A good defense takes testing. Ethical hacking exercises pit two teams against each other to strengthen an organization's digital defenses. The red team attempts to bypass security controls; in doing so, it reveals both misconceptions and gaps in the employer's ability to detect attacks. The blue team, in turn, tries to detect and defend against the red team's attempts. Putting together a good blue team can be difficult. How do you build the best one you can?

Making the Most of This Exercise

Both red teams and blue teams need trained personnel and sufficient resources to make an ethical hacking exercise work. This can be challenging for blue teams.

One of the biggest obstacles is a lack of knowledge. Sometimes it is simply a matter of not knowing what defender roles actually are. Here's Bill Mahony, a head of cybersecurity, with some insight.

For people just starting out in security, I think part of the issue is the lack of understanding of what “blue team” actually is.

The offensive security side certainly gets more press. I meet people who think it’s all about penetration testing and have little awareness of areas such as incident response, threat intelligence, etc. Without an understanding of what roles are actually available in cyber defense, it’s harder for people to identify and develop the skills they need to break into the industry.

Even when people are aware of the blue team, there can still be confusion around its nature. How does the defense team work, in practical terms?

“To be successful, defenders have to get it right 100% of the time, whereas when it comes to attackers, they need to get it right just that 1% of the time to break in and deliver a knock-out attack that halts business operations,” explained Jay Hira, a cybersecurity advisor. “This fact demonstrates how defenders must not just stay on top of security strategy for the business they’re defending but also have a deep and comprehensive knowledge of security detection and response tools and capabilities.”

Hiring for Blue Teams

This poses a problem. How are people supposed to develop that "deep and comprehensive knowledge" if they can't gain entry into the industry? It's a catch-22 with which James Hinton, an incident response team leader, is familiar.

“Many organizations desire candidates who have experience,” he noted. “This means it can be tough to get started in the industry.”

Plus, some employers aren’t as realistic as they could be with their job postings for defender roles.

In July 2021, for instance, the Information Systems Security Association (ISSA) released the findings of a study on the ongoing cybersecurity skills gap. A quarter of the workers who responded said their employers' job postings tended to be unrealistic, demanding too much experience, too many certifications or too many technical skills. An even greater share (29%) said their HR departments didn't understand the skills needed to work in the field, which they felt excluded people who would otherwise have been strong candidates for the job.

As Cybervie notes, these skills don't just cover a detail-oriented mindset and technical hardening skills. They also include knowledge specific to the organization.

“Each organization has its own set of specific technologies they need to have to defend and tools they use to do so,” said Ed Moyle, a software security principal. “Blue team practitioners need to know both in depth. This means that each time someone new comes into the team, there is a large hill to climb for them to come up to speed.”

Uneven Obstacles for Red and Blue Teams

What makes these barriers even more challenging is that they don't apply evenly to the red team. Take technical knowledge as an example. Blue teams need to learn the tools specific to a given organization, whereas red teams have a bit more leeway. Moyle put it this way:

The set of technologies they need to understand aren’t quite as varied between organizations. Likewise, because the tools they use are very specialized, there’s also typically less diversity of tools they would employ. For example, to do website testing, they’d need to know how to use the tools to do that (e.g., Burp, ZAP, etc.) and know how important technologies work (e.g., HTTP, websockets, JavaScript, etc.), but there’s less variability from organization to organization. Likewise, as a practical matter, a lot of red teams work in consulting, MSSPs, MDR firms, etc., since it is generally only the very largest of organizations that can afford to maintain a dedicated red team for their own use.

Not only that, but opportunities for honing the right skills aren't always evenly distributed between blue team and red team members.

“For offensive security roles, I think there are more options open to people to learn the skills they need,” Mahony clarified. “At least the options are more visible. You have plenty of CTF events, platforms like Hack the Box, etc. where you can learn about security testing. Less so on the defensive side. That said, events like Splunk’s Boss of the SOC have helped balance the tables a little.”

Hinton agreed with this sentiment, stating that it's "possible to get started much more easily. An app sec red team has a much narrower range of focus." That makes their path sometimes easier to chart and pursue.

How to Overcome These Barriers for a Blue Team

As noted above, organizations need red and blue teams to be equally prepared. Both need to test the organization's security defenses, spot potential gaps and learn from those weaknesses to ward off incidents. Some of this falls on aspiring blue team members, who need to learn as much as they can about the work they want to do.

“Spend time researching the various cyber defense specialties that exist and take the time to learn the fundamental skills they require,” recommends Mahony. “Research open security roles and the skills they are looking for. You’ll quickly notice some common ones in whatever area appeals most to you. Just like CTFs, there are lots of free or low-cost options to learn these skills once you know where to look.”

Those resources include courses and certifications offered by the SANS Institute, online labs like Security Blue Team, free tools like the Blue Team Arsenal, scripts and tips like Blue Team Notes, and places to connect like IBM X-Force Exchange.

At the same time, the security community can raise the profile of defender roles. An important part of this is outlining pathways into those roles. Only then will candidates really be able to envision themselves entering the field.

“This could include more marketing events, industry engagement, work placements and so on,” in the words of Hinton. But it can also involve reaching out to diverse groups of people with various types of backgrounds, including younger generations.

An Important Caveat

There's one more thing to keep in mind, and for that we turn to Daniel Miessler.

The best blue team members are those who can employ adversarial empathy, i.e., thinking deeply like the enemy, which usually only comes from attack experience.

People can gain entry into cyber on either side, and in more ways than one. Knowing what it's like to be an attacker gives a defender even more chances to get better at the job. That's what makes a well-rounded blue team member.
