This document provides an overview of blue teaming tactics and strategies. It discusses how blue teams can identify weaknesses, document risks and consequences, and participate in remediation efforts. Some key responsibilities of blue teams include patching systems, monitoring networks, and responding to security incidents. The document also outlines several tactics for blue teams, such as establishing essential monitoring and response procedures, hardening systems according to checklists, and conducting security tests and exercises. The goal of blue teams is to stay ahead of attackers and continuously improve the security posture of their organization.

1. Cliffnotes
on
Blue Teaming
Rishabh Dangwal
admin@theprohack.com
March 2019

2. Welcome fellow defender, you are on the holy task of defeating the attacker(s).
Welcome!
This is you
btw!
This is the
attacker!

3. Yup, here they come.
Welcome!

4. Welp!
Welcome!

5. Mind the gaps please..
Welcome!

6. It’s worse in
actual scenarios!
News Flash

7. Being an incident response team member/ Blue teamer is a less
glamorous job
 Some times it’s lack of tools
 Some times it’s incomplete tactics
 Some times it’s fractured teams
 Some times it’s lack of morale
 Some times it’s lack of budgets
 Some times it’s the management
 Some times it’s the broken coffee machine in the corner
And you still take the brunt of not saving the day
(almost all the time)
: [

8. Be the coolest blue team on the map
 Identify areas of weakness and ways of exploitation
 Document and demonstrate consequences
 Participate in remediating risk associated with
exploitation
 Patch, Monitor, Respond
Stay cool as heck
Squad Goals!

9.  Every one knows about Red Teaming. Every one else is
selling it as well.
 Aeons back when I started my career, a simple Pentest
would have sufficed.
 What changed?
Attack simulation capability is useless without a
tailored defense strategy.
 Blue Teaming? Blue what?
The Story So Far

10.  Red Teams would be simulated aggressors with tools and
abilities
 Blue team leveraged established tactics, tools,
policies, and procedures
 Capture pre-defined positions on the map
(flags – single, multiple with different objectives)
The Ways of Military

11. • Create an Internal Red Team which is typically a glorified
internal security team.
 Reasons?
 Undefined metrics
 Not enough metrics
 Undefined objectives
 Increased Tech debt
 Lack of appropriate documentation
 Undefined protocols and procedures
 Simulation of advanced attacks while failing at basics
 Is typically a glorified VA/ PT exercise
 May not align to the objectives and success of the
organization
Blue Team? Nah, let our IT team take care of everything.
Organizations Get Inspired

12. NiceTry had a security team as well, failed to patch lolz
issue
 Most organizations fail at security basics
 Slow adoption rate with respect to security issues
 Try telling an organization that they need to address
some basic issues : ]
 No introspection unless regulators are involved
 Or incidents occur
 Or both
Heard this story before?
Organizations Get tangled
redacted redacted

13. Unfortunately, Blue team is overhead
 They don’t make the company money and are an
expense to maintain
 Also, no one listens to them unless the auditor
comes in
 What they recommend is typically expensive to
implement
 Partially because security is hard to quantify
Blue Team Reality Check

14.  Establish a charter
 Market your team like insurance
 Identify best tactics for your environment
So, what to do?

15. Get something like this :
Proposed Unified Framework
Red Team Blue Team
Threat Intelligence Management
Research
Monitoring
Infrastructure
Establish Charter Collaborate Define Requirements
Define Metrics &
Timelines
Identify Resources Get Approvals Simulate Report
Update
Compliance
Ofcourse compliance sucks but it saves you from a lot of lawsuits!

16.  The Big Stick Principle
 Occam’s Razor
 Hanlon’s Razor
 Shannon’s Maxim
 Pareto’s Principle
 Follow the Money
 Hitchen’s Razor
 Bonus : Newton’s Flaming Sword
Your Principles are Your Keystone

17.  Essentials
 Hardening
 Tuning & Evaluation
 Monitoring
 Testing
 Response
Ofcourse this is not exhaustive
Tactics

18. Get a network diagram first & establish a knowledge base
of known attack surfaces
 Threat Modelling
 Identify a framework that works for you
 OSINT
 Implement a capable monitoring system
Create an agreed format of response
 Align with established policies
Get management on board
 Make them a stakeholder
 Identify folks who are SMEs, can communicate issues
to leadership
 Champions of security culture, compliance and
real change
Tactics : Essentials
Ofcourse this is not exhaustive

19. No brainer, right?
 Checklists (CIS/ DOD/ et al)
 Golden images (harden them)
 LoJack? (sketchy!)
 Time stuff (see how long it takes to image/ re-image
a system)
 Optimize (LAN? NAS? SAN?)
Focus on something that is Quick, Repeatable and
Explainable
Tactics : Hardening
Ofcourse this is not exhaustive

20. See what is inside your network
 Systems – metadata leakage, traffic snapshots
 Services & Processes – ports they are talking to,
files being created
 Visualize your AD (Bloodhound in reverse)
 Create relevant alerts (powershell exec, event
logging, sysmon) and use cases on SIEM
 Lock down everything (admin creds, implement LAPS,
EMET, remove sysvol, disable unauth Dcsync et al)
 Create alerts for atleast MITRE ATT&CK framework
 Create playbooks
 Procedures
 Defensive tactics
 Response plan
Tactics : Tuning & Evaluation
Ofcourse this is not exhaustive

21. Reusing the most overused line here
“The quieter you become, the more you are able to
hear”
Identify, observe and document your
 Network baseline traffic
 DC traffic
 Privileged Logins
 Normal logins
 Application behavior
 Et al
Tactics : Monitoring
Ofcourse this is not exhaustive

22. Go nuts!
 VA/ PT
 Red Teaming
 Adversarial Simulation
 Whiteboard/ Tabletop exercise
 CTF
 Fail, fail first, fail early
Scope
 Hardware & Software
 Cloud & Mobile
 Containers & Processes
 Everything!
Tactics : Testing
Always convey exercise results to :
 Leadership
 Detection team
 Response team
 Infrastructure/network team
 HR for training opportunities
Ofcourse this is not exhaustive

23. Simulate established procedures and compare
results, prepare
 Vulnerability Announcements
 Media excerpts
 Breach Announcements/ PR Speeches
Simulate with stakeholders
 Chain of command
 Write Reports (The most important skill
you will learn, ever)
 Methods of communication
 Crisis response
Have retainer contracts in place
 Cyber Response
 Cyber Insurance
Tactics : Response
Ofcourse this is not exhaustive

24.  Stay one step ahead
 Identify, Establish, Grok, Simulate, practice, practice practice
 Read
 Fail, fail early, fail first
• Be a Cool Blue Team!
Summary

25. Questions?

26.  T3h internets
 Required Reading
 BTFM
 MITRE ATT&CK Framework
References & Acknowledgements
Standard Disclaimer : All images used are creative commons licensed (wherever
possible). Information Compiled from multiple sources as part of my own study on the
subject. We stand on the shoulders of giants.

27. Thank You!
Now go on Tiger, I will be rooting
for you!
Put a static route towards admin@theprohack.com in case of
additional queries