When it comes to diagnosing the health of a company’s IT and Network Infrastructures, Penetration Testing is like an angiogram for detecting vulnerabilities. The teams that conduct Penetration tests are known as a Blue Team, a Red Team, and (sometimes) a Purple Team. The Blue Team consists of ethical hackers who work internally with an IT Security Team to react to and fend off attacks launched at them by the Red Team, a second group of ethical hackers who are hired to try to break into the system. Beyond the exercise itself, the Blue Team has additional responsibilities in fending off a real Cyberattack. Those responsibilities are as follows:
- Preparedness: The Blue Team will do everything possible in its role to protect the business from any looming Cyber-based threats. This includes testing all security technologies that are in place to make sure they are optimized to detect any sort of anomalies or outliers; making sure the Incident Response and the Disaster Recovery plans are set in motion should a Cyberattack actually occur; and keeping all employees informed of the upcoming Cyber threat landscape.
- Identification: The Blue Team will make every effort to correctly identify any potential Cyberattacks that threaten the business or corporation.
- Containment: If the organization is hit by a Cyberattack, it becomes the responsibility of the Blue Team to contain the damage caused by the attack. In this regard, one of the best tools the Blue Team has at its disposal is the Incident Response Plan. The Incident Response Team will also be called into action to mitigate any losses from the Cyberattack.
- Recovery: In the unfortunate case that the business has been breached by a Cyberattack, it will also be one of the main responsibilities of the Blue Team to activate the Disaster Recovery plan and return the entity to the predefined level of operations it had before the incident occurred. This should occur no more than one or two days after the Cyberattack. At this point, a top priority of the Blue Team is to bring up as many mission-critical processes as possible during this short time span.
- Lessons Learned: Obviously, once the damage from the Cyberattack has been mitigated and the organization is up and running at near 100% operational levels, a Forensics Investigation Team will be called in to conduct an exhaustive study of what happened and how the Cyberattack could have been avoided. The Blue Team is responsible for compiling all of the findings in a report, as well as for formulating strategies for avoiding such incidents in the future.
During the Penetration Testing exercise(s), the Blue Team also assumes the following responsibilities:
- Operating System Hardening: The Blue Team will further fortify the Operating Systems of all hardware being used by the business. This primarily includes all the servers, workstations, and wireless devices (securing both Android and iOS devices). The goal here is to decrease the “surface of vulnerability” of all the Operating Systems that are currently being used.
- Perimeter Defense: The Blue Team will also ensure that all Firewalls, Network Intrusion Detection devices, Routers, Traffic Flow devices, Packet Filtering devices, etc. are up and running and operating at peak condition.
To fend off future Cyberattacks, the Blue Team typically relies on tools such as Log Management and Analysis and Security Information and Event Management (SIEM) technology to detect anomalies across the infrastructure.
Next up: The next article in this series will explore the role of the Red Team in Penetration Testing, which is essentially to launch an “ethical” Cyberattack against a company’s defense perimeters to uncover its Security vulnerabilities.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He is also studying for his Certificate In Cybersecurity through the ISC2.