Blue Team
Or how to learn to love the bomb
About Me
- Long term geek
- 20 years law enforcement
- B.S. in Physics from RPI
- M.S. in Economic Crime Management from Utica College
- 4+ years Defense Industry
- 1.5 years with GE
- Avid computer gamer
- 6 years adjunct faculty at Utica College (Cyber Security)
Blue Team vs Red Team - Military
- Different sides of an exercise
- Often have similar attack and defend abilities & tools
- Old school would try to have the red team simulate a likely opponent's tools and abilities, while the blue team used the organization's current tools, policies, and procedures
- Victory was measured by capturing flags (a position on a map)
  - This is where capture the flag (CTF) comes from
  - Sometimes victory was a single flag; other times it was score based, with multiple flags possible, each with a different value
Corporate Blue Teams
- Vary by business
- Grow organically
- Typically based on using internal knowledge to test defenses
- Primary areas:
  - Hardening Systems
  - Evaluating Systems
  - Testing Systems
  - Championing Change
System Hardening
- Cyber Patriot checklists: https://www.uscyberpatriot.org/
- Checklists: http://lmgtfy.com/?q=system+hardening+checklists
- Goal is to have a build method that is:
  - Quick
  - Repeatable
  - Explainable
Evaluating Systems
- Focused attack on:
  - Services
  - Processes
- Work with internal knowledge of current defenses:
  - Policies
  - Procedures
  - Defensive devices
  - Response plan
Testing Systems
- Systems:
  - Hardware
  - Software
  - Cloud Services
  - Mobile Services
  - Processes
- Vulnerability Announcements:
  - Quickly test systems
  - Determine ways to alert
  - Determine ways to defend
Champions for Change
- Subject Matter Experts (SMEs)
- Identify areas where change can have the greatest impact
- Identify areas where lack of change can cause great pain
- Ability to demonstrate the issue with technical testing
- Ability to communicate the issue to leadership
- Ability to accept that the blue team doesn’t make the business decisions
Business Value
- Blue team is overhead
  - They don’t make the company money
  - They are an expense to maintain
  - What they recommend is expensive to implement
- Must market themselves to the business for value
  - Just like another company might try to entice a customer to purchase a blue team evaluation
  - Need to demonstrate that not having the function will cost more than having it
  - Similar to insurance
Value
- SMEs on staff to help with incidents
- Identify systems that need improvements
  - Cost of doing nothing is more expensive than finding + fixing
  - Cost of not knowing is sometimes even higher, since ignorance of something you should be aware of can make your business more liable
  - Ignorance is not a defense when it is something you should be looking at
- Cheapest way to reach compliance
  - Mandated by industry or government standards
- Champion cultural change
- Champion real change
Compliance
- Many industries (Finance, Defense, Commerce) have:
  - Reasonable Due Diligence
  - Best Practices
  - Regulations
- Compliance is south of secure, but protects against a lot of lawsuits
- Often being breached creates an out-of-compliance condition
Blue Team Goals
- Be the coolest team on the map
- Identify areas of weakness
- Identify ways they can be exploited
- Articulate the consequences of exploitation
- Demonstrate the consequences of exploitation
- Participate in remediating risk associated with exploitation:
  - Patching
  - Monitoring
  - Responding
Reconnaissance/Research
- Blue team focuses on studying their targets
- Research what systems are used by a business
- Research methods for exploiting the systems
- Don’t stop with just one; the goal is to identify all possible vulnerable points in a system
Penetration
- Blue team tactics can be:
  - Scan Targets (Active/Passive)
  - Social Engineer processes
  - Stage Exploits (Internal/External)
    - Malware
    - Carbon
    - Low Security Hygiene
Actions on Objectives
- Escalate Privileges
- Pivot
- Pillage
- Paralyze
- Persistence
- Avoid detection
- Interfere with responders
Value^2
- Reporting out
  - Yes, writing a report is a highly valued blue team skill
  - No matter how good the team is at penetrating or exploiting, the results must be conveyed to:
    - Leadership
    - Detection team
    - Response team
    - Infrastructure/network team
    - Personnel (HR) for training opportunities
Summary
- Blue team is full of the smartest of the smart
  - Experience at detection and response is a good base
  - Experience at network/system administration helps
  - They do a lot of reading
  - They do a lot of failing
- They add value by preventing damage in excess of their cost
- They protect a company’s:
  - Intellectual property
  - Real property
  - Image
- Biggest difference: the blue team starts with knowledge to find weaknesses
Careers on Blue Team
- Skills learned in:
  - Military
  - CTF challenges
  - DFIR challenges (Home lab?)
  - Network admin
  - System admin
  - Security (Physical || Digital)
  - Liars & cheats
  - Programming
- Did I mention that GE is hiring?
Appendix: Tools
- Kali Linux
- Metasploit
- Nessus
- Nmap
- Webshells
- Malware
- Credential crackers/scrapers
- Phone (never forget the social engineering portion of testing)