Tribe Of Hackers Blue Team Edition

Wed, Sep 16, 2020 6-minute read

Tribe Of Hackers: Blue Team has been released and I am overjoyed to share with you that

Photo of 0xbanana

It’s been in the works for months and I’ve been waiting with bated breath for it to be released and to be able to share the good news with everyone.

If you want to pick up a physical or digital copy you can, here -

Below is my excerpt from the book:

Jason Schorr has served as an information security professional for some of the largest technical companies in the world, where he used his knowledge and experience to strengthen their security posture and minimize risk. He currently serves as Chief Operating Officer for Spyglass Security, where most recently, acting as project lead, he developed Data Drifter, a tool to analyze the contents of insecure cloud storage buckets. He lives in New York City with an amazing partner and their two beautiful girls.

Q. How do you define a blue team? Especially when there are so many folks doing tangent work building secure systems or platforms but are not directly responsible for incident response?

A. We are all the defenders of the realm. Anyone who’s actively working to keep networks safe from malicious actors qualifies as blue team in my book.

We as security practitioners see security from different viewpoints. It would be a shame to discount someone else or their experience because they “do something different,” aren’t “eyes on glass,” or aren’t “on the front lines.” This does not mean they don’t bring value to the table.

We can learn from each other; through that communal learning we all become stronger.

Q. How can blue teamers learn, practice, and grow?

A. There are so many skills needed for a well-rounded blue team practitioner. Since we live in a golden age for personal computing, every blue team practitioner needs their own personal lab. It doesn’t have to be big, expensive, physical, or even persistent to be effective and provide an abundance of educational value.

Cloud computing costs are at an all-time low. You can spin up any configuration of systems and services and only pay for the time and resources you use. Single board computing miniaturizes your lab and puts it in your pocket.

The most important needs for any practitioner? Motivation and dedication to learning.

Q. What are some core metrics that a blue team can use to build, measure, and maintain a successful information security program?

A. Metrics play a key role in any security program, especially since we cannot improve what we do not measure. Quality metrics give us insights to how our organization is performing and can highlight key deficiencies.

Metrics focused around the state of the network are paramount to understanding attack surface, identifying potential footholds, and the overall health of systems and networks.

Some helpful metrics to collect about your security program’s vulnerability management include:

  • Network and service coverage – Don’t assume vulnerability scans fully cover every system and service on the network. Full coverage depends on up-to-date asset inventories and usually on authentication credentials to get detailed service information.
  • Vulnerability dwell time – How long does a vulnerability exist before it is patched? The longer the dwell, the greater the organizational risk. When dealing with vulnerabilities in business-critical applications and servers, the impact is bigger and this metric becomes more important.
  • Time to patch – Once a patch for a security vulnerability is released by a vendor, how long does it take your organization to apply the update to your assets before they’re exploited by attackers?
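To make the three metrics above concrete, here is an added example (not from the book or the author) that computes scan coverage, dwell time, and time to patch from a small constructed inventory, scan-result set, findings list, and vendor patch-date table. Host names, the `VULN-A`/`VULN-B` identifiers, and all dates are made-up sample values.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not the author's or the book's): an asset inventory,
# which hosts the scanner reached (and whether it authenticated), findings with
# first-seen/fixed dates, a business-critical flag, and vendor patch dates.
ASSETS = {"web01", "web02", "db01", "vpn01", "jump01"}
SCANNED = {"web01": True, "web02": True, "db01": False}  # host -> credentialed scan?
FINDINGS = [  # (host, placeholder vuln id, first seen, fixed or None, business critical)
    ("web01", "VULN-A", date(2020, 8, 1), date(2020, 8, 10), False),
    ("db01", "VULN-B", date(2020, 8, 3), None, True),
    ("web02", "VULN-A", date(2020, 8, 1), date(2020, 8, 20), False),
]
PATCH_RELEASED = {"VULN-A": date(2020, 7, 28), "VULN-B": date(2020, 8, 1)}
TODAY = date(2020, 9, 16)


def coverage(assets, scanned):
    """Share of inventoried hosts scanned at all / with credentials, plus the
    hosts the scan never reached (the inventory gap to close)."""
    reached = assets & set(scanned)
    credentialed = {h for h in reached if scanned[h]}
    return len(reached) / len(assets), len(credentialed) / len(assets), assets - reached


def dwell_days(findings, today):
    """Days each finding has existed; still-open findings keep counting to today."""
    return {(h, v): ((fixed or today) - seen).days for h, v, seen, fixed, _ in findings}


def time_to_patch_days(findings, released):
    """Days from the vendor releasing a fix to the host being patched (fixed only)."""
    return {(h, v): (fixed - released[v]).days for h, v, _, fixed, _ in findings if fixed}


def vuln_metrics(assets=ASSETS, scanned=SCANNED, findings=FINDINGS,
                 released=PATCH_RELEASED, today=TODAY):
    any_cov, cred_cov, unscanned = coverage(assets, scanned)
    dwell = dwell_days(findings, today)
    critical = [dwell[(h, v)] for h, v, _, _, crit in findings if crit]
    ttp = time_to_patch_days(findings, released)
    return {
        "scan_coverage": any_cov,
        "credentialed_coverage": cred_cov,
        "unscanned_hosts": sorted(unscanned),
        "mean_dwell_days": mean(dwell.values()),
        "max_critical_dwell_days": max(critical, default=0),  # open criticals dominate
        "mean_time_to_patch_days": mean(ttp.values()) if ttp else None,
    }


if __name__ == "__main__":
    for name, value in vuln_metrics().items():
        print(f"{name}: {value}")
```

Note that an open finding on a business-critical host keeps accruing dwell until it is fixed, which is why the critical maximum is reported separately from the mean.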

Q. Where would you start if you were the only information security staff member at a small to medium-sized business with a primitive security infrastructure? What is the one foundational element in building a secure network from the ground up?

A. The foundation of any good security program is good visibility. You can’t defend what you can’t see and don’t know about. The first thing I would do is build an asset list: an enriched list of every piece of technology and software owned and operated by the business.

Yes, this will take time. Yes, this will be a living document. Yes, this will be frustrating. Yes, this will be worth it.

Once you know the details about what you’re defending, you can start planning the best ways of defending it.

Q. What is the most bang-for-your-buck security control?

A. Host based firewalls are the best bang-for-your-security-buck control. Every modern operating system has one built in and can be configured before mass deployment.

If we cannot create a perimeter around our entire network, we must bring the perimeter down to individual network items. Some folks call this a “zero trust” model.

Limiting ingress and egress network traffic will mitigate the majority of attacks from bad actors. In the event a compromise occurs, the chances of further exploitation, data exfiltration, or internal network propagation will be drastically reduced.

Q. How do you approach data governance and other methods of reducing your data footprint?

A. First, take a big look at all your accounts, apps, devices, services, subscriptions, etc., and try to classify them in big buckets like “personal”, “school”, “work” – or whatever works best for you.

Now, start deleting those unused accounts, and not just by removing an app (do this too), but by finding the “delete account” option buried under all that UI. Unsubscribe from unwanted and unused subscription services. Spend an afternoon cleaning up the files on your computer and properly backing them up.

Reducing our footprint depends on knowing what we have out there; once we have that we can begin assessing specific risks, then work to minimize the impacts if something were to go wrong.

Q. What is your opinion on compliance?

A. “Compliance” is a wonderful way to get companies to do the absolute barest minimum when it comes to securing their networks and keeping data safe.

Q. What strategies do you use to communicate the threats you encounter to non-technical decision-makers?

A. To communicate technical threats to non-technical decision-makers, I begin the same way I would with anyone: by first working to understand their current perceptions. Security is a key part of every enterprise and organization, and while how we view security may be different, our desired end goal is the same: operational and business success.

What do you think of my answers?

Do you agree, disagree, or have an entirely different viewpoint?

Let me know on Twitter!