Cybersecurity Blue Team Strategies

A blue team comprises many individuals with diverse skill sets, and its composition differs with the needs of the organization. In this section, we’ll look at a few typical roles that usually sit within this team.
SOC analyst is an entry-level cybersecurity role that sits within the company’s Security Operations Center (SOC); it is also referred to as a triage analyst. The SOC analyst responds to incident alerts of a given severity and investigates the evidence behind them, so the role is reactive. Organizations usually tier the role into Level 1 (L1), Level 2 (L2), and Level 3 (L3) analysts, where L1 is the most junior role and L3 the most senior; the rising numbers denote increasing responsibility and experience requirements.
The SOC monitors IT network traffic for unusual or suspicious behavior. Certain suspicious activity may indicate that malicious actors or malicious programs, such as Trojans and ransomware, are present in the network. Analysts examine the alerts generated by the Security Information and Event Management (SIEM) solution (Splunk, IBM QRadar, LogRhythm, and others), triage the suspicious events, and determine whether each alert is a false positive or a true positive. For true positives, the predefined Standard Operating Procedure (SOP) laid out in the relevant playbook or runbook is followed. The analysis and investigation performed by the junior analysts establish the context of a security incident; they also determine its severity and assign the appropriate risk rating. Incidents rated critical or high severity are immediately escalated to the Incident Responder (IR) in the SOC team.
An IR is also known as an incident response analyst. This position assesses whether a reported alert represents an attack on the organization or a persistent threat to its network, ensures that the incident is contained as quickly as possible, and makes sure the organization can respond and recover according to the defined plans. IRs usually investigate the scope of a cyberattack.
Based on the extent of the problem, IRs devise a remediation strategy. This entails investigating the incident’s characteristics, including which business assets the malware targeted and what harmful activity it performed. The IRs then recommend the appropriate course of action and carry out remediation with the necessary teams, for example by raising IT tickets to re-image compromised systems. IRs also often find themselves pressing the CISO to mandate end user security awareness training. They also notify the chief executives of the scope of a data breach in a timely way.
The threat hunter role is often also known as threat analyst or threat researcher. The threat hunter’s work is proactive: they regularly research threats and risks to stay current with the newest threats, and they study how threats evolve and how they are constructed. Threat hunters often write the detection rules that trigger alerts in the company’s SIEM solution for specific cyber threats.
Threat hunters are proficient in configuring and monitoring multiple threat intelligence platforms (for example, IBM X-Force, AlienVault OTX, VirusTotal, and others) to research the life cycle of threats proactively. They assess whether new and emerging threats pose the greatest danger to their company based on parameters such as the industries targeted, the vulnerabilities exploited, and the attackers’ tactics, techniques, and procedures (TTPs). Threat hunters often make system configuration changes in response to the cyber risks they discover. Analyzing cyber threats and risks in real time becomes overwhelming when more threat intelligence arrives than the available staff can process, so threat hunters use automation in their security tooling to detect behavior typical of specific threats. In this way they harden the organization’s network infrastructure against potential cyberattacks.
Suppose a novel ransomware threat has surfaced recently (for example, LockBit 2.0 or BlackMatter). A threat hunter will investigate it and use automation both to keep it from infiltrating the company and to detect it if it does get in.
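The kind of detection logic a threat hunter prototypes before porting it into the SIEM's own rule language, as an added example that is not from the book: two rules run over constructed endpoint telemetry. The first flags shadow copy deletion (the Inhibit System Recovery behaviour common to many ransomware families), the second flags one process renaming many files to a new extension within a short window (mass encryption). The event tuple layout, the sample events, the process and host names and the thresholds are all assumptions made for the example; the patterns are generic ransomware behaviours, not signatures of LockBit 2.0 or BlackMatter.

```python
"""Toy SIEM-style detection rules for ransomware-like behaviour (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. Each event is
# (timestamp, host, event_type, process, detail); for "process" events the
# detail is the command line, for "file_rename" events it is "old -> new".
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:01", "ws-17", "process", "cmd.exe",
     "vssadmin delete shadows /all /quiet"),
    ("2024-03-01T10:05:00", "ws-22", "file_rename", "explorer.exe",
     r"C:\Users\b\draft.docx -> C:\Users\b\final.docx"),     # benign single rename
    ("2024-03-01T10:06:00", "ws-22", "process", "powershell.exe",
     "Get-ChildItem C:\\"),                                   # benign admin command
]
# Thirty renames to a ".lockme" extension by one process within 30 seconds on ws-17.
_base = datetime.fromisoformat("2024-03-01T10:00:02")
SAMPLE_EVENTS += [
    ((_base + timedelta(seconds=i)).isoformat(), "ws-17", "file_rename", "svc_update.exe",
     rf"C:\Users\a\Documents\doc{i}.docx -> C:\Users\a\Documents\doc{i}.docx.lockme")
    for i in range(30)
]

# Command-line fragments that all have to be present (case-insensitively) to match.
SHADOW_DELETE_PATTERNS = (
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
    ("wbadmin", "delete catalog"),
)
RENAME_THRESHOLD = 20               # assumed: renames by one process on one host ...
RENAME_WINDOW = timedelta(seconds=60)  # ... within this window count as mass renaming


def rule_shadow_copy_deletion(events):
    """Alert on process events whose command line deletes volume shadow copies."""
    alerts = []
    for ts, host, etype, proc, detail in events:
        if etype != "process":
            continue
        cmd = detail.lower()
        if any(all(tok in cmd for tok in pattern) for pattern in SHADOW_DELETE_PATTERNS):
            alerts.append({"rule": "inhibit_system_recovery", "severity": "high",
                           "host": host, "process": proc, "ts": ts, "evidence": detail})
    return alerts


def rule_mass_rename(events, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """Alert when one (host, process) renames >= threshold files inside one window."""
    by_actor = defaultdict(list)
    for ts, host, etype, proc, detail in events:
        if etype == "file_rename":
            by_actor[(host, proc)].append((datetime.fromisoformat(ts), detail))
    alerts = []
    for (host, proc), renames in by_actor.items():
        renames.sort()
        start = 0
        for end in range(len(renames)):          # sliding window over sorted timestamps
            while renames[end][0] - renames[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                new_exts = sorted({r[1].split(" -> ")[-1].rsplit(".", 1)[-1]
                                   for r in renames[start:end + 1]})
                alerts.append({"rule": "mass_file_rename", "severity": "critical",
                               "host": host, "process": proc,
                               "ts": renames[start][0].isoformat(),
                               "evidence": f"{end - start + 1} renames within "
                                           f"{int(window.total_seconds())}s, new extensions: {new_exts}"})
                break                            # one alert per actor is enough for triage
    return alerts


def run_rules(events):
    """Run every rule and return the combined alert list for the SOC queue."""
    return rule_shadow_copy_deletion(events) + rule_mass_rename(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

In practice both rules are tuned against the organization's own baseline: backup agents legitimately call vssadmin, and build or archiving jobs rename many files, so the hunter pairs each rule with an allow-list of known processes and a severity that reflects how noisy it proves to be.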
To be hired as a threat hunter, a candidate is expected to have experience in the SOC analyst and IR roles as well as proficiency in computer and network systems administration. Familiarity with the various sources of threat intelligence on both the surface web and the dark web also helps, and a deep understanding of the cyber threats specific to the business sector often gives the candidate a competitive edge in the threat intelligence and threat hunting job market. A good threat hunter or Threat Intelligence Analyst (TIA) can obtain proactive and actionable Threat Intelligence (TI) from any number of surface web and dark web sources, including various Internet Relay Chat (IRC) servers and forums, knows how to choose the appropriate technical and non-technical methodologies, and has the know-how to use the various TI frameworks at their disposal.
Security consultants are often hired on a contractual basis and perform tasks throughout a project’s life cycle as and when required. They may also be brought in from outside the organization as a reliable source of knowledge or expertise in a specific tool or area of security, and they are often regarded as experts in their domain. Another term often used for security consultants is Subject Matter Expert (SME). Security strategy consultant and security operations consultant are two examples of specialized roles.
A security administrator is not the same as a SOC analyst. However, some organizations treat security administrators as Level 4 (L4) SOC analysts, whose job is to download, install, configure, deploy, and launch the various security tools in the SOC, and to update those tools when vendor updates arrive. The job is similar to a systems administrator’s, but it covers all the security tools in the SOC, such as SIEM, SOAR, AV/NGAV, EDR/XDR, DLP, honeypots, cloud governance, WAF, firewalls, load balancers, IAM and AD, brand abuse and defamation monitoring solutions, and more. It also entails applying the patches and fixes released by each tool’s vendor and configuring the tools for optimum performance. Security administrators often collaborate with threat hunters and IRs to write scripts and programs that automate repetitive security tasks. However, they are not tasked with investigating the security events and incidents that the tools flag.
The IAM administrator provides Identity and Access Management (IAM) support to several departments within a firm. Managing application and system authorizations and privileges, Single Sign-On (SSO), application reporting, and working with developers to integrate identity and access management policies into new applications and software are some of the key responsibilities of an IAM admin. These professionals have niche expertise in various IAM tools as well as in network administration.
A compliance analyst is often tasked with the internal audits of a corporation or business. They check and verify whether the business is following its security rules, privacy policies, national data privacy laws, and any other applicable laws and regulations. They need to be familiar with all the aforementioned work roles, since a compliance analyst holds frequent discussions with each of them as part of compliance checks. They produce regular reports of the non-compliance found in the network infrastructure and submit them to senior management. Additionally, they help firms prepare for external audits, which may be required depending on the business sector (for example, healthcare, BFSI, energy and utilities, and others).
This section covered what organizations need to understand to compose a blue team. There will be more roles to consider, depending on the type and complexity of an organization, but we have covered the skills that are typical in any organization. Next, we will briefly touch upon the red team and the purple team. These two teams are not usually part of the blue team, but it is important to understand what they do as well. We will also look at the role of a cyber threat intelligence team; this skill set typically sits within the blue team, but it is also common to have it segregated from the blue team.