This document provides an overview of blue teaming tactics and strategies. It discusses how blue teams can identify weaknesses, document risks and consequences, and participate in remediation efforts. Some key responsibilities of blue teams include patching systems, monitoring networks, and responding to security incidents. The document also outlines several tactics for blue teams, such as establishing essential monitoring and response procedures, hardening systems according to checklists, and conducting security tests and exercises. The goal of blue teams is to stay ahead of attackers and continuously improve the security posture of their organization.
7. Being an incident response team member / blue teamer is a less glamorous job
Sometimes it's lack of tools
Sometimes it's incomplete tactics
Sometimes it's fractured teams
Sometimes it's lack of morale
Sometimes it's lack of budgets
Sometimes it's the management
Sometimes it's the broken coffee machine in the corner
And you still take the brunt of not saving the day (almost all the time) :[
8. Squad Goals!
Be the coolest blue team on the map:
- Identify areas of weakness and ways of exploitation
- Document and demonstrate consequences
- Participate in remediating the risk associated with exploitation
- Patch, monitor, respond
- Stay cool as heck
9. The Story So Far
Everyone knows about red teaming. Everyone else is selling it as well.
Aeons back, when I started my career, a simple pentest would have sufficed.
What changed?
Attack simulation capability is useless without a tailored defense strategy.
Blue teaming? Blue what?
10. The Ways of the Military
- Red teams were the simulated aggressors, with their own tools and abilities
- Blue teams leveraged established tactics, tools, policies and procedures
- The objective: capture pre-defined positions on the map (flags: a single one, or several with different objectives)
11. Organizations Get Inspired
- Create an internal red team, which is typically a glorified internal security team. Reasons?
  - Undefined metrics
  - Not enough metrics
  - Undefined objectives
  - Increased tech debt
  - Lack of appropriate documentation
  - Undefined protocols and procedures
  - Simulation of advanced attacks while failing at the basics
  - Typically a glorified VA/PT exercise
  - May not align with the objectives and success of the organization
- Blue team? Nah, let our IT team take care of everything.
12. Organizations Get Tangled
- NiceTry had a security team as well, and still failed to patch a lolz issue
- Most organizations fail at security basics
- Slow adoption rate with respect to security issues
- Try telling an organization that they need to address some basic issues :]
- No introspection unless regulators are involved, or incidents occur, or both
- Heard this story before?
13. Blue Team Reality Check
- Unfortunately, the blue team is overhead
- They don't make the company money and are an expense to maintain
- Also, no one listens to them unless the auditor comes in
- What they recommend is typically expensive to implement
- Partially because security is hard to quantify
14. So, what to do?
- Establish a charter
- Market your team like insurance
- Identify the best tactics for your environment
15. Proposed Unified Framework
Get something like this (the slide's diagram, flattened to its labels):
- Red Team and Blue Team, with a shared Threat Intelligence Management function (research, monitoring, infrastructure)
- One joint cycle: establish charter, collaborate, define requirements, define metrics and timelines, identify resources, get approvals, simulate, report, update
- Compliance wraps around all of it. Of course compliance sucks, but it saves you from a lot of lawsuits!
16. Your Principles are Your Keystone
- The Big Stick Principle (speak softly and carry a big stick)
- Occam's Razor (prefer the explanation with the fewest assumptions)
- Hanlon's Razor (never attribute to malice what is adequately explained by incompetence)
- Shannon's Maxim (assume the enemy knows the system)
- Pareto's Principle (roughly 80% of the effect comes from 20% of the causes)
- Follow the Money
- Hitchens's Razor (what is asserted without evidence can be dismissed without evidence)
- Bonus: Newton's Flaming Laser Sword (what cannot be settled by experiment is not worth debating)
17. Tactics
- Essentials
- Hardening
- Tuning & Evaluation
- Monitoring
- Testing
- Response
Of course this is not exhaustive.
18. Tactics: Essentials
- Get a network diagram first, and establish a knowledge base of known attack surfaces
- Threat modelling: identify a framework that works for you
- OSINT: know what an attacker can learn about you from the outside
- Implement a capable monitoring system
- Create an agreed format of response, aligned with established policies
- Get management on board: make them a stakeholder
- Identify folks who are SMEs and can communicate issues to leadership: champions of security culture, compliance and real change
19. Tactics: Hardening
No brainer, right?
- Checklists (CIS benchmarks, DoD STIGs, et al.)
- Golden images (harden them, and re-check them every time they are rebuilt)
- LoJack-style firmware agents? (sketchy!)
- Time stuff: measure how long it takes to image/re-image a system
- Optimize the pipeline (LAN? NAS? SAN?)
- Focus on something that is quick, repeatable and explainable
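One way to make a checklist "quick, repeatable and explainable" is to turn each item into a check that reports the observed value, the expected value and the reason. The script below is an added example, not from the deck: it audits the sshd_config baked into a Linux golden image against a handful of CIS-style items (the item list, the sample configs and the account names are assumptions for illustration, not a published benchmark). The point a practitioner should notice is the handling of absent options: sshd falls back to its own defaults, so "not set" is not the same as "safe".

```python
"""Checklist-driven audit of the sshd_config baked into a golden image.

Every baseline item carries the expected value, the value sshd assumes when
the option is absent, and a one-line rationale, so each finding is
explainable and the check repeats identically on every image build.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    option: str
    check: object     # callable(lower-cased effective value) -> bool
    expected: str     # human-readable expectation for the report
    default: str      # what OpenSSH uses when the option is not set
    rationale: str


# Assumed CIS-style items (illustrative; take the real ones from the benchmark you adopt).
BASELINE = (
    Item("PermitRootLogin", lambda v: v == "no", "no", "prohibit-password",
         "no direct root logins; use a named account and sudo"),
    Item("PasswordAuthentication", lambda v: v == "no", "no", "yes",
         "key-based authentication only"),
    Item("PermitEmptyPasswords", lambda v: v == "no", "no", "no",
         "never accept empty passwords"),
    Item("X11Forwarding", lambda v: v == "no", "no", "no",
         "no X11 forwarding on servers"),
    Item("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "4 or fewer", "6",
         "limit guesses per connection"),
    Item("LogLevel", lambda v: v in ("info", "verbose"), "INFO or VERBOSE", "info",
         "log enough to reconstruct a logon"),
)


def parse_sshd_config(text):
    """Global settings as sshd resolves them: the first occurrence of an
    option wins, and parsing stops at the first Match block because anything
    after it applies only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


@dataclass
class Finding:
    option: str
    observed: str
    expected: str
    rationale: str


def audit(config_text, baseline=BASELINE):
    settings = parse_sshd_config(config_text)
    findings = []
    for item in baseline:
        value = settings.get(item.option.lower())
        effective = (value if value is not None else item.default).lower()
        observed = value if value is not None else f"(absent, default {item.default})"
        if not item.check(effective):
            findings.append(Finding(item.option, observed, item.expected, item.rationale))
    return findings


# Constructed samples: a typical unhardened image, then the same image after the checklist.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no    (commented out, so the default of yes applies)
X11Forwarding yes
MaxAuthTries 10
LogLevel INFO
Match User backup
    PasswordAuthentication no   # conditional, does not fix the global setting
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.option}: observed {f.observed}, expected {f.expected}; {f.rationale}")
```

Run it against the file pulled from a freshly built image (for example from a packer or kickstart post-step) and fail the build on any finding; the same report format works for the Windows side once the parser is swapped for a registry or secedit export.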
20. Tactics: Tuning & Evaluation
See what is inside your network:
- Systems: metadata leakage, traffic snapshots
- Services and processes: which ports they talk to, which files they create
- Visualize your AD (BloodHound in reverse: run it against yourself and remove the attack paths before the red team uses them)
- Create relevant alerts (PowerShell execution, event logging, Sysmon) and use cases on the SIEM
- Lock down everything: admin creds, implement LAPS, EMET (now superseded by Exploit Protection in Windows Defender), remove passwords stored in SYSVOL (Group Policy Preferences cpassword), restrict directory replication (DCSync) rights to domain controllers and alert on anyone else, et al.
- Create alerts for at least the MITRE ATT&CK techniques that apply to you
- Create playbooks: procedures, defensive tactics, response plan
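What "alerts mapped to ATT&CK" looks like in practice, as an added example (not the deck's material): two SIEM-style rules run over constructed Windows Security event records. The first flags a DCSync attempt, a 4662 event requesting the directory replication control-access rights from a principal that is not a domain controller; the second flags encoded PowerShell from a 4688 process-creation event and decodes the payload so the analyst sees the actual command. The allowlist (DC01$, DC02$, svc_dirsync), the account names and the sample events are assumptions for illustration; the replication GUIDs and the ATT&CK IDs are real.

```python
"""Two SIEM use cases over Windows Security events, run here on constructed
sample records (plain dicts keyed by the event's XML field names).

Rule 1, DCSync (ATT&CK T1003.006): event 4662 asking for directory
replication control-access rights from an account that is neither a domain
controller nor a known directory-sync service account.
Rule 2, encoded PowerShell (ATT&CK T1059.001): event 4688 whose command line
carries -EncodedCommand or one of its accepted abbreviations; the payload is
base64 over UTF-16LE, so the rule decodes it for the analyst.
"""
import base64
import binascii
from dataclasses import dataclass

# Control-access-right GUIDs requested by a replication (DCSync) call.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlist for this example: DC computer accounts and the
# directory-sync service account. Derive yours from AD, do not copy these.
REPLICATION_ALLOWED = {"DC01$", "DC02$", "svc_dirsync"}


@dataclass
class Alert:
    technique: str   # ATT&CK technique ID the rule maps to
    rule: str
    user: str
    detail: str


def detect_dcsync(event):
    """4662 with a replication right, from a principal outside the allowlist."""
    if event.get("EventID") != 4662:
        return None
    props = event.get("Properties", "").lower()
    rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
    if not rights:
        return None
    user = event.get("SubjectUserName", "")
    if user in REPLICATION_ALLOWED:
        return None
    return Alert("T1003.006", "dcsync_from_non_dc", user, ", ".join(sorted(rights)))


def _is_encoded_switch(token):
    # powershell.exe accepts -e, -ec and any prefix of -EncodedCommand of
    # three or more characters (-ex... is ExecutionPolicy and does not match).
    t = token.lower()
    return t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t))


def decode_encoded_command(cmdline):
    """Return the decoded script when cmdline carries an encoded command, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            payload = tokens[i + 1].strip("'\"")
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def detect_encoded_powershell(event):
    """4688 for powershell.exe/pwsh.exe whose command line decodes as an encoded command."""
    if event.get("EventID") != 4688:
        return None
    proc = event.get("NewProcessName", "").lower()
    if not proc.endswith(("powershell.exe", "pwsh.exe")):
        return None
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is None:
        return None
    return Alert("T1059.001", "powershell_encoded_command", event.get("SubjectUserName", ""), decoded)


RULES = (detect_dcsync, detect_encoded_powershell)


def run_rules(events):
    alerts = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real logs). "dwBoAG8AYQBtAGkA" is "whoami"
# encoded the way powershell.exe expects (base64 of UTF-16LE).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # DC-to-DC replication, expected
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4688, "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc dwBoAG8AYQBtAGkA"},
    {"EventID": 4688, "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule}: user={a.user} detail={a.detail}")
```

Two caveats before porting this to a real SIEM: 4662 only carries the replication rights if the domain's SACL audits "Replicating Directory Changes" on the domain object, and 4688 only carries CommandLine when "Include command line in process creation events" is enabled by policy (Sysmon event 1 or PowerShell 4104 script-block logging are the alternatives). The DCSync rule is exactly what "restrict replication rights and alert on anyone else" means: the allowlist is the set of principals that legitimately hold those rights, and anything outside it is a finding.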
21. Tactics: Monitoring
Reusing the most overused line here: "The quieter you become, the more you are able to hear."
Identify, observe and document your:
- Network baseline traffic
- DC traffic
- Privileged logins
- Normal logins
- Application behaviour
- Et al.
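Baselining "privileged logins" and "normal logins" means learning each account's routine and scoring deviations from it, with privileged accounts held to a stricter verdict. The script below is an added example, not from the deck: it learns per-account hosts, hours and logon types from a constructed week of 4624-style records and scores a handful of new records against that baseline. The record format, the account names, the adm_ naming convention for privileged accounts and the one-hour slack are assumptions for illustration.

```python
"""Baseline-then-deviate for logons: learn what is normal for each account
from a training window of 4624-style records, then score new logons against
it. Privileged accounts get the stricter verdict.

Sample data is constructed, in a simple comma-separated form
(ISO 8601 time, account, computer the logon landed on, Windows logon type).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive (RDP)"}


@dataclass
class Logon:
    when: datetime
    user: str
    host: str
    logon_type: int


def parse_logons(lines):
    out = []
    for line in lines.strip().splitlines():
        when, user, host, ltype = (p.strip() for p in line.split(","))
        out.append(Logon(datetime.fromisoformat(when), user, host, int(ltype)))
    return out


def is_privileged(user):
    return user.lower().startswith("adm_")   # assumed tiered-account naming convention


@dataclass
class Finding:
    logon: Logon
    reasons: list
    severity: str


class LogonBaseline:
    """Per-account sets of hosts, hours and logon types seen in the training window."""

    def __init__(self):
        self.hosts = defaultdict(set)
        self.hours = defaultdict(set)
        self.types = defaultdict(set)

    def learn(self, logons):
        for rec in logons:
            self.hosts[rec.user].add(rec.host)
            self.hours[rec.user].add(rec.when.hour)
            self.types[rec.user].add(rec.logon_type)

    def evaluate(self, rec):
        reasons = []
        if rec.user not in self.hosts:
            reasons.append("account never seen in baseline")
        else:
            if rec.host not in self.hosts[rec.user]:
                reasons.append(f"first logon to {rec.host}")
            if rec.logon_type not in self.types[rec.user]:
                reasons.append(f"new logon type {rec.logon_type} ({LOGON_TYPES.get(rec.logon_type, 'other')})")
            usual = {(h + d) % 24 for h in self.hours[rec.user] for d in (-1, 0, 1)}  # one hour of slack
            if rec.when.hour not in usual:
                reasons.append(f"outside usual hours ({rec.when:%H:%M})")
        if not reasons:
            return None
        severity = "high" if is_privileged(rec.user) or len(reasons) > 1 else "medium"
        return Finding(rec, reasons, severity)


# Constructed training week (Mon-Fri, 6-10 May 2024): a user and the admin
# account of the same person, each with a steady routine.
BASELINE_LINES = "\n".join(
    f"2024-05-{day:02d}T{hour:02d}:{minute:02d}:00,{user},{host},{ltype}"
    for day in range(6, 11)
    for hour, minute, user, host, ltype in (
        (8, 30, "jsmith", "WS-JSMITH", 2),
        (9, 5, "jsmith", "FS01", 3),
        (17, 45, "jsmith", "WS-JSMITH", 2),
        (10, 0, "adm_jsmith", "DC01", 10),
        (15, 20, "adm_jsmith", "DC01", 10),
    )
)

# Constructed new records to score.
NEW_LINES = """
2024-05-13T08:40:00,jsmith,WS-JSMITH,2
2024-05-13T03:10:00,jsmith,FS01,3
2024-05-13T11:00:00,adm_jsmith,WS-KIOSK,2
2024-05-13T10:30:00,svc_backup,FS01,3
"""


def score_samples():
    baseline = LogonBaseline()
    baseline.learn(parse_logons(BASELINE_LINES))
    return [baseline.evaluate(rec) for rec in parse_logons(NEW_LINES)]


if __name__ == "__main__":
    for finding in score_samples():
        if finding is not None:
            print(f"{finding.severity:6} {finding.logon.user}@{finding.logon.host}: {'; '.join(finding.reasons)}")
```

The admin account showing up interactively on a kiosk is the case the deck's "privileged logins" bullet is about: it is the tier violation that precedes credential theft, and it scores high even though the time of day is normal. A one-week baseline over-alerts in practice; learn from several weeks, exclude the accounts' known maintenance windows, and treat "never seen in baseline" as a triage queue rather than an incident.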
22. Tactics: Testing
Go nuts!
- VA/PT
- Red teaming
- Adversarial simulation
- Whiteboard/tabletop exercises
- CTFs
Fail, fail first, fail early.
Scope: hardware and software, cloud and mobile, containers and processes. Everything!
Always convey exercise results to:
- Leadership
- Detection team
- Response team
- Infrastructure/network team
- HR, for training opportunities
23. Tactics: Response
Simulate established procedures, compare the results, and prepare:
- Vulnerability announcements
- Media excerpts
- Breach announcements / PR speeches
Simulate with stakeholders:
- Chain of command
- Writing reports (the most important skill you will ever learn)
- Methods of communication
- Crisis response
Have retainer contracts in place:
- Cyber response
- Cyber insurance
24. Summary
- Stay one step ahead
- Identify, establish, grok, simulate, practice, practice, practice
- Read
- Fail, fail early, fail first
- Be a cool blue team!
26. References & Acknowledgements
Required reading:
- T3h internets
- BTFM (Blue Team Field Manual)
- MITRE ATT&CK framework
Standard disclaimer: all images used are Creative Commons licensed (wherever possible). Information compiled from multiple sources as part of my own study on the subject. We stand on the shoulders of giants.
27. Thank You!
Now go on, Tiger, I will be rooting for you!
Put a static route towards admin@theprohack.com in case of additional queries.