Blue Teaming

Blue Teaming is an exercise that focuses on the process of defending a company’s critical business assets using means of preventative measures. Prescient Security Blue Teaming is designed to give our client a strong defense against potential attacks. Fortifying defenses for our clients ensures a resilience to loss of sensitive data.

Phase 1 Discover (Reconnaissance)

The discovery phase involves understanding the target of the engagement. In regards to blue teams and defensive methodologies, the “target” can be viewed in several forms ranging from entire enterprise infrastructures to a single file. Depending on the purpose of the blue team engagement, the Rules of Engagement (RoE) will be cast to one or more of the following types (non-exhaustive):

Hunt: Hunt engagements task a highly specialized team of security professionals with an understanding of both offensive and defensive security domains with finding the root cause of a critical high impact compromise and determine the appropriate actions needed to dissolve the imminent threat.

Incident Handling and Response: Incident Handling (IH) and Response (IR) engagements involve the process of handling a compromise asset or continuous monitoring of a network segment for malicious logic and activity. Responders, similar to Emergency Management Services (EMS) professionals, surge into action to detect the threat and eliminate it.

Compliance: Compliance professionals act in the role of auditors to ensure that an organization is meeting and exceeding the requirements set forth by common frameworks and standards needed to remain in business with target entities (such as the federal government). A few of these standards include the Risk Management Framework (RMF), PCI-DSS (payment systems security), and HITRUST (when dealing with HIPAA data).

 

Phase 2 Assess

During phase two, all entities are tasked with determining the security posture of the target organization. In contrast to red team or penetration testing, these teams seek to find any vulnerabilities in their network, discuss potential business and technical solutions to any discovered issues, and determine the direction to be taken to ensure all assets are accounted for in analysis of the environment. This phase typically involves the use of protocol analyzers and port scanners such as NMAP and Nessus.

In addition, the beginnings of static and heuristic as well as network and digital forensics analysis is set into motion to understand the capabilities of the security appliances and procedures in place and gain a wider perspective on the true architectural defensive needs of the target organization.

 

Phase 3  Protect

During this phase, all teams except for the Compliance team, are tasked with executing efforts to assert that the findings discovered are not false positives and that any vulnerabilities that require immediate attention due to having a significant severity rating are patched and addressed in accordance with change management policies in place at the target organization.

For Compliance agents, this phase serves as a point at which all data is aggregated from the interview processes and scans and the process of facilitating the creation of a plan of action for remediation takes place.

 

Phase 4 Report

Hunt: In regards to Hunt documentation, the deployed team will develop a report detailing the method of execution and efforts taken to determine the origin of the target threat and remediation efforts taken to assert enterprise stability and control is returned to the local defenders.

Incident Handling and Response: The incident response post engagement report will typically describe the severity of each event, it’s category in accordance with the appropriate reporting standard (e.g. CCJS6510 for the United States Army), analytics and packet analysis data, and remediation recommendations.

Compliance: In this domain, reporting will be delivered in the fashion of a “scorecard” or report detailing which security controls have been addressed, what new issues have arisen during testing, the results of the interview processes, and remediation techniques that can be implemented to aid in the mitigation of any discovered vulnerabilities. These findings are typically organized by severity and