Welcome to the defensive side of cybersecurity. Instead of breaking things and pretending to be attackers, blue teamers build up defenses to prevent the bad guys from getting in. Typically, red team gets all the glory and attention. In reality, the benefits of blue team for beginners are numerous and should not be discounted off-hand. Choosing to work as a blue teamer comes with serious benefits compared to offensive security, such as:
- Easier to get jobs
- Higher pay
- Better job security
- More diverse technology to work with
All in all, blue team is a bigger market with more varied opportunities. By ignoring the hype and glitz of pentesting, we find better jobs where we get to work with cutting edge tech to keep companies safe from digital threats. If the idea of workign with an immense variety of tech to fight hackers in real time seems exciting, then keep reading!
What kinds of jobs are there?
First off, let’s talk about the major roles that exist on the defensive side of the fence.
- SOC Analyst
- Appsec
- Digital Forensics
- Researcher
Beyond these, there are many roles that kind of “mix” security with some other roles. For example, DevSecOps mixes security with DevOps. The role of “Security Developer” mixes security with software engineering. And so on. If you have some pre-existing tech background, your best bet is to simply specialize in the cybersec aspect of that discipline.
Of course, with infosec becoming a bigger priority every year in company budgets, the field’s specialties keep getting more intricate. For a more in-depth breakdown of the different cybersec roles, check out this exhaustive list: https://cybersn.com/45-cybersecurity-roles/
Learning blue team
A solid defensive security learning plan should rest on three pillars:
- Guides and tutorials (like this one) to create a map of what you need to learn.
- Exercises and practical challenges, which we’ll show you later on in this article
- A solid home lab where e.g. you can create scenarios and test out tech.
A home lab, however, is indispensable for learning security. You can start out by simply running Linux on an old PC, or even in a Virtual Machine, and securing it in every way you can. Set up strong file permissions, a firewall, a monitoring solution, and whatever else you can get your hands on. Send alerts to your phone. Mitigate denial of service attacks. Basically, do what a blue teamer would do, in your home. We have a guide for doing this to get you started: Linux server hardening for beginners.
You can do the same thing on Windows. Microsoft even publishes security advice for hardening Windows, which you can find here: https://www.microsoft.com/en-us/download/details.aspx?id=55319.
If you’re still confused as to how this looks in practice, that’s normal. Below we’ll walk you through a practical example of hardening your own computer using real cybersecurity principles
Hardening your home lab
Let’s install an intrusion detection system (IDS) so we receive automated alerts. Many IDS solutions exist. If you want a more serious project, I suggest trying out Wazuh. It’s fantastic, but we’ll do something simpler here just to show how it works.
First, download Fun IDS on the system you want to monitor:
wget downloads.funids.tech/selfhosted.gzip
Fun IDS is a small, self-hosted solution. We can install it with only a few commands.
tar -xzf selfhosted.gzip
./install.sh
To set up alerts, we go to the web interface located on port 8080. Since I’m running this on my local machine, the URL is localhost:8080.
Login with the default username “ids” and the default password “ids”. Because the dashboard is pretty intuitive, you can start experimenting! You can even create your own plugins as bash scripts. It’s really easy, which is why it’s a great option for new hackers who want to get started with defensive tech.
Key blue team technologies
Most security is defensive. As such, a complete list of defensive tech could fill a library. However, you can get a feel for some introductory blue team tech by introducing you to the following:
- IDS: Intrusion detection system (we just installed one of these in the previous section!)
- SIEM: security monitoring
- ACL: Control who can access a resource
Look into these and try to implement one of them in your home lab. Focus on the kinds of tools related to the subspecialty that most appeals to you. It’s best to start with tools that are the biggest in your chose field and apply them in practical ways. Like setting up a firewall for your home network or server.
Once you attain some level of skill with the tool, you should create an open source example project using it. Because this is something you can put in a portfolio and show to employers. It makes a huge difference in the hiring process.
Certifications
When it comes to certs that show off your cyber defense cred, there are two big players:
Although both of them are good, their price and weight in the industry vary considerably. It’s always changing and depends on what specific employer you want to work for. To understand the general landscape of defense certs, I recommend checking out this video: Cybersecurity Certificate Tier List.
Depending on your specialty, certs may be outright requirements, or simply decorations on your CV. Thus, check out jobs for your field on job platforms like the Hacker News monthly hiring thread, and see what kinds of certs they tend to ask for.
How to learn more
Like any skill, the best way to advance in cybersecurity is with hands-on practice. In red team, you can use CTFs to safely practice offensive hacking skills. These same tools are also helpful for defense, since you learn how attackers do what they do. Still, it’s better to also have something explicitly focused on defense, and luckily, a few such resources do exist. And they’re pretty good! Consequently, you should check out the links below for hands-on CTF-like defensive infosec games:
By the way, these links don’t just host games, they also have training paths for newbies to become defense masters. So log in and start to level up!
Leave a Reply