A good defense takes some testing. Ethical hacking involves pitting two teams together for the sake of strengthening digital security defenses. The red team attempts to bypass digital security barriers. By doing so, they reveal both misconceptions and flaws in their employer’s attack detection. Then, the blue team tries to defend against the red team’s attack attempts. Putting together a good blue team can be difficult. How do you make the best one you can?

Making the Most of This Exercise

Both red teams and blue teams need trained personnel and sufficient resources to make an ethical hacking exercise work. This can be challenging for blue teams.

One of the biggest obstacles is a lack of knowledge. Sometimes, it’s an issue of not knowing what defenders are. Here’s Bill Mahony, a head of cybersecurity, with some insight.

For people just starting out in security, I think part of the issue is the lack of understanding of what “blue team” actually is.

The offensive security side certainly gets more press. I meet people who think it’s all about penetration testing and have little awareness of areas such as incident response, threat intelligence, etc. Without an understanding of what roles are actually available in cyber defense, it’s harder for people to identify and develop the skills they need to break into the industry.

Even when people are aware of the blue team, there can still be confusion around its nature. How does the defense team work, in practical terms?

“To be successful, defenders have to get it right 100% of the time, whereas when it comes to attackers, they need to get it right just that 1% of the time to break in and deliver a knock-out attack that halts business operations,” explained Jay Hira, a cybersecurity advisor. “This fact demonstrates how defenders must not just stay on top of security strategy for the business they’re defending but also have a deep and comprehensive knowledge of security detection and response tools and capabilities.”

Hiring for Blue Teams

This poses a bit of a problem. How are people supposed to develop that “deep and comprehensive knowledge” if they can’t gain entry into the industry? It’s a catch-22 of which James Hinton, an incident response team leader, is familiar.

“Many organizations desire candidates who have experience,” he noted. “This means it can be tough to get started in the industry.”

Plus, some employers aren’t as realistic as they could be with their job postings for defender roles.

In July 2021, for instance, the Information Systems Security Association released the findings of a study regarding the ongoing cybersecurity skills gap. A quarter of workers who responded said that their employers’ job postings tended to be not realistic by demanding too much experience, too many certifications or too many technical skills. An even greater percentage (29%) asserted that their HR departments didn’t understand the skills needed to work in the field, which they felt excluded people who would have otherwise been strong candidates for the job.

These skills don’t just cover a detail-specific mindset and technical hardening skills, as noted by Cybervie. They also include knowledge specific to the organization.

“Each organization has its own set of specific technologies they need to have to defend and tools they use to do so,” said Ed Moyle, a software security principal. “Blue team practitioners need to know both in depth. This means that each time someone new comes into the team, there is a large hill to climb for them to come up to speed.”

Uneven Obstacles for Red and Blue Team

What makes these barriers even more challenging is that they don’t apply evenly to the red team. Take the issue of technical knowledge as an example. Blue teams need to learn tools that are specific to a given organization. Meanwhile, red teams have a bit more leeway. Moyle put it this way:

The set of technologies they need to understand aren’t quite as varied between organizations. Likewise, because the tools they use are very specialized, there’s also typically less diversity of tools they would employ. For example, to do website testing, they’d need to know how to use the tools to do that (e.g., Burp, ZAP, etc.) and know how important technologies work (e.g., HTTP, websockets, JavaScript, etc.), but there’s less variability from organization to organization. Likewise, as a practical matter, a lot of red teams work in consulting, MSSPs, MDR firms, etc., since it is generally only the very largest of organizations that can afford to maintain a dedicated red team for their own use.

Not only that but opportunities for honing the right skills aren’t always evenly spread out for blue team and red team members.

“For offensive security roles, I think there are more options open to people to learn the skills they need,” Mahony clarified. “At least the options are more visible. You have plenty of CTF events, platforms like Hack the Box, etc. where you can learn about security testing. Less so on the defensive side. That said, events like Splunk’s Boss of the SOC have helped balance the tables a little.”

Hinton agreed with this sentiment, stating that it’s “possible to get started much easier. An app sec red team has a much narrower range of focus.” That makes their path sometimes easier to chart out and pursue.

How to Overcome These Barriers for a Blue Team

As stated above, organizations need blue teams and red teams to be equally prepared. Both need to test their security defenses. They need to spot potential gaps and learn from those weaknesses as a means of warding off incidents. Some of this falls on upcoming blue team members to learn all about what they want to do.

“Spend time researching the various cyber defense specialties that exist and take the time to learn the fundamental skills they require,” recommends Mahony. “Research open security roles and the skills they are looking for. You’ll quickly notice some common ones in whatever area appeals most to you. Just like CTFs, there are lots of free or low-cost options to learn these skills once you know where to look.”

Those resources include courses and certifications offered by the SANS Institute, online labs like Security Blue Team, access to free tools like the Blue Team Arsenal and to scripts and tips like Blue Team Notes as well as places to connect like IBM X-Force Exchange.

At the same time, the security community can raise the profile of defender roles. An important element of this involves outlining pathways for them to get there. Only then will candidates really be able to envision themselves entering the field.

“This could include more marketing events, industry engagement, work placements and so on,” in the words of Hinton. But it can also involve reaching out to diverse groups of people with various types of backgrounds, including younger generations.

An Important Caveat

There’s something important to keep in mind. For that point of reference, we turn to Daniel Miessler.

The best blue team members are those who can employ adversarial empathy, i.e., thinking deeply like the enemy, which usually only comes from attack experience.

People can gain entry into cyber on either side in more ways than one. Knowing what it’s like to be an attacker leads to even more chances to become a better defender. That’s what makes a well-rounded blue team member.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today