The Green Team are created to maximise the effectiveness of the Blue and Yellow teams. They do this by integrating Yellow team members (with enhanced and in-depth knowledge of architecture and coding) with members of the Blue team that have the required defensive and operational skills. Ideally The Green Team shouldn’t be a permanent team, but rather a dynamic membership between the Blue and Yellow teams.
So what should the two teams bring to the party?
The Green Team’s primary objective is to create security policies and frameworks for the Builder (Yellow) and Defenders (Blue) to apply to new and existing IT systems across the entire organisation. Think of the Green team as the SUPER defenders. They MUST have an in-depth knowledge of all the frameworks, libraries, third-party systems, network calls and functionality added by Builders (Yellow).
Each team member will bring something unique. The Defenders (Blue & Purple) will bring knowledge of defensive services, attackers techniques and threat intelligence, and the Builders bring knowledge of how the application works, applications flows, trust boundaries and dependent libraries. This combined will great the policies and frameworks for Blue and Yellow to integrate into normal working practices.
The following are some of the areas The Green Team should focus on;
- DFIR Output
- Logging improvements
- Log content / events
- Log generation standardising
- Change Management
- Integrity Monitoring
- Incident response
- Anti-Virus / End Point Protection
- Full coverage monitoring (networks, systems, and applications)
The Green team should be embedded with the Defenders (Blue) and Builders (Yellow). For example, a Green member would help Defenders through coding or helping mandate logging standards within a project, or a Green member would help the Builders with integrating security testing tools in the CI/CD pipelines.
To read our other InfoSec articles please follow the link below.
Contact us to find out how we can assist you in the development and build of your teams’ skills, and in the testing of your cybersecurity capability.