Blue teaming is the bread and butter of the security industry. Offensive security looks cooler and has more pop culture around it, but defensive operations are what really keep us all safe. Defending is a multi-faceted process: hardening your network against attacks, improving your visibility, and detecting the attacks that hit you or slip past your other defenses.
The odds are stacked against defenders. A defender has to successfully protect against thousands of different types of attacks; an attacker only needs the one you missed.

To develop your defensive skills, start as a generalist. Your knowledge must be an inch deep and a mile wide, simply so you can see where you need to go next. That starts with basic certifications and terminology; from there you will learn more complex concepts and grow into a specialty. One big, important thing to understand: knowing how to use a security tool effectively is just as important as understanding the theory behind it. A SIEM is useless if you cannot write a query against it.
In this section I have added every tool and reference for defensive operations that I have used. Try the tools out, practice the labs, and as always, READ THE DOCUMENTATION.
If you want to build up your certifications and progress in your career, check out the Security Certification Roadmap to see what is next for you.
- Awesome Lists Collection: Security Blue Team - A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
- Awesome Lists Collection: Security - A collection of awesome software, libraries, documents, books, resources and cool stuff about security.
- Awesome Lists Collection: Industrial Control Systems Security - A curated list of resources related to Industrial Control System (ICS) security.
- NIST CSF: Cyber Security Framework - The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. This is a great place to start when building a security program from the ground up.
- NIST-to-Tech - An open-source listing of cybersecurity technology mapped to the NIST Cybersecurity Framework (CSF)
- NIST SP 800-37 - Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-53 - Security and Privacy Controls for Information Systems and Organizations
- SANS Blue Team Operations - SANS Blue Team wiki built by the instructors of the SANS defensive courses.
- ISECOM - The Institute for Security and Open Methodologies (ISECOM) is an open, security research community providing original resources, tools, and certifications in the field of security.
- CIS Top 20 Controls - Looking for a place to start when improving your security program? Start here!
- Detection Maturity model - Guide for levels of maturity and development of a security program.
- Pyramid of Pain - David Bianco's model of the relationship between indicator types (hashes, IP addresses, domains, host and network artifacts, tools, TTPs) and how much it costs an adversary when you detect and deny each one; the higher up the pyramid your detections sit, the harder you are to evade.
- Security Metrics by Mandiant
- 10 strategies of a world class SOC
For resources including offensive security courses, books, CTFs and much more, please check out the Training and Resources section of this guide.
- https://tryhackme.com/module/security-operations-and-monitoring
- https://tryhackme.com/path/outline/blueteam
{% content-ref url="../training/" %} training {% endcontent-ref %}
{% content-ref url="terminology-and-mapping.md" %} terminology-and-mapping.md {% endcontent-ref %}
{% content-ref url="query-languages.md" %} query-languages.md {% endcontent-ref %}
{% content-ref url="event-and-log-analysis.md" %} event-and-log-analysis.md {% endcontent-ref %}
{% content-ref url="event-detection/" %} event-detection {% endcontent-ref %}
{% content-ref url="packet-analysis.md" %} packet-analysis.md {% endcontent-ref %}
{% content-ref url="threat-hunting.md" %} threat-hunting.md {% endcontent-ref %}
{% content-ref url="active-defense.md" %} active-defense.md {% endcontent-ref %}
{% content-ref url="device-hardening/" %} device-hardening {% endcontent-ref %}
{% content-ref url="vulnerability-management..md" %} vulnerability-management..md {% endcontent-ref %}
{% content-ref url="blue-toolbox.md" %} blue-toolbox.md {% endcontent-ref %}