G4G0-2/Penetration Testing/Week 3/Lecture 3 - Blue Team.md

Red Team - Seeking Success Blue Team - Destined to Fail Purple Team - Joint efforts yield higher investment return.

NCSC Cyber Assessment Framework (CAF)

Objective A - Managing Security Risk

• Governance, Risk Assessment, Asset Management, Supply Chain Objective B - Protecting Against Cyber Attack
• Policies and processes, identify and access control, data security, system security, resilient networks and systems, staff awareness. Objective C - Detecting Cyber Security Events
• Security monitoring, detecting malicious events Objective D - Minimising the impact of Cyber Security Incidents
• Response and recovery planning, Lessons learned.

Company Perspective

• Understanding:
  • Assets - Information Assets, System Assets, External Dependencies
  • Vulnerabilities - Weaknesses to exploit
  • Threats - Thinks that may exploit vulnerabilities to compromise assets
  • Incidents - Direct / Indirect
  • Risk Tolerance - Cant control everything
  • Budget - Demonstrate cost / benefit analysis

Risk-Based Approach

• Process of identifying, assessing and responding to risk
  • Organisations should understand chance of event, with potential impacts
  • Determine acceptable level of risk for achieving objectives. (Risk Tolerance)
• Prioritise cybersecurity activities
  • Informed decisions about cybersecurity expenditures
  • Quantify and communicate adjustments to programmes.
• May choose to handle risk in different ways: mitigation, transference, avoiding, accepting, depending on impact to service delivery.

Cyber Security V Information Security

Cyber Security

• Deals with security risks through use of IT and impact on company
• Considered vertical function, in remit of the CTO and network team.

Imformation Security

• Deals with security risks that impact information on which company depends, wherever risk comes from.
• Protection of Confidentiality, Integrity, Availability (CIA) of Information.
• Horizontal function, everyones responsibility
  • CISO and ISM lead, senior support

NIST Framework

• Adaptive to provide flexible and risk based implementation. Can be used with broad array of risk management processes.
  • It is not:
    • Checklist of actions
      • Set of activities to achieve outcomes, references to examples to achieve.
    • Global approach to managing risk
      • Will have unique risks - varied assets, threats, vulnerabilities, risk tolerance.
    • Intended to form serial path or lead to static end state
      • Performed concurrently / continuously to form operational culture addressing dynamic risk
    • Maturity model
      • While T-1 is bad, T-4 is not necessarily required.

Framework Functions

• Identify Develop organisational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.
• Protect Develop and implement safeguards to ensure delivery of critical services
• Detect Develop and implement activities to identify occurrence of event.
• Respond Develop and implement activities to take action regarding detected incident
• Recover Develop and implement activities to maintain resilience plans, restore capabilities or services impaired during incident

Example: Detect

NIST Tiers

Tier 1 (partial) - Risk management practices not formalised. Risk managed in ad-hoc / reactive manner. Implement risk management on irregular, case-by-case basis due to varied experience or external information. May not have processes that enable CS information to be shared within organisation. Does not collaborate or receive information (threat intelligence, practices, technologies) from other entities.

Tier 2 (risk informed) Tier 3 (repeatable) Tier 4 (adaptive) - Adapts CS practices based on previous and current experience, including methods learned from predictive indicators. Organisation-wide approach to managing CS risk using risk-informed policies, processes and procedures to address events. Relationship between risk and organisational objectives is understood and considered when making decisions. Organisation uses realtime information to understand and act upon risks associated with products provided.

Blue Team Function

• Understand normal traffic on network
• Use firewalls to block known issues
• Use intrusion detection systems (IDS) and intrusion prevention systems (IPS) to block unknown but predictable issues.
  • IDS - Scans for patterns in traffic (Ex. Snort)
  • Host IDS (HIDS) scans for unexpected traffic on specific computers
    • File Changes, Permission Changes, Installed Software, etc. (Ex. OSSEC)
• Use machine learning to spot unknown problems (DE.AE-5, DE.CM-1)
  • Set of normal data and set of known abnormal. Does data look more like normal or abnormal?

Establishing / Improving Programmes

1. Prioritise and Scope: Identify objectives and high level priorities
2. Orient: Identify related assets, requirements, risk approach. Organisation identifies threats and vulnerabilities.
3. Create Current Profile: Which outcomes desired from Framework Core currently being achieved.
4. Conduct Risk Assessment
5. Create Target Profile: Assessment of Framework Categories describing desired outcomes
6. Determine, Analyse, Prioritise Gaps
7. Implement Action Plan.

Purple Team

“The terms Blue and Red must merge under the umbrella of Purple Team. The teams must stop working as only adversaries, and instead start collaborating and working in unison in the future."

Issues with Automation

• Consider how automation process logs into devices, ex. automatically triage a compromised host. Be careful to inadvertently share more information with attackers, potentially giving them further control of the environment. Ex. Vulnerability Scanner operationg with domain administrator credentials may decide to scan attacker-controlled host, thus potentially allowing credentials to be sniffed or cracked.
  • This reminds me of the Apple Silicon vulnerability with the crypography process.