WEBVTT

00:00:00.000 --> 00:00:06.023 align:middle line:90%


00:00:06.023 --> 00:00:07.940 align:middle line:84%
In this video we're going
to be talking about,

00:00:07.940 --> 00:00:10.430 align:middle line:90%
what is a Blue Team?

00:00:10.430 --> 00:00:13.820 align:middle line:84%
Now in the previous video,
we talked about Red Teams.

00:00:13.820 --> 00:00:17.150 align:middle line:84%
Well, the counter to a Red
Team is called the Blue Team.

00:00:17.150 --> 00:00:20.570 align:middle line:90%


00:00:20.570 --> 00:00:23.960 align:middle line:84%
Now typically, Red
Team and Blue Teams

00:00:23.960 --> 00:00:26.420 align:middle line:84%
will work in opposition
to each other.

00:00:26.420 --> 00:00:29.120 align:middle line:84%
While the Red Team's job
is to attack a network,

00:00:29.120 --> 00:00:31.600 align:middle line:84%
a Blue Team's job is
to help protect it.

00:00:31.600 --> 00:00:35.810 align:middle line:90%


00:00:35.810 --> 00:00:40.520 align:middle line:84%
So some things a Blue
Team's job entails

00:00:40.520 --> 00:00:42.920 align:middle line:84%
are, they are a
security team tasked

00:00:42.920 --> 00:00:45.420 align:middle line:90%
with protecting the network.

00:00:45.420 --> 00:00:48.650 align:middle line:84%
They will have an understanding
of the business and policy.

00:00:48.650 --> 00:00:52.130 align:middle line:84%
A Blue Team is going to be
a group that works within

00:00:52.130 --> 00:00:56.620 align:middle line:84%
the organisation, so they're
going to need to be familiar

00:00:56.620 --> 00:00:58.750 align:middle line:90%
with everything on that network.

00:00:58.750 --> 00:01:01.990 align:middle line:84%
Not only just what
services are running,

00:01:01.990 --> 00:01:04.030 align:middle line:84%
what servers are there,
what operating system

00:01:04.030 --> 00:01:08.845 align:middle line:84%
they're running, the
type of security updates,

00:01:08.845 --> 00:01:14.080 align:middle line:84%
when to run the updates,
the OS versions and whatnot.

00:01:14.080 --> 00:01:15.940 align:middle line:90%
They need to understand policy.

00:01:15.940 --> 00:01:18.910 align:middle line:84%
They need to understand
the physical layout

00:01:18.910 --> 00:01:22.210 align:middle line:84%
of the building, they need to
understand where the security

00:01:22.210 --> 00:01:24.520 align:middle line:84%
cameras are, how many
security cameras there are,

00:01:24.520 --> 00:01:27.790 align:middle line:90%
who's monitoring them, whatnot.

00:01:27.790 --> 00:01:32.710 align:middle line:84%
They also are tasked
with protecting

00:01:32.710 --> 00:01:34.450 align:middle line:90%
critical assets of the company.

00:01:34.450 --> 00:01:37.570 align:middle line:84%
So protecting critical
assets not only

00:01:37.570 --> 00:01:41.510 align:middle line:84%
means protecting the servers,
protecting the users.

00:01:41.510 --> 00:01:45.430 align:middle line:84%
It also means protecting
the information within that.

00:01:45.430 --> 00:01:46.760 align:middle line:90%
Protecting the building itself.

00:01:46.760 --> 00:01:49.840 align:middle line:84%
It could be - again, it
doesn't necessarily mean

00:01:49.840 --> 00:01:51.800 align:middle line:90%
just files on a file server.

00:01:51.800 --> 00:01:56.170 align:middle line:84%
It could also be critical
paperwork, critical paper

00:01:56.170 --> 00:01:57.640 align:middle line:90%
files.

00:01:57.640 --> 00:02:00.925 align:middle line:84%
So anything related
to that is going to be

00:02:00.925 --> 00:02:04.150 align:middle line:84%
- typically fall
under a Blue Team.

00:02:04.150 --> 00:02:06.310 align:middle line:90%
They also gather data.

00:02:06.310 --> 00:02:10.120 align:middle line:84%
They gather data for things
like network attacks,

00:02:10.120 --> 00:02:12.880 align:middle line:84%
vulnerabilities,
things that they

00:02:12.880 --> 00:02:15.770 align:middle line:84%
find that need
improvement, and whatnot.

00:02:15.770 --> 00:02:17.770 align:middle line:84%
And then they're going
to take that information,

00:02:17.770 --> 00:02:18.978 align:middle line:90%
they're going to document it.

00:02:18.978 --> 00:02:20.410 align:middle line:90%
They're going to document well.

00:02:20.410 --> 00:02:22.660 align:middle line:84%
We could do this
and this better.

00:02:22.660 --> 00:02:25.420 align:middle line:84%
This is a vulnerability
that we need to address.

00:02:25.420 --> 00:02:30.325 align:middle line:84%
This door lock on this
building is faulty,

00:02:30.325 --> 00:02:31.660 align:middle line:90%
it doesn't always lock.

00:02:31.660 --> 00:02:34.240 align:middle line:90%
That needs to be addressed.

00:02:34.240 --> 00:02:37.840 align:middle line:84%
A network attacker tried
to attack the network

00:02:37.840 --> 00:02:38.860 align:middle line:90%
on this time and date.

00:02:38.860 --> 00:02:40.870 align:middle line:84%
This is the information
that we found on it,

00:02:40.870 --> 00:02:45.500 align:middle line:84%
these are the measures that we
took to prevent and mitigate

00:02:45.500 --> 00:02:47.790 align:middle line:90%
it, and also investigate.

00:02:47.790 --> 00:02:52.930 align:middle line:84%
So documentation is going to be
very important for Blue Teams.

00:02:52.930 --> 00:02:57.160 align:middle line:84%
And also, they are going to be
making recommendations again.

00:02:57.160 --> 00:03:00.070 align:middle line:84%
Things like, well, we
should update our servers

00:03:00.070 --> 00:03:00.940 align:middle line:90%
on this date.

00:03:00.940 --> 00:03:06.510 align:middle line:84%
We should get this other
intrusion detection system

00:03:06.510 --> 00:03:11.030 align:middle line:84%
and replace this
other one we have.

00:03:11.030 --> 00:03:13.740 align:middle line:90%
And so on.

00:03:13.740 --> 00:03:20.680 align:middle line:84%
So a Blue Team is more than
just basic network security.

00:03:20.680 --> 00:03:26.260 align:middle line:84%
Again, you're protecting
potentially more than just

00:03:26.260 --> 00:03:28.240 align:middle line:90%
your network infrastructure.

00:03:28.240 --> 00:03:30.700 align:middle line:84%
You're protecting the building,
you're protecting users,

00:03:30.700 --> 00:03:33.520 align:middle line:84%
or protecting the
physical assets

00:03:33.520 --> 00:03:36.470 align:middle line:90%
that affect the network also.

00:03:36.470 --> 00:03:41.340 align:middle line:84%
And again, gathering
data, documentation,

00:03:41.340 --> 00:03:42.450 align:middle line:90%
is going to be huge.

00:03:42.450 --> 00:03:43.800 align:middle line:90%
And recommendations.

00:03:43.800 --> 00:03:45.990 align:middle line:84%
So they need to know the
company inside and out,

00:03:45.990 --> 00:03:48.650 align:middle line:90%
both operations and policy.

00:03:48.650 --> 00:03:51.360 align:middle line:90%


00:03:51.360 --> 00:03:55.700 align:middle line:84%
So this is essentially why the
two teams work in opposition

00:03:55.700 --> 00:03:56.540 align:middle line:90%
to each other.

00:03:56.540 --> 00:03:58.310 align:middle line:84%
Again, Red Team's
trying to break in,

00:03:58.310 --> 00:04:01.960 align:middle line:84%
Blue Team is trying
to protect them.

00:04:01.960 --> 00:04:08.080 align:middle line:84%
So the Blue Team is really based
on your organisation structure

00:04:08.080 --> 00:04:09.760 align:middle line:90%
and size.

00:04:09.760 --> 00:04:14.830 align:middle line:84%
So should your Blue Team
be in-house or outsourced?

00:04:14.830 --> 00:04:17.649 align:middle line:84%
Again, it's going to be
just like the Red Team.

00:04:17.649 --> 00:04:21.579 align:middle line:84%
A Blue Team could be housed
in-house or outsourced.

00:04:21.579 --> 00:04:24.220 align:middle line:84%
But again, it's going to depend
on how large your organisation

00:04:24.220 --> 00:04:24.720 align:middle line:90%
is.

00:04:24.720 --> 00:04:28.930 align:middle line:84%
If you have an organisation of
say, 10 people on your IT team,

00:04:28.930 --> 00:04:32.200 align:middle line:84%
probably not going to make a lot
of sense to have a Blue Team,

00:04:32.200 --> 00:04:38.050 align:middle line:84%
because you probably won't have
the actual staff to protect it.

00:04:38.050 --> 00:04:40.630 align:middle line:84%
Blue Teams can be an
incredible asset, especially

00:04:40.630 --> 00:04:42.100 align:middle line:90%
for larger networks.

00:04:42.100 --> 00:04:45.490 align:middle line:84%
A Blue Team is an asset that
can protect your network.

00:04:45.490 --> 00:04:47.170 align:middle line:84%
Because again, they
know your policies,

00:04:47.170 --> 00:04:52.870 align:middle line:84%
they know your objectives, they
know your network, and whatnot.

00:04:52.870 --> 00:04:56.870 align:middle line:84%
And even though Red
Teams are designed

00:04:56.870 --> 00:04:59.180 align:middle line:84%
to break into your
network and Blue Teams

00:04:59.180 --> 00:05:02.070 align:middle line:84%
are designed to protect it -
they have different objectives,

00:05:02.070 --> 00:05:05.120 align:middle line:84%
but they both are designed to
protect your overall network

00:05:05.120 --> 00:05:08.525 align:middle line:84%
by looking at it from
two different areas.

00:05:08.525 --> 00:05:13.700 align:middle line:90%


00:05:13.700 --> 00:05:16.420 align:middle line:84%
So Blue Teams, again, should
have a solid understanding

00:05:16.420 --> 00:05:17.650 align:middle line:90%
of the company's policies.

00:05:17.650 --> 00:05:20.080 align:middle line:84%
They should understand
the company's goals,

00:05:20.080 --> 00:05:23.290 align:middle line:84%
have a solid understanding
of the network topology,

00:05:23.290 --> 00:05:26.950 align:middle line:84%
be good at documentation and
communication with management.

00:05:26.950 --> 00:05:30.460 align:middle line:84%
Because after all, a
Blue Team is most likely

00:05:30.460 --> 00:05:33.100 align:middle line:84%
going to be talking with
some sort of manager

00:05:33.100 --> 00:05:35.380 align:middle line:90%
about what's going on.

00:05:35.380 --> 00:05:40.450 align:middle line:84%
Issues, things that were
mitigated, and whatnot.

00:05:40.450 --> 00:05:42.700 align:middle line:84%
They should understand
networking and security

00:05:42.700 --> 00:05:47.110 align:middle line:84%
practices, and also they
should be working with the Red

00:05:47.110 --> 00:05:50.860 align:middle line:90%
Team in some capacity.

00:05:50.860 --> 00:05:52.240 align:middle line:84%
Because after all,
they are going

00:05:52.240 --> 00:05:54.280 align:middle line:84%
after the same overall
goal of protecting

00:05:54.280 --> 00:05:58.240 align:middle line:84%
the network, and the
users, and the company's

00:05:58.240 --> 00:05:59.860 align:middle line:90%
goals, and whatnot.

00:05:59.860 --> 00:06:02.640 align:middle line:90%


00:06:02.640 --> 00:06:05.600 align:middle line:84%
So this was about Blue
Teams, and in the next video,

00:06:05.600 --> 00:06:07.350 align:middle line:84%
we're going to be
talking about whether it

00:06:07.350 --> 00:06:09.720 align:middle line:90%
should be in-house or contract.

00:06:09.720 --> 00:06:10.720 align:middle line:90%
Thank you for watching.

00:06:10.720 --> 00:06:12.740 align:middle line:90%
I'll see you in the next video.

00:06:12.740 --> 00:06:14.000 align:middle line:90%