The Benefits of Building a Mature and Diverse Blue Team

A few days ago, a friend and I were having a rather engaging conversation that sparked my excitement. We were discussing my prospects of becoming a red teamer as a natural career progression. The reason I got stirred up is not that I want to change either my job or my position, as I am a happy camper being part of Cymulate’s blue team.

What upset me was that my friend could not grasp the idea that I wanted to keep working as a blue teamer because, as far as he was concerned, the only natural progression is to move to the red team.

Red teams include many roles ranging from penetration testers to attackers and exploit developers. These roles attract most of the buzz, and the many certifications revolving around these roles (OSCP, OSEP, CEH) make them seem fancy. Movies usually make hackers the heroes, while typically ignoring the defending side, the complexities and challenges of blue teamers’ roles are far less known.

While blue teams’ defending roles might not sound as fancy and gather little to no buzz, they include essential and diverse titles that cover exciting and challenging functions and, finally, pay well. In fact, Hollywood should look into it!

Defending is more complex than attacking, and it is more crucial

Consider that you are a cyber security defender and that your assigned job is to protect your IT Infrastructure.

• As a defender, you need to learn all sorts of attack mitigation techniques to protect your IT infrastructure. Conversely, an attacker can settle for gaining proficiency in exploiting just one vulnerability and keep exploiting that single vulnerability.
• As a defender, you must be alert 24/7/365 to protect your infrastructure. As an attacker, you either choose a specific time/date to launch an attack or run boring brute force attacks across many potential targets.
• As a defender, you must protect all weak links in your infrastructure – xerox, machine printer, attendance system, surveillance system, or endpoint used by your receptionist – whereas attackers can select any system connected to your infrastructure.
• As a defender, you must comply with your local regulator while performing your daily work. Attackers have the liberty to mess up with laws and regulations.
• As a defender, you are prepared by the red team that assists your work by creating attack scenarios to test your capabilities.

Blue teams include complex, challenging, and research-intensive disciplines, and the related roles are not filled.

In the conversation mentioned above, my friend assumed that defending roles mainly consist of monitoring SIEMs (Security Information and Event Management) and other alerting tools, which is correct for SOC (Security Operations Center) analyst roles. Here are some atypical Blue Team roles:

• Threat Hunters – Responsible for proactively hunting for threats within the organization
• Malware Researchers – Responsible for reverse engineering malware
• Threat Intelligence Researchers – Responsible for providing intelligence and information regarding future attacks and attributing attacks to specific attackers
• DFIR – Digital Forensics and Incident Responders are responsible for containing and investigating attacks when they happen

These roles are challenging, time intensive, complex, and demanding. Additionally, they involve working together with the rest of the blue team to provide the best value for the organization.

According to a recent CSIS survey of IT decision makers across eight countries: “82 percent of employers report a shortage of cybersecurity skills, and 71 percent believe this talent gap causes direct and measurable damage to their organizations.” According to CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), the United States faced a shortfall of almost 314,000 cybersecurity professionals as of January 2019. To put this in context, the country’s total employed cybersecurity workforce is just 716,000. According to data derived from job postings, the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015. By 2022, the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions.”

C Level executives are disconnected from reality when it comes to Internal Blue Teams

The above graph is from an excellent talk called “How to Get Promoted: Developing Metrics to Show How Threat Intel Works – SANS CTI Summit 2019”. It illustrates the disconnect between the high-level executives and “on-the-ground” employees and how high-level executives think that their defensive teams are much more mature than their team self-assessment.

Solving the Problem

Strive to teach SOC analyst’s new craft

Bringing new and experienced researchers is expensive and complicated. Perhaps organizations should strive to promote and encourage entry analysts to learn and experiment with new skills and technologies. While SOC managers might fear that this might interfere with experienced analysts’ daily missions or result in people leaving the company but, paradoxically, it will encourage analysts to stay and take a more active part in maturing the organization’s security at almost no extra cost.

Cycle employees through positions

People get tired of doing the same thing every day. Perhaps a clever way to keep employees engaged and strengthen your organization is to let people cycle across distinct roles, for example, by teaching threat hunters to conduct threat intelligence work by giving them easy assignments or sending them off to courses. Another promising idea is to involve low-tier SOC analysts with real Incident Response teams and thus advance their skills. Both organizations and employees benefit from such undertakings.

Let our employees see the results of their demanding work

Whether low-tier SOC analysts or Top C-level executives, people need motivation. Employees need to understand whether they are doing their job well, and executives need to understand their job’s value and the quality of its execution.

Consider ways to measure your Security Operations Center:

• How effective is the SOC at processing important alerts?
• How effectively is the SOC gathering relevant data, coordinating a response, and taking action?
• How busy is the security environment, and what is the scale of activities managed by the SOC?
• How effectively are analysts covering the maximum possible number of alerts and threats?
• How adequate is the SOC capacity at each level, and how heavy is the workload for different analyst groups?

The table below contains more examples and measures taken from Exabeam.

And, of course, validate your blue team’s work with continuous security validation tools such as those on Cymulate’s XSPM platform where you can automate, customize and scale up attack scenarios and campaigns for a variety of security assessments.

Seriously, validating your blue team’s work both increases your organization’s cyber resilience and provides quantified measures of your blue team’s effectiveness across time.

Note: This article is written and contributed by by Dan Lisichkin, Threat Hunter and Threat Intelligence Researcher at Cymulate.