What is a blue team?
In the world of cybersecurity, organizations test their overall security posture and safeguard implementations in their network infrastructure by hiring cybersecurity professionals to conduct security assessments. The organization may employ penetration testers to offensively challenge the safeguards implemented on the computer infrastructure. The organization will simultaneously deploy its cybersecurity professionals, including its Cybersecurity Analysts, to actively defend their infrastructure and put their people, policies, and processes to the test. The offensive professionals are labeled as the “red team”, while the defensive professionals are labeled as the “blue team”.
Blue teams defend. They conduct operational network security assessments and evaluations, implement and manage security tools and techniques, and defend against and respond to cyberattacks in an organized, strategic manner. Cybersecurity Analysts are a component of the blue team.
Enterprise vs. personal defense
Defense is universal in cybersecurity. The tools and techniques blue teams use may be applied to defend large, complex organizations or your personal laptop and smartphone. It’s much easier to defend a single personal computer than to protect a large network, but it’s important to learn how to properly secure a single asset before trying to secure an entire network effectively.
The enterprise defense mindset isn’t very different from the personal defense mindset. Many of the same types of tools used to secure large networks are also used on a single personal device. The versions used on personal devices are designed for personal use, which means the software is more “hands-off”, since the average computer user does not have the advanced skills necessary to customize security tools without introducing flaws. In fact, defending the average personal computer typically requires only a default security configuration, since the average personal device is used for common purposes.
In this article, the term “personal device” is synonymous with “client device” when discussing personal device security. Client devices require client software for defense. Client software in enterprise networks is similar to commercial client software, but enterprise software typically operates as an agent of a much larger service hosted on the enterprise network. For example, modern enterprise security tools, such as McAfee’s Endpoint Security product, are advertised as all-inclusive security products. The system architecture contains a centralized service hosted on the network that connects to almost all agents installed on every device on the network. The centralized server is where one or more security policies are defined, stored, and disseminated to the client agents. Agents enforce the policies pushed to them by the centralized server. This comparison is provided to better distinguish personal client software from enterprise client software: the personal client software simply downloads a default/generic security policy, while the enterprise client software enforces a highly customized, organization-defined security policy.
Common blue team tools & software
Endpoint security, detection, and response
The overall concept of endpoint security is the protection and defense of any laptop, desktop, smartphone, IP phone, tablet, etc. on a network. These devices are all considered endpoints, and each requires strong security safeguards and policies installed on it to enforce network security. An organization may have hundreds to thousands of endpoints. Special systems have been developed to implement security across an enterprise-scale network that specifically target securing endpoints. Endpoint security, detection, and response systems contain many different security functions, including antivirus, data-loss prevention (DLP), file and application integrity, etc.
Common endpoint security products
McAfee Endpoint Security is a paid enterprise product designed to help large organizations secure their network computer endpoints. The product offers agents for almost every major operating system available/utilized in modern enterprise networks. Proprietary tools by McAfee include the following:
- McAfee EPO (Policy Orchestrator): The centralized server of the entire system. Acts as the “brain” of the McAfee system.
- McAfee Agent: The client application installed on every endpoint. Pulls policy changes and signatures from EPO and enforces them on the endpoint.
- Additional tools: Once the EPO and Agent are deployed to build the system framework, the organization has the option of installing many other McAfee client products such as antivirus, host-based intrusion prevention systems (HIDS), and firewalls.
Microsoft Defender for Endpoint is a paid enterprise cloud endpoint security solution developed by Microsoft. The product is cloud-powered and helps secure enterprise assets against ransomware threats, malware, file-less malware, and other attacks without the need for a client agent. The solution offers protection for Microsoft OS, as well as Linux, Android, and iOS.
Security information and event management (SIEM)
A Security Information and Event Management (SIEM) system collects log and event data generated by applications, host systems (servers), and security devices into a single centralized platform. SIEMs actively look for security threats through network and host security monitoring. The SIEM collects all logs and events generated by network and server devices, analyzes and compares them against a set of rules (usually defined by the organization), and alerts personnel when a rule matches.
Helix Security Platform is a paid enterprise security product, part of a much larger cybersecurity suite developed by FireEye, that focuses on the consolidation and analysis of system logs and events for threat and vulnerability detection.
AT&T’s AlienVault Open-Source Security Information and Event Management System (OSSIM) performs the centralized log and event analysis of other SIEMs, but it also focuses on techniques such as behavior monitoring, event correlation, asset discovery, and added vulnerability assessment capabilities.
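The collect, normalize, compare-against-rules, alert loop described above, as an added example that is not the page’s code or any vendor’s product: a minimal SIEM-style rule evaluation over constructed sshd log lines, with an organization-defined brute-force threshold rule and a correlation rule that raises severity when a login succeeds shortly after repeated failures from the same source. The log format, thresholds, and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd-style log lines (not real data, not real hosts).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 srv1 sshd[101]: Failed password for root from 203.0.113.5 port 5011
2024-03-01T10:00:03 srv1 sshd[101]: Failed password for root from 203.0.113.5 port 5012
2024-03-01T10:00:05 srv1 sshd[101]: Failed password for admin from 203.0.113.5 port 5013
2024-03-01T10:00:06 srv1 sshd[101]: Failed password for admin from 203.0.113.5 port 5014
2024-03-01T10:00:09 srv1 sshd[101]: Failed password for ops from 203.0.113.5 port 5015
2024-03-01T10:00:20 srv1 sshd[101]: Accepted password for ops from 203.0.113.5 port 5016
2024-03-01T10:05:00 srv1 sshd[102]: Failed password for bob from 198.51.100.7 port 6001
2024-03-01T10:45:00 srv1 sshd[103]: Accepted publickey for bob from 198.51.100.7 port 6002
"""

# Assumed line layout: "<iso-timestamp> <host> sshd[pid]: Failed|Accepted <method> for [invalid user] <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"\w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(raw_logs):
    """Collect and normalize raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in raw_logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def evaluate(events, threshold=5, window=timedelta(minutes=1)):
    """Apply two organization-defined rules and return (severity, rule, source, host) alerts."""
    alerts = []
    failures = defaultdict(list)  # source address -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        recent = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            if len(recent) + 1 == threshold:  # alert once, when the threshold is reached
                alerts.append(("MEDIUM", "ssh_bruteforce", src, ev["host"]))
        elif recent:  # success correlated with failures inside the window
            alerts.append(("HIGH", "ssh_success_after_failures", src, ev["host"]))
    return alerts

def run_siem(raw_logs=SAMPLE_LOGS):
    """Full pipeline on the constructed sample: returns two alerts for 203.0.113.5, none for bob."""
    return evaluate(parse(raw_logs))
```

Only the 203.0.113.5 source trips both rules; bob’s single failure followed by a success 40 minutes later stays under the threshold and outside the correlation window.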
Threat detection and hunting
Also known as threat hunting, this blue team technique actively looks for any active threat in an organization’s infrastructure. It is considered very complex given the technical skill it requires, but threat hunters get ahead of red teams by applying many of the red team’s tactics mixed with blue team practices.
Example threat detection products
- The Hunting ELK (HELK): An open-source product that provides advanced threat hunting analytic capabilities. Includes integration with data science tools and offers “hunters” common use cases of threat detection.
Network defense
Defending a network requires the collaborative application of many of the techniques and tools discussed already, but some tools are designed specifically to detect threats on and defend our networks. These tools include intrusion detection systems (IDS), firewalls, and intrusion prevention systems (IPS).
- IDS: Analyzes the traffic entering and exiting a network for behavior matching a malicious signature or anomalous deviation in normal traffic behavior. An IDS will alert and notify all appropriate security personnel of possible intrusion.
- IPS: An IDS that acts on behalf of cybersecurity personnel if an intrusion is detected. An IPS may actively block a connection, sever/isolate a device, etc. if a possible intrusion is caught.
- Firewall: Filters incoming and outgoing network traffic based on a set of organization-defined rules.
Example network defense tools
- Snort: An open-source network IDS (NIDS) that analyzes network traffic in real time and provides packet logging features. A commonly used and widely adopted NIDS product.
- pfSense: An open-source firewall. Trusted in the security industry and offers a plethora of additional features such as VPN, state table, and server load balancing.
Sandboxes and honeypots
Sandboxes are used to contain a process, application, or environment. They are used in blue team tactics to separate systems or applications so they cannot interact with other targets of value. They are often used together with the honeypot technique. A honeypot is a decoy system or network that emulates a legitimate system in an organization’s infrastructure. Honeypots are designed to lure intruders in order to divert and contain their intrusion actions, and they give analysts the opportunity to observe the intrusion behavior and possibly perform forensics on the intrusion afterwards.
Example sandbox and honeypot products
- Kippo: A lightweight, open-source honeypot tool written in Python. Kippo presents an intruder with fake filesystems resembling Debian and other Linux distributions.
- Firejail: An open-source sandbox tool that helps secure Linux systems. It is installed as a SUID (Set owner User ID) binary so that it can set up the sandbox when a program is launched. Firejail locks an intruder out of critical areas of the Linux system by sandboxing the intruder’s session.
Incident response
When an intrusion becomes apparent, the incident response process begins. Incident response is the practice of responding to a cyber incident within an organization. Incidents may be anything from an anomalous login attempt on a server to a disclosed data breach. The process of responding to an incident is a blue team responsibility since, depending on the industry of the organization being defended, laws and regulations may require appropriate documentation of the incident.
Example incident response products
- TheHive: A paid incident response platform that is designed to meet the needs of security practitioners. Promotes collaboration, elaboration, and follow-through in the incident handling and response process.
- GRR Rapid Response: An open-source tool that offers excellent incident response and live forensics features. Scales well and offers support for Linux, OS X, and Windows OS.
Cybersecurity analysts must be familiar with the red team/blue team practice and should study the tactics of both teams. Understanding the tools and techniques that a blue team may apply to defend a system is key. This is especially important for protecting against possible cyberattacks, intrusions, and other incidents that may affect an organization.