Understanding blue teaming
Blue teamers are generally considered to be on the defensive side rather than the offensive, in contrast to the red teamers discussed previously. While red teamers focus on threat simulation and possible exploitation, blue teamers are the protectors of the realm.
Red and blue teamers are quite similar in that the main goal of each team is to protect resources and to understand the potential impact and risk associated with breaches and data leaks. The red team may focus on attack techniques and models, such as the cyber kill chain and penetration testing, whereas the blue team focuses on ensuring not only that mechanisms are in place to protect against attacks but also that formal policies, procedures, and even frameworks are implemented to ensure effective DFIR.
The work of a blue teamer covers far more than that of a red teamer, as blue teamers must analyze threats, understand their risk and impact, implement security and protective measures, understand forensics and incident response, and ensure that effective monitoring, response services, and measures are implemented. It also certainly helps if a blue teamer has the knowledge or experience of a red teamer, as this provides an additional depth of understanding of attack surfaces and threat landscapes.
Blue teamers must also be knowledgeable about a wide scope of technology and analytics. While it is not impossible for people new to IT to get into blue teaming and DFIR, it does require prior knowledge along the lines of that of a network and systems administrator, and also of a security analyst and threat hunter. For example, knowing that systems must be updated and patched is basic best practice. The blue teamer will understand why patching is needed and will also understand that there is much more to be done when hardening devices to reduce attack surfaces, while taking into consideration the possibility of zero-day exploits and even human weaknesses, which may easily allow a threat actor to breach an organization and circumvent all of the technical measures implemented.
It is also not uncommon to see job posts asking that blue teamers be proficient in Security Information and Event Management (SIEM) tools. These provide real-time analysis, monitoring, and alerts that greatly aid DFIR management and give a clearer understanding of the level of protection required to maintain a high security posture when safeguarding data, systems, and assets.
Blue teamers must also accept that their responsibilities do not only apply to internal and external resources but extend to the threat landscape of the assets to be protected. The threat landscape can include devices, persons, data, and any information that may be useful to an attacker when planning an attack. This is where an in-depth understanding of OSINT comes in. Although previously mentioned as a red teaming skill set, it proves equally important to the blue teamer in being able to scout the internet, social media, and the dark web for any information that could either pose a threat or aid a threat actor in some way.
A good example would be to search the dark web for breach databases, where the blue teamer (after taking all necessary precautions to protect themselves) browses the dark web in search of compromised emails or Virtual Private Network (VPN) credentials belonging to the company they work for. The blue teamer may also use a site such as Shodan.io, which we will cover later on in this book, to find accessible devices from an external perspective, such as externally exposed firewalls, servers, and CCTV cameras. All of the preceding scenarios aid the blue teamer in developing what is known as a threat profile, which, while not directly focusing on internal and external assets, will still compile potential threats and even Indicators of Compromise (IoCs) found externally.
A great free resource for learning OSINT is TCM Academy’s free 4-hour course on YouTube, which can be found here: https://www.youtube.com/watch?v=qwA6MmbeGNo.
Although many of the previously mentioned skills are learned through research and countless hours of digging, watching YouTube videos, and attending specialized courses, I’ve listed just a few certifications that may assist in furthering your studies and career in blue teaming and DFIR.
Some blue teaming certifications include (but are not limited to):
- Computer Hacking Forensic Investigator (CHFI) from EC-Council
- Certified Cloud Security Engineer (CCSE) from EC-Council
- Certified Forensic Computer Examiner (CFCE) from IACIS
- GIAC Certified Forensic Examiner (GCFE) from SANS
We will look at the tools required to be a DFIR investigator and analyst in more detail throughout this book. Although we won’t be going into detail about commercial tools, I will mention some that you may wish to look into at some point if you are heading into a career in DFIR or as a blue teamer. The open source tools covered in this book are more than enough to get you started and to conduct entire DFIR investigations, as long as best practices and procedures are followed.
It is also of paramount importance that DFIR investigators and analysts follow best practices and procedures in evidence collection, acquisition, analysis, and documentation, as the integrity of the evidence, and of the case, could otherwise be easily compromised. Analysis of evidence and the results in reports should also be repeatable, meaning that other DFIR investigators and analysts should be able to repeat the tests performed and produce the same results as you.
In this regard, blue teamers should have a detailed and well-documented plan of action along with knowledge of purpose-specific tools. There are many freely available and well-documented best practices and frameworks for blue teams, some of which we’ll look at in the next chapter.
Let’s briefly look at an overview of the tools you may be required to use in a DFIR investigation, which are all covered in this book. The following list gives a one-liner for a specific task and the tools used to achieve the task. Think of this as a blue team cheat sheet where open source tools are concerned. Feel free to also make a copy of this page to use as a reference sheet for your forensics and incident response fieldwork:
- Forensic operating systems for DFIR – our customized version of Kali Linux, CSI Linux, and CAINE
- Creating a live bootable USB with Kali Linux – Rufus and Etcher
- Creating a portable version of Kali Linux for Raspberry Pi – Imager (Pi Imager)
- Installing Windows tools in Kali – Wine
- Memory acquisition – FTK Imager and Belkasoft RAM Capturer
- Evidence and drive acquisition – DD, DC3DD, Guymager, and FTK Imager
- File recovery and data carving – Foremost, Magic Rescue, DD-Rescue, Scalpel, and Bulk_extractor
- PDF forensics – pdfparser
- NTFS drive recovery – scrounge-ntfs
- Memory/RAM analysis – Volatility 3
- Operating system identification – p0f
- Live Linux forensics – Linux Explorer
- Artifact discovery – swap_digger, mimipenguin, and pdgmail
- Browser-based forensic analysis tool – Autopsy Forensic Browser
- Complete forensic analysis tool – Autopsy 4
- Network discovery tools – netdiscover and nmap
- IoT search engine – Shodan.io
- Browser-based network packet capture analysis – Xplico
- Automated network packet capture analysis – Network Miner and PcapXray
- Online pcap analysis tools – packettotal.com and apackets.com
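As an added example (not from the book) tying the evidence-integrity and repeatability point above to the dd acquisition entry in the list, the following POSIX shell script images a constructed sample file with dd, records SHA-256 hashes of source and image in an acquisition log, and lets a second examiner re-verify the image later. SOURCE stands in for a write-blocked device node such as /dev/sdX; the file names, the log format and the use of GNU sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not the book's code: acquire with dd and log hashes so
# that another examiner can verify the image and repeat the analysis.
# Uses a constructed sample file so it runs offline; in the field SOURCE
# would be a write-blocked device node (e.g. /dev/sdX) rather than a file.
set -u

WORK=$(mktemp -d)
SOURCE="$WORK/evidence_source.bin"   # constructed stand-in for a device
IMAGE="$WORK/evidence.dd"
LOG="$WORK/acquisition.log"          # simple chain-of-custody record

# Constructed sample "evidence": 64 KiB of pseudo-random bytes. The size is
# a whole number of 4096-byte blocks, so conv=sync adds no padding below
# (a padded final block would change the hash of a non-block-aligned file).
dd if=/dev/urandom of="$SOURCE" bs=1024 count=64 2>/dev/null

# acquire: image SOURCE to IMAGE, hash both, and append the result to LOG.
# Returns 0 when the image hash matches the source hash, 1 otherwise.
acquire() {
    # noerror,sync keeps going past unreadable blocks and pads them with
    # zeros, which is the usual choice for a failing drive.
    dd if="$SOURCE" of="$IMAGE" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$SOURCE" | cut -d' ' -f1)
    img_hash=$(sha256sum "$IMAGE" | cut -d' ' -f1)
    {
        echo "acquired_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$SOURCE"
        echo "image=$IMAGE"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } >> "$LOG"
    [ "$src_hash" = "$img_hash" ]
}

# verify: recompute the image hash and compare it with the logged value.
# This is the step a second examiner repeats before starting analysis.
verify() {
    logged=$(grep '^image_sha256=' "$LOG" | tail -n1 | cut -d= -f2)
    current=$(sha256sum "$IMAGE" | cut -d' ' -f1)
    [ "$logged" = "$current" ]
}
```

Any later change to the image, even a single appended byte, makes verify fail, which is exactly the signal that the evidence can no longer be trusted.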
Next, let’s have a look at purple teaming.