As I’ve spoken with my peers in the #infosec community I’ve heard several individuals say something along the lines of “the red team only needs to find one way in, but we have to stop everything!” I understand the feeling. As soon as they “get in” we (blue team) have failed. That is not the case. Think about it this way: if the intruder has not achieved their objective, have they succeeded?
We Are Not Invincible
The problem is that we all like to think that we are invincible, that nothing can get past our defenses. If that were true there would be no point in network monitoring! Between you and me, we both know that if someone wants to get into your network they can. As a blue team, our job is to set as many traps as possible and to catch the intruder before they can execute their final objective.
What’s the Goal?
For the purposes of this discussion, I’m calling the final objective data exfiltration. Of course, an adversary after certain intellectual property, proprietary information, or contractual data may have an objective that does not require exfiltration at all. For this discussion, though, let’s go with exfiltration as the final objective. The goal of the blue team is to stop the data from leaving.
MITRE ATT&CK Matrix
As the blue team, we want to detect the adversary as early as possible on the path from initial contact through data exfiltration. There are many different models that walk you down this path. I will be addressing the MITRE Adversarial Tactics, Techniques, and Common Knowledge matrix, also known as the ATT&CK matrix (often spelled ATTACK), which can be found at https://attack.mitre.org/wiki/Main_Page.
The ATT&CK matrix lays out 11 different stages (tactics) that an adversary is going to go through to “win”. Those stages are as follows:
The earlier an adversary is detected in these stages, the lower the risk. Conversely, the fight is not lost until the data is exfiltrated. As a blue team, we have to engineer our castle (network) to be filled with obstacles, hazards, barricades, troops, and observation points from which to direct the battle. Just because there is a battle does not mean that you have lost.
Battle Plan
So now what? It is time to engineer your castle, dig your moat, establish observation points, determine courses of action, and prepare your soldiers for battle. I feel that the military theme is very appropriate here, but for those less familiar with military terminology, let me break it down a little further.
Your castle is your cyber key terrain (CKT), the most important thing you are trying to protect. It could be patient records, R&D projects, unreleased software, customer credit cards, etc. Deciding what it is falls to the business side of the house. Your moat is another layer of security standing between the rest of your network and your CKT. It could be anything from a separate subnet or VLAN to an air-gapped network with no connection to the outside. The field surrounding your castle is the rest of your network. The observation points are your sensors on the network and the logs you gather from hosts. Now is the time to decide how you will act when a given circumstance arises; this is your playbook. However good or bad your castle, moat, playbook, or battlefield may be, the place where you will get the most bang for your buck is with your soldiers: the analysts.
The Analyst
These are the ones who, like soldiers, train day in and day out to be ready to defeat the enemy when called upon. They train to be able to recognize the enemy on their network. They are the ones who give their all… okay, maybe not their lives. But they do give early mornings, late nights, weekends, and holidays to ensure the safety and security of the business assets. These Guardians, Sentinels, and Defenders are the ones who protect the kingdom.
Now, let’s take another look at our scenario. Let’s say the enemy has sent a phishing email with a link that got clicked and downloaded malware onto a workstation on the network. That’s it, the game’s over! Just pack up and go home now! They got in! Run for your lives! These sayings are all ridiculous, aren’t they? Just because the enemy is present doesn’t mean you have lost. Remember, until they complete their objective, we are still in the race. But let’s be clear, the race is well underway. They have achieved initial access, but there is still much for them to do to get all the way to data exfiltration.
Let’s talk about how we could have caught them already. The phishing link arrived in an email. Why does your mail client render clickable links at all? Is it configured to display HTML or plain text? With plain text there is no clickable link; someone would have to copy and paste the URL into a browser, which is one more step at which the user can think twice. Next, does your email server only allow certain types of attachments, verified BEFORE being passed to the end user? Since our scenario is a clicked link this would not have mattered, but it is still something to think about. Finally, did your email server check the header data (sending IP, envelope sender, the Received chain) against known malicious IP addresses or senders? If so it could have generated a log and dropped the email instead of delivering it to the end user.
For the sake of argument, let’s say our antivirus noticed some weird behavior from the downloaded executable. Since it wasn’t a known bad file, it generated a log and let it go. Now we have another source of data: the antivirus log. We already know what they are going to do next, right? Remember the ATT&CK matrix? Next, they will try to escalate privileges so they can establish persistence. Yes, there are some fancy and cool ways to do this, but most malware will just set registry keys (in Windows) and/or create a backdoor that can be accessed from elsewhere.
This particular malware sets registry keys and installs a new service as a backdoor so it can persist through a reboot. Here we have caught them again! We had ElastAlert scanning the Windows host logs (a new service install is recorded in the System log as event ID 7045) looking for any service name that has not been seen in the last 60 days. Boom! The backdoor service is caught! Of course, you had Sysmon from Sysinternals monitoring registry changes (its event IDs 12 through 14), so when we got the ElastAlert notification we pivoted to the Sysmon logs and found the registry keys that were added.
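The detection just described, written out as an added example (this is not code from the original post and not an ElastAlert rule file): a 60-day "new service name" baseline over Windows event 7045 records, and the pivot from a hit to Sysmon event 13 registry writes on the same host. The log lines, host names, file paths, and the flattened field names are all constructed for the example; a real ElastAlert new_term rule would get the same effect by querying Elasticsearch for the baseline instead of replaying history in memory.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs) in the JSON-lines shape a shipper such as
# Winlogbeat produces. Event ID 7045 is the Windows System log "A service was installed
# in the system" record; Sysmon Event ID 13 is "Registry value set". The flattened field
# names are an assumption made for this example, not a fixed schema.
SAMPLE_EVENTS = r"""
{"@timestamp": "2017-11-01T09:00:00Z", "host": "ws-101", "event_id": 7045, "service_name": "OldTool", "image_path": "C:\\Tools\\oldtool.exe"}
{"@timestamp": "2018-01-20T09:00:00Z", "host": "ws-101", "event_id": 7045, "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
{"@timestamp": "2018-03-05T10:15:00Z", "host": "ws-102", "event_id": 7045, "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
{"@timestamp": "2018-03-10T14:02:08Z", "host": "ws-101", "event_id": 13, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe", "target_object": "HKLM\\System\\CurrentControlSet\\Services\\WinDefendUpdate\\ImagePath", "details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"}
{"@timestamp": "2018-03-10T14:02:09Z", "host": "ws-101", "event_id": 13, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe", "target_object": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"}
{"@timestamp": "2018-03-10T14:02:10Z", "host": "ws-101", "event_id": 7045, "service_name": "WinDefendUpdate", "image_path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"}
{"@timestamp": "2018-03-10T14:03:00Z", "host": "ws-102", "event_id": 13, "image": "C:\\Windows\\System32\\svchost.exe", "target_object": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache", "details": "C:\\Users\\asmith\\AppData\\Local\\Microsoft\\Windows\\INetCache"}
{"@timestamp": "2018-03-12T16:30:00Z", "host": "ws-103", "event_id": 7045, "service_name": "OldTool", "image_path": "C:\\Tools\\oldtool.exe"}
"""

LOOKBACK = timedelta(days=60)
# Events before this point only seed the baseline; they never raise an alert themselves.
ALERT_FROM = datetime(2018, 3, 1, tzinfo=timezone.utc)


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ts(ev):
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


def new_service_alerts(events, alert_from=ALERT_FROM, lookback=LOOKBACK):
    """Emulate an ElastAlert new_term-style rule over 7045 events: alert on a service
    name that has not been installed on any host within the preceding `lookback`."""
    last_seen = {}          # lower-cased service name -> time of its last install
    alerts = []
    for ev in sorted(events, key=ts):
        if ev.get("event_id") != 7045:
            continue
        name = ev["service_name"].lower()
        now = ts(ev)
        prev = last_seen.get(name)
        if now >= alert_from and (prev is None or now - prev > lookback):
            alerts.append(ev)
        last_seen[name] = now
    return alerts


def pivot_to_registry(alert, events, window=timedelta(minutes=5)):
    """Pivot from a new-service alert to Sysmon registry writes (Event ID 13) on the same
    host within `window` that touch the service's own key or an autorun (Run) key."""
    t0 = ts(alert)
    name = alert["service_name"].lower()
    hits = []
    for ev in events:
        if ev.get("event_id") != 13 or ev.get("host") != alert["host"]:
            continue
        if abs(ts(ev) - t0) > window:
            continue
        target = ev["target_object"].lower()
        if f"\\services\\{name}\\" in target or "\\currentversion\\run\\" in target:
            hits.append(ev)
    return hits


def demo(text=SAMPLE_EVENTS, alert_from=ALERT_FROM):
    """Run the rule over the sample and pair every alert with its registry pivot."""
    events = parse_events(text)
    return [(a, pivot_to_registry(a, events)) for a in new_service_alerts(events, alert_from)]


if __name__ == "__main__":
    for alert, registry in demo():
        print(f"NEW SERVICE {alert['service_name']} on {alert['host']} -> {alert['image_path']}")
        for reg in registry:
            print(f"    registry: {reg['target_object']} = {reg['details']} (by {reg['image']})")
```

Two things in the sample are worth noticing. Spooler on ws-102 does not alert, because the same name was installed elsewhere 44 days earlier; OldTool on ws-103 does alert even though it is a known name, because its last install is outside the 60-day window. That second case is the price of a time-boxed baseline and is usually what you want: a tool nobody has installed in two months deserves a look. The pivot shows the service's ImagePath and a Run key both being written by the same executable out of a user's Temp directory, which is the detail the analyst needs to call it a backdoor rather than a software update.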
At this point, we know they are here and we are watching them. Right now we have the jump on the enemy because they don’t know that we are watching. What are they going to do? Do we keep watching to see what they are going after, or do we drop them like a bad habit now? That is a question for legal and leadership. Because we know their end goal and where they are now, we can determine what move is next: credential access. They will likely try to steal some local credentials, maybe crack the local Administrator account password. If not, then they are on to discovery.
Discovery is all about enumeration, scanning to see what is around. Scanners hit all of the important protocols and services; just to name a few there are NetBIOS, the open ports, protocols, and services (PPS) on each host, DNS, NTP, LDAP, and SNMP. All of these are present on most networks; however, they can also be used with malicious intent, and each one has certain things that the blue team can look for. Just using DNS, for example, a zone transfer request should only ever come from another authorized DNS server, never from a workstation. The likelihood of the enemy landing exactly on the resource they are after is slim to none, therefore they must move around the network using lateral movement.
Again, as with the previous steps, there are things the local defenders can do to detect lateral movement. In most environments, a workstation should only ever talk to a server, not to another workstation. A local Administrator account should also never be logging in to a box over the network. All of these things are tripwires that clue us in to what the enemy is doing.
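The three tripwires named in the two paragraphs above (a zone transfer from anything but a DNS server, workstation-to-workstation traffic, and the local Administrator logging on over the network), as one added example that is not part of the original post. The subnet-to-role mapping, the list of authorised DNS servers, and the sample records (shaped like Zeek dns.log and conn.log rows and a Windows Security 4624 logon event, reduced to the fields the checks use) are all constructed assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed network layout assumed for this example: which subnets hold servers and
# workstations, and which hosts are the only ones allowed to request zone transfers.
SUBNET_ROLES = [
    (ip_network("10.0.1.0/24"), "server"),
    (ip_network("10.0.20.0/22"), "workstation"),
]
DNS_SERVERS = {"10.0.1.10", "10.0.1.11"}


def role_of(ip):
    addr = ip_address(ip)
    for net, role in SUBNET_ROLES:
        if addr in net:
            return role
    return "unknown"


# Constructed sample records (not real logs). "dns" and "conn" imitate Zeek dns.log and
# conn.log rows; "winlog" imitates a Windows Security 4624 (successful logon) event.
SAMPLE_RECORDS = [
    {"kind": "dns", "src": "10.0.20.15", "query": "corp.example", "qtype": "AXFR"},
    {"kind": "dns", "src": "10.0.1.11", "query": "corp.example", "qtype": "AXFR"},
    {"kind": "dns", "src": "10.0.20.15", "query": "fileserver.corp.example", "qtype": "A"},
    {"kind": "conn", "src": "10.0.20.15", "dst": "10.0.20.22", "dport": 445},
    {"kind": "conn", "src": "10.0.20.15", "dst": "10.0.1.20", "dport": 445},
    {"kind": "conn", "src": "10.0.20.15", "dst": "10.0.1.10", "dport": 53},
    {"kind": "winlog", "event_id": 4624, "host": "WS-122", "logon_type": 3,
     "target_user": "Administrator", "target_domain": "WS-122", "src": "10.0.20.15"},
    {"kind": "winlog", "event_id": 4624, "host": "WS-122", "logon_type": 3,
     "target_user": "jdoe", "target_domain": "CORP", "src": "10.0.1.20"},
    {"kind": "winlog", "event_id": 4624, "host": "WS-122", "logon_type": 2,
     "target_user": "Administrator", "target_domain": "WS-122", "src": "-"},
]


def check_zone_transfer(rec):
    """Discovery tripwire: a zone transfer (AXFR/IXFR) requested by anything other than
    an authorised DNS server."""
    if rec["kind"] == "dns" and rec["qtype"] in ("AXFR", "IXFR") and rec["src"] not in DNS_SERVERS:
        return f"zone transfer for {rec['query']} requested by {role_of(rec['src'])} {rec['src']}"


def check_workstation_to_workstation(rec):
    """Lateral-movement tripwire: a workstation talking directly to another workstation."""
    if rec["kind"] == "conn" and role_of(rec["src"]) == "workstation" and role_of(rec["dst"]) == "workstation":
        return f"workstation {rec['src']} -> workstation {rec['dst']}:{rec['dport']}"


def check_local_admin_network_logon(rec):
    """Lateral-movement tripwire: the built-in local Administrator logging on over the
    network (4624 with logon type 3). A local account carries the computer name rather
    than the AD domain in TargetDomainName, which is how we tell it from a domain admin."""
    if (rec["kind"] == "winlog" and rec["event_id"] == 4624 and rec["logon_type"] == 3
            and rec["target_user"].lower() == "administrator"
            and rec["target_domain"].lower() == rec["host"].lower()):
        return f"local Administrator network logon to {rec['host']} from {rec['src']}"


CHECKS = (check_zone_transfer, check_workstation_to_workstation, check_local_admin_network_logon)


def run_tripwires(records=SAMPLE_RECORDS):
    """Return (check name, message) for every record that trips a wire."""
    hits = []
    for rec in records:
        for check in CHECKS:
            msg = check(rec)
            if msg:
                hits.append((check.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in run_tripwires():
        print(f"[{name}] {msg}")
```

Each check is deliberately a whitelist of what the network is supposed to do rather than a signature of a tool, so a new scanner or a hand-typed net use trips it just the same. The logon-type-2 Administrator record is left alone on purpose: a console logon with the local account is normal desk-side support, and it is the network logon (type 3) that the paragraph above says should never happen. If the built-in account has been renamed, match on the SID ending in -500 instead of the name.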
We know the plan; the enemy will try to collect and exfiltrate the data. So far we have not lost the battle, but it’s getting close! Now we watch for compressed files crossing the network, large outgoing emails, data being passed out via DNS tunnels (an abnormally large number of queries from one host for long, never-repeating subdomains of a single domain), or other abnormal ways of passing data.
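The DNS-tunnel indicator from the paragraph above, as an added example that is not code from the original post: group a DNS query log by (source host, parent domain) and flag groups where a single host sends many queries whose names are long and almost never repeat, which is what data encoded into subdomains looks like. The query log is constructed inline (a few ordinary lookups plus a simulated tunnel pushing 1 KiB out as hex-encoded labels); the thresholds and the two-label "parent domain" rule are assumptions for the example.

```python
from collections import defaultdict

# Constructed DNS query log as (source IP, queried name). The first four rows are
# ordinary lookups; the rest imitate a tunnel that exfiltrates a 1 KiB payload by
# hex-encoding 30-byte chunks into the leftmost label of a name under one parent domain.
def build_sample_queries():
    queries = [
        ("10.0.20.15", "www.example.com"),
        ("10.0.20.15", "mail.corp.example"),
        ("10.0.20.15", "cdn.example.net"),
        ("10.0.20.16", "www.example.com"),
    ]
    payload = bytes(range(256)) * 4          # 1024 bytes of pretend stolen data
    chunk = 30                               # bytes carried per query (60 hex characters)
    for i in range(0, len(payload), chunk):
        label = payload[i:i + chunk].hex()
        queries.append(("10.0.20.15", f"{label}.t.badexample.org"))
    return queries


def base_domain(name):
    """Parent domain a tunnel would be registered under. Simplification: the last two
    labels. Production code should use the public suffix list (e.g. tldextract) so
    that names like host.example.co.uk are not split in the wrong place."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_tunnels(queries, min_queries=20, min_avg_len=40, min_unique_ratio=0.9):
    """Group queries by (source, parent domain) and flag groups with many queries whose
    names are long and almost never repeat. Normal lookups are short and repetitive
    (the same handful of names over and over); tunnelled data is neither."""
    groups = defaultdict(list)
    for src, name in queries:
        groups[(src, base_domain(name))].append(name.lower())

    alerts = []
    for (src, dom), names in groups.items():
        n = len(names)
        if n < min_queries:
            continue
        avg_len = sum(len(x) for x in names) / n
        unique_ratio = len(set(names)) / n
        if avg_len >= min_avg_len and unique_ratio >= min_unique_ratio:
            # Rough upper bound on bytes carried, assuming the leftmost label is the data
            # and is hex encoded (two characters per byte). Base32 or base64 carry more.
            payload_chars = sum(len(x.split(".")[0]) for x in names)
            alerts.append({
                "src": src,
                "domain": dom,
                "queries": n,
                "avg_len": round(avg_len, 1),
                "unique_ratio": round(unique_ratio, 2),
                "est_bytes": payload_chars // 2,
            })
    return alerts


if __name__ == "__main__":
    for a in find_tunnels(build_sample_queries()):
        print(f"possible DNS tunnel: {a['src']} -> {a['domain']}: {a['queries']} queries, "
              f"avg name length {a['avg_len']}, unique ratio {a['unique_ratio']}, "
              f"~{a['est_bytes']} bytes carried")
```

The three thresholds are what keep this from firing on every CDN: a busy workstation will easily send twenty queries to one domain, but those names are short and repeat, so the average-length and unique-ratio gates hold it back. Run this over a window (say, each host's last ten minutes of queries) rather than a whole day, since a slow tunnel can stay under any count threshold if the window is wide enough, and pair it with a volume check on the resolver itself, because tunnelled data still has to leave through the DNS server the page calls the "single DNS source".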
Let’s say that we missed all of that and the data gets exfiltrated. Now we’ve lost, right? Not quite. We have one last-ditch, pie in the sky effort. As part of our security planning, we analyzed what we needed to protect, or what we thought the enemy would be interested in, and we placed a web bug in a couple of dummy files. As soon as those files are opened from outside of our network they will “call home” and tell us where they are. That will at least give us a starting point for an investigation, if nothing else.
Whew! We’ve done it. We walked through an entire scenario where the bad guy gets into our network, enumerates it, moves laterally, finds and compiles data, and then exfiltrates it. The blue team myth that “they (the red team) only have to find one entry point, but we have to defend all of them” is false. Just as they only have to find one entry point into the network, we only have to catch them once. As long as we appropriately construct our security system and monitor it, they can be caught long before achieving their objectives.