A Career in Defensive Security (Blue Team)

Author Swetha Kannan

What is the Blue team or Defensive Security?

A Blue Team carries out analysis of information systems or the IT infrastructure. The aim is to guarantee maximum security, recognize vulnerabilities, and confirm the efficacy of all the security measures applied. Blue Team security ensures that each of the defense measures implemented prove helpful.

Organizations that implement a Blue Team strategy can actively test their present cyber defenses and competencies in a low-risk setting. Blue Teams are defensive security experts whose duty is to maintain the internal network defense of an organization against all forms of cyberattacks. Blue Team exercises typically include preparation, identification, containment, eradication, recovery, and lessons learned. Steps to becoming a blue team professional

Blue teams consist of several career paths in different teams such as SOC analysis, Incident response, threat intelligence, malware analysis, BCP DR and so on. Here we cover the steps to entry level SOC analyst. Once you are in the field you may experiment and follow your interest to choose the field of expertise.

Step 1: Strengthen computer networking basics

Begin by reading about the subject. Use articles, textbooks and guides, and find videos on the subject — not just on SOC teams but on general cybersecurity practices, roles and researches.

As a beginner you must be familiar with basics of one or more of the following:

• Familiarity with the concepts of software applications, Security Information & Event Management (SIEM), Intrusion Detection and Prevention System (IDS & IPS) etc.

• Knowledge of the security approach across technologies, people, and tools.

• Technical hardening skills of all systems for decreasing the attack surface that perpetrators can exploit.

• Knowledge of attack and threat vectors or Analysis competence for correctly detecting critical threats and prioritizing responses appropriately.

• Ability to analyze logs to find potential intrusion and create playbooks (scripting knowledge) to automate defensive techniques

Job experience in roles such as sysadmin or network tech will help you build a good foundation for blue team roles. In a technical role, you’ll gain a thorough practical understanding of how networks, applications, and systems work. Once you know how they work and interact with each other, it’s easier to defend and secure them. Those initial years will also allow you to assume security roles to build your security resume. It may not be a security role right away. Instead, it might be network configuration compliance, log analysis, scripting and automation, etc. Use your current job to get the security experience and use it to build your resume

Step 2: Learn the Tools and gain hands-on experience

There are several online materials/training videos that talk about day-today operations in Security Operations Centre (SOC). Read and understand these material to see if your interests align with the roles offered in blue teams. Splunk provides free training materials for beginners to get hands on experience on SIEM. You can access the material here

In addition to MOOCs, you can get hands-on training on blue team skills on various platforms such as:

• Security Blue Team

• Blue Team Labs

• Open SOC Network Defense Range

• Try Hack Me

Use these resources and platforms to learn the necessary skill sets required for the blue team role you aspire for.

Step 3: Get Certified

Roadmap to Blue Team Security Certifications

You should apply for network defense certification when you are working as an IT or Network Admin or have knowledge of Linux along with basic computer and internet usage. Network+, CCNA, Security+ will help you establish your competence in computer networking basics. Once you are in the industry you may choose to do one of the following certifications based on your interest and career.

Splunk fundamentals 1 & 2

Splunk provides materials training and certifications for beginners as well as advanced levels. The details can be found in their official website. SIEM platforms in general are the hotness at the moment so studying and training yourself on those products is a good move for your career. There also isn't another product currently that can compete with Splunk's capabilities or customization at the level Splunk is at.

Network Security Fundamentals

Network Security Fundamentals (NSF) is ideal for building a solid grasp of the basics of network security. But, at the same time, it doesn’t miss any of the vital elements of network security. NSF covers the key issues plaguing the network security world. The course module covers subjects like the fundamentals of networks, various components of the OSI and TCP/IP model, and concepts of identification, authentication, and authorization.

Certified Network Defender (CND v2)

Certified Network Defender by EC-Council focuses on a Protect, Detect, Respond, and Predict approach which enables a blue team security officer to stay ahead of hackers by anticipating their moves. CNDv2 maps to maps to NICE 2.0 framework and offers hands-on approach to learning. The certification program is accredited by U.S. Department of Defense (DoD), American National Standards Institute (ANSI) and NICF. These credentials make Certified Network Defender an ideal network defense program for aspiring blue team security officers.

The learning path for a network defender doesn’t stop at CNDv2. You can grow further with niche industry specializations programs offered by EC-Council.

Step 4: Getting your foot on the ladder of SOC roles

Once you are comfortable with the basics and have a little experience in the practice labs you may start applying for jobs. Leverage your professional network, get help from mentors/cyber security communities to get the chance to interview. There are several cyber security nonprofits that extend support to beginners and minorities. Join these communities to be benefitted and pay-it forward in the future. You may initially apply for internships/apprenticeships and learn on the job before you secure a full-time role.

Job Roles and Future Career Prospects

Recent reports have predicted that the ongoing pandemic has led to a boom in remote workforces, which has increased cloud breaches. Given that 45% of breaches in 2020 included hacking, there will be an increase in demand for Blue Teams and ethical hackers. With a Blue Team training and certification in hand, you would qualify for the following job roles:

• Entry-level Network Security Administrators

• Data Security Analyst

• Junior Network Security Engineer/Defense Technician

• Security Analyst/Operator

As you grow further in your role as a Blue Team security specialist, you can pursue other certifications such as Certified Network Defender (CND v2), Certified SOC Analyst (CSA), Business Continuity and Disaster Recovery (EDRP), Computer Hacking Forensic Investigation (CHFI), Certified Threat Intelligence Analyst (CTIA), to hone your skills further. These certifications provide the following career opportunities:

• Application Security Engineers/Analysts/Testers

• SOC Analyst (Tier 1/Tier 2/Tier 3)

• Threat Intelligence Analyst

• Security Threat Analyst

• Cyber Threat Intelligence

• Analyst Threat Response/Cybersecurity/Investigator/Finance Intelligence Analyst

Note: This article was compiled by Swetha Kannan with significant research from various Security Training forums/websites.

About the Author: Swetha Kannan has over 6 years of experience in cyber security consulting working across several industrial sectors. She currently volunteers with Cybertrust America, a non-profit organization, as a Tech Lead and Director. Swetha is also actively involved in mentoring beginners and spreading awareness around cyber security.