Cybersecurity Blue Team Strategies

By: Kunal Sehgal, Nikolaos Thymianis
Overview of this book

We've reached a point where all organizational data is connected through some network. With advancements and connectivity come ever-evolving cyber threats, compromising sensitive data and access to vulnerable systems. Cybersecurity Blue Team Strategies is a comprehensive guide that will help you extend your cybersecurity knowledge and teach you to implement blue teams in your organization from scratch. Through the course of this book, you'll learn defensive cybersecurity measures while thinking from an attacker's perspective. With this book, you'll be able to test and assess the effectiveness of your organization's cybersecurity posture. No matter the medium your organization has chosen (cloud, on-premises, or hybrid), this book will provide an in-depth understanding of how cyber attackers can penetrate your systems and gain access to sensitive information. Beginning with a brief overview of the importance of a blue team, you'll learn important techniques and best practices a cybersecurity operator or blue team practitioner should be aware of. By understanding tools, processes, and operations, you'll be equipped with evolving solutions and strategies to overcome cybersecurity challenges and successfully manage cyber threats from adversaries. By the end of this book, you'll have enough exposure to blue team operations to be able to successfully set up a blue team in your organization.
How do organizations benefit from implementing the blue teaming approach?

Before we start, it is important to understand the benefits an organization can expect to achieve from setting up a blue team. This chapter will focus on what an organization can expect to gain from setting up a blue team, and how to take step-by-step action to set one up for success.

Risk assessment

First, it is recommended that businesses assess the risks and threats affecting their organizational assets, wherever in the world those assets are located. Blue teamers perform a risk assessment to learn what has to be defended from cyberattacks and how. They typically recommend implementing stringent security controls and establishing standard procedures to improve the security posture of the organization. Often, they design the structure of the End User Security Awareness training as well. This helps organizations identify their critical assets and the threat profile for each asset and for the organization as a whole.

Monitoring and surveillance

Monitoring and surveillance are the core tasks of blue teamers, and they perform them diligently for their respective businesses. Organizations receive recommendations from blue teamers for procuring, deploying, and launching various security monitoring tools. These tools allow organizations to log information about the various kinds of access privileges that users and employees have on the network infrastructure. All user activities are recorded, and suspicious activities trigger alerts as per the rules configured in the various security tools. Daily checks, such as auditing DNS and firewall configuration and performing compliance checks across the dashboards of the different tools deployed, are among the Key Responsibility Areas (KRAs) of blue teamers. They also perform various kinds of internal and/or external vulnerability assessments on the network. From time to time, blue teamers help prioritize the vulnerabilities discovered in penetration test reports and provide guidance on patching them. Blue teamers are experts in scanning the business network for vulnerabilities as well as analyzing captured network packets for suspicious ingress and/or egress traffic.

Security controls

Blue teamers are also tasked with establishing various kinds of technical security controls over critical assets. Hence, they have to identify and classify the most critical network components in the organization. Organizations can use a Configuration Management Database (CMDB) to document any configuration change made to those assets. CMDBs are also used to keep a central record of all the network components in a network infrastructure. Assets that are likely to shut down the business altogether if they are hit by cyberattacks are categorized as critical assets. Most of these assets are hardened with additional security controls. Along with risk assessment, blue teamers perform impact assessment studies as well. This involves calculating the impact that various cyberattacks could have if they hit certain critical assets and those assets went down for a specific period of time. Such an outage could seriously affect business operations on a large scale. Hence, the risks and threats that affect every asset in the critical category are documented. Regular vulnerability assessment scans are scheduled for all the disclosed vulnerabilities that affect those assets, namely Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumeration (CWE) entries. Blue teamers are proficient at assessing these risks and suggesting remediation steps for them as well. Most critical- and high-severity vulnerabilities are patched as soon as possible. For vulnerabilities that do not yet have a patch, the blue teamers put a plan into action to implement security controls that reduce the impact of those vulnerabilities in the meantime.

Reporting and recommendation to management

The executive team must decide whether the security controls that are in place are adequate. Blue teamers prepare a document of the known risks that the business is running. Blue teamers may also perform a cost-benefit analysis for management, recommending only those security controls deemed crucial as a bare-minimum baseline.

As an example, blue teamers may discover that the company's network is vulnerable to Distributed Denial-of-Service (DDoS) attacks. DDoS attacks deny the network's availability to genuine users by flooding the company's servers with traffic. Here, the unavailability of services might result in revenue losses for the business. The more time it takes the network team to block a certain subnet of IP addresses, the greater the losses the business incurs. These kinds of attacks severely cripple the organizational network. Here, the blue team not only analyzes the attack and helps block the attackers' command-and-control (C2) IP addresses but also performs impact assessments. To prevent DDoS, or any type of Denial-of-Service (DoS) attack, blue teamers recommend deploying perimeter security solutions. These solutions drastically lower the likelihood of the organization being affected by DDoS attacks. They do not and cannot stop an attack from being launched, but they can certainly stop one from affecting your business network. Security solutions such as perimeter firewalls, load balancers, and Web Application Firewalls (WAFs) help detect DoS attacks and prevent them from affecting your organizational network.
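The per-source rate check that the perimeter devices above rely on can be shown in miniature. The following is an added example, not code from the book: it runs a sliding-window request counter over constructed web server log lines, flags sources that exceed a threshold, and groups the flagged sources by /24 so the blue team can see which subnet a block rule would need to cover. The log format, threshold and window size are assumptions for the example.

```python
# Added example (not from the book): a sliding-window request-rate check of the
# kind perimeter devices apply to spot a volumetric flood. Log lines are
# constructed; source IPs are RFC 5737 documentation addresses, not real hosts.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Apache common log format: client, ident, user, timestamp, request, status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)) if m else None

def detect_floods(lines, threshold, window_seconds):
    """Flag sources exceeding `threshold` requests inside any `window_seconds`
    sliding window. Lines must be time-ordered per source, as in a log file.
    Returns {ip: (first_seen, last_seen, peak_count)} for flagged sources."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash the detector
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            first, _, peak = hits.get(ip, (q[0], ts, 0))
            hits[ip] = (first, ts, max(peak, len(q)))
    return hits

def group_by_subnet(hits, prefix=24):
    """Count flagged sources per /prefix so one block rule can cover a burst."""
    subnets = defaultdict(int)
    for ip in hits:
        subnets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return dict(subnets)

def _line(ip, second, path="/"):
    return f'{ip} - - [10/Mar/2023:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: two hosts in one /24 each send 30 requests in 30 seconds,
# a legitimate client sends three, and one garbage line exercises the parser guard.
SAMPLE_LOG = ([_line("198.51.100.10", s) for s in range(30)]
              + [_line("198.51.100.11", s) for s in range(30)]
              + [_line("203.0.113.5", s, "/index.html") for s in (1, 15, 40)]
              + ["not a log entry"])
```

With a threshold of 10 requests per 10-second window, both 198.51.100.x hosts are flagged (peak of 11 requests in a window) and the legitimate client is not; raising the threshold above the burst size flags nothing.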

There are many other advantages of setting up a blue team; this section only provided an overview of what the typical advantages are. Next, we will focus on what skills and talent to hire in such a team.
