Introduction
Our last blog examined what the Red Team does in a Penetration Testing exercise. This team is often viewed as the “bad guys” because they try to act like a Cyber attacker in order to break down your lines of defense. In this blog, we examine the “good guys” – the Blue Team. This is the group of Penetration Testers that tries to thwart the Cyber attacks launched by the Red Team.
The Blue Team
The overarching task of the Blue Team is to fight off the Cyber-attack that has been launched by the Red Team. But apart from this, the Blue Team has other specific responsibilities in the effort to overcome the Cyber-attack. These are as follows:
1) Preparedness:
The Blue Team will do everything possible in its role to protect the business or corporation from any looming Cyber based threats. This includes testing all of the Security technologies that are in place to make sure they are optimized to detect any sort of anomalies or outliers; making sure that the Incident Response and Disaster Recovery plans can be set in motion should a Cyber-attack actually occur; and keeping all employees informed of the upcoming Cyber threat landscape.
2) Identification:
Here, the Blue Team will make every effort to correctly identify any potential Cyber-attacks that are posed to the business or corporation.
3) Containment:
If the organization is hit by a Cyber-attack, it becomes the responsibility of the Blue Team to contain the damage caused by the attack. In this regard, one of the best tools the Blue Team has at hand is the Incident Response Plan. By initiating it at the time of the Cyber-attack, the members of the Incident Response Team are also called into action to mitigate any losses from the Cyber-attack.
4) Recovery:
In the unfortunate event that the business or corporation has been breached by a Cyber-attack, it is also one of the main responsibilities of the Blue Team to activate the Disaster Recovery plans in order to bring the entity back to the predefined level of operations it had before the incident occurred. This should happen, at most, one or two days after the Cyber-attack. At this point, one of the main priorities of the Blue Team is to bring up as many mission-critical processes as possible during this short time span.
5) Lessons Learned:
Obviously, once the damage from the Cyber-attack has been mitigated and the organization is up and running at near 100% operational levels, a Forensics Investigation Team will be called in to conduct an exhaustive study of what happened and how the Cyber-attack could have been avoided. It is also one of the responsibilities of the Blue Team to compile all of this into a report, as well as to formulate strategies for how such incidents can be avoided in the future.
The Blue Team, during the Penetration Testing exercise(s), also assumes the following responsibilities:
1) Operating System Hardening:
The Blue Team will further fortify the Operating Systems of all of the hardware being used at the business or corporation. This primarily includes all of the servers, workstations, and wireless devices (securing both Android and iOS). The goal here is to decrease the “surface of vulnerability” of all the Operating Systems currently in use.
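Hardening is easiest to keep honest when the expected settings are written down as a baseline and checked mechanically. The following is an added example, not code from the original post: it parses an OpenSSH server configuration and reports every directive that is missing or outside the baseline. The two configuration texts are constructed for the demo, and the baseline values are common hardening recommendations chosen for illustration, not an official standard. It honours sshd's first-value-wins rule but deliberately ignores Match blocks.

```python
# Added example (not from the original post): audit an sshd_config text
# against a small hardening baseline. Config texts and baseline values are
# constructed/illustrative assumptions for the demo.

# directive (lower-case) -> set of acceptable values (compared case-insensitively)
HARDENING_BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
}

# Constructed "before hardening" configuration.
WEAK_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
"""

# Constructed "after hardening" configuration.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {directive: effective_value}.

    sshd uses the first value it reads for a keyword, so later duplicates are
    ignored here as well. Match blocks are not modelled in this demo.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        config.setdefault(key, value)         # first occurrence wins
    return config


def audit(config, baseline):
    """Return a list of (directive, actual_value, allowed_values) findings."""
    findings = []
    for directive, allowed in baseline.items():
        actual = config.get(directive)
        if actual is None:
            findings.append((directive, "not set", sorted(allowed)))
        elif actual.lower() not in allowed:
            findings.append((directive, actual, sorted(allowed)))
    return findings


def report(text, baseline=HARDENING_BASELINE):
    """Audit a config text and print a human-readable summary; returns findings."""
    findings = audit(parse_sshd_config(text), baseline)
    for directive, actual, allowed in findings:
        print(f"FINDING {directive}: {actual!r}, expected one of {allowed}")
    if not findings:
        print("no findings")
    return findings


if __name__ == "__main__":
    report(WEAK_CONFIG)
    report(HARDENED_CONFIG)
```

Running the script against the weak configuration lists four findings (root login, password authentication, X11 forwarding, and the unset MaxAuthTries); the hardened configuration produces none. The same pattern extends to any line-oriented configuration: keep the baseline in version control and run the audit as part of the team's routine checks.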
2) The Perimeter Defense:
The Blue Team will also ensure that all Firewalls, Network Intrusion Devices, Routers, Traffic Flow devices, Packet Filtering devices, etc. are up and running and operating at peak condition. In order to further fend off any Cyber-attacks, the Blue Team typically uses such tools as Log Management and Analysis, and Security Information and Event Management (SIEM) technology.
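Log Management and SIEM tooling earn their keep through correlation rules: individual log lines are unremarkable, but a pattern across them is an alert. The following is an added example, not code from the original post or any particular SIEM product: a small detector that reads OpenSSH authentication lines, keeps a per-source sliding window of failed logins, and raises one alert when a source crosses the failure threshold and another when a login from that source then succeeds. The log lines, the threshold of five failures, and the two-minute window are all constructed for the demo, and the syslog timestamps are assumed to carry no year (as in classic syslog), so they are compared relative to one another.

```python
# Added example (not from the original post): a SIEM-style correlation rule
# over constructed OpenSSH auth log lines. Threshold/window values and the
# sample lines are demo assumptions. Addresses are from the documentation
# (TEST-NET) ranges.

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers the bastion and finally gets in,
# one source fails twice (below threshold), one source logs in cleanly.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:09 bastion sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:15 bastion sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:20 bastion sshd[2004]: Failed password for alice from 198.51.100.7 port 50100 ssh2
Mar  3 10:00:31 bastion sshd[2005]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:40 bastion sshd[2006]: Accepted publickey for bob from 198.51.100.8 port 50200 ssh2
Mar  3 10:00:44 bastion sshd[2007]: Failed password for alice from 203.0.113.5 port 40005 ssh2
Mar  3 10:00:52 bastion sshd[2008]: Failed password for alice from 198.51.100.7 port 50101 ssh2
Mar  3 10:01:03 bastion sshd[2009]: Accepted password for alice from 203.0.113.5 port 40006 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Parse one sshd auth line into a dict, or return None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps have no year; strptime fills in 1900, which is
    # fine because only differences between timestamps are used below.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (alert_type, source_ip, user, timestamp) tuples.

    brute_force            : `threshold` failures from one source within `window`
    success_after_failures : an accepted login from a source that is currently
                             at or above the failure threshold
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute force
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # not an auth line; a real pipeline would count these
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()        # expire failures that fell out of the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["user"], ev["ts"]))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"]))
    return alerts


def run_demo():
    """Run the rule over the constructed sample and return the alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, src, user, ts in run_demo():
        print(f"{ts:%H:%M:%S} {kind:24s} src={src} user={user}")
```

On the sample, 203.0.113.5 reaches five failures at 10:00:44 and then logs in as alice at 10:01:03, so the rule produces exactly two alerts; 198.51.100.7 stays below the threshold and 198.51.100.8 has no failures at all. The "success after failures" alert is the one worth paging on: a brute-force attempt that is still failing is noise to be blocked, while a success following a burst of failures is an incident for the Incident Response Plan described above.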
Conclusions
Our next blog will examine the “Purple Team”. This team is a combination of both the good guys and the bad guys.