What made you choose a career in defensive cybersecurity?
What led you to choose a career in Blue Team (defensive) cybersecurity, and how did you get your start in this field?
What tools and techniques do you rely on most for threat detection and response in your role?
Can you describe a memorable incident your team handled and what you learned from the experience?
How does your Blue Team role intersect with Red Teams or other cybersecurity functions?
What skills or certifications do you consider essential for someone interested in a Blue Team role?
What advice would you give to someone entering the cybersecurity field, specifically on the Blue Team side?
3 answers
Biplab’s Answer
1. Several of them realized that cybersecurity is a growing field that is largely resistant to market pressures even in the post-Covid world where IT has seen some market pressures. They also find threat hunting to be an interesting game of "cat and mouse".
2. Many of them utilize the MITRE ATT&CK framework as a guide for the kinds of techniques that adversaries will use and employ appropriate countermeasures and pivoting amongst other tools, techniques and procedures.
3. Consulting threat databases and detonating suspected malicious files in a sandbox environment are some examples.
4. A non-confidential one would be responding to the CrowdStrike Falcon blue screen situation by being able to quickly identify and let our clients know machines on their network that may be experiencing the outage so they could take appropriate measures.
5. We work with pen testers and other red team functions to get feedback on detections as well as to identify areas of vulnerability in order to come up with remediation recommendations.
6. Consider Security+, CySA+ and other security certifications - eventually, down the line, you'd want to make CISSP an "endgame" certification goal.
7. Learn Splunk or other MDR tools and gain some basic certifications in addition to, if possible, taking cybersecurity and computer science coursework in college.
Good luck!
Angel’s Answer
Jen’s Answer
- What led me to a career in Blue Team (defensive) cybersecurity was empathy. I know that sounds weird, but stick with me! I majored in Rehabilitation Psychology. I truly enjoy helping and empowering people. I was doing in-home care when a friend suggested working at the local Apple store where they prioritized the ability to empathize with the customer over prior tech knowledge. From there, I went into IT at a company and was able to help out on some cybersecurity incidents. This was critical as I was able to befriend the team and learn skills relevant to the role.
- I'm in cyber threat intelligence, so we rely on threat intelligence platforms that coalesce open source intel where we can filter it down to what's relevant to our intelligence requirements. We use various research techniques such as utilizing multiple sources and ensuring we adhere to disclosure policies set in place by CISA https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage. Some tools we use include:
  - OpenCTI and MISP are good examples of low to no cost TIPs to start playing around with.
  - URLScan.io is another tool we utilize heavily to assess domains that may be malicious without visiting them.
  - Talos IP lookup also gives you great info on an IP address and its reputation.
  - VirusTotal, where you can upload and search for files to assess their reputation.
  - https://github.com/hslatman/awesome-threat-intelligence also has a ton of great tools and repos to use!
- A memorable incident would be probably one where we had to contact customers, but unfortunately I won't be able to share too many details. What made it memorable was that our leadership was incredibly supportive of our work and acknowledged our long hours. We were sent goodie bags after the fact including incident-branded coasters. The calm, thoughtful ways our teams and leaders handled the incident were my biggest takeaway. I hope to emulate that as a future leader.
- CTI works with tons of teams!
  - CTI informs red team engagements with what we're seeing adversaries utilize in the real world. This way, they're testing relevant techniques from campaigns that are likely to target our infrastructure.
  - CTI works with incident response to enrich and help pivot based off of the raw data they acquire during security events.
  - CTI works with the detection teams to create new rules that would detect and prevent emerging threats.
  - CTI works with product and product abuse to implement security features that will prevent bad actors from abusing our product.
- While there is not one standard roadmap for blue team roles, I would definitely recommend building skills on sites like Coursera, Udemy, and Cybrary that are relevant to your interests. I would also recommend documenting all of this in something like a GitHub repo or a Medium blog. This will show hiring staff that you have experience, even if you may not have had the title. I use the following certification guide when making my recommendations: https://pauljerimy.com/security-certification-roadmap/. Any of the CompTIA certifications are reputable and a great place to start. There are also scholarship programs like https://www.udacity.com/scholarships and https://www.sans.edu/tuition-payment-program/.
- My best advice to someone entering into blue team cybersecurity is to go in with an open mind. There is no one right way to do cybersecurity. What sets you apart is your perspective on a problem. For example, writing YARA rules. If you practice writing YARA rules, you may find that some publicly shared rules don't cover everything and you can improve them. Just because someone may say "we cannot detect X," doesn't mean you shouldn't try. Pivot that mindset to prevention or further understanding or breaking down of the problem. Keep an open mind and do not be afraid to ask for help. No one knows everything! You're going to be wonderful!
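The YARA point in the answer above, shown as an added example that is not part of Jen's answer or of any public rule set: a deliberately narrow rule next to an improved version with the same intent. Every rule name, string and indicator below is constructed for illustration and does not describe any real malware family.

```yara
// Added example, not from the original answers. Contrasts a narrow rule with an
// improved one. All strings and names are constructed, not real indicators.

rule narrow_example_rule
{
    meta:
        description = "Constructed example: matches one literal string only"
    strings:
        // A single ASCII literal: any case change, UTF-16 build or version bump misses
        $s1 = "evil_config_v1"
    condition:
        $s1
}

rule improved_example_rule
{
    meta:
        description = "Constructed example: same intent, wider and more precise coverage"
    strings:
        // ASCII and UTF-16 (wide), case-insensitive, so trivial variants still hit
        $cfg = "evil_config" ascii wide nocase
        // Regex tolerates version suffix changes (v1, v2, v10 ...)
        $ver = /evil_config_v[0-9]+/ ascii wide nocase
        // Constructed corroborating indicators a more robust rule would require
        $net1 = "/gate.php" ascii
        $net2 = "User-Agent: ConstructedAgent/1.0" ascii
    condition:
        // Gate on the MZ header and a size bound to cut false positives on text and log files
        uint16(0) == 0x5A4D
        and filesize < 5MB
        and ( $cfg or $ver )
        and 1 of ($net*)
}
```

Run both rules over the same sample set with the yara command-line tool (for example `yara -s rules.yar <directory>`) and compare hits and false positives. The improved rule replaces the single literal with modifiers and a regex, requires a corroborating indicator, and restricts matches to PE files of a bounded size; that is the kind of gap-filling and tightening the answer describes when it says public rules can be improved.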