My Top 10 Tips for Blue Teamers
As I move into penetration testing, I will be leaving my blue team side behind, and my knowledge will fade as time goes on. So here are my top 10 tips for blue teamers, written down while my knowledge is still at the tippidy top. These tips are tailored towards internal blue teams, but an MSSP SOC analyst will find most of them useful as well.
Tip #1: Understand the environment you’re protecting
It is very important for you as an analyst to have a solid understanding of the environment you’re protecting. Do you know how many servers and workstations you have? What’s the split between Windows/Linux/Mac? What core applications does the business run on? What file shares are exposed on the network? What’s the layout of the network? Is it flat or segmented? Is there a DMZ? What security tools are in place? How many data centres do you have? How is identity management handled? Who has domain admin? Is there a cloud presence? What is exposed on the internet? Do you have web servers, RDP servers, CCTV portals, etc.? You need to be aware of what’s there and what the worst-case scenario is if it’s hacked, and then defend accordingly.
Tip #2: Understand Active Directory, Kerberos and common AD attacks
This is irrelevant if you work for a fruity tech startup that doesn’t use AD and exists solely on Slack and Macs, but the vast majority of enterprises use AD, so I think it’s very important to know it inside and out. Active Directory, in my opinion, is very underappreciated. People just don’t seem to know much about it beyond a vague description like “you can manage users and computers with it”. I cannot overstate how important it is to understand Active Directory, how it works, and how it can be attacked. Once you learn it, you will know how to defend it. This means you need to understand Kerberos, the authentication protocol used in Active Directory. Kerberos is a ticketing system, so you need to learn how authentication via tickets works. Why? Because Kerberos is the primary AD attack vector, and if an attacker has a foothold in your domain, you can almost guarantee they will try Kerberos attacks. You should be able to explain how an attacker can get from domain user to domain admin using Active Directory exploitation techniques. Also, it’s easy to forget about Active Directory Certificate Services (ADCS), which is another attack vector that has become increasingly popular in recent years thanks to the research published by SpecterOps. The bottom line is: learn AD, learn AD attacks, and you will know better how to defend it.
Tip #3: Use enumeration tools on your own organisation
Use open source enumeration tools that hackers would use on your own organisation. That way, you can easily find misconfigurations and vulnerabilities, and, better yet, you’ll know what an attacker would see because you’re using the same tools they would. Use Snaffler to find sensitive information on exposed network shares. Use Certify to check for ADCS vulnerabilities. Use BloodHound to map out your AD environment and look for misconfigurations and potential privilege escalation paths. Use Rubeus to kerberoast yourself and see which accounts are returned. Make a note of these accounts: an attacker will focus on them, so make sure they all have long passwords.
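Tips #2 and #3 both come down to the same thing from the defender's side: know which of your accounts a Kerberoasting attacker would target, and be able to spot the attack in your logs. The following is an added example, not code from the original post. It runs a small Kerberoasting detector over constructed Windows Security Event 4769 records ("A Kerberos service ticket was requested"). The record layout, account names, IP addresses, time window and threshold are all assumptions made for illustration; the one real detail it relies on is that a TicketEncryptionType of 0x17 means RC4-HMAC, the ticket type kerberoasting tools prefer because it is cheaper to crack offline.

```python
"""Added example, not code from the original post: a small Kerberoasting
detector run over constructed Windows Security Event 4769 records
("A Kerberos service ticket was requested").

Kerberoasting (what Rubeus does when you "kerberoast yourself") requests
service tickets for SPNs held by user accounts, usually asking for RC4
(TicketEncryptionType 0x17) so the ticket is cheaper to crack offline.
The heuristic here flags any requesting account that obtains RC4 tickets
for several distinct user-account services within a short window.
Record layout, names, IPs, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample 4769 events, not real logs. Each mirrors the fields a
# SIEM would parse: requesting account, service (the SPN owner), etype, IP.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "account": "jsmith", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.15"},
    {"time": "2024-01-10T09:00:02", "account": "jsmith", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.15"},
    {"time": "2024-01-10T09:00:02", "account": "jsmith", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.15"},
    {"time": "2024-01-10T09:00:03", "account": "jsmith", "service": "svc_sharepoint", "etype": "0x17", "ip": "10.0.0.15"},
    {"time": "2024-01-10T09:00:03", "account": "jsmith", "service": "krbtgt", "etype": "0x17", "ip": "10.0.0.15"},
    # Normal activity: an AES ticket, a machine-account service, a single RC4 request.
    {"time": "2024-01-10T09:01:00", "account": "abrown", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.22"},
    {"time": "2024-01-10T09:01:05", "account": "abrown", "service": "FILESRV01$", "etype": "0x17", "ip": "10.0.0.22"},
    {"time": "2024-01-10T09:30:00", "account": "abrown", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.22"},
    {"time": "2024-01-10T09:31:00", "account": "WS01$", "service": "DC01$", "etype": "0x17", "ip": "10.0.0.30"},
]


def is_user_account_service(name):
    """Machine accounts end in '$' and krbtgt is TGT traffic; neither is a
    Kerberoasting target, so both are excluded from the count."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted distinct services} for every account that
    requested RC4 tickets for at least `threshold` distinct user-account
    services inside any `window`-long span. Distinct services are counted,
    so repeated requests for one SPN do not trip the rule."""
    by_account = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and is_user_account_service(e["service"]):
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    hits = {}
    for account, requests in by_account.items():
        requests.sort()  # chronological; the sliding window below relies on this
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible kerberoasting by {account}: {', '.join(services)}")
```

The list of SPN-bearing user accounts you noted down after running Rubeus is exactly the allowlist of "expected" services you would feed into a rule like this in production; anything outside it, or any account touching most of it in one go, deserves a look.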
Tip #4: Know how to hack, at least to a beginner level
You don’t have to do the OSCP (although I recommend it), but you should have a basic understanding of hacking and common attacks. Doing at least 25 boxes on HackTheBox and a few Academy modules will give you a baseline. You need to be familiar with what commands a hacker would run once they get a foothold, how they would escalate privileges, how they would move laterally, and so on. Understanding these attacks makes it easier to understand what is happening when you’re reading logs during an incident.
Tip #5: Put yourself in the shoes of an attacker
Imagine you’re the attacker looking at your environment. Knowing what you know, how would you go about hacking into the network? What steps would you take? What are the weakest links? Playing this out in your mind will help you understand the weaknesses you need to look out for. Consider every entry point: websites, email, internet-exposed services, your service desk. Do some external recon on your own organisation. Have a look at Shodan. Use a website like dnsdumpster. What can you find? Use what you learn from this exercise to better tune your defences.
Tip #6: Keep up to date on new vulnerabilities
New vulnerabilities come out all the time. Most of them won’t be relevant to your organisation, but some will be, and some will be critical. It’s important to be aware of what’s out there: you want to know as soon as possible if a CVSS 10 is released for a firewall your organisation is using. Therefore, make a habit of reading infosec news daily. You can use BleepingComputer, The Hacker News, Twitter, or anything else you like. Just make sure you’re staying in the loop.
Tip #7: Don’t neglect email
Email is likely your number one attack vector. There are basically three main types of attack to be wary of. The first is credential phishing, where the attacker directs the user to a fake login page and they enter their credentials. This is particularly worrisome because it can be difficult to know whether or not someone has had their credentials stolen. The second is malware, where the attacker tricks the user into downloading and executing it. The third is invoice fraud, where an attacker tries to trick your finance department into sending money to a bank account the attacker controls. Make sure you are covered against all three. For credential phishing, make sure you have email security that tracks when a user opens a credential-harvesting page, then talk to the user and reset their password. For malware, make sure you have a good EDR that feeds into your SIEM, and hope that your email security caught it before it was delivered. For invoice fraud, make sure you know the ways in which money leaves your organisation, and educate the people who move it so that they are aware of this type of attack. Email is noisy, old and annoying. It is easy to neglect, but it is one of your biggest weaknesses because it’s an interface between an attacker and your users, so don’t neglect it!
Tip #8: Create tailored SIEM rules, don’t rely on defaults
Every organisation is different. They have different applications, networks, tools, users and priorities. Whatever your SIEM is, don’t be content with the default rules. Make sure you create custom rules for your environment. Maybe you work at an organisation where the crown jewels are on a development server. In that case, create SIEM rules focused on that development server. For example, you could keep a list of approved users who should be accessing that server, and if anyone else accesses it, raise an alert. Use your imagination coupled with knowledge of your environment to create a really bespoke set of SIEM rules.
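To make the "approved users on the development server" rule concrete, here is an added example that is not code from the original post. It checks constructed Windows logon events (Security Event 4624) for one host against an approved user list and raises an alert for anyone else, then renders the alerts as CSV text of the kind Tip #10 suggests keeping. The host name, account names, event layout and the decision to skip machine accounts are assumptions for illustration. One detail worth getting right in a rule like this: account names arrive in several shapes (DOMAIN\user, user@domain, mixed case), so the rule normalises them before comparing, otherwise a legitimate user logged in a different way would trigger false alerts and the rule would quickly be switched off.

```python
"""Added example, not code from the original post: a bespoke SIEM-style rule
for the "crown jewels on a development server" case. It checks constructed
Windows logon events (Security Event 4624) against an approved user list
for one host and raises an alert for anyone else. Host name, account names,
the event layout and the machine-account exclusion are assumptions.
"""
import csv
import io

PROTECTED_HOST = "DEVSRV01"  # assumed name of the development server
# Who is allowed to log on to the development server. Compared case-insensitively.
APPROVED_USERS = {"dev.alice", "dev.bob", "dev.carol"}

# Constructed sample 4624 events, not real logs.
SAMPLE_LOGONS = [
    {"time": "2024-01-10T08:58:10", "host": "DEVSRV01", "account": "CORP\\dev.alice", "logon_type": "10", "src_ip": "10.0.1.5"},
    {"time": "2024-01-10T09:02:44", "host": "DEVSRV01", "account": "CORP\\Dev.Bob", "logon_type": "3", "src_ip": "10.0.1.9"},
    {"time": "2024-01-10T09:05:00", "host": "DEVSRV01", "account": "CORP\\jsmith", "logon_type": "10", "src_ip": "10.0.0.15"},
    {"time": "2024-01-10T09:05:30", "host": "FILESRV01", "account": "CORP\\jsmith", "logon_type": "3", "src_ip": "10.0.0.15"},
    {"time": "2024-01-10T09:06:00", "host": "DEVSRV01", "account": "DEVSRV01$", "logon_type": "5", "src_ip": "-"},
    {"time": "2024-01-10T09:07:12", "host": "DEVSRV01", "account": "CORP\\svc_backup", "logon_type": "5", "src_ip": "-"},
]


def normalise_account(raw):
    """Strip a DOMAIN\\ prefix or @domain suffix and lower-case the name so
    'CORP\\Dev.Bob' and 'dev.bob@corp.local' both match the approved list."""
    name = raw.split("\\")[-1].split("@")[0]
    return name.lower()


def unapproved_access(events, host=PROTECTED_HOST, approved=APPROVED_USERS):
    """Return one alert per logon to `host` by an account not in `approved`.
    Machine accounts (ending in '$') are skipped here because the host's own
    account logs on constantly; cover those with a separate rule."""
    alerts = []
    for e in events:
        if e["host"] != host:
            continue
        name = normalise_account(e["account"])
        if name.endswith("$") or name in approved:
            continue
        alerts.append({
            "time": e["time"],
            "host": host,
            "account": name,
            "logon_type": e["logon_type"],
            "src_ip": e["src_ip"],
            "rule": "unapproved_dev_server_access",
        })
    return alerts


def alerts_to_csv(alerts):
    """Render alerts as CSV text, the same shape you would keep from an
    incident (Tip #10) or hand to a new starter as training material."""
    buf = io.StringIO()
    fields = ["time", "host", "account", "logon_type", "src_ip", "rule"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(alerts)
    return buf.getvalue()


if __name__ == "__main__":
    print(alerts_to_csv(unapproved_access(SAMPLE_LOGONS)), end="")
```

The same structure (scope to the asset, normalise the identity, compare against an explicit allowlist, emit a record you can keep) transfers to any crown-jewel system, whether the logs come from Windows, a database or a cloud audit trail.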
Tip #9: Develop good relations with other teams, including your service desk
Be nice, respectful and helpful to everyone. Not everyone cares about security, and you can very quickly become a pain in the ass for people. If you maintain positive relationships, it will make your life a lot easier. People will be more likely to work with you, and may even flag security concerns to you because they feel comfortable enough to do so. If you have dealings with a service desk, cultivate a positive relationship with them in particular. They may share with you things you didn’t know about or processes that could be improved. Also, service desk people are usually quite new to IT, and I’ve had more than one tell me they want to get into cyber security. So be nice and be helpful.
Tip #10: Save logs from incidents
Whenever you have an incident, a penetration test or a red team exercise, save the relevant logs from the attacks to CSV files. That way, you can always refer back to them when you need a refresher on what attacks look like in the logs. Additionally, you can use them as training material for new starters in your team.