Blue Team 101

Dylan
The Lavender Project
5 min read · Jul 19, 2019

So you’ve set up your SIEM, you got that “next-gen” AV finally deployed and you even convinced management to procure a DLP solution: props to you. You feel confident about your defense-in-depth and you’ve hit most of the CIS 20 security controls right on the head. So now what? Sit back, relax and watch those Splunk alerts kick off every time your sysadmin uses psexec on their workstation. No hacker is gonna get past you now, right? At least that’s what you thought until you found yourself explaining to the CEO why the state-of-the-art, block-chain, AI-based, machine learning security solution didn’t stop the ransomware outbreak that bricked half the company’s computers.

I started this series because the cybersecurity industry has erupted with countless different tools, vendors, solutions and services. It’s hard to keep up with. Nowadays everybody is chasing after that set-and-forget, silver-bullet solution. Over-marketing has captured our attention with things like MDR, SOAR, security instrumentation, AI this, block-chain that, and it can be a little overwhelming to decide not only what’s the best fit for you, but whether the stuff actually brings value. Because of this I believe people tend to miss the fundamental steps of how to protect your business. Remember that infosec is a process, not a product, and that the human element is still every bit as important as well.

https://www.lanner-america.com/blog/long-reaching-effects-inadequate-cyber-security/

Throughout this series I want to take a simple approach and present some of the core technologies and processes you can put in place to protect your organization. More importantly, I want to emphasize how a blue team should really be a purple team at the end of the day, hence the name of this blog series. Purple teaming has become a popular buzzword in the industry lately and I want to show that this is kind of unnecessary if your blue team is constantly testing their prevention, detection and response anyway. There is an abundance of free and public knowledge in this industry and I have come across such great resources over the years. Throughout the series I hope to show you some of the best I’ve found. So with that said, let’s get down to the basics and start from scratch.

Where do we begin? First things first: what is your job? For us defenders out there I like to think of it as fundamentally two things: 1) protect the organization and 2) find evil. This obviously varies depending on your industry, environment, budget, etc., but we’re going to keep it simple. I know a lot of us (me included) like to think that when there is an actual security incident, we look like this:

But as we know, unless you are the boots-on-the-ground IR team, your day-to-day is filled with less exciting yet equally important tasks. With that said, if you envision yourself descending to Earth in an orbital drop shock pod next time there’s a cryptolocker outbreak, all the power to you.

The textbook dogma for infosec, which I’m sure many have heard of, consists of preserving the CIA triad (Confidentiality, Integrity, Availability). This is a great model to assist in setting goals; however, I believe the much more pragmatic approach is to build your blue team off of three things: Prevention, Detection, and Response (https://www.giac.org/paper/gsec/501/information-security-process-prevention-detection-response/101197).

I’m a really big fan of visuals and I found the best way to illustrate this is with Matt Swann’s incident response hierarchy of needs. I came across it in the HolisticInfoSec blog post here: https://holisticinfosec.blogspot.com/2016/12/the-dfir-hierarchy-of-needs-critical.html

https://github.com/swannman/ircapabilities

When I first got into infosec, I was easily thrilled at the idea of things like threat hunting and incident response (the top of the pyramid). There’s nothing wrong with that, and let’s be honest, adversary simulation and threat hunting sound a whole lot cooler than asset inventory and management (the bottom of the pyramid). With that said, the most important part of this model is that you start from the bottom up and remind yourself not to jump the gun. You will absolutely not find the same value if the bottom of your pyramid is not complete first. What use is spending all your time hunting for APTs when you are missing telemetry from even just one of your endpoints? Or how many times have one or two computers surfaced from your IT supply closet back onto the network without AV? It’s easy to get excited about getting that new user-behavior analytics tool or threat-intelligence feed, but remember that the fundamental part of setting up your blue team is establishing those first processes and asking yourself questions like: what assets am I defending? What data am I protecting? Where is that data? And this brings back the idea that infosec is a process, not a product. The people and processes on your blue team are equally as important as the technologies you put in place.
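As an added illustration of that bottom-of-the-pyramid check (this is example code, not anything from the original post or from Matt Swann’s model), here is a small Python reconciliation of an asset inventory against the hosts that the AV console and the SIEM have actually heard from recently. The hostnames, timestamps and the one-day freshness window are constructed assumptions; in practice the three inputs would come from your CMDB, AV console and SIEM exports.

```python
"""Reconcile an asset inventory against AV and SIEM check-ins to surface the
coverage gaps that the hierarchy-of-needs model says to close before hunting.
All hostnames and timestamps below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed inventory: what IT says should be on the network.
INVENTORY = {"ws-001", "ws-002", "ws-003", "srv-db01", "srv-web01"}

# Constructed last-seen records (host -> last check-in) from two telemetry sources.
NOW = datetime(2019, 7, 19, 12, 0)
AV_LAST_SEEN = {
    "ws-001": NOW - timedelta(hours=1),
    "ws-002": NOW - timedelta(days=9),      # stale: AV agent stopped reporting
    "srv-db01": NOW - timedelta(hours=2),
    "srv-web01": NOW - timedelta(minutes=5),
}
SIEM_LAST_EVENT = {
    "ws-001": NOW - timedelta(minutes=3),
    "ws-003": NOW - timedelta(minutes=30),
    "srv-db01": NOW - timedelta(hours=1),
    "srv-web01": NOW - timedelta(minutes=1),
    "ws-closet": NOW - timedelta(minutes=10),  # the "supply closet" machine: never inventoried
}

def fresh(last_seen, now=NOW, max_age=timedelta(days=1)):
    """Hosts whose most recent check-in is within max_age of now (assumed window)."""
    return {host for host, seen in last_seen.items() if now - seen <= max_age}

def coverage_gaps(inventory, av_seen, siem_seen, now=NOW):
    """Three gap lists: inventoried hosts with no fresh AV check-in, inventoried hosts
    with no fresh SIEM events, and hosts sending telemetry that inventory never listed."""
    av_ok = fresh(av_seen, now)
    siem_ok = fresh(siem_seen, now)
    return {
        "no_av": sorted(inventory - av_ok),
        "no_telemetry": sorted(inventory - siem_ok),
        "unknown_hosts": sorted((set(av_seen) | set(siem_seen)) - inventory),
    }

if __name__ == "__main__":
    for kind, hosts in coverage_gaps(INVENTORY, AV_LAST_SEEN, SIEM_LAST_EVENT).items():
        print(f"{kind}: {hosts}")
```

Any non-empty list is a finding for the asset-management layer, not for the hunt team: a stale AV agent, a host that never made it into the SIEM, or a box nobody inventoried.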

In the following posts I will try to get more specific and focus on each of the Prevention, Detection and Response categories you can use to shape the security posture of your business. I hope that this first post can help anybody out there who is starting from scratch or just looking to revisit how they approach defense. In addition, I can’t give enough credit to the individuals I referenced in this post (many more to come) and encourage you to please check out their stuff as well. Nearly all of what I have learned in this industry, outside training and in the field, is from the fantastic public resources available online that these people have taken the time to create. Thanks for reading and feel free to shoot me an email if you have any ideas for this series.
