Blue team
The blue team specializes in defense: protecting systems both proactively (hardening, monitoring) and reactively (responding to incidents once they happen).
- Secure systems and business activities, and document the measures taken
- Monitor logs (network traffic, user activity...)
- Detect and stop attacks, as fast as possible
- Perform digital forensics
- Track down attackers
- Run security awareness training
- Ensure that measures, systems, etc. stay up to date
Some jobs in the blue team are:
- Security Architect: designs the security of systems and activities in line with business needs and requirements.
- Security Analyst: analyzes and remediates issues; develops security plans to keep the company safe and implements them.
- Incident Responder: handles and remediates incidents.
- Digital Forensics: investigates attacks and policy violations, preserving and analyzing evidence.
- Malware Analyst / Reverse Engineer: analyzes and detects malware, statically (reading the code) and dynamically (observing what it does when run, usually in a sandbox).
- Security Researcher: studies systems, protocols and algorithms (operating systems such as Linux, hashing algorithms...) to find weaknesses and improve defenses.
Pillars & Foundations
The security triad (CIA) is the foundational principle of information security. Its negation is DAD (Disclosure, Alteration, and Destruction): each letter is what an attacker achieves when the corresponding property fails.
- Confidentiality: only authorized parties can access resources
- Integrity: resources can only be modified in authorized ways
- Availability: resources are accessible when needed
The French "DICAI" model extends the CIA triad with:
- Authentication and Identification: establish who a user claims to be (identification) and prove it (authentication)
- Irrevocability (non-repudiation): the author of an action cannot later deny having performed it, typically ensured with signed and tamper-evident audit trails
See also: Parkerian Hexad (6 attributes: confidentiality, possession/control, integrity, authenticity, availability, utility).
Reduce the attack surface: remove unused software, plugins, services, etc.; every one of them is a potential attack vector.
Defense in depth (layered security): multiple independent layers of controls (network, host, application, data) and varied tactics, so that one control failing or being bypassed slows down or stops the intruder instead of handing over the whole system. Not to be confused with Multi-Level Security (MLS), which is the classification-label scheme of models such as Bell-LaPadula.
Triple-A principles: Authentication (verify the identity), Authorization (determine what that identity may do), and Accounting (record what was done: logs and audit trails).
Zero trust: a concept. No implicit trust based on network location or on a check done earlier; authenticate and authorize every request, assume the network is hostile (assume breach), and continuously monitor resources.
Trust but verify: trust security measures, people, etc., but still log their actions and verify that nothing unexpected or disallowed happened.
Principle of least privilege: everyone, regardless of their role in the company (CEO...), and every process or service, should have only the privileges required to do their job, and nothing more.
Sweet spot: find the right balance between security and productivity. Controls that burden users too much get bypassed.
Activities and tools
Architecture
Designing the architecture involves multiple aspects:
- Security Architecture: plan your organization's security
- Data governance: how data is classified and handled from creation to destruction
- ...
Security models (conceptual)
- Bell-LaPadula Model (confidentiality: no read up, no write down)
- Biba Model (integrity: no read down, no write up; the dual of Bell-LaPadula)
- Clark-Wilson Model (data integrity through well-formed transactions and separation of duties, rather than labels)
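The lattice rules of Bell-LaPadula and Biba are easiest to see as code. The following toy reference monitor is an added example, not code from the original page: the levels, labels and the analyst/download/report scenario are all constructed, and it shows both what each model decides on its own and what happens when a system enforces both at once (Clark-Wilson is not modelled, since it does not work with labels).

```python
"""Added example (not part of the original page): a toy reference monitor
that enforces the Bell-LaPadula and Biba rules side by side.
Levels, labels and the subjects/objects below are constructed for the demo.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Linear lattice LOW < MEDIUM < HIGH. Read as classification
    (public .. top secret) for BLP and as integrity (untrusted .. trusted)
    for Biba."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_allows(action: str, subject: Level, obj: Level) -> bool:
    """Bell-LaPadula (confidentiality).
    Simple security property: no read up   -> read needs subject >= object.
    *-property:               no write down -> write needs subject <= object
    (a low subject may blind-write upward; it just cannot read it back)."""
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action: {action!r}")


def biba_allows(action: str, subject: Level, obj: Level) -> bool:
    """Biba (integrity), the dual of BLP.
    Simple integrity property: no read down -> read needs subject <= object
    (a trusted process must not consume untrusted data).
    *-integrity property:      no write up  -> write needs subject >= object
    (untrusted code must not corrupt trusted data)."""
    if action == "read":
        return subject <= obj
    if action == "write":
        return subject >= obj
    raise ValueError(f"unknown action: {action!r}")


@dataclass(frozen=True)
class Label:
    """Every subject and object carries both a confidentiality and an
    integrity level, so a system can enforce both models at once."""
    confidentiality: Level
    integrity: Level


def allows(action: str, subject: Label, obj: Label) -> bool:
    """Access is granted only if BOTH models permit it."""
    return (blp_allows(action, subject.confidentiality, obj.confidentiality)
            and biba_allows(action, subject.integrity, obj.integrity))


def demo() -> dict:
    """Constructed scenario: a cleared analyst, an untrusted internet
    download and a classified report. Returns one decision per attempt."""
    analyst = Label(confidentiality=Level.HIGH, integrity=Level.HIGH)
    internet_download = Label(confidentiality=Level.LOW, integrity=Level.LOW)
    classified_report = Label(confidentiality=Level.HIGH, integrity=Level.HIGH)
    return {
        # BLP alone lets a HIGH subject read down, but Biba refuses to pull
        # LOW-integrity data into a HIGH-integrity context.
        "analyst reads download": allows("read", analyst, internet_download),
        "analyst reads report": allows("read", analyst, classified_report),
        # Copying the report into the public download is a write down
        # under BLP -> denied, even though Biba alone would allow it.
        "analyst writes download": allows("write", analyst, internet_download),
        "analyst writes report": allows("write", analyst, classified_report),
    }


if __name__ == "__main__":
    for attempt, decision in demo().items():
        print(f"{attempt:26} -> {'ALLOW' if decision else 'DENY'}")
```

Combining the two models is what makes the first scenario interesting: the analyst is cleared to read the download, but the download is untrusted, so the read is denied. Real systems relax this with trusted downgraders or sanitizers; the toy monitor has none.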
Security frameworks (practical)
- Cybersecurity Framework (CSF) by NIST
- ISO/IEC 27000 series
- MITRE ATT&CK: knowledge base of adversary tactics, techniques and procedures (TTPs), used to describe and map attacker behavior
Cyber Threat Intelligence (CTI)
Threat intelligence is the process by which an organization collects, analyzes and shares information about potential and active threats (actors, their TTPs, indicators of compromise such as malicious IPs and file hashes) so that it can prepare its defenses for them.
- Platforms: Cisco Talos Intelligence, Open Threat Exchange, cyware, pulsedive
- Alerts: secalerts, stack.watch
- IP analysis: AbuseIPDB (reported malicious IPs), IPinfo (geolocation and ownership)
- Malware analysis: VirusTotal, Hybrid Analysis, joesandbox
- Others: Threatmap, ShadowServer...
See also: Threat hunting (proactively searching for intrusions that evaded automated detection), Threat modeling (identifying the threats to a design and selecting mitigations; see STRIDE, PASTA).
Security Operation Center (SOC)
A security operations center is the team (and usually the room) where security professionals monitor the organization 24/7. They are:
- Detecting unusual activity
- Detecting intrusions or violations
- Monitoring vulnerabilities
- Training or raising awareness
- ...
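The two sections above, intelligence feeds and SOC monitoring, meet in detection rules. The script below is an added example, not code from the original page: it runs a brute-force rule and an IOC match over constructed sshd-style log lines. The sample logs, the TEST-NET IP addresses and the IOC entry are all made up; in a real SOC the IOC set would be populated from a feed such as AbuseIPDB or Open Threat Exchange rather than hard-coded.

```python
"""Added example (not part of the original page): a minimal SOC detection
run over constructed sshd-style log lines, enriched with a constructed
IOC list that stands in for a threat-intelligence feed.

Rule 1: a source IP with >= THRESHOLD failed logins inside WINDOW_S seconds
        is flagged as brute force; a later successful login from that IP
        is recorded (the account was probably compromised).
Rule 2: any source IP present in the IOC set is reported, whatever it did.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample logs, in chronological order (the detector assumes this).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:04 host sshd[1003]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:06 host sshd[1004]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:07 host sshd[1005]: Failed password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T10:00:09 host sshd[1006]: Accepted password for root from 203.0.113.7 port 51006 ssh2
2024-03-01T10:05:00 host sshd[1010]: Failed password for alice from 198.51.100.23 port 40000 ssh2
2024-03-01T11:30:00 host sshd[1011]: Failed password for alice from 198.51.100.23 port 40001 ssh2
2024-03-01T12:00:00 host sshd[1012]: Accepted publickey for bob from 192.0.2.10 port 60000 ssh2
2024-03-01T12:00:30 host sshd[1013]: Accepted password for bob from 192.0.2.99 port 60001 ssh2
"""

# Constructed IOC list; a real one would be loaded from a CTI feed export.
IOC_IPS = {"192.0.2.99": "constructed IOC: reported SSH scanner"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
THRESHOLD = 5   # failures
WINDOW_S = 60   # seconds


def parse(logs: str) -> list:
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=THRESHOLD, window_s=WINDOW_S) -> dict:
    """Rule 1: sliding-window count of failures per source IP."""
    recent_failures = defaultdict(deque)
    alerts = {}
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            window = recent_failures[ip]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_s:
                window.popleft()          # forget failures outside the window
            if len(window) >= threshold and ip not in alerts:
                alerts[ip] = {"rule": "ssh_bruteforce", "first_seen": window[0],
                              "failures": len(window), "success_after": None}
        elif ev["result"] == "Accepted" and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = {"user": ev["user"], "ts": ts}
    return alerts


def match_iocs(events, iocs=IOC_IPS) -> dict:
    """Rule 2: any event whose source IP is a known indicator."""
    hits = {}
    for ev in events:
        if ev["ip"] in iocs:
            hits.setdefault(ev["ip"], {"reason": iocs[ev["ip"]], "users": set()})
            hits[ev["ip"]]["users"].add(ev["user"])
    return hits


def run(logs: str = SAMPLE_LOGS, iocs=IOC_IPS) -> dict:
    events = parse(logs)
    return {"bruteforce": detect_bruteforce(events), "ioc_hits": match_iocs(events, iocs)}


if __name__ == "__main__":
    for rule, findings in run().items():
        print(rule)
        for ip, detail in findings.items():
            print(f"  {ip}: {detail}")
```

Two details matter in practice: the rule flags 203.0.113.7 only because its failures cluster inside the window, while alice's two failures an hour apart stay below the threshold (no alert), and the successful login from 192.0.2.99 is reported purely on intelligence, since nothing about the login itself looks wrong. Thresholds like 5/60s are tuning choices, not constants from any standard.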
To-do
Things I found but have not read or used yet.
Stuff
- The five "As" in security
- cyberdefenders
- nuclei
Tools/methods/...
- Security Control Framework
- Endpoint Detection and Response (EDR)
- antivirus
- anti-malware
- intrusion prevention
- Deceptive security
- Building Security In Maturity Model (BSIMM)
- OWASP SAMM
- Microsoft Security Development Lifecycle
- STIGs (Security Technical Implementation Guides, published by DISA)