CYBERWARFARE LABS

Blue Team
Fundamentals
Module : 01 | INTRODUCTION TO CYBER DEFENCE
Introduction to
Cyber Defense
Introduction to Cyber Defense

● Cyber defense is the strategy or a practice of ● Cyber defense is a vital part of cybersecurity, as it
protecting IT infrastructure from an malicious aims to safeguard the confidentiality, integrity,
intrusions. and availability of data and resources

● It encompasses with a variety of practices, ● Generally It involves taking proactive or a reactive

technologies, and processes which are measures to anticipate, prevent, detect, and
designed to safeguard digital assets against respond to cyber threats.
cyber threats.
Introduction to Cyber Defense

Proactive Cyber Defence :

Security Operation Center

Proactive defense Is a process of identifying and preventing
cyber attack before they get successfully exploited. This
Risk Assessment
involves implementing multiple security measures to secure
systems, networks, and data to reduce the likelihood of Security Tools & Technology
successful cyber attacks.
Introduction to Cyber Defense

Reactive Cyber Defence : Digital Forensic Investigation

Reactive defense Is a investigative method which typically Incident Response

used for post compromise analysis scenarios.
Threat Intelligence

These approach will be followed when an enterprise is been

Threat Hunting
compromised and the security team proceed investigating
to determine the root cause of the triggered incident. Malware Analysis
CIA : Confidentiality Integrity & Availability
CIA triad, are considered as a three main objectives of security. They
are used to design, implement, and evaluate the security policies
and practices,

● Confidentiality: A process of protecting digital assets from an

unauthorized users
● Integrity: A process of protecting digital assets from
unauthorized modification or tampering
● Availability: The process of maintain constant available of
information to an authorized users.
Overview of Enterprise Security
Enterprise security is an ongoing and evolving process
that requires a proactive/reactive approach to address
the continually changing threat landscape.
● Access Control
● Network Security
● Endpoint Security
● Data Security
● Physical Security
● Application Security
● Vulnerability Management
Importance of
Cyber Defense
Importance of Cyber Defense
Cyber defense is of paramount importance in today's
interconnected and digitally dependent world on IT infrastructure.

As we aware that the organisation store a vast amounts of

sensitive and confidential data, including customer information,
financial records, and intellectual property etc. it became a
priority to implement both proactive & reactive cyber defense
Importance of Cyber Defense

An improper or an un-effective cyber defense will lead us

with a sensitive data breaches, compromised reputation can
have long-lasting business consequences, impact the
working production of Business Continuity, financial loss and
Compliance with Regulations.
Uber Data Breach

The attacker can successfully compromise an Uber’s IT environment

via gaining access to credentials to Uber’s VPN infrastructure.
1. Credential extracted via dark web
2. MFA spam for VPN Authentication
3. Internal scanning
4. Sensitive file discovery
5. Privilege escalation

Ref: https://www.cyberark.com/resources/blog/unpacking-the-uber-breach
OKTA Data Breach
The attacker can successfully extract an session & cookies from a
compromised third party entity.
By the result of the attack OKTA experienced down fall of shares upto 11.5%.
1. Attacker compromised an okta employee or a third party entity
2. OKTA support case management system
3. HAR File access
4. Extracting sessions & cookies

Ref: https://www.cyberark.com/resources/blog/unpacking-the-uber-breach
Key Component of
Cyber Defense
Red X Blue X Purple
Teaming
Red Teaming
● Red teaming is commonly used in the context of ● Red teaming is a structured and strategic approach
cybersecurity to identify and mitigate vulnerabilities in used to assess and improve an organization's security.
an organization's IT infrastructure and data protection Some important pointers :
measures. ○ Identify Vulnerabilities
○ Attack Simulation
● Red teaming is a strategic process used to evaluate ○ Improve Security Measures
and improve an organization's security, ○ Evaluate Security Controls
decision-making by simulating adversarial attacks
and threats
Blue Teaming
● Blue team is generally responsible for defending an ● Blue teaming plays a critical component of a robust
organization's systems and networks against the cybersecurity strategy.
external/internal cyber attacks. ○ Continuous Monitoring
○ Incident Detection
● Blue teaming is primarily concerned with proactive or ○ Incident Response
reactive security measures, monitoring, incident ○ Security Improvement
detection, response, and maintaining an
organization's security posture
Purple Teaming
● Purple teaming is a cybersecurity exercise or testing ● Generally Purple teaming focus on continuous
methodology that combines elements of both red improvement and learning. Several key concepts of
teaming and blue teaming to improve an purple teaming are:
organization's overall security posture. ○ Continuous Improvement
○ Breach and Attack Simulation
● The key concept of Purple Teaming is to enhance an ○ Scenario-Based Testing
organization's cybersecurity by fostering collaboration ○ Realistic Assessment
between red teams and blue teams. ○ Reporting
Roles & Responsibilities
of Cyber Defenders
Roles & Responsibilities
of Cyber defense
The role hierarchy in cyber defense varies across
organizations, and the specific titles and responsibilities
may differ. However, in a typical cyber security hierarchy,
you may find the following roles, organized in a
hierarchical structure based on increasing levels of
responsibility and expertise:
 Leadership Positions

● Chief Information Security Officer (CISO)

Heads the organization's cybersecurity program,
implementation Security Strategy
responsible for overall strategy, risk management, and
compliance. Risk Management

● Director of Cybersecurity Security Budgeting and Resource

Allocation
Provides strategic direction, manages cybersecurity
initiatives, and collaborates with other business leaders.
 Senior-Level Positions

● Security Manager Manages a team of ● Security Analyst (Tier 3) Provides expertise in

security professionals, oversees day-to-day threat intelligence, leads advanced investigations,
operations, and ensures compliance with and guides incident response efforts.
security policies.
Team Management

● Security Consultant Offers expert advice on

Fine tuning alerts & Incident
cybersecurity strategies, conducts security
assessments, and provides guidance on risk Client Engagement / Collaboration with
management. Cross-Functional Teams
 Mid-Level Positions

● Security Analyst (Tier 2)

Investigation and Analysis
Conducts more advanced analysis, investigates security
incidents, and assists in incident response. Incident Triage

● Security Engineer: Documentation

Designs, implements, and manages security infrastructure
and solutions. Security Infrastructure Design:
 Entry-Level Positions

● Security Analyst (Tier 1) Log Monitoring

An Entry-Level Level 1 (L1) Security Analyst is typically
Alert Investigations
responsible for foundational tasks in a cybersecurity role.
This position is often the starting point for individuals
Security Reporting
entering the field and provides a valuable learning
experience.
Basic Security Analysis
Cyber Security
framework
Cybersecurity Framework : NIST

● NIST stands for National Institute of Standards and

Technology.

● The NIST Cybersecurity Framework (CSF) is a set of

guidelines, best practices, and standards developed
by the National Institute of Standards and Technology
(NIST) to help organizations manage and improve
their cybersecurity posture.
Cybersecurity Framework : NIST
The framework provides a risk-based approach to cybersecurity and is designed to be flexible,
scalable, and applicable across various industries. The NIST CSF consists of five core functions: Identify,
Protect, Detect, Respond, and Recover.
Identify
● Asset Management: Develop and maintain an
The first step of the framework recommendation is to
inventory of information systems and assets.
identify and determine the business model and its
● Business Environment: Understand the organization's
working.
mission, objectives, stakeholders, and risk tolerance.
● Governance: Establish and maintain an effective
Understanding the business context, will helps in prioritize
governance structure to manage and oversee
its efforts, consistent with its risk management strategy
cybersecurity risks.
and business needs.
Protect ● Access Control: Limit and monitor access to systems and
data based on business and security requirements.
The next step is to implement protective security
● Awareness and Training: Provide employees with
measures.
cybersecurity awareness training and education.
● Data Security: Implement measures to protect data,
By implementing such function which increase the ability
including encryption and data loss prevention.
to limit or contain the impact of a potential malicious
● Information Protection Processes and Procedures:
attacks.
Develop and enforce policies and procedures for
information protection.
● Physical Security: Secure physical access to facilities,
systems, and equipment.
Detect
The next step is to implement logging & monitoring
● Anomalies and Events: Implement processes and
technology to detect unauthorized personnel access or
technologies to detect unusual activities and events.
an external intrusion.
● Security Continuous Monitoring: Continuously monitor
systems and networks for security events and incidents.
By implementing such function which increase the ability
● Detection Processes: Develop and maintain processes to
of timely discovery of cybersecurity events which can be
identify and respond to security incidents.
further investigated.
Respond
● Response Planning: Develop and implement an incident

The next step is to implement reactive response response plan.

methodology, this method helps us to contain the ● Communications: Establish and maintain communication

impact of a potential cybersecurity incident plans for cybersecurity incidents.

● Analysis: Conduct thorough analysis of incidents to

By implementing such function which increase the determine their scope and impact.

ability to reduce the impact of a potential ● Mitigation: Implement measures to contain and mitigate

cybersecurity incident the impact of cybersecurity incidents.

● Improvements: Identify lessons learned and make
improvements to incident response capabilities.
Recover
● Recovery Planning: Develop and implement plans for
The final step is to implement plans for cyber system and data recovery.
resilience and ensure business continuity. ● Improvements: Identify lessons learned from incidents to
improve recovery capabilities.
By implementing such function which increase the ● Communications: Communicate with stakeholders and
business continuity in the event of a cyberattack, coordinate recovery efforts.
security breach, or other cybersecurity event ● Documentation: Document the recovery process and
incorporate improvements into future plans.
 Thank You
For Professional Red Team / Blue Team / Purple Team / Cloud Cyber Range labs / Trainings, please contact

[email protected]
To know more about our offerings, please visit: https://cyberwarfare.live