BLUE TEAM

What is a “Blue team”?
A blue team is similar to a red team in that it also assesses network security and identifies any possible vulnerabilities.

But what makes a blue team different is that once a red team imitates an attacker and attacks with characteristic tactics and techniques, a blue team is there to find ways to defend, change and re-group defense mechanisms to make incident response much stronger.

Like a red team, a blue team needs to be aware of the same malicious tactics, techniques and procedures in order to build response strategies around them. And blue team activity isn’t exclusive to attacks. They’re continuously involved to strengthen the entire digital security infrastructure, using software like an IDS (intrusion detection system) that provides them with an ongoing analysis of unusual and suspicious activity.

Some of the steps a blue team incorporates are:

Security audits, such as a DNS audit
Log and memory analysis
pcap anlalysis
Risk intelligence data analysis
Vulnerability management
Digital footprint analysis
Reverse engineering
DDoS testing
Developing risk scenarios

RED TEAM VS. BLUE TEAM

What are the differences? Know the basics:

https://blog.eccouncil.org/red-team-vs-blue-team/

FREE TRAINING RESOURCES

Free Wireshark training playlist: https://www.youtube.com/playlist?list=PLY-M-dfKubpeB7xftLBRclgva0lsg214r

BLUE TEAM TRAINING RESOURCES

Blue Team Training Resources: https://securityblue.team/training/

CRASH COURSE IN VULNERABILITY MANAGMEMENT

What is vulnerability management?

https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180 (a really long, involved and boring read)
https://www.techopedia.com/definition/16172/vulnerability-management (a much more approachable version)

Tenable:

Shodan:

https://www.shodan.io/
https://hack-ed.net/2016/01/30/shodan-the-internet-of-things-search-engine/ (how to use Shodan)

CVE's:

https://nvd.nist.gov/ -- massive CVE database -- official
https://vuldb.com/ - massive CVE database -- unofficial, community driven, more approachable at times

Threat feeds:

https://www.kb.cert.org/vuls/
https://research.checkpoint.com/
https://www.darkreading.com/vulnerabilities-threats.asp
https://thehackernews.com/search/label/Vulnerability
https://threatpost.com/category/vulnerabilities/
https://security.paloaltonetworks.com/ (vendor specific threat feeds related to your particular environment)

Back