Training blue teams is a key focus for SOC managers, CISOs and anyone else responsible for cybersecurity staff training. The defensive team is our last line of defense, and keeping it well versed in its tools and playbooks, and no less important, in teamwork and communication, is not optional but a necessity. A trained blue team can mean the difference between a contained incident and a compromised network.
What is an Effective Blue Team Training Environment?
Unlike red teams, which I’ve covered in a separate post, and which only need to get it right once, blue teams must be right every time. This obviously makes their job harder, and their training essential.
I’ve trained countless blue teams in tabletop exercises, theoretical courses and cyber range simulations. Ultimately, nothing replaces the experience of a real-world attack unfolding in front of the team, which is why I always turn to cyber attack simulation in a cyber range as my preferred means of training. Having the incident response team experience a complete end-to-end attack exposes them to evasive tactics they were not aware of and lets them practice and improve their detection, investigation and remediation skills. Moreover, it flexes some of the “muscles” we rarely train in cyber security exercises: the ability to work as a team and to communicate effectively. Identifying a well-trained team is easy. They work in an orchestrated way, know their incident response playbooks, and are less stressed during an attack.
Training Exercises for your Blue Team
We’ve trained blue teams from a wide range of organizations, including enterprise SOCs, national CERTs and military cyber defenders, in cyber range simulation exercises. Here are three of my favorite scenarios. You can practice them by contracting a red team to run the attack, or you can use a cyber attack simulator to run these scenarios independently from your own office. The overviews below are high level, but I believe they are self-explanatory.
WordPress Exploit
Blue Team Objective: Trace the origin of the attack, determine what information leaked, identify the vulnerability and remediate.
Most of us (including our very own site) use WordPress as our website content management system (CMS). WordPress is extremely widely deployed and extended by thousands of third-party plugins and themes, which is where the bulk of its vulnerabilities live, so it is a constant target. A Sucuri report found that WordPress made up about 90% of the hacked CMS sites it cleaned in 2018. Aside from the obvious need to patch and continuously update the CMS and its plugins, and to use industry-standard website security controls, we need our blue team prepared for the moment attackers bypass those controls, and trained for the common scenario of an attack that starts with a WordPress exploit.
In this exercise, blue teams work through a simulated scenario in which the company’s blog was compromised through a vulnerable installed plugin. The attacker uses the plugin to exfiltrate sensitive payment information from a database that sits on the internal network, which tests how long your blue team takes to detect and remediate.
Your blue team members must trace the origin of the attack using the database’s firewall logs, identify and classify the vulnerable plugin, determine what information leaked, write new rules to close the hole and finally contain the attack.
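As an added illustration (my own example, not code from the original post or from any training platform), the following Python script shows how the first steps of this exercise can be done mechanically: it parses constructed Apache-style access log lines and constructed database query log lines, flags queries that read a watch-listed sensitive table, and attributes each such query to the plugin endpoint and client IP that hit the site just before it. The plugin name `contact-helper`, the table `payment_cards`, the addresses, the log formats and the 3-second correlation window are all assumptions made for the example; the emergency deny rules it prints assume an nginx front end.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed Apache-style access log (not real traffic). The client at
# 198.51.100.23 repeatedly hits the export endpoint of a hypothetical plugin.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:14:02 +0000] "GET /blog/2024/launch/ HTTP/1.1" 200 5120
198.51.100.23 - - [12/Mar/2024:10:14:05 +0000] "GET /wp-content/plugins/contact-helper/export.php?fmt=csv HTTP/1.1" 200 812
203.0.113.7 - - [12/Mar/2024:10:14:09 +0000] "GET /wp-content/plugins/contact-helper/assets/app.js HTTP/1.1" 200 2210
198.51.100.23 - - [12/Mar/2024:10:14:31 +0000] "GET /wp-content/plugins/contact-helper/export.php?fmt=csv&page=2 HTTP/1.1" 200 790
198.51.100.23 - - [12/Mar/2024:10:15:04 +0000] "POST /wp-content/plugins/contact-helper/export.php HTTP/1.1" 200 64000
"""

# Constructed database firewall / query log in an assumed key=value format.
DB_LOG = """\
2024-03-12T10:14:06Z user=wp_app db=shop query="SELECT card_last4, card_token, billing_email FROM payment_cards LIMIT 500"
2024-03-12T10:14:10Z user=wp_app db=shop query="SELECT post_title FROM wp_posts WHERE post_status='publish'"
2024-03-12T10:14:32Z user=wp_app db=shop query="SELECT card_last4, card_token, billing_email FROM payment_cards LIMIT 500 OFFSET 500"
2024-03-12T10:15:05Z user=wp_app db=shop query="SELECT * FROM payment_cards"
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)')
DB_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) query="(?P<query>.*)"$')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<plugin>[^/]+)/')
TABLE_RE = re.compile(r'\bFROM\s+`?(\w+)`?', re.IGNORECASE)

SENSITIVE_TABLES = {"payment_cards", "wp_users"}  # assumed watch-list
WINDOW = timedelta(seconds=3)  # max gap between an HTTP request and the query it triggers


def parse_access(text):
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                           "ip": m["ip"], "method": m["method"], "path": m["path"],
                           "status": int(m["status"]), "bytes": int(m["size"])})
    return events


def parse_db(text):
    events = []
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append({"ts": ts, "user": m["user"], "db": m["db"], "query": m["query"]})
    return events


def sensitive_reads(db_events, watch=SENSITIVE_TABLES):
    """Queries that touch a watch-listed table, annotated with the tables read."""
    out = []
    for e in db_events:
        tables = {t.lower() for t in TABLE_RE.findall(e["query"])} & watch
        if tables:
            out.append({**e, "tables": tables})
    return out


def investigate(access_text=ACCESS_LOG, db_text=DB_LOG, window=WINDOW):
    """Attribute sensitive DB reads to the plugin endpoint and client requested just before them."""
    access = parse_access(access_text)
    suspects, leaked_tables, first_seen = Counter(), set(), None
    for q in sensitive_reads(parse_db(db_text)):
        leaked_tables |= q["tables"]
        for req in access:
            if q["ts"] - window <= req["ts"] <= q["ts"]:
                m = PLUGIN_RE.match(req["path"])
                if m:
                    suspects[(req["ip"], m["plugin"])] += 1
                    if first_seen is None or req["ts"] < first_seen:
                        first_seen = req["ts"]
    if not suspects:
        return None
    (ip, plugin), hits = suspects.most_common(1)[0]

    def hits_plugin(r):  # requests from the suspect IP to the suspect plugin
        m = PLUGIN_RE.match(r["path"])
        return r["ip"] == ip and m is not None and m["plugin"] == plugin

    # Rough exfiltration volume: response bytes the suspect pulled through that plugin.
    exfil_bytes = sum(r["bytes"] for r in access if hits_plugin(r))
    return {"source_ip": ip, "plugin": plugin, "correlated_queries": hits,
            "leaked_tables": sorted(leaked_tables), "first_seen": first_seen.isoformat(),
            "exfil_bytes": exfil_bytes}


def containment_rules(finding):
    """Emergency nginx rules (assumed front end): drop the source and the plugin path."""
    return [f"deny {finding['source_ip']};",
            f"location ~ ^/wp-content/plugins/{finding['plugin']}/ {{ deny all; }}"]


if __name__ == "__main__":
    finding = investigate()
    print(finding)
    print("\n".join(containment_rules(finding)))
```

On the constructed data the script attributes all three reads of `payment_cards` to `198.51.100.23` via `contact-helper/export.php`, while the legitimate visitor who fetched the plugin’s JavaScript is not implicated, because that request only lines up with a harmless `wp_posts` query. The byte count is a lower bound on what left the site, not a row count; the real answer to “what leaked” comes from the query text and the table contents. The deny rules are a stopgap until the plugin is removed or patched.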
This exercise should take between 2 and 4 hours depending on your blue team’s expertise. It is of intermediate-to-advanced complexity, most suitable for Tier 2 analysts rather than entry-level staff. A successful exercise concludes with a proper debrief in which the team brainstorms alternative mitigation approaches.
Data Leakage Prevention (DLP)
Blue Team Objective: To detect, contain and remediate a spear-phishing attack, simulated across the entire kill chain.
Spear-phishing attacks, a form of social engineering, have become some of the most prominent attacks in cybersecurity. In this scenario, DNS poisoning is used to redirect end users to a full clone of a popular website such as YouTube instead of the original site. There, the user is encouraged to interact with the page by clicking a specific link (to watch a video, for example), which downloads a malicious file to the user’s computer and gives the attacker full control of it.
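As an added example (mine, not code from the original post or any product), the script below runs the detection a blue team would need for the first links of this chain over constructed logs: it compares resolver answers for a watched domain against assumed known-good address ranges to find the poisoned answer and the clients that received it, then searches constructed proxy records for executable downloads from the impostor address. The log formats, all IP addresses and the 142.250.0.0/15 baseline are assumptions made for the example; in production the baseline would come from a clean period of observed answers or from the domain owner’s published ranges.

```python
import ipaddress

# Constructed resolver log: timestamp, client, query, returned A record, TTL.
# From 09:05 the resolver hands out a poisoned answer for www.youtube.com.
DNS_LOG = """\
2024-03-12T09:01:10Z 10.0.5.21 www.youtube.com 142.250.74.78 300
2024-03-12T09:02:44Z 10.0.5.33 www.youtube.com 142.250.74.78 300
2024-03-12T09:05:02Z 10.0.5.21 www.youtube.com 192.0.2.45 60
2024-03-12T09:05:30Z 10.0.5.40 www.youtube.com 192.0.2.45 60
2024-03-12T09:06:12Z 10.0.5.21 intranet.corp.example 10.0.1.5 3600
"""

# Constructed web proxy log: timestamp, client, method, URL, dst=IP, status, content type, bytes.
PROXY_LOG = """\
2024-03-12T09:05:20Z 10.0.5.21 GET http://www.youtube.com/watch?v=abc123 dst=192.0.2.45 200 text/html 18234
2024-03-12T09:05:41Z 10.0.5.21 GET http://www.youtube.com/player_update.exe dst=192.0.2.45 200 application/x-msdownload 2310144
2024-03-12T09:05:55Z 10.0.5.40 GET http://www.youtube.com/watch?v=abc123 dst=192.0.2.45 200 text/html 18234
2024-03-12T09:07:01Z 10.0.5.33 GET https://www.youtube.com/watch?v=abc123 dst=142.250.74.78 200 text/html 40110
"""

# Assumed known-good ranges per watched domain (illustrative, not an authoritative list).
BASELINE = {"www.youtube.com": [ipaddress.ip_network("142.250.0.0/15")]}

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/octet-stream"}
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".hta", ".js", ".vbs")


def parse_dns(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, query, answer, ttl = line.split()
        events.append({"ts": ts, "client": client, "query": query.lower(),
                       "answer": answer, "ttl": int(ttl)})
    return events


def parse_proxy(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, dst, status, ctype, size = line.split()
        events.append({"ts": ts, "client": client, "method": method, "url": url,
                       "dst": dst.split("=", 1)[1], "status": int(status),
                       "ctype": ctype, "bytes": int(size)})
    return events


def spoofed_answers(dns_events, baseline=BASELINE):
    """Answers for watched domains that fall outside every known-good range."""
    flagged = []
    for e in dns_events:
        nets = baseline.get(e["query"])
        if nets is None:
            continue  # not a watched domain
        addr = ipaddress.ip_address(e["answer"])
        if not any(addr in net for net in nets):
            flagged.append(e)
    return flagged


def payload_downloads(proxy_events, bad_ips):
    """Proxy records where a client fetched something executable from an impostor address."""
    hits = []
    for e in proxy_events:
        if e["dst"] not in bad_ips:
            continue
        path = e["url"].split("?", 1)[0].lower()
        if e["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXT):
            hits.append(e)
    return hits


def hunt(dns_text=DNS_LOG, proxy_text=PROXY_LOG):
    """Tie the poisoned answer to the clients it reached and to any payload they pulled."""
    spoofed = spoofed_answers(parse_dns(dns_text))
    bad_ips = {e["answer"] for e in spoofed}
    downloads = payload_downloads(parse_proxy(proxy_text), bad_ips)
    return {"impostor_hosts": sorted(bad_ips),
            "redirected_clients": sorted({e["client"] for e in spoofed}),
            "compromised_clients": sorted({d["client"] for d in downloads}),
            "downloads": [(d["client"], d["url"], d["bytes"]) for d in downloads]}


if __name__ == "__main__":
    print(hunt())
```

Two clients were steered to the clone, but only one actually pulled the executable, which is the distinction that decides who gets isolated first. The baseline is expressed as ranges rather than exact addresses because large sites rotate CDN answers all the time; a single unfamiliar IP is a lead, and the proxy correlation is what turns it into an incident.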
DLP is an “oldie but goodie”: it is one of the most important KPI flows in a SOC and must be a frequent subject of training, because detecting and remediating this type of attack is complex. The RSA breach, the HBGary Federal compromise and Operation Aurora (the attack on Google) all began with targeted social engineering. Attacks like these are common and could most definitely hit your organization, which argues even further for this type of exercise.
This exercise should take up to 2 hours and is of intermediate complexity, meaning your Tier 2 analysts should be able to get through it with their experience and existing tools. Because human interaction plays such a large role in this attack, the exercise also reflects the readiness and security awareness training of all employees, not just the SOC.
Ransomware
Blue Team Objective: To construct a clear chain of events and conduct a technical forensic investigation of the infected stations.
Ransomware remains a common form of attack that spares no sector, including municipalities, health care and enterprises. It is essential to include several ransomware strains, leveraging multiple attack vectors, in your blue team training plan.
This exercise confronts the blue team with a realistic ransomware attack against the organizational network it is expected to defend. Using the full range of its tools and methodologies, the blue team must work on prevention as well as on detection; the two are equally important.
This exercise runs between 2 and 4 hours depending on the experience of the blue team members. It is an advanced exercise designed to train Tier 2 and 3 analysts to detect the attack, map out an accurate chain of events, and perform a deep examination of the infected stations, the network and the C&C server.
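To make the “chain of events” deliverable concrete, here is an added example (my own, not code from the original post or from any cyber range product) that reconstructs it from constructed EDR-style telemetry for three hosts: it finds the processes that renamed files to the ransomware extension, picks the first host to encrypt as patient zero together with the process and parent that started it there, identifies the C&C server as the external address those processes contacted on the most hosts, and lists SMB connections from the encryptor to hosts that began encrypting afterwards as lateral movement. The event format, the hostnames, the asset inventory, the `.locked` extension and the 10.0.0.0/8 internal range are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed EDR-style telemetry (not from any real incident). Kinds are
# process_start, net_connect and file_rename; the ransomware appends ".locked".
EVENTS = r"""
2024-03-12T08:55:10Z WS-17 process_start pid=4120 image=C:\Users\dana\AppData\Local\Temp\invoice_0312.pdf.exe parent=outlook.exe
2024-03-12T08:55:12Z WS-17 net_connect pid=4120 dst=198.51.100.77:443
2024-03-12T08:55:40Z WS-17 file_rename pid=4120 old=C:\Users\dana\Documents\q1.xlsx new=C:\Users\dana\Documents\q1.xlsx.locked
2024-03-12T08:57:03Z WS-17 net_connect pid=4120 dst=10.0.2.15:445
2024-03-12T08:57:30Z FS-01 process_start pid=880 image=C:\Windows\Temp\svchosts.exe parent=services.exe
2024-03-12T08:57:33Z FS-01 net_connect pid=880 dst=198.51.100.77:443
2024-03-12T08:58:10Z FS-01 file_rename pid=880 old=D:\Shares\Finance\budget.docx new=D:\Shares\Finance\budget.docx.locked
2024-03-12T08:59:01Z WS-17 net_connect pid=4120 dst=10.0.2.22:445
2024-03-12T09:00:15Z WS-22 process_start pid=3004 image=C:\Windows\Temp\svchosts.exe parent=services.exe
2024-03-12T09:00:18Z WS-22 net_connect pid=3004 dst=198.51.100.77:443
2024-03-12T09:00:30Z WS-22 net_connect pid=1200 dst=10.0.1.5:443
2024-03-12T09:01:00Z WS-22 file_rename pid=3004 old=C:\Users\omer\Desktop\notes.txt new=C:\Users\omer\Desktop\notes.txt.locked
"""

ASSETS = {"10.0.2.15": "FS-01", "10.0.2.22": "WS-22", "10.0.2.17": "WS-17"}  # assumed inventory
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
ENCRYPTED_EXT = ".locked"

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')


def parse(text):
    """Parse 'ts host kind k=v ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
              "host": m["host"], "kind": m["kind"]}
        ev.update(dict(KV_RE.findall(m["rest"])))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_encrypt(e):
    return e["kind"] == "file_rename" and e.get("new", "").endswith(ENCRYPTED_EXT)


def encryptors(events):
    """(host, pid) pairs that renamed files to the ransomware extension."""
    return {(e["host"], e["pid"]) for e in events if is_encrypt(e)}


def first_encryption(events):
    """Host -> timestamp of its first encrypted file (events are time-sorted)."""
    first = {}
    for e in events:
        if is_encrypt(e):
            first.setdefault(e["host"], e["ts"])
    return first


def c2_server(events, encs):
    """External destination contacted by encryptor processes on the most hosts."""
    hosts_per_dst = defaultdict(set)
    for e in events:
        if e["kind"] == "net_connect" and (e["host"], e.get("pid")) in encs:
            ip = e["dst"].rsplit(":", 1)[0]
            if ipaddress.ip_address(ip) not in INTERNAL:
                hosts_per_dst[e["dst"]].add(e["host"])
    return max(hosts_per_dst, key=lambda d: len(hosts_per_dst[d])) if hosts_per_dst else None


def lateral_moves(events, encs, first, assets=ASSETS):
    """SMB (445) connections from an encryptor to a host that starts encrypting afterwards."""
    moves = []
    for e in events:
        if e["kind"] != "net_connect" or (e["host"], e.get("pid")) not in encs:
            continue
        ip, port = e["dst"].rsplit(":", 1)
        target = assets.get(ip)
        if port == "445" and target in first and e["ts"] < first[target]:
            moves.append((e["host"], target, e["ts"].strftime("%H:%M:%S")))
    return moves


def chain_of_events(events, encs):
    """Human-readable timeline restricted to the encryptor processes."""
    return [f'{e["ts"]:%H:%M:%S} {e["host"]} {e["kind"]} '
            + " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "host", "kind"))
            for e in events if (e["host"], e.get("pid")) in encs]


def reconstruct(text=EVENTS):
    events = parse(text)
    encs = encryptors(events)
    first = first_encryption(events)
    if not first:
        return None
    spread = sorted(first, key=first.get)  # hosts in order of first encryption
    p0 = spread[0]
    dropper = next((e for e in events if e["kind"] == "process_start"
                    and e["host"] == p0 and (p0, e["pid"]) in encs), None)
    return {"patient_zero": p0,
            "initial_process": dropper["image"] if dropper else None,
            "delivered_by": dropper["parent"] if dropper else None,
            "c2": c2_server(events, encs),
            "spread_order": spread,
            "lateral_moves": lateral_moves(events, encs, first),
            "timeline": chain_of_events(events, encs)}


if __name__ == "__main__":
    result = reconstruct()
    print("\n".join(result.pop("timeline")))
    print(result)
```

On the constructed data the chain reads: a fake invoice launched from Outlook on WS-17 beacons to 198.51.100.77:443, encrypts local files, then reaches the file server and a second workstation over SMB, each of which starts its own encryptor (dropped as `svchosts.exe`) minutes later. The unrelated connection from another process on WS-22 is ignored because only encryptor processes count. In a real investigation the same logic runs over exported EDR or Sysmon events, and the parent process on patient zero is what points the team at the initial access vector.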

What Next?
These three examples are a great start for your blue team to practice responding to the scenarios they are most likely to encounter in an operational SOC. I’d love to provide a deeper dive into these scenarios and demonstrate how they can be simulated; you can contact me anytime through our website or on LinkedIn. By giving your blue team this hands-on training BEFORE the attack, you can be sure they will be much better prepared for the moment one of these scenarios happens for real.
Kobi Leizerovich is an experienced cybersecurity trainer and has delivered thousands of training sessions to enterprise SOC teams, red teams and military cyber experts.