In the world of cyber, there are many different teams and roles to play. The Blue Team generally doesn’t get the spotlight but is vital to the defense of an organization. In the book “Cybersecurity Blue Team Toolkit”, Nadean H. Tanner explains what the basic tools of the trade are. Coming from a system and network administration background, a lot of these tools were familiar to me. A lot of people ask about how to transition into security. My way in? Translate the skills I attained while troubleshooting and fixing computers and networks into securing them. If you want to protect enterprises and already have familiarity with these tools, that can be your path, too. Nadean masterfully turns that concept into an easy-to-read guide for aspiring blue teamers.
Like most technical books, this tome is organized into chapters covering various topics in a natural progression of difficulty. Personally, I skipped around going to the topics that most interested me. This book doesn’t require reading from beginning to end, as all of the chapters contain valuable nuggets of information. So in a slight change from the norm, this review is composed to match the way in which I read it.
Details of Cybersecurity Blue Team Toolkit
Nadean starts by writing about the importance of tools to every profession, and how, in order to get to the complex tools, the basic tools must be understood first. It is hard to figure something out when you don’t have the foundational knowledge. Just to confirm I had the basics down as well, I started with the first 4 chapters. Come to find out, an old dog can learn new tricks!
In chapters 1 and 2, Nadean covers Fundamental Networking and Security Tools and Troubleshooting Microsoft Windows. These are the first tools I learned during troubleshooting efforts. They help you gather valuable information about the systems and networks under your watch. Even the most seasoned veterans need these tools, and she goes into a good amount of detail on how and why they work. Some of the Windows tools, like the hidden GodMode utility, I hadn’t heard of before, and it’s cool. Chapter 3 covers NMAP and how to use it. NMAP can be used for a lot of different purposes other than just mapping a network, like finding open ports, identifying what OS is running, and more.
Chapter 4 covers Vulnerability Management, which is a vital part of defending networks. A couple of high-quality software packages are covered here that assist not only with managing vulnerabilities but also with ranking their priorities automatically using the CVSS rating. OpenVAS, a vulnerability scanner that is free to use, and Nexpose Community, a light version of Rapid7’s commercial tool, are covered here. Overall, this is a solid chapter explaining what vulnerability management is and how to maintain it.
Let the Skipping Begin
Chapter 12, Patch and Configuration Management, goes hand-in-hand with Chapter 4, so this is where the chapter skipping begins. You must know which versions of software and system configurations you have in your inventory first, then you can figure out which vulnerabilities you need to look out for. Only then can you patch those vulnerabilities. The author covers a couple of tools for this that seem useful, and, since I wasn’t familiar with them, I learned a bit here also.
Chapter 5 is all about Monitoring with OSSEC, something I hadn’t heard of until reading the book. It is covered very well. Nadean explains why it is useful, how to configure it, and how to use it. It is a free host-based intrusion detection system that is not only useful for protection but can also be used in conjunction with hacking tools to see what happens on the host during attacks.
Although this is a “Blue Team” toolkit, I applaud the author’s choice in adding several chapters dedicated to the “Red Team” side as well. In Chapter 10, Nadean covers one of the most useful hacking tools, Metasploit. She covers Web Application Security tools like Burp Suite in Chapter 11, and one of the most useful hacking platforms, Kali Linux, in Chapter 14. Kali Linux is an operating system that you can download and deploy rather quickly. It comes preloaded with a lot of tools like Metasploit, Burp Suite, Maltego, John the Ripper, and many more. The author covers all this in depth, and it’s a very good introduction if you don’t have experience with these tools or an understanding of what they do or how they work. Whether your interests are blue or red team focused, the basics are simple to pick up and useful to have. Having an understanding of attack tools can only make you a better defender.
Chapter 6 is about Protecting Wireless Communications. More devices are going wireless than ever before, so securing wireless technology is becoming more important. Nadean covers a few interesting topics here, like wireless basics such as 802.11 (the standard covering wireless technology), inSSIDer, and Wireless Network Watcher. And, although not specifically just for wireless clients, she also covers ways of protecting your communications with VPNs, the Tor Browser, and the privacy-focused search engine DuckDuckGo. This chapter provides a great explanation of how and why secure communications are an important issue for organizations as well as for individuals.
Understanding how networks function is a vital part of any blue team effort, which takes us to Chapter 7, Wireshark. Nadean covers the basics of the OSI model and the titular tool. One can’t cover all of the features of this widely used network protocol analyzer, but the author shows how to use it and gives a great explanation of its usefulness for hunting attackers as well as for basic troubleshooting.
Access Management is covered in Chapter 8. It is high on the list of important basics for blue team success. Least privilege is covered, along with how vital it is: if people have the wrong permissions, they can do massive damage both intentionally and unintentionally. She also addresses single sign-on (SSO), explaining how it is convenient for the user but can be dangerous. She introduced me to JumpCloud, an identity management solution that’s worth checking out.
Chapter 9 is important for any digital forensics effort. It covers Managing Logs, which contain vital information. They tell investigators what happened and when. They are also important for root-cause analysis for the same reason. Syslog, a very popular tool I’ve seen and used, is also covered.
Chapter 13 is about Securing OSI Layer 8, which is another way of saying the humans. Social Engineering is an attack that has no simple preventive solution. In this chapter, Nadean talks about human nature, why we are susceptible to being conned, and describes some common attacks. The only way to combat this is to educate users, but that presents a lot of problems.
The final chapter is about CISv7 Controls and Best Practices. CIS stands for Center for Internet Security and is a non-profit entity that publishes controls to help protect organizations. Nadean writes about what they do and some of their controls. I have not come across these before, but they seem very interesting. Since the controls are free, everyone can get a copy and implement them, unlike some other frameworks where you must pay for the documents.
The first three chapters cover the basics, and I highly recommend getting started there if you don’t have any experience at all. After that, the chapters can really be covered in any order, if you are just starting out in security. Nadean is a great author who gives anecdotes and stories that complement the material very well. Overall, “Cybersecurity Blue Team Toolkit” can and should be used as a reference throughout a young blue teamer’s career.
Jonathan Metrick, CISSP (aka InfoSecJon) – Security Consultant, still considers himself a newcomer. Jon recently discovered the world of Red v. Blue and loves to learn about both. He comes from a system administration background, and mostly handles security appliance work. Jon is currently in his last class for his M.S. in Information Assurance. He writes on his own website, InfoSecJon.com, about career, certification and productivity advice, Imposter Syndrome, and is currently working on his “Cybersecurity roles” article series. Jon is a proud Navy veteran, father of two and husband to the best wife on the planet. He enjoys hiking, swimming, gardening, trips to the brewery, and relaxing in the backyard when he’s not in front of the computer. @InfoSecJon
Tags: 2019, blue team, book review, career