The life of a blue-teamer is daunting. There are logs to sift through, tasks to automate, incidents to triage, vulnerabilities to manage, meetings to attend, coffee to drink, etc. Scenarios have moving parts, procedures might not be documented, and solutions can vary. At times, the responsibilities can be compared to an ever-growing fire, and all there is is a pail of water. How do you put out the flames if you're not a seasoned professional? This talk lays out existing challenges for those trying to break into the fast-moving world of defensive security and ways to tackle them.
Talk presented at the Blue Team Village @ Defcon27.
8. Plan
➔ “Success does not happen overnight”
➔ Plan for failure
➔ It’s more important to deliver than to bite off more than you can chew and miss deadlines
Protip
It is not a waste of time to put in the extra effort to make an existing solution better, nor is it with learning something new.
9. Develop Baseline Knowledge
➔ Figure out what is being expected
◆ Each shop and role has different requirements
➔ Determine weaknesses
◆ Understand core security principles
◆ Get familiar with the needed toolset and the tools’ associated lingo
Protip
Do not run away from something just because you are “not good” at it.
10. Build Upon Baseline Knowledge
➔ Consider making the current solution
◆ Cleaner
◆ Faster
◆ More robust
➔ Automate when possible
◆ Speed up manual tasks
◆ Ensure repeatable steps
➔ Expand comfort zone
Protip
It is not a waste of time to put in the extra effort to make an existing solution better, nor is it with learning something new.
11. Technology Trends
➔ What are the shiny new toys?
➔ Why is there appeal?
➔ What are the limitations / concerns?
12. Execute
➔ Run with it
➔ It’s better to deliver late than to never deliver at all
13. Keep a Positive Mindset
Remain calm & be humble
“It’s never no. It’s let’s find a way.”
Have the appetite to learn
14. Keep a Positive Mindset
“It’s never no. It’s let’s find a way.”
➔ Can be interpreted differently based on the context
➔ Business needs to flow, compromise is needed
➔ You need to grow, don’t give in
15. Keep a Positive Mindset
Have the appetite to learn
➔ Be an independent learner but also reach out to those more senior than you
➔ Don’t get comfortable
➔ Stay the “dumbest” person in the room for as long as possible
16. Keep a Positive Mindset
Remain calm & be humble
➔ Things may seem on fire
➔ It will be okay
➔ Don’t forget who helped you
I started out as an intern, automating detection processes, deploying infrastructure for the team’s tools, and learning how to write playbooks. For the most part, I was sheltered by the intern bubble. Then about a year ago, I transitioned to my current role, and my responsibilities grew. I now do even more of what I did as an intern, and I get to review and improve upon the organization’s security in the cloud. I’ve learned A LOT this year, but there were challenges everywhere along the way.
So this talk covers the big challenges that I noticed would be common to those new to the defensive world, lessons learned, and protips to help navigate the way to success!
There are always early career challenges, and they’re pretty similar across the board. When I first started, the “real world” security knowledge stemmed from a security 101 college course and attending Defcon and BSides. I had very little exposure to working in industry overall. And although I was willing to bang on the pipes, I didn’t know which pipes to bang on.
There are a lot of moving parts. It gets stressful. You’re going to play catch up.
There are stipulations to this statement.
Getting familiar means doing your homework. Do not just read the description of what a tool or API call does; actually read the documentation page. DO NOT MAKE ASSUMPTIONS.
I don’t know how many times I learned this the hard way:
Goes to deploy an add-on to a Splunk heavy forwarder. Learns that it’s controlled by the deployment master.
“go get”: where does the package come from? How is it validated? DID I GET IT FROM RUSSIA OR CHINA?
Changes configuration on an S3 bucket. Breaks the entire team’s production service.
I’m someone who doesn’t like to settle for “good enough.” And I wouldn’t recommend it to anyone looking to really pursue a career that requires constant learning. After establishing the foundational knowledge, keep doing and you’ll get better. Sure, experience is key in growth, but what if you can expedite that growth?
This is basically “extra credit.”
Figuring out what needs to be worked upon and addressing those areas are big steps towards advancing your career. But how do you stay current to make sure you’re continuing to move in the right direction? By paying attention to technology trends. There are new frameworks, models, services, and tools released all the time. Staying up-to-date will help you make decisions as to which tools to bring into your security environment and how to advise non-security teams within the organization.
Building on the importance of staying up-to-date with trends: attackers follow technology trends to exploit them. You do not want to be caught off guard. For example, how many of you use Docker and Kubernetes? Containerizing things and controlling entire fleets has taken engineering developments to a different level. However, according to MITRE’s CVE listings, there are about 20 CVEs related to Docker and almost another 20 related to Kubernetes in the past year. Your security team might not use Docker and Kubernetes, but understanding the mechanics of how they work and how they’re being used within your organization will help with either patching or remediation when the time comes.
Stay the dumbest person in the room for as long as possible.
Things will be on fire.
Don’t get comfortable.
Don’t forget who helped you, whether it be your mentor, the person who called you out on your bullshit, or the IT staff who unlocked your account because you can’t seem to type your password correctly.
If there’s a will, there’s a way
Security assessments
Defining a meaningful solution