What is a blue team? NIST defines a blue team as “a group responsible for protecting an enterprise’s information systems by keeping them secure from a group of fictitious attackers.” If the red team plays offense, the blue team plays defense to protect the organization’s critical assets. Blue teams conduct proactive network security assessments and provide appropriate tools and mitigation techniques for organizations seeking to assess their defenses or prepare for red team attacks. Blue teams are often made up of security personnel within an organization, or that organization may select specific team members to form a dedicated blue team within a department. Blue teams can also be independent consultants hired for specific tasks who use their expertise to help validate an organization’s security posture.
A skilled cybersecurity blue team can play a critical role in developing an organization’s comprehensive defense plan using the latest tools and techniques—in other words, a “blue team security stack.” It is often best to think of them as the most active contingent of the security team. Not all security team members specialize in tasks that are considered high-level or relevant enough for testing. Blue teams focus on high-level threats and continuously improve detection and response methods. Blue teams must be right all the time. In addition to attention to detail, blue teams must also think creatively and have the ability to adapt on the fly. Learn from blue teamers with the Blue Teaming Tips collection. These tips cover a number of tactics, tools and methodologies to improve your blue team abilities.
Malware Analysis Tip – Use Process Hacker to watch for suspicious .NET assemblies in newly spawned processes. Combined with dnSpy, it is possible to find and extract malicious payloads without the need for manual deobfuscation.
In Windows, it is common to see attackers perform initial execution using malicious script files that masquerade as Microsoft Office files. A good way to break this attack chain is to change the default program associated with these file types (HTA, JS, VBA, VBS) to notepad.exe. Now, when a user is successfully tricked into clicking the HTA file on disk, the script opens in Notepad and no execution occurs.
Cryptomining malware is getting more sophisticated: mining malware uses DLL sideloading to hide on the machine and throttles CPU load to stay below detection thresholds. One thing they all have in common is that they have to connect to mining pools, and that is where we can find them. Monitor your proxy and DNS logs for connections containing common mining pool strings (eg
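The log review described above, as an added example that is not part of the original tips: it scans constructed DNS and proxy log lines for mining-pool indicators and reports the hits and the clients worth investigating. The pattern list, the log format and the sample lines are assumptions made for this example, not the page's own list.

```python
import re
from typing import Dict, List

# Assumed example patterns (not the page's list): substrings that commonly appear in
# stratum URLs and pool hostnames. "pool." also matches legitimate services, so treat
# matches as leads to triage, and replace this list with your own threat-intel feed.
POOL_PATTERNS = [
    r"stratum\+tcp://",
    r"stratum\+ssl://",
    r"\bpool\.",
    r"xmr",
    r"monero",
    r"nicehash",
]
POOL_RE = re.compile("|".join(POOL_PATTERNS), re.IGNORECASE)

# Constructed sample logs in a simplified "<timestamp> <client> <verb> <target>" form.
DNS_LOG = """\
2024-01-10T09:15:01Z 10.0.0.12 query updates.example-vendor.test
2024-01-10T09:15:07Z 10.0.0.45 query xmr.pool.example.test
2024-01-10T09:16:22Z 10.0.0.45 query www.example.test
"""
PROXY_LOG = """\
2024-01-10T09:17:03Z 10.0.0.45 CONNECT stratum+tcp://pool.example.test:3333
2024-01-10T09:17:10Z 10.0.0.12 GET http://www.example.test/index.html
"""


def find_mining_pool_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose query/URL field matches a pool pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue  # malformed or empty line: skip rather than crash
        timestamp, client, _verb, target = parts
        match = POOL_RE.search(target)
        if match:
            hits.append({"time": timestamp, "client": client,
                         "target": target, "matched": match.group(0)})
    return hits


def suspicious_clients(*logs: str) -> List[str]:
    """Union of client addresses with at least one pool hit across all supplied logs."""
    return sorted({h["client"] for log in logs for h in find_mining_pool_hits(log)})


if __name__ == "__main__":
    for hit in find_mining_pool_hits(DNS_LOG) + find_mining_pool_hits(PROXY_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['target']} (matched {hit['matched']})")
    print("clients to investigate:", suspicious_clients(DNS_LOG, PROXY_LOG))
```

In practice the same client appearing in both the DNS and proxy hits, as 10.0.0.45 does here, is a stronger signal than a single match.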