The Blue Team is part of the information security department: a team of highly qualified analysts who work to protect and improve the state of the organization's security in real time.
The Blue Team must detect, confront and contain the actions of both real intruders and the Red Team. A simulated attack by the Red Team is staged to sharpen the Blue Team's skills, preparing it for the moment a real attack occurs.
Many modern threats, such as malware and phishing emails, are stopped by automated tools: perimeter network defenses, endpoint protection solutions and threat detection platforms. The Blue Team adds the human intelligence that these tools and security solutions lack.
The Blue Team's task is to identify and neutralize the more sophisticated attacks (APT campaigns, zero-day exploits) and to monitor current and emerging threats so the organization can defend itself proactively.
The goals and responsibilities of the Blue Team include:
• Understanding each phase of an incident and responding to it appropriately;
• Detecting suspicious traffic anomalies and indicators of compromise;
• Rapidly containing an incident or any other compromise of the system;
• Preparing the incident report and adjusting the incident response playbooks;
• Detecting the command and control servers (C&C or C2) of the Red Team or real attackers and blocking their communication with the target;
• Analysis and forensic examination of systems, including the use of third-party systems.
Blue Team methods include:
• Reviewing and analyzing event log data;
• Using a security information and event management (SIEM) platform for monitoring and intrusion detection; triaging security alerts and anomalies in real time;
• Collecting new threat intelligence and prioritizing the relevant actions in the context of risk;
• Analyzing traffic and data flows.
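Two of the items above, detecting C2 servers and analyzing connection logs and traffic flows, come together in a classic Blue Team check: beaconing detection. Many implants call home on a fixed timer, so the intervals between one host's connections to the same destination are far more regular than ordinary user traffic. The script below is an added example, not part of the original article; it groups constructed connection log lines by (source, destination) and flags pairs whose inter-arrival times have a low coefficient of variation. The log format, the field layout and the thresholds are assumptions made for this example.

```python
"""Added example: spotting beacon-like C2 traffic in connection logs.

Groups connections by (source IP, destination host), measures how regular
the gaps between them are, and reports pairs that look like a timer-driven
beacon. Log format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (not a real capture). Assumed format per line:
# ISO timestamp, source IP, destination host, bytes sent.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 update.example-cdn.net 512
2024-03-01T10:00:59 10.0.0.5 update.example-cdn.net 498
2024-03-01T10:02:01 10.0.0.5 update.example-cdn.net 520
2024-03-01T10:03:00 10.0.0.5 update.example-cdn.net 505
2024-03-01T10:04:00 10.0.0.5 update.example-cdn.net 511
2024-03-01T10:05:01 10.0.0.5 update.example-cdn.net 499
2024-03-01T10:00:12 10.0.0.7 mail.example.org 2048
2024-03-01T10:00:45 10.0.0.7 docs.example.org 14000
2024-03-01T10:07:30 10.0.0.7 mail.example.org 3100
2024-03-01T10:09:02 10.0.0.7 mail.example.org 900
2024-03-01T10:15:11 10.0.0.7 mail.example.org 7000
2024-03-01T10:31:40 10.0.0.7 mail.example.org 1200
"""


@dataclass
class Finding:
    src: str
    dst: str
    events: int
    mean_interval: float  # average seconds between consecutive connections
    cv: float             # pstdev(intervals) / mean(intervals); low = regular


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return Findings for (src, dst) pairs whose connection cadence is regular.

    min_events: fewer connections than this are not enough to judge periodicity.
    max_cv:     relative spread of the intervals above which traffic is treated
                as human/bursty rather than timer-driven.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append(Finding(src, dst, len(stamps), avg, cv))
    return findings


def indicators(findings):
    """Destination hosts to hand to a blocklist or DNS sinkhole, sorted and deduplicated."""
    return sorted({f.dst for f in findings})


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for f in hits:
        print(f"{f.src} -> {f.dst}: {f.events} connections every "
              f"~{f.mean_interval:.0f}s (cv={f.cv:.3f})")
    print("candidate C2 hosts to block:", indicators(hits))
```

Run on the sample, the script flags 10.0.0.5 talking to update.example-cdn.net roughly once a minute and ignores 10.0.0.7, whose mail traffic is bursty. Two caveats a practitioner should keep in mind: legitimate software (update checkers, NTP, monitoring agents) also beacons, so every finding needs triage against an allowlist before anything is blocked, and implants that add random jitter to their sleep timer will push the coefficient of variation above a tight threshold, which is why real deployments evaluate longer windows and combine timing with other features such as payload size and destination reputation.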