local meetups is a great way to inculcate continuous learning habits. Attending a conference alone has its advantages, but the security staff may go further by preparing talks and presentations or even volunteering to help with the events. Moreover, this provides opportunities for the staff to network and build connections. This is a vital skill, especially for the Cyber Threat Intelligence (CTI) staff.

Mentoring

The company leadership team can help by mentoring young and fresh talent. Mentoring can be a great learning experience both on and off the job. It helps the security team learn more about the organization and feel more connected with the senior executives. Moreover, it motivates staff to build a career path and a network across the organization and its business lines.

Continuous unhindered learning

The skills required to safeguard the business network are continually evolving as the cybersecurity industry adapts to emerging threats and new TTPs. Some studies suggest that cyber professionals who stop studying can fall behind in as little as 3 months and become much less effective. Attackers' tactics are evolving all the time; shouldn't the blue team's skills evolve as well?

Helping staff continuously learn is critical for keeping the organization safe and secure in today's fast-paced cyberspace. Stakeholders are advised to adopt ongoing cyber training and reap a high Return on Investment (ROI) in terms of both security and productivity. Continuous and unhindered cybersecurity training lets blue teamers grow and refresh their knowledge while on the job, keeping them current with industry trends, and cyber professionals who receive on-the-job training are best placed to defend against attacks in time. Frequent training and certifications empower the blue team to detect incidents swiftly and handle incident response efficiently. Many firms invest in new, advanced security solutions to stay ahead of cyber threats; however, for lack of the time or resources needed to learn how to use them, cyber professionals are sometimes unable to fully appreciate or apply the technology, and the expected edge over cyber criminals never materializes. To get value from new technology, cyber experts must constantly learn new approaches and stay current.


Summary

It’s not trivial to put an information security program together. Many programs are dysfunctional or non-existent, which contributes to the current state of business security. This chapter should have helped you understand the blue, red, purple, and CTI teams. An effective cybersecurity program requires organizational skills, knowledgeable, hardworking staff, strong leadership, and a very strong grasp of the cybersecurity niche.

In this chapter, we discussed the skills needed and what type of talent to recruit, and more importantly how to develop and retain that talent. In the next chapter, we will discuss how to manage such a team, as well as what indicators and metrics to set up to ensure the team is performing well and providing the organization with the most value.

About the Authors
  • Kunal Sehgal

    Kunal Sehgal has been a cyber-evangelist for over 15 years and is an untiring advocate of Cyber Threat Intelligence sharing. He encourages cyber-defenders to work together by maintaining a strong level of camaraderie across public and private sector organizations. He has worked on setting up two Information Sharing & Analysis Centers to combat cybercrime, and regularly shares credible intelligence with law enforcement agencies around the world. Kunal has also worked for various organizations, in leadership roles, to drive security improvement initiatives and to build cybersecurity services, especially within the APAC region. He specializes in helping businesses improve their security posture and resilience while leveraging the power of the cloud. Kunal resides in Singapore and invests his non-working hours in researching, blogging, and presenting at cyber-events across Asia. He has 17 certifications/degrees in various IT and information security related topics.

  • Nikolaos Thymianis

    Nikolaos (Nick) Thymianis studied cultural informatics at the University of the Aegean in Greece, during which he received a scholarship to go to the UK and continue his education with an MSc. in Information Security at the University of Brighton. Nikolaos' previous work brought him into contact with people in the healthcare industry while doing Cyber Security Assurance and Maturity Assessments for organizations in the NHS, helping to set the standards and guidelines for hospitals in the UK. Nikolaos was the CISO of caresocius from 2018 until 2022. Nick is now active in big pharma, working in Risk Management/Exception Management. He always encourages everyone he meets to be security aware, because security is a problem everyone has to face, not only members of an information security group. He is an advisor at the University of Piraeus and has also become a recognized Cyber Security Speaker, with an emphasis on communicating about trust in places where it can be unreliable and data segregation where unison can mean disaster.
