As RED and BLUE teaming is such a vast subject, we will be splitting this topic into a six-part series.
- InfoSec Colour Team – Red VS Blue – The Red Team
- InfoSec Colour Team – Red VS Blue – The Blue Team
- InfoSec Colour Team – Red VS Blue – The Top 5 Red and Blue Team skills
- InfoSec Colour Team – Red VS Blue – Which is more important Red or Blue?
- InfoSec Colour Team – Red VS Blue – Test, Test, Test again
- InfoSec Colour Team – Red VS Blue – The Conclusion
What is The Blue Team?
A Blue team is similar to a Red team, as they need to understand network security, have the right skills and identify vulnerable systems. What makes a Blue team different is that once the Red team launches an attack, the Blue team is there to find ways to defend, change and carry out the effective incident response.
An effective Blue team needs to be aware of the same malicious tactics and techniques in order to build response strategies. However, they need to continuously strengthen digital systems, using various applications, tools, and techniques that provide them with an ongoing analysis of unusual and suspicious activity.
A Blue team will have many different roles and responsibilities; the main points being:
- Monitoring and alerting; centrally collect and manage logs from host-based systems and network device.
- Intelligence Analyses; the ability to understand incidents and build a picture of an attacker (Diamond Model)
- Incident Response; to effectively manage a post cyber or data breach, in order to limit damage to the system(s) and understand what has happened.
- Threat Hunting; finding malicious activity across the network and better understand the advisory.
- Digital Forensics; consists of three main stages, acquisition (imaging), analysis and reporting.
- Operational Security; keeping systems secure and compliant to company security policies, while maintaining business systems uptime, adhering to change control and direction for business senior leadership.
Like a Red Team, the Blue Team must have the ability to practice and enhance defence procedures and systems. It can not be set up and forget, cybersecurity is a continuously changing beast and the defenders must adapt as quickly.
To read our other InfoSec articles please follow the link below.
Contact us at SQA Consulting to find out how we can assist you in the development and build of your team’s skills, and in the testing of your cybersecurity capability.