Blue team

careersincyber securityoperations defensivesecurity principlesofsecurity

The blue team specializes in defense: protecting systems and data both proactively (hardening, monitoring) and reactively (detecting and responding to attacks).

  • 🛡ī¸ Secure the system/business activities (and document them)
  • 🔎 Monitor logs (traffic, user activity...)
  • 👮 Detect and stop attacks (as fast as possible)
  • 🚓 Do digital forensics
  • đŸŦ Track down hackers
  • 🖋ī¸ Do security awareness training
  • 🔁 Ensure their measures/systems/... are still up-to-date

Some jobs in the blue team are:

  • Security Architect 👷‍♂️: plan the security of activities and systems in accordance with the business needs and requirements.
  • Security Analyst 📝: analyze and remediate issues. Develop security plans to keep the company safe, and implement them.
  • Incident Responder 🧑‍🚒: handle and remediate incidents (contain, eradicate, recover, document lessons learned).
  • Digital Forensics 🔎: investigate attacks and policy violations, preserving evidence so the findings hold up.
  • Malware Analyst / Reverse Engineer 💥: analyze and detect malware, statically (read the code) and dynamically (run it in a sandbox and observe what it does).
  • Security Researcher 🔓: research attacks and defenses in a given area (Linux internals, hashing algorithms, ...).

Pillars & Foundations

adventofcyber4 securityprinciples

The security triad (CIA) is a famous principle used everywhere in security. Its opposite, the attacker's goals, is DAD (Disclosure, Alteration, and Denial; "Destruction" is sometimes used for the last one).

  • 🔒 Confidentiality: only those allowed can access resources
  • 🔎 Integrity: resources are only modified in authorized ways, and unauthorized modification is detectable
  • 📂 Availability: resources are available when needed

The French "DICAI" model extends the CIA principle with:

  • 🔑 Authentication and Identification: verify the identity of users
  • ⌛ Irrevocability (non-repudiation): once an action is performed, its author cannot later deny having performed it (proof, e.g. signed audit trails)

See also: Parkerian Hexad (6 attributes: confidentiality, possession/control, integrity, authenticity, availability, utility).

Reduce the attack surface 🏄‍♂️: remove unused software, plugins, services, ... as each one is a potential attack vector.

Defense-in-depth (layered security) 🕸️: use multiple independent layers of security, along with various tactics, so that the failure of one layer only slows down an intruder rather than letting them through. (Not to be confused with Multi-Level Security, which refers to classification levels as in Bell-LaPadula.)

Triple-A principles 🔒: Authentication (verify the identity), Authorization (determine the permissions), and Accounting (log who did what, for auditing).

Zero trust 🔎: a concept. No implicit trust based on network location or past checks: authenticate and authorize every request, assume breach, and continuously monitor resources.

Trust but verify 📇: trust security measures/..., but still log and verify that there is nothing unexpected/not allowed.

Principle of the least privilege 👮: everyone, regardless of their role in the company (CEO...), should have the least privilege that they require to do their job.

Sweet spot 🍭: find the right balance between security and productivity. Don't burden users too much.

Activities and tools 🤵


Designing the architecture involves multiple aspects:

Security models (conceptual)


  • Bell-LaPadula Model (focus on confidentiality): "no read up, no write down"; a subject cannot read objects above its clearance nor write to objects below it (which could leak data downwards).
  • Biba Model (focus on integrity): "no read down, no write up"; a subject cannot read less trustworthy data nor write to more trustworthy objects.
  • Clark-Wilson Model (focus on data integrity in commercial systems): data is only changed through well-formed transactions, with separation of duties.
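The two lattice models above become concrete once you write the access decision as code. The following is an added example (not from the original notes or any real system) that encodes the Bell-LaPadula and Biba rules over a constructed four-level lattice and composes them; the subject and object names are made up for illustration. Clark-Wilson is not modeled, since it is about transaction structure rather than a level comparison.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed classification lattice; higher value = more sensitive / more trusted."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level   # Bell-LaPadula: confidentiality clearance
    integrity: Level   # Biba: how trustworthy the subject's input is


@dataclass(frozen=True)
class Obj:
    name: str
    classification: Level  # Bell-LaPadula: sensitivity of the data
    integrity: Level       # Biba: how trustworthy the data is


def blp_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Bell-LaPadula: simple security property ('no read up') and
    *-property ('no write down'). Writing upwards is allowed (a blind write)."""
    if op == "read":
        return subject.clearance >= obj.classification
    if op == "write":
        return subject.clearance <= obj.classification
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Biba: simple integrity ('no read down') and *-integrity ('no write up').
    Low-integrity input must not contaminate high-integrity data."""
    if op == "read":
        return subject.integrity <= obj.integrity
    if op == "write":
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown operation {op!r}")


def allowed(subject: Subject, obj: Obj, op: str) -> bool:
    """A system that enforces both confidentiality and integrity lets an
    access through only when both models agree."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


# Constructed sample principals and objects (hypothetical names).
ALICE = Subject("alice", clearance=Level.SECRET, integrity=Level.SECRET)
TS_REPORT = Obj("ts-report", classification=Level.TOP_SECRET, integrity=Level.SECRET)
PUBLIC_WIKI = Obj("public-wiki", classification=Level.UNCLASSIFIED, integrity=Level.UNCLASSIFIED)


def decision_matrix():
    """Every (subject, object, op) decision for the sample data, for inspection."""
    rows = []
    for obj in (TS_REPORT, PUBLIC_WIKI):
        for op in ("read", "write"):
            rows.append((ALICE.name, obj.name, op,
                         blp_allows(ALICE, obj, op), biba_allows(ALICE, obj, op),
                         allowed(ALICE, obj, op)))
    return rows


if __name__ == "__main__":
    print("subject object op blp biba combined")
    for row in decision_matrix():
        print(*row)
```

Note the asymmetry: under Bell-LaPadula alone, alice may write to the top-secret report she cannot read (a blind write), while Biba alone forbids her from reading the low-integrity public wiki. Real systems usually add discretionary controls on top, because the pure models are too coarse for day-to-day use.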

Security frameworks (practical)

adventofcyber4 redteamfundamentals

  • Cybersecurity Framework (CSF) by NIST
  • ISO/IEC 27000 series
  • MITRE ATT&CK Framework: a knowledge base of adversary TTPs (Tactics, Techniques, and Procedures) observed in the wild, used to map detections and red team activity to known behaviour

Cyber Threat Intelligence (CTI)


Threat intelligence is a process during which a company collects information about potential threats (actors, their TTPs, indicators of compromise) and uses it to prepare for them.

➡️ See also: Threat hunting (proactively search for adversary activity that existing detections missed), Threat modeling (review a design for threats and improve its security measures, see STRIDE, PASTA).

Security Operation Center (SOC)


A security operations center is the team, usually in a dedicated room, where security professionals monitor the organization 24/7. They are:

  • Detecting unusual activity
  • Detecting intrusions or violations
  • Monitoring vulnerabilities
  • Training or raising awareness
  • ...
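The "monitor logs" and "detect intrusions" duties above come down to running detection logic over log lines. The following is an added example, not part of the original notes or of any product: it parses constructed OpenSSH-style authentication lines (the hostnames, users and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and raises an alert when one source produces a burst of failed logins, which corresponds to MITRE ATT&CK T1110 (Brute Force), plus a higher-severity alert if that same source then succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/OpenSSH format (not from a real host).
SAMPLE_LOG = """\
Jan 10 09:12:01 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 09:12:03 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 10 09:12:04 bastion sshd[2011]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 10 09:12:06 bastion sshd[2011]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 10 09:12:07 bastion sshd[2011]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 10 09:12:09 bastion sshd[2011]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 10 09:30:00 bastion sshd[2090]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jan 10 09:45:00 bastion sshd[2101]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

# Matches the two sshd outcomes we care about; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(line: str, year: int = 2024):
    """Return (timestamp, result, user, source_ip) or None for non-matching lines.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Sliding-window detector: alert once a source reaches `threshold` failures
    within `window`, and again if that source later authenticates successfully.
    Returns the list of alerts in the order they fired."""
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("T1110 brute force", src, len(q)))
        elif result == "Accepted" and src in flagged:
            # A success right after a burst of failures is the signal worth paging on.
            alerts.append(("success after brute force", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The single failure from 198.51.100.5 never reaches the threshold, so that source stays quiet; tune `threshold` and `window` to the environment, since a low threshold against a noisy VPN gateway is how analysts drown in alerts.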


👻 To-do 👻

Stuff that I found, but never read/used yet.


  • The five "As" in security



  • Security Control Framework
  • Endpoint Detection and Response (EDR)
    • antivirus
    • anti-malware
    • intrusion prevention
  • Deceptive security
  • Building Security In Maturity Model (BSIMM)
  • Microsoft Security Development Lifecycle