Do you ever play computer games like Halo or Gears of War? If so, you’ve probably noticed a game mode called Capture the Flag that pits two teams against each other, one of which is tasked with protecting the flag from opponents who try to steal it.
This type of exercise is also used by organizations to evaluate their ability to detect, respond to and mitigate a cyber attack. Indeed, these simulations are key to identifying weaknesses in organizations’ systems, people and processes before attackers take advantage of them. By emulating realistic cyber threats, these exercises allow security professionals to refine incident response procedures and strengthen their defenses against ever-evolving security challenges.
In this article, we will examine, in general terms, how the two teams match up and what open source tools the defensive side can use. First of all, a quick refresher on the roles of the two teams:
- The red team plays the role of the attacker and leverages tactics that mirror those of real-world threat actors. By identifying and exploiting vulnerabilities, bypassing an organization’s defenses, and compromising systems, this adversary simulation provides organizations with invaluable insights into chinks in their cyber armor.
- The blue team, meanwhile, takes on the defensive role as it aims to detect and counter opposing incursions. This involves, among other things, implementing various cybersecurity tools, checking network traffic for anomalies or suspicious patterns, reviewing logs generated by different systems and applications, monitoring and collecting data from individual endpoints, and responding rapidly to any sign of unauthorized access or suspicious behavior.
As a side note, there is also a purple team that relies on a collaborative approach and brings together both offensive and defensive activities. By promoting communication and cooperation between offensive and defensive teams, this joint effort enables organizations to identify vulnerabilities, test security controls, and improve their overall security posture through an even more comprehensive and unified approach.
Now, back to the blue team: the defensive side uses a variety of proprietary and open source tools to accomplish its mission. Let’s look at some of the open source ones.
Network analysis tools
Arkime
Designed to efficiently manage and analyze network traffic data, Arkime is a large-scale packet capture (PCAP) and search system. It features an intuitive web interface for browsing, searching and exporting PCAP files, while its API lets you download and use session data directly in PCAP and JSON formats, so the captured data can be handed to specialized traffic analysis tools like Wireshark during the analysis phase.
Arkime is designed to be deployed on multiple systems simultaneously and can scale to handle tens of gigabits per second of traffic. How much PCAP data can be retained depends on the sensor’s available disk space and the size of the Elasticsearch cluster; both can be expanded as needed and are under the administrator’s full control.
Snort
Snort is an open source intrusion prevention system (IPS) that monitors and analyzes network traffic to detect and prevent potential security threats. Widely used for real-time traffic analysis and packet logging, it relies on a set of rules that define malicious activity on the network; packets that match suspicious or malicious behavior generate alerts for administrators.
According to its homepage, Snort has three main use cases:
- packet sniffing
- packet logging (useful for debugging network traffic)
- Network Intrusion Prevention System (IPS)
For detecting intrusions and malicious activity on your network, Snort offers three rule sets:
- Community rules: available to any user free of charge and without registration.
- Registered rules: by registering on the Snort site, the user gains access to a set of rules tuned to identify much more specific threats.
- Subscriber rules: this set not only allows more accurate threat identification and tuning, but also provides threat updates.
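As an added illustration of how a Snort rule expresses a detection (this is not code from the Snort project), the following Python script parses a small subset of the rule syntax (header, msg, sid, content) and evaluates it against packet records; the network variables, the rule and the packets are constructed sample values.

```python
import ipaddress
import re

# Constructed values standing in for the network variables a snort.conf would define.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "any"}
HEADER = ("action", "proto", "src", "sport", "dst", "dport")
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")
OPT_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')  # the "key:value;" options in parentheses

def parse_rule(text):
    """Parse the header plus the msg/sid/content options of one rule (a subset of Snort syntax)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = dict(zip(HEADER, m.groups()[:6]), msg="", sid=0, contents=[])
    for key, val in OPT_RE.findall(m.group(7)):
        val = val.strip().strip('"')
        if key in ("msg", "sid"):
            rule[key] = int(val) if key == "sid" else val
        elif key == "content":           # every content: string must occur in the payload
            rule["contents"].append(val.encode())
    return rule

def addr_match(spec, ip):
    spec = VARS.get(spec, spec)          # resolve $HOME_NET-style variables first
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    lo, sep, hi = ("", ":", "") if spec == "any" else spec.partition(":")  # "80", "1:1024", "1024:"
    return int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo)

def matches(rule, pkt):
    """True when the header fields and every content: string of the rule fit the packet."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])
            and all(c in pkt["payload"] for c in rule["contents"]))

def run(rules, packets):
    # Return (sid, msg) for each rule that fires on each packet, like Snort's alert log.
    return [(r["sid"], r["msg"]) for p in packets for r in rules if matches(r, p)]

# Constructed sample rule and packets (not real Snort community rules or captured traffic).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK /etc/passwd request"; '
        'content:"GET "; content:"/etc/passwd"; sid:1000001; rev:1;)')
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51234, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /etc/passwd HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51235, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},
]
```

Calling `run([parse_rule(RULE)], PACKETS)` fires only on the first packet; the same payload sent to a host outside `$HOME_NET`, or on a port other than 80, does not match because every header field must fit as well as the content strings.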
Incident management tools
TheHive
TheHive is a scalable security incident response platform that provides a collaborative, customizable space for incident management, investigation and response activities. It is tightly integrated with MISP (Malware Information Sharing Platform) and supports the work of the Security Operations Center (SOC), the Computer Security Incident Response Team (CSIRT), the Computer Emergency Response Team (CERT) and any other security professional who faces security incidents that need to be investigated and resolved quickly. As such, it helps organizations manage and respond to security incidents effectively.
There are three features that make it so useful:
- Collaboration: the platform promotes real-time collaboration between SOC analysts and the Computer Emergency Response Team (CERT), and lets ongoing investigations be integrated into cases, tasks and observables. Members can access relevant information, and notifications for new MISP events, alerts, email reports and SIEM integrations further enhance communication.
- Processing: the tool simplifies the creation of cases and associated tasks through an efficient template engine. Metrics and fields can be customized via a dashboard, and the platform supports tagging of files that contain malware or suspicious data.
- Performance: add from one to thousands of observables to each case you create, import them directly from a MISP event or from any alert sent to the platform, and apply customizable classifications and filters.
GRR Rapid Response
GRR Rapid Response is an incident response framework that enables real-time remote forensic analysis. It collects and analyzes forensic data from remote systems to support cybersecurity investigations and incident response activities. GRR supports the collection of various types of forensic data, including file system metadata, memory contents, log information and other artifacts crucial to incident analysis. It is designed to handle large-scale deployments, making it particularly suitable for companies with large and diverse IT infrastructures.
It consists of two parts, a client and a server.
The GRR client is deployed on the systems you want to examine. Once deployed, each client periodically polls the GRR frontend servers to ask whether there is work for it. By “work” we mean a specific action: downloading a file, enumerating a directory, and so on.
The GRR server infrastructure consists of several components (frontend, workers, server UI, Fleetspeak) and provides a web-based GUI and an API endpoint that allows analysts to schedule actions on clients and view and process the collected data.
Operating system analysis
HELK
HELK, or The Hunting ELK, is designed to provide a comprehensive environment for security professionals to conduct proactive threat hunting, analyze security events and respond to incidents. It leverages the power of the ELK stack along with additional tools to create a versatile and extensible security analytics platform.
It combines various cybersecurity tools into a unified platform for threat hunting and security analysis. Its main components are Elasticsearch, Logstash and Kibana (the ELK stack), which are widely used for log and data analysis. HELK extends the ELK stack by integrating additional security tools and data sources to enhance its threat detection and incident response capabilities.
Its purpose is research, but thanks to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.
Volatility
The Volatility Framework is a collection of tools and libraries for extracting digital artifacts from a system’s volatile memory (RAM). It is therefore widely used in digital forensics and incident response to analyze memory dumps from compromised systems and extract valuable information related to ongoing or past security incidents.
Because it is platform independent, it supports memory dumps from a variety of operating systems, including Windows, Linux, and macOS. In fact, Volatility can also analyze memory dumps from virtualized environments, such as those created by VMware or VirtualBox, and thus provide insights into physical and virtual system states.
Volatility has a plugin-based architecture: it comes with a rich set of built-in plugins that cover a wide range of forensic analysis, but also allows users to extend its functionality by adding custom plugins.
Conclusion
So that’s it. It goes without saying that blue/red team exercises are essential for assessing the preparedness of an organization’s defenses and as such are vital to a robust and effective security strategy. The wealth of information gathered during this exercise provides organizations with a holistic view of their security posture and allows them to evaluate the effectiveness of their security protocols.
Additionally, blue teams play a key role in cybersecurity compliance and regulation, which is especially critical in highly regulated industries, such as healthcare and finance. The blue/red team exercises also provide realistic training scenarios for security professionals, and this hands-on experience helps them hone their skills in actual incident response.
Which team will you join?