
All right, good morning everybody. I will assume that you can all hear me, because I'm quite a loud person on the best of days. My name is Peter Jones, also known as the Cyber Badger. Why do I call myself the Cyber Badger? Because I'm not going to tell you who I work for. Yeah, it's quite simple. It's good to be back. I am from the motherland; I don't live here anymore, so it's nice when I get an excuse to come up home. These days I tend to have a nice walk towards the beach, so that's a bit of open source investigation for you to do. So, all right,
I commute to the office one day a week, because that's another 200 miles away, so 300 miles to get here, 200 miles the other way. If you can work out who I work for from this conversation, give me a CV. Auditor by trade, I've been a consultant, I've been an author, I wrote a number of books, I've also been on TV and radio, which probably explains why I'm so bloody loud. I made a career in digital forensics; that's where I started, breaking into mobile phones, and when I say mobile phones, if you're a bit too young for this I apologize, but breaking into that first Apple phone, the first Windows phones, and when I say the first
Windows phones, I mean the ones in 2003, not the ones in 2011. I'm a university lecturer; I have taught at a number of universities on the M62 corridor, but more recently I'm one of the chairs of the Chartered Institute, I cover the South West, another clue where I am based. I'm also the co-founder of the South West Cyber Security Cluster, yeah, you're getting there, and I'm also a mentor for these lovely ladies at the bottom. So what's this job about? We're on a blue team track, aren't we? I've been a CISO, so you've all automatically got people thinking, you know, is that a pretentious prick, or he doesn't know what he's all about,
and we're all super technical, he's probably not. Well, I've just told you about my background, so hopefully that gives you an idea of the track I've taken to get to where I am. I deal with incident response on a regular basis, false positives, cyber defense, GRC, I've got a SOC to deal with on a regular basis, the old supply chain management, and I deal with pen testers. And yes, like Holly said downstairs, I do ask you how you're doing every couple of hours, do you want a brew, because I'm actually quite a nice guy like that. I don't send other people to make brews; working down south, I make a wicked cup of tea, so you know,
if you're a pen tester in my environment, you'd be all right. I'm talking about practical blue teaming, and the reason I wanted to do this talk is because I get people who assume my environment; they assume they know what they're coming to face. Well, my day-to-day, bearing in mind, you know, thinking about incidents and all that stuff: I'm always looking for the latest attacks, the latest threats against the business. I am looking at threat intelligence; I'm not paying somebody else to do it, I'm looking for it. What might be the same for you is not the same for me. I'm also looking for issues to exploit; I am that guy with his head above the parapet
mentality. I want to look for problems. And yeah, CISO meetings, I have bloody loads of them, and I will do my damnedest to get out of them, or I'll go in with: what do I need to know? Well, we've got an agenda. No, no, what do I need to know? Well, we need to sign off this. Luckily I get to attend most of them virtually, so I'll just turn off the camera, turn off my microphone and continue with whatever comes in. And I'll say, I deal with those little security worries. I can't hear a single violin going on right now. What this isn't about, and this is the most important: this is not about me bashing
consultancies for the next 30 minutes, well, 25; it's perspective. It's also not me on a rant about tools you can buy in the market; there's lots of fantastic tools. And also it's not my, oh, I'm going to throw that out, forget about it. There's a lot of perspective. A lot of people try to be general about blue teaming: buy our [ __ ], buy our product, it will solve your problems. Well, actually, there's a lot of stuff I have to deal with all the time, and I've got to sort of work out what my day-to-day is about, otherwise I will be working 24/7. I'll never get to sleep. So what's my noise? My noise is alerts,
listening to business priorities, because I tell you now, my business priorities are not the same as the actual business's, because they want to go off and do their thing, they want to do the thing that earns millions for the business. The noisiest threats are actually ambulance chasers. I hate ambulance chasers; it frustrates the hell out of me, because it's all about perspective. What do I mean by that? Well, actually, I'll tell you what, let's just rewind a bit. Log4j was probably, for me, one of the biggest grenades I got thrown, and it was pretty genuine. I think we all went, what the hell is this Apache vulnerability? And then we all lost our
Christmas. I actually lost my Christmas, and that cost me dearly with the wife; I think it's still cost me daily ever since. And we still find Log4j issues now. Okay, fine, that was a critical, that was something we all had to jump on that ship for and get resolved. But I'm hearing the same war sounds and seeing noises about MOVEit. Well, I don't know about you, I'd never bloody heard of it, never heard of this transfer tool. I was panicking, and we're going on conference calls, and I go on conference calls with all the CISOs in the industry I work with, which is about usual; nonetheless, nobody else had heard of it. Right, we'll
need to check our supply chain. Nah, never heard of it. It's actually a big problem, but not for us. What's my inbox say? Patch, patch, patch, everybody buy, ah [ __ ], come on, context. There's a lot of reality, though, that I've got faced with: not everything I do is going to align to the business objectives. Also, you're all going to be pretty techy in this room, but actually, from a CISO's perspective, I'm sitting down with financial officers, CEOs, managing directors for multiple countries for the same company. My American friends will have a different priority to my UK friends, but there's only one of me who's got to cover all of them. So when they turn around and say, align your
security strategy to your business objectives: good luck with that, I can't do that. So this is where blue team as a principle is really, really important. I just see it on LinkedIn; LinkedIn is the new Twitter, I would probably say. There's a lot of noise, the same old blah blah blah: CISOs need to sit on the board. No, no, don't. I'd actually have no benefit to the company sat on the board, zero benefit. However, I need executive comms, that's what I need. I need to be able to talk to the various companies or parts of the company; that'll actually make my job a lot easier to get the message across.
But we've not even got to the point of the people I work with, the people who sit with me, behind me, their perspective and the budget needs. You know, more and more I'm still hearing the line of, oh, it's really difficult to get security budget. Well, actually, if I speak to CISOs, security budgets tend to be ring-fenced these days, so the message isn't always lining up. And just remember, execs don't know what you're doing; you are witchcraft, you are black arts. I had an interesting conversation with our CFO recently, and he turned around and said, I just thought you were a technical nerd who likes to sit in the corner and do your thing.
I wish I could do more of it. What is going on? So that's the first thing from a blue ops perspective. And I've purposely stolen CrowdStrike's threat intel report. I have no affiliation with CrowdStrike, nor do I really give a toss what they sell; I just want to make a point about reading threat intel reports, it's really, really important. My threat intel report will have something different to their threat intel report, but there's key pieces of information: actually, breakout time, okay, I'm listening; of course, what we're here to do is to defend. And I'm seeing the industries of what's
being affected, and I'm going, oh yeah, all right, okay, we're quite popular. No, no, I see diagrams like this: noise, absolutely noise, and I'm sure it's really interesting for selling their products. And I stole this from one of our keynotes today, and I don't disagree with this, by the way: any security tool, badly managed, will not enhance your cyber security posture. Stop buying the tools and start applying sense to cyber defense. Well, I've got 20 minutes to convince you that's absolutely right, because, you know, let's hold up a second: what you're telling me is there's no silver bullets in the industry? Well, yeah. Hopefully, if you've not got that message by the first 10 minutes of this talk,
I'm failing at what I'm trying to get across, and particularly because I have these sort of people knocking on my door: can I take you for a coffee, can I take you for lunch? Pay the account, because I don't care for myself, I'm still a tight Yorkshireman. But that stuff, I've heard it all before. And I emphasize as well, I am pretty technical, I actually say that, but for those CISOs who aren't, and for those who have got there via, and they'll be plagued by this because he's recording me, other means, everything else, well, I will say it if you want, actually, what I mean I'll say it off camera: they won't have the same technical expertise. There we go.
So what is just enough? Well, this is sort of the tidal wave I still have to battle, regardless. I'm quite confident in what I do as a professional. Policies and procedures being reviewed annually and underutilized, that drives me insane. I actually do it in my own time, to go, okay, what about this? Yeah, but what do I do? I'm not going to SMS, yeah, but what am I looking at? So what I've started doing is, when it comes to audits, I don't go to audits anymore; you go. So when they turn around and go, well, they couldn't find this policy or procedure, no problem, opportunity for improvement. Training: I find ways of utilizing it. One-off annual training, it's a bit of
work; you're just not going to get that message across. It's very similar to what Holly was saying downstairs: one-off pen testing, great, snapshot in time. Treating audits as tick boxes, and actually my favourite story is that, Caps Lockers, it happens to one of my first cohorts: they learn about audits for the first time and they're dreading audit. Well, speaking as an auditor, I was like, what, five downloads? Audit is your best friend. Why? Because somebody else is finding my gaps, my opportunities to make my life easier. So what's wrong with an audit? And I actually recently had a conversation with a colleague, because I can't accept that. Why? It's because of what's going to go to the
board. Wow. Why am I bothered? Because it gives me the opportunity to say, actually, we're doing something about it; we're growing as a business, and financially we'll do better at this point. The two latter points are unfortunately still a big thing: buying an antivirus product and thinking you're protected. People still think that; we've still got compliance standards where having antivirus is a tick box. Right, let's have a firewall and put allow all, and nothing is broken, so why fix it? These are just enough, and the reality is this happens. So let's get some value out of this talk, because you've suffered it for 15 minutes. Let's get back to basics of blue team. Right, blue team is not all being sat behind the
keyboard. We buy tools, like a CrowdStrike or whatever, whatever the risk. That's the problem, this word risk, and actually the people that care about the R word do not care about the tool; they just want to make sure they can continue doing their business operation. So when they're coming to sell that product, you're not going, so it covers identity protection, it does antivirus, and sometimes it can make me a cup of coffee. If you don't know what risk you're trying to protect, you've lost the first rule of blue teaming. And also, not every tool solves every threat, and that's your ambulance chasers: buy our tool, because it'll protect you
from MOVEit. Well, let's touch it, right: it's like a patch; everything else, I'll patch. You do a process, that policy and process or procedure, that GRC component that actually says, no, I don't need to spend thirty thousand dollars, I can continue what I'm doing, because that's part of the blue teaming cycle. And most importantly, that tool is exactly what it is: it's nothing but a spanner, a screwdriver in your toolbox, it's just a tool. And I like this, I got this from LinkedIn as well; this is the reality of what's going on. We've got a lot of noise from the tool vendors. From a security point of view, security teams are always overstretched and
exhausted. My security team internally is tiny compared to the whole business; we must take up 0.1 of the business. We're on call 24/7, working all hours God sends; even this morning there were security alerts. We have too many competing priorities, and weirdly my team just gets left to it a lot. I have a reporting line, but because people are more bothered by their Excel crashing or the coffee machine not working, while we're doing our thing, we fall off the radar. Such an odd thing: we're doing it, we're doing a good job, but we could do with some help; yeah, but people need coffee. Yeah, all right, okay. And we lack resources for security
awareness and behavior; you know that. And that's been a really interesting thing for a long time, and I'll put this on the table, because obviously we're in the Tweed room, yeah, the only northerner in the village. Well, yeah, I feel like I am the tick box exercise in the office. And a lot of you, Andrew, have been to one of our CISO meetings and could vouch for that very, very quickly. What I do for culture, because I'm going to guess you're fairly to the point like I am, doesn't always work with colleagues inside the M25, not in the same way. So that's great.
But blue team is not about looking for failure, nor should consultants be assuming you're failing. And we've had a couple of good talks this morning: we just want to improve things, don't we? We want to make sure we're actually defending the business. And I actually had an auditor, well, I brought a consultant in to do an internal audit, if he's watching this on YouTube later, I'm talking about you, who says, right, we're going to do an internal audit, I want to see why you're failing. I stopped him dead. Yeah, hard enough for me, who's a qualified auditor, to bring somebody else in because you've got to prove independence,
why your system's failing. Well, I said, if that's the case, you're not coming in; I stopped that. He didn't reply to my emails after that; I had to ring up his bosses and ask why he's gone: I was a bit upset with your response. Who's paying for this service here? So, all right, I've griped a bit, yeah, okay, I've ranted a little bit, and we're talking about that far column. I think it's important to know the other streams, and we know, as Holly said upstairs, your pen testers think they're the best thing since sliced bread. All right, they know a bit about blue team as well. I like
to think we've got quite a good knowledge base. Blue team is said to be a well-oiled machine, and that's what we want to achieve. All right, we're not just there to keep the lights on, and I kind of always think about The IT Crowd; I forget the character's name, Noel Fielding plays it, and he comes out and goes, I just watch the lights. I think sometimes that's what people think blue teams do, so therefore we get pigeonholed, because we're not sexy and exciting, and actually I think we do a better job than they do. Yeah, fine, there's some basic gaps that pen testers find fairly easily, like getting to domain admin,
and also the other issue about blue team: it's very difficult to go up a promotional ladder, there's nowhere really to go, so why would you want to be a blue teamer? The skills a blue team needs, I think, are poorly measured. Pen testers, a lot of good pen testers, but this is blue team, I'm going to have a go, can measure what they're doing really well by how they progress through the attack chain, and they can sort of give themselves a pat on the back: I did a good job because I got a certain amount of movement in the network. Well, actually, on blue team, I would argue we've got to know a lot more. However, nowhere on this slide does it tell
you have to be an expert. So, casting me back to my university days, there's a big difference between information and knowledge: knowledge is about having experience, familiarity, being able to use your experience to defend the best with our business, and not be generic, like some of the vulnerability announcements we've had previously. So if you are thinking about coming into blue teaming, all right, whilst it's not massively measurable, there's not a lot of work to do, quite frankly. The practical bit is about understanding what you're trying to protect in the first place. Let's go back a couple of slides: risk, information, data, or what I tell my business is, what am I trying to protect? You're not losing your
jobs. You said, I've got nothing to do with security. Yeah, but if I get a 40 million pound ransomware, that's your bonus gone. Do you want to stay? Oh, well, what do you mean my bonus is gone? We've got another snippet: somebody in the industry I work in had to pay 40 million recently, or in the last two years, so that was in dollars as well. Just take a bit more of a sceptical approach. What about the message about scoping that pen testers do? Are we looking to protect PII? Maybe. PCI information? Maybe. Are we looking to protect customer information? Maybe. Am I looking to protect the print server? Possibly, maybe; depends on where it is
in the infrastructure. But be prepared to do your research; don't wait for people to come to you, and that's a big thing about blue teaming: you can be proactive, you don't have to be reactive because you're still watching the lights flickering in the server room. And don't fall into the traps; this is probably the geekiest slide I'll put in my deck today. Thinking nothing's ever changed: speak to IT, nothing's changed. The patch? Oh yeah, we've patched. Did you change the configuration? Well, you have to change the configuration. Has anything changed? No. People change, processes change as well, and what's even worse is when people or processes change and you don't know about it, but it's not practical to know about it
because you might be a one thousand, two thousand, fifty thousand people business, and the security team is still five. And also thinking the fact your tools are already protecting you. So one of the things I talk about, which we've had so far, is verification and validation, and if you go into response or forensics you kind of get forced down this line, but I think it's useful to be aware of it. You've got ISO 17020, which is for incident response, and 17025, which is your forensics; I think they're really useful, and you're less likely to be compliant against it in the private sector because you don't have a requirement. It's in there; it talks about verifying the tool
is doing its job, validating the process. Point: did you check your antivirus is doing its job? I ran, I downloaded EICAR. Okay, how did you validate that was actually a thing? I'm actually going back to my friends at CrowdStrike: that's why they had such a problem with Cyber Essentials for such a long time, because of how their program works; it ignored the EICAR. Look at what you're doing, look at your infrastructure, look at how your tool is working. I will quite happily say I'm an advocate for Darktrace. Darktrace has such a bad rep because of LinkedIn, but actually, if you spend time and
effort tuning it, working with it, validating its results, it's actually a really beautiful tool, but of course I got it in. This is, who fixed the risk whilst discovering? Put your head above the parapet, look at what you've got going on, don't wait for your pen tester to find out. Okay, it's a bit of a badge-flashing session, sorry. Said this: if your asset tool says you've got 400 servers, fine, okay, what's on them? Don't believe what the tool's telling you. I'll tell you about this: I like this whole thing about humans being your weakest link; I don't really buy that. If you've left the door open and they've gone through it, that's
your fault. And if the door's open and they've saved something really, really important on the G drive, which is available to the whole business, and you haven't thought about it, that's blue team; we need to protect that information. Look at the classification, don't ignore it; that is so often ignored: oh, I see confidential, I see restricted, I see secret, they're all the same, aren't they? You know, and why are they not the same? Because that gives you priority, how you prioritize your costs, your values, how you get to a point to go, right, my very, very tiny team that I need to go on, I need to do all that work over that
takes 10 days, that's 20 days, but we made that: 20 days is to protect a confidential service, so I should do the confidential stuff. And that stops us doing that scattergun approach, and it also helps with using pen tests properly, scoping properly, and it helps you with your costs.
Being brave: follow a proactive journey. I like this maturity model, I really do like it, I follow it a lot, and it's also quite telling when you get certain auditors in. Anyway, yeah, so I'm saying, am I, I'm doing some work about defining some policies and methodology, I'm optimizing, but there's also some policies at the managed stage. Let's explore, because they think you're the only one, you're only one and the other. And also this is a weird perspective, that you go up the chain, because it depends what you're looking at in the business. Recognize where you are in your maturity; it doesn't matter if you think you're still on one, two, some of you, that is just an opportunity
to improve what you're doing. So go look at the problems. It's all right if your management turn around to you and go, why the hell have you found this? Management needs to be trained, they need awareness, they need a better cultural change. And I heard we should talk about MITRE; I heard one of the previous talks about MITRE from a red team perspective. Look at this on a regular basis, look at this based on the risk you're trying to mitigate, not because it's part of your quarterly review or it's part of your penetration testing review. I use this a lot, and I just look at this actually from a human's perspective, from a physical
perspective, a social engineering perspective, not just your day-to-day defense of the IT infrastructure. The remedial action that comes from this, and the overlap with GRC, just gets forgotten about.
And there's no heroes in this process, right; security team don't have to be ripping shirts with your big Superman logo on. Find your friends, find your knowledge base, your end users, your help desk department; make friends with them, they are a lovely bunch. I find doughnuts help. Actually, funnily enough, with our CAB we've introduced doughnut fines if you don't do a change successfully; unfortunately one of our young guys, I think, owes four boxes of Krispy Kremes at the moment. These are people who can help push things along. And devs, system devs, they are a wild bunch, like feral cats; make friends with them, honestly.
I've spent time working with them, and I spent a year as a programmer, hands up, that was awful, I was a terrible programmer; I went to forensics so I could break things as opposed to putting things together. Get devs on side; they're the ones who want admin controls, you know that: we need additional privileges. Get them on side, they're going to talk to you, they'll tell you about how their system works, why they need the privilege. And if you want to know how that world can get really, really wild, just speak to my friend over here, Stuart Baker, the global incident response manager, who has to deal with devs all the time. He
used to have a lot of hair, and lots of improvements, I think. Looking for opportunities: okay, I've talked about this before, internal and external opportunities. Look forward to speaking to auditors; challenge your auditors. We don't have to settle for what they say: I turn around and say, when you speak to someone, drill down on that for me, please, can you look at that in a bit more detail. And as we come to finish, right, so I've done a lot of things, I've talked about the real things that are happening from a management of security perspective, and I like this one; I'm a big fan of Mr Robot, that was a great
series. [ __ ] does hit the fan, I think; it does happen. System failures happen; it doesn't mean it's happened because it's a cyber attack. Problems do happen, things can go wrong, so understand how you can recover. Big fan of wargaming; I'm a big fan of looking at tools from a defend and recover point of view, not just does it stop the latest virus, has this antivirus stopped this virus. Remember to verify and validate, and when you do wargaming, get forensics involved, not just because they need to leave the office sometimes, and, you know, it's very, very difficult for them; they're brilliant for understanding your environment. So not just going, it's all right, Pete, we would have done this, we
would have done that, we would have done the other. All right, great, you've done the failover, you've done the recovery, and forensics had to do their job? Oh no, no, because we've blatted the machine before forensics ever got at it. Requirements:
understand the risk you're trying to control, where does the tool fit in your environment, where is the thing that's been proposed going in your environment, and what effort does it require to get it working. And then we can let our consultant friend back through the door, because we understand what we're trying to achieve. Thank you.