A book interviewing many people about the [[Blue team]] in [[Computer security]]. Available at [[O'Reilly]] at [Tribe of Hackers Blue Team](https://learning.oreilly.com/library/view/tribe-of-hackers/9781119643418/).

Many of the participants talk about visibility and asset management as the most fundamental necessities.

> If I were to start at a business like this, I'd start with understanding what all exists and the current state of infrastructure and the environment. You can call this visibility and/or asset inventory, but having a true sense of the current state allows you to formulate where you should start from a security standpoint. Visibility is the number-one foundational element in building a secure network from the ground up. If you don't know what exists and what should be there, you will have a difficult time coming up with what a secure network should look like.

# Amanda Berlin

Quotes from Amanda Berlin.

> The second half of this includes the tool and technology strengths that are needed, including the ability to perform log analysis and correlation, disk and file analysis, memory analysis, and network traffic analysis.

A [[Computer Security Incident Response Team]] program **should cover analysis at each layer and step in the transmission of data**.

> Asset management hands down. It is one of the most difficult verticals to cover. Without proper asset management, an environment cannot be protected to its full potential. There is no way to craft a complete defensive strategy without knowing what is being defended. One of the first things an attacker or red teamer does during an attack or engagement is discovery. In larger networks, it is next to impossible to completely be aware of each and every device that is connected or every piece of software the users may have installed. However, with the correct security controls in place, it becomes much easier.

> A member of the blue team who is **able to speak to groups in engaging ways to educate them without talking down to them** can also be a beneficial step to maximizing the security efforts.

# O'Shea Bowens

> Visibility and response capabilities. It's difficult to fight blind, which is essentially what you're doing if you have no methods of visibility across networks and systems. Ensuring you have the capability to respond to attacks is vital, whether that's memory artifacts collection, the ability to block layer 3 traffic on the fly, or tearing down systems and replacing with backups.