Tips for Blue Team [Cyber Security]

S4VVYSPL01T
2 min readOct 4, 2022

Cybersecurity team conversations these days can feel like a rainbow, with mentions of red, blue and even purple teams. While each team has its unique perspective and tasking, the blue team is trusted with arguably the most critical mission of all: protecting organizations from cybersecurity threats and vulnerabilities.

Photo by Shamin Haky on Unsplash

To do this, the blue team must be aware of the organization’s business/mission needs, relevant threats, digital footprint, and the associated vulnerabilities. From there, the team can bolster the organization’s security posture by implementing security controls and mitigations that address the most pressing threats and vulnerabilities.

What follows are practices blue teams can adopt to carry out that mission:

  • Disable NBT-NS, LLMNR, NTLMv1, and SMBv1, and enable SMB signing. Also enable UNC hardening, at a minimum on SYSVOL and NETLOGON. It’s no joke: any one of the items in that list gives a bad actor easy access to your servers.
  • If you don’t have a PAM (privileged access management) solution, then get AUTH lite.
  • Do everything you can to protect your DA accounts. Disable credential caching on anything you might use them on, then test yourself using Mimikatz.
  • EDR is key. It’s the one thing that alerts us to red team / attacker activity and gives us real-time, actionable data.
  • Long passwords are key, and pass phrases are good. It’s almost guaranteed they can get someone’s password hash, so make it impossible to break. Use a password manager and use at least 20 mixed-character passwords for anything of value.
  • Configure switches to drop traffic between endpoints and only allow traffic between endpoints and servers. This slows attackers down and forces them to go through hardened and protected servers to reach other endpoints, which also compartmentalizes any cleanup.
  • One slip up, one mistake, one unprotected server will give attackers the access they need to drastically expand their access and start pivoting like crazy. Your network is only as strong as its weakest link.
  • Buy Tenable Nessus, run monthly scans, and remediate the findings. Any bad actor will do the same and will exploit anything they find. Or get Greenbone OpenVAS (free) if there are budget constraints.
  • The pen testers / attackers are very aware of the latest vulnerabilities and are ready to use them. Stay up to date on patching and run regular scans to ensure no servers are missed.
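The first tip is a list of settings, and the quickest way to find out where a host stands is to audit them. The following read-only check is an added example, not code from the original post; it assumes a Windows host with the SmbShare module (Windows 8 / Server 2012 or later) and reads the standard Group Policy registry locations for each setting, reporting pass/fail without changing anything.

```powershell
# Added example (not from the original post): read-only audit of the
# legacy-protocol settings in the first tip. Run in an elevated PowerShell
# on the host being checked; it only reports, it changes nothing.
# Registry paths and expected values are the standard Group Policy locations.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) } else { $null }   # $null = not configured
}

function Test-UncHardened([string]$Share) {
    # UNC hardening value looks like "RequireMutualAuthentication=1, RequireIntegrity=1"
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' "\\*\$Share"
    [bool]($v -match 'RequireMutualAuthentication=1' -and $v -match 'RequireIntegrity=1')
}

$smb = Get-SmbServerConfiguration
# NBT-NS is configured per interface: NetbiosOptions = 2 means disabled
$nbt = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
         ForEach-Object { Get-RegValue $_.PSPath 'NetbiosOptions' })

$results = @(
  [pscustomobject]@{ Check = 'LLMNR disabled (EnableMulticast=0)'
    Pass = (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast') -eq 0 }
  [pscustomobject]@{ Check = 'NBT-NS disabled on every interface (NetbiosOptions=2)'
    Pass = ($nbt.Count -gt 0) -and (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0) }
  [pscustomobject]@{ Check = 'LM/NTLMv1 refused (LmCompatibilityLevel=5)'
    Pass = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel') -eq 5 }
  [pscustomobject]@{ Check = 'SMBv1 server disabled';        Pass = -not $smb.EnableSMB1Protocol }
  [pscustomobject]@{ Check = 'SMB signing required (server)'; Pass = [bool]$smb.RequireSecuritySignature }
  [pscustomobject]@{ Check = 'SMB signing required (client)'
    Pass = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature') -eq 1 }
  [pscustomobject]@{ Check = 'UNC hardening on \\*\SYSVOL';   Pass = Test-UncHardened 'SYSVOL' }
  [pscustomobject]@{ Check = 'UNC hardening on \\*\NETLOGON'; Pass = Test-UncHardened 'NETLOGON' }
)

$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduled job or config-management tool flag drift.
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

A failed check means the setting is either absent (left at its default) or explicitly set to the weak value; apply the corresponding Group Policy and re-run rather than editing the registry by hand.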

Blue Team! Blue Team! Blue Team!

S4VVYSPL01T

Cybersecurity enthusiast looking to share my knowledge with the community.