Table of Contents
Blue Team is in charge of all the defensive layers of an organization to prevent, detect or correct security incidents that could affect the business
6 billion dollars a day. The CERT in Israel, one of the countries hardest hit by cyberattacks, estimates that security incidents cost companies around the world this amount every day. This is an economic loss that is detrimental to companies’ profitability, impacting their business model and negatively affecting their reputation.
This estimate shows that companies must place security at the heart of their strategy. This means having a Blue Team in charge of designing, implementing, improving and managing the organization’s defensive layers.
In a scenario characterized by the growing cyber-exposure of companies due to digitalization, cybersecurity must be approached holistically. This implies that the Blue Team has to take charge of multiple activities, from creating hardening guidelines to vulnerability lifecycle management.
Although the Blue Team concept is now commonly used in the cybersecurity arena and the corporate world, many professionals and managers still need to be made clear about its objectives and scope.
We will now dissect the essential characteristics of the Blue Team and the activities it carries out to protect organizations against malicious actors and shed light on the hackneyed dichotomy between the Blue Team and the Red Team.
1. What is the Blue Team?
The Blue Team is often described as a team of cybersecurity professionals who act as an organization’s last defence against cyber-attacks. However, this concept is much broader and encompasses all activities and competencies related to the defensive layers of a company.
We could say that the Blue Team’s work begins at the very moment when a company’s senior management (CEO, Board of Directors, etc.) decides to place security at the heart of the company’s business strategy.
This decision is transformed into a security policy, and the company’s Chief Information Security Officer (CISO) is entrusted with implementing all necessary activities to comply with it effectively.
Under the responsibility of the CISO, the Blue Team actively supports those defensive activities that allow the correct fulfilment of the policy, which implies strengthening the company against the identified risks.
Therefore, contrary to the popular belief that the Blue Team is a team of internal company professionals whose mission is to respond to cyber-attacks, in reality, the Blue Team’s functions are much broader and more ambitious.
1.1. Protecting the business
All companies have the same objective: to carry out activities to generate business and achieve economic benefits. It makes no difference whether we are talking about a bank focused on marketing financial products or a telecommunications company that provides telephone and Internet services.
If we start from this brief idea a priori, the Blue Team does not seem to be a first-rate business asset. After all, it does not generate business.
However, the Blue Team has become an essential company team in a fully digitized world. Indeed, it does not generate business, but it is in charge of protecting it. This is why it has become so important in strengthening companies in the face of an increasingly complex and pressing threat landscape.
1.2. A multifaceted and wide-ranging concept
Precisely because the context of cyber risks is so complex, it is not difficult to predict that the puzzle of all the activities that need to be put in place to prevent security incidents and their pernicious consequences is also complex.
This is why we can characterize the Blue Team concept as multifaceted and wide-ranging.
In terms of its own functions, the Blue Team stands out for its breadth. It must not only respond to attacks, as has been erroneously spread in the public domain but is also involved in designing, implementing and continuously optimizing an organization’s defensive capabilities. Some of its competencies, such as vulnerability management, are closely related. Others, such as incident response, require significantly different skills and knowledge.
Why do we say that the Blue Team is multifaceted? It is a broad concept encompassing many functions, some connected and others less so, but because of its role as an advocate, the Blue Team interacts with other cybersecurity services, from Red Team or Purple Team exercises to the management of security reviews conducted within the organization.
The Blue Team does not have a single face but comprises several communicating vessels that, in turn, interrelate with other cybersecurity domains.
1.3. Multidisciplinary team(s): The Justice League of cybersecurity
It is easy to see that if the Blue Team is broad and multifaceted, the configuration of the team that carries out its functions must also be broad and multifaceted.
After all, cybersecurity is an extremely broad area of expertise. Professionals performing pentesting have different skills than those performing an IoT device security audit.
Due to its transversal nature in the company’s securitization, the Blue Team must comprise professionals with diverse profiles: threat hunters, security auditors, forensic analysts, hardening experts, and incident response specialists…
Multidisciplinarity is essential for the Blue Team to develop all its activities and meet its objectives. In contrast to some security services provided by profiles highly specialized in a particular subject, the Blue Team must draw on varied and complementary profiles, taking advantage of different expertise to compose a broad overview of security and threats.
In many cases, the Blue Team comprises several teams, coordinated by those coordinating defensive capabilities, to work together towards the ultimate goal: strengthening defensive capabilities and improving resilience against cyberattacks.
Suppose we resort to a comic book analogy. In that case, when putting together a Blue Team, the aim is to create a Justice League in which Superman’s superpowers are complemented by Wonder Woman’s and Batman’s skills to protect the company and its business model with maximum guarantees.
1.4. Defensive and personalized security
The Blue Team, as we have already noted, is responsible for managing and operating an organization’s defensive security. This differentiates it from Red Team and pentesting services, which carry out offensive security activities.
Hence, its mission is to defend the company over time and continuously.
To carry out their defensive security tasks, Blue Team members must design all their actions in a customized manner, starting, of course, with their security policy. To this end, they must be aligned with the company’s resources, the characteristics of the business model and the objectives of the corporate strategy.
The Blue Team acts as one more actor within the organization; its tasks cannot be understood in isolation but fulfil the mandate of protecting the business against malicious actors seeking to commit fraudulent actions and/or paralyze its activities.
There is, therefore, no single Blue Team model, nor is there a magic formula for creating one. Instead, each Blue Team must be designed optimally to comply with the security policy and cover all its assigned functions. From vulnerability management to system hardening, among many other activities.
1.5. A holistic, inside-out approach
In addition to being a defensive security team, the Blue Team is characterized by the approach it takes to protect the organization from attacks: from the inside out. What does this mean?
While the professionals who run Red Team services put themselves in the shoes of the malicious actors to act like them and understand their tactics, techniques and procedures, the Blue Team approaches security from the heart of the organization.
This approach carries over into all its activities. It enables the Blue Team to gain extraordinary knowledge of the organization, its assets and the defensive layers to be managed and optimized.
At the same time, it should be noted that the Blue Team’s approach is holistic, i.e. it does not limit itself to understanding a company’s defence from a single point of view, for example, by looking at response capabilities but combines different points of view to address all aspects related to a company’s defensive layers. The governance of the security practice, the detection of vulnerabilities, the management of third parties to correct problems, the response to incidents, the training and awareness of employees in security matters… The Blue Team has to cover all these aspects to ensure that the company is strengthened against potential risks.
1.6. Continuous activity
In light of what we have been saying about the Blue Team, another fundamental characteristic is that it continuously carries out its activities. From the design of security policies to the forensic analysis of an incident to elucidate the causes and prevent future attacks to the management of vulnerabilities and the proactive search for threats.
Contrary to the reductionist concept of Blue Team, which limits its actions to the mitigation and containment of security incidents, this team works continuously not only to act in the event of an incident but also to prevent it from happening, strengthening the security of the organization and protecting its assets.
For this reason, their work must be stable over time. Unlike other cybersecurity services such as pentesting, the Blue Team does not operate at a specific time, but its activities are carried out continuously. Otherwise, it would need more time to meet its objectives.
1.7. Business knowledge
This characteristic is directly related to some of the previous ones. A Blue Team must have a very high level of knowledge of the business it seeks to protect to focus its strategy from the inside out and customize its actions to the maximum.
Likewise, business knowledge is essential to balance the two central issues in protecting a company: security needs and business interests.
More is needed for the Blue Team to be composed of professionals with extensive knowledge of multiple areas of cybersecurity and the optimization of defensive capabilities. In addition, the Blue Team must understand how the business operates, the critical assets, and the business strategy. Only then will their work be aligned with the business objectives and be of great added value to the company and not an impediment that hinders the proper development of the business.
If it is not known precisely what needs to be protected, the means deployed will likely be suboptimal.
2. From coordination to response: How to secure an enterprise
A good way of graphically showing the complexity of the Blue Team’s mission is to point out the basic strategies pursued by the Blue Team. What strategies are we talking about? Some of the main ones are the following:
- Proper governance of the security practice
- Detect and respond to threats
- Detect and correct vulnerabilities
- Design, implement and operate any measures aimed at risk prevention, such as:
- Elaboration of secure software design guidelines and promotion measures to detect their correct compliance.
- Elaboration of hardening guides and promote measures for their correct compliance.
- Security training and awareness
The Blue Team works to support these strategies in each of its functions. For example, security governance is managed through the coordination of defensive capabilities. System hardening is part of the prevention tasks. Finally, the patching of vulnerabilities is a corrective action…
We must therefore continue to insist on the Blue Team’s cross-cutting nature in any company’s security strategy.
Security governance is essential for the strategy to work efficiently. If no one is in management and coordination, compliance with security policies would be impossible.
In this sense, the Blue Team carries out security governance tasks under the direction of the CISO and following the corporate mandate.
One of its most important tasks is coordinating defensive capabilities so that all professionals working to protect the organization can perform their assigned tasks. In addition, that information exchange and collaboration are fluid.
The Blue Team is also in charge of vulnerability management, which involves interpreting and prioritizing the vulnerabilities found by detection services, from Threat Hunting, part of the Blue Team, to other services, such as the Red Team. What for? Organize, coordinate and validate their remediation.
2.2. Detection capabilities
For the defensive layers of a company or administration to be solid, it is essential to have detection capabilities, to identify weaknesses or vulnerabilities and threats.
2.2.1. Detection and response
As we have just pointed out, the Blue Team performs detection tasks through Threat Hunting and scanning systems for advanced and innovative persistent threats to cut the Cyber Kill Chain of the most sophisticated attacks before the bad guys achieve their objectives but also from the SOC, which monitors the infrastructure permanently and can detect other more known threats.
This threat detection work is complemented by other cybersecurity services, such as the Red Team, pentesting or security audits, which facilitate the detection of vulnerabilities.
2.2.2. Detection and remediation
On the other hand, the Blue Team is responsible for correcting weaknesses and vulnerabilities. Therefore, security Path & Management is one of its most important tasks. This is crucial for closing gaps before they are exploited by malicious agents and constantly optimizing the defensive layers to protect the organization against new threats.
2.3. Prevention capabilities
As with governance tasks, the Blue Team is responsible for designing, implementing and optimizing attack prevention and response capabilities.
To this end, the Blue Team draws on all the information at its disposal and the lessons learned to ensure that risk situations do not recur. Thus, for the organization to be able to anticipate such situations, it will need to strengthen its prevention layers to prevent incidents from occurring.
In addition to being specifically responsible for responding to and analyzing incidents, the Blue Team must also carry out prevention tasks. This is a good example of the hardening of systems to ensure that all corporate equipment is securely configured.
2.4. Training and awareness
It is common knowledge that an organization’s employees are often the weakest link in the security chain. For this reason, keeping employees trained and aware of security issues is critical to prevent the success of a large number of attacks.
Training and awareness is a cross-cutting activity in security because it enables employees to be resilient to attacks and operate securely daily and form a fundamental part of the organization’s threat detection capabilities.
3. Activities performed by a Blue Team
How does the Blue Team support the security strategies we have just outlined? Developing activities to fulfil their assigned competencies and strengthen the company.
All the actions undertaken by a Blue Team can be grouped into eight major activities.
3.1. Threat Detection and Threat Hunting
As we pointed out when talking about the multidisciplinary nature of the Blue Team, this team needs to have Threat Hunters since one of its essential activities revolves around Threat Hunting and Threat Detection. In other words, the active search for threats in SIEM or EDR solutions.
Threat Detection teams create and monitor indicators of compromise (IOCs) so that the Blue Team can detect suspicious activity early in a cyberattack and respond to attacks. In contrast, Threat Hunting teams perform proactive searches to detect Tactical Techniques and Procedures (TTPs) suspected of being part of a sophisticated, targeted attack.
Time is of the essence in the cybersecurity arena. Hence, Blue Team professionals must be able to detect threats early.
The Blue Team carries out a series of actions that serve to set up an effective detection system:
- Study of the latest hacking techniques
- Analysis of CVEs and zero-day vulnerabilities
- A systematic search for attack patterns
- Research of new attack techniques and proactive search for malicious activity in the available EDR or XDR telemetry.
- Deception or decoy deployment
3.2. DFIR. Digital Forensics and incident response
What happens if threats are not detected in time, and a security incident occurs? First, the Blue Team must deploy all necessary measures to respond to and contain the incident in the shortest possible time.
Incident response is an essential task. If an organization does not have an effective response system, the incident could spread, affecting critical assets, paralyzing the company and triggering economic, reputational and even legal impacts with devastating consequences for the company.
The Blue Team must also be trained to perform in-depth forensic analysis as part of the security incident response. This is essential to obtain objective evidence to help understand the sequence of actions that actively supported the materialization of the incident.
The professionals study any existing information to trace the origin of the incident suffered and evaluate its impact and scope on the company as a whole.
As is popularly said, «We learn from everything, and from the bad things that happen to us, even more so».
3.3. Security Operations (SOC)
The SOC is in charge of permanently monitoring corporate systems to detect known attacks.
It is, therefore, relevant within an organization’s security scheme. However, its ability to detect and respond to more sophisticated threats is limited.
To carry out its task, the SOC looks for Indicators of Compromise on the organization’s networks, servers, workstations or applications, tracking indications of security incidents.
3.4. Vulnerability lifecycle management
Vulnerability management is one of the Blue Team’s core competencies. The professionals performing this activity must analyze the vulnerabilities detected in security reviews to manage their correction.
In addition, vulnerability management is responsible for coordinating all the teams and professionals involved in detecting and correcting weaknesses to streamline the process of finding solutions.
3.5. Security Patch & Management
How are vulnerabilities corrected? This function is carried out by technical teams that apply patches and configure the affected assets to remedy the risks detected.
It is only possible to have controls and measures to detect vulnerabilities if a team can manage their resolution effectively and in the shortest possible time.
Patching is performed according to the vulnerabilities’ risk level and the impact a successful attack could have on the organization’s assets.
This task of the Blue Team is essential to protect the assets necessary for the correct development of the business.
3.6. System hardening
Another of the activities to be carried out by the Blue Team is the creation of hardening guidelines to implement measures, both at the technical and organizational levels, to reduce the risks that could affect corporate assets and minimize the impact in the event of risk materialization.
Therefore, the Blue Team must define hardening guidelines to ensure that corporate assets have adequate security from the moment they are put into production.
3.7. Coordination of defensive capabilities
The Blue Team professionals in charge of this activity do not perform purely technical tasks. Still, the governance team manages and supervises that the actions carried out actively support compliance with the security policy, coordinating all professionals and fostering the security culture throughout the organization.
In all areas that we can imagine, coordination is essential. When it comes to cybersecurity, it is even more important. All the activities we have described and other tasks that do not directly depend on the Blue Team must be carried out following the same objectives and, in many cases, in a coordinated manner.
To this end, the organization needs to establish who manages and coordinates defensive capabilities. With this governance, the Blue Team can achieve all its objectives and strengthen the company’s security.
3.8. Training and awareness-raising
In addition to all the activities described above, we can add a final task which, at first glance, may seem less relevant but which can nevertheless make a difference. We are talking about the training of all the company’s professionals, not only those related to cybersecurity, as well as general awareness of the dangers faced by the organization.
Many cyberattacks succeed because of human error. After all, business mail is an attack vector constantly employed by malicious actors. It is, therefore, important for all employees to implement safe practices in their daily work. For example, downloading a file or clicking on a seemingly innocent link can lead to a security incident with unpredictable consequences.
As we have repeated throughout this article, the Blue Team should not be isolated from what is happening in the company it protects. Quite the contrary. Training and awareness are two basic tasks to help all professionals, especially managers, understand what they do, why they do it and what each person can do to help protect the company and its assets.
4. Ten core objectives of the Blue Team
The Blue Team’s commitment to protecting an organization from cyber-attacks translates into ten major objectives, ranging from compliance with security policies to extending good security practices to everyone in a company.
4.1. Ensuring compliance with security policies
Security policies are not pointless. On the contrary, they define the security strategy and the actions to be implemented to achieve the ultimate goal: to protect the company.
The company’s CISO is responsible for ensuring compliance and implementing initiatives to facilitate it. All Blue Team actions are aimed at complying with security policies.
4.2. Coordinating all the actors involved in the defensive layers
As mentioned above, coordination is essential in cybersecurity in general and concerning an organization’s defensive capabilities.
Contrary to the stereotypical image of a group of professionals focused on responding to attacks, the Blue Team fulfils numerous functions and comprises actors performing multiple activities. Moreover, it is not only necessary to coordinate all the defensive layer teams, but it is also essential to have a close collaborative relationship with other cybersecurity services, such as the Red Team.
Only through coordination will each team be able to perform its tasks and be enriched by the work of the others.
4.3. Proactively detecting threats and attacks
A Blue Team does not simply respond reactively to attacks but carries out tasks such as Threat Hunting that enable it to detect threats proactively.
This can distinguish between detecting an attack in the early stages of the Cyber Kill Chain or identifying it when the targets have already been met. And it can translate into heavy financial losses, business downtime and damage to a company’s reputation.
To have effective defensive layers in place, it is essential to have controls and mechanisms to detect and respond to threats before their attacks are successful.
4.4. Threat Detection and Threat Hunting
As mentioned at the beginning of this article, the Blue Team operates continuously. Therefore, security controls should include monitoring events and logs of the company’s IT infrastructure for Indicators of Compromise.
The most sophisticated attacks will take time to identify, hence the importance of Threat Hunting services. But the most known threats can be detected through these controls.
The bad guys don’t take weekends. Neither can companies.
4.5. Respond effectively to incidents
What happens if a malicious actor manages to evade the preventative layers? The Blue Team must be prepared to respond.
The professionals of this offensive security team have to perform incident response tasks to:
- Thwart attacks.
- Contain and isolate compromised assets.
- Prevent their propagation.
- Expel the malicious actors.
- Safeguard critical assets.
- Assist business continuity.
- Restore normality as soon as possible.
4.6. Analyze security incidents
In addition, Blue Team professionals must also be responsible for the analysis of security incidents:
- Forensic analysis of the affected machines.
- Tracing the timeline of an attack.
- Proposing solutions to remedy the effects of the attack.
- Establishment of detection and response measures to deal with future cases successfully.
4.7. Assess vulnerabilities to prioritize remediation.
Assessing weaknesses looming over the company is also a priority objective of the Blue Team.
The professionals in charge of vulnerability management must:
- Coordinate with the offensive teams so that they report identified vulnerabilities.
- Establish their risk level based on the potential impact on the organization and the likelihood that malicious actors will exploit them.
- Manage their remediation.
- Prioritize them to manage resources efficiently, considering security and the business model.
4.8. Implement plans to remedy weaknesses.
The information gathered in the vulnerability assessment enables the Blue Team to draw up remediation plans to mitigate the identified risks.
Vulnerability remediation plans are essential to ensure corporate assets do not present gaps that threats can exploit. As well as to prioritize their resolution based on available resources and business objectives.
Designing, evaluating and managing the implementation of remediation measures is essential to protect corporate systems and assets.
4.9. Create guidelines to support the secure configuration of equipment.
Although it needs the pomp of the other objectives we have described, the Blue Team has the duty to create guidelines for securely configuring corporate equipment among its missions.
This task is essential if a system or corporate network’s security is not compromised by an insecure configuration that makes it easier for malicious actors.
Many attackers take advantage of configuration problems to escalate privileges, make lateral moves and persist undetected on corporate systems until they achieve their goals. For example, hijacking corporate customer data, exfiltrating strategic documents, subjecting critical services to DDOS attacks or even threatening to report the breach to the regulator.
4.10. Encourage best practices among professionals
If configuration problems are dangerous when it comes to fortifying a company and its assets, the people who make them up are no less so.
Recklessness and human error open the door to many attackers.
Beyond all the complex tasks performed by Blue Team professionals, it is important to point out an objective that is often forgotten but crucial: company professionals must employ good practices in IT infrastructure management.
Awareness of the seriousness of threats and caution is essential today. Otherwise, all the work done by the Blue Team to optimize the defensive layers may fall on deaf ears. This is why professionals on the offensive security team must maintain sight of the goal of training all their colleagues to reduce risks.
5. Red Team: The Avengers of offensive security
What if the Blue Team’s «rival» were not a movie villain but another team that seeks to achieve the same things it does to help improve the defensive layers? That’s precisely what the Red Team does.
To continue with the simile of the comic book world, if the Blue Team is the Justice League of defensive security, the Red Team would be the Avengers (Captain America, Iron Man, Hulk…) of offensive security.
With the particularity that both teams work in the same universe. The Blue Team carries out all the actions described in this article. And the Red Team services test, to a large extent, the Blue Team’s effectiveness in meeting its objectives and help train Blue Team professionals to be prepared to deal with real intrusions and attacks.
To do so, the Red Team simulates acting as a malicious actor, aiming to enter corporate systems, persist over time, perform privilege escalation and lateral movement, avoid detection and demonstrate business impact.
What is the purpose of all these actions performed during Red Team services? First, they help the organization to prepare for real attacks, detect them in their early stages of development and respond effectively to any security incident.
Red Team services are, therefore, of great added value and are extremely useful in accelerating the Blue Team’s evolution in its mission to strengthen an organization’s defensive security. Therefore, RT and BT are not antagonists but allies.
5.1. Identifying security gaps
Because of the above, it is clear that the Red Team acts from an opposed approach to the Blue Team: from the outside in. Or, in other words, from the attackers’ point of view.
Red Team services are therefore used to evaluate and improve defensive layers.
The Red Team explores attack vectors and routes to get into the system and succeed in breaching the organization’s assets. In this way, they can detect breaches and weaknesses that have gone unnoticed by the Blue Team and other cybersecurity services.
5.2. Optimizing defensive security
The raison d’être of offensive security is to strengthen defensive security. Red Team activities optimize the organization’s defensive layers, mitigate weaknesses found and improve resilience to attacks.
By acting as malicious actors, Red Team professionals can evaluate the defensive layers from a different perspective and find weaknesses that the bad guys can detect.
5.3. Exploiting vulnerabilities to simulate real attacks
Red Team services do not simply detect vulnerabilities; they exploit them. As a result, their actions resemble real attacks.
By exploiting weaknesses, Red Team can complete the phases of a real attack, studying the routes that malicious actors might take and extracting valuable information from them.
This is where the Blue Team’s ability to detect and respond to the Red Team’s actions comes into play.
For the Blue Team to improve, the Red Team must be able to push it to the best of its abilities and teach it about the various attack options it faces.
5.4. Supporting the training of the Blue Team
The Red Team does not seek to undermine the Blue Team. On the contrary, one of its most important objectives is to help train Blue Team professionals.
Red Team scenarios offer Blue Team professionals a perfect opportunity to learn, train and improve their detection and response capabilities.
We are all aware that no matter how much we study, the best way to learn how to do something is to do it. Putting knowledge into practice. Red Team’s services allow defensive teams and technologies to test their robustness against attacks without risking a real security incident.
5.5. Improving Blue Team Detection and response capabilities
In addition to optimizing how defensive layers and threat monitoring are deployed, Red Team services enable the Blue Team to improve its detection and response procedures in the face of real attacks.
As we said earlier, time is of the essence when it comes to cyber-attacks. The Red Team makes it possible to evaluate the effectiveness of a Blue Team in detecting an attack and the effectiveness in containing it and expelling the malicious actors.
If cybersecurity were a sport like boxing, the Red Team would be a major rival seeking to train a champion. An opponent who would surely be able to make you kiss the canvas. And become stronger after the blow.
Red Team’s services are of great added value for companies with advanced cybersecurity maturity. Since it allows them to evaluate the efficiency level of the defensive layers and, therefore, the activities carried out by the Blue Team, the Red Team is grounding the Blue Team in the reality of an increasingly complex and dangerous cyber threat landscape.
If companies worldwide could count on the Justice League and the Avengers to protect them, they would not suffer security incidents costing them $6 billion daily. This is because the Blue and Red teams are not mutually exclusive but strongly complementary.
In short, the Blue Team is a puzzle in which all the pieces related to an organization’s defensive layers fit together. Once the puzzle is completed, the result is a company that is efficient in the face of attacks and prepared to handle security incidents successfully.