Do You Have What It Takes to Hold the Line on the Blue Team?

The cybersecurity field has seen remarkable growth that is expected to continue through at least the next 10 years, fueled by increasingly sophisticated threats from hacking groups, individuals, and nation-state actors. The field is in demand for its earning potential, for the number of available jobs, and for its cutting-edge appeal. But what does a job in cybersecurity even look like?

Well, it depends. Cybersecurity is a broad field with a variety of potential roles and paths to employment. In this series of posts, we explore different types of cybersecurity jobs, from the type of work you might do in that role to what kind of experience, education, or certifications you might need to get the job.

What is the Blue Team?


In cybersecurity, the blue team consists of the people, processes, tools, and infrastructure that are set up to defend the confidentiality, integrity, and availability of an organization’s data and other assets. Members of the team work to detect threats and vulnerabilities and respond to security incidents. Depending on the organization, this could involve a variety of tasks, like creating methods of detection, remediating vulnerabilities, training coworkers to recognize phishing attempts, reviewing system security for compliance to regulatory or contractual requirements, and reviewing code for security vulnerabilities.

The blue team must remain vigilant and do their best to stay ahead of new vulnerabilities and zero-days. It is often remarked that while attackers only need to be successful once, the blue team has to be successful every time, every day. Fortunately, the blue team is exactly that: a team. For this reason, collaboration, communication, and teamwork skills are essential. This is a job for people who can pay attention to detail, be proactive about looking for issues, and who have enough breadth of knowledge about technology and cybersecurity to know what to look for.

Skills and Tools

Blue teamers can engage a wide variety of defensive tools and skills:

  • Effective Communication: Whether you are informing others of a new vulnerability, documenting a remediation plan, or teaching other, non-technical employees how to avoid subjecting the organization to attack via phishing, strong communication skills are a must-have for blue teamers.
  • Attention to Detail: Blue teamers may need to search through a haystack of log files to find a needle of malicious activity. They may need to hunt through false positives produced by their automatic detection systems to verify whether a true risk exists. The smallest gap in defense could mean a great deal of risk to the organization, so caring and paying attention to the details are essential.
  • SIEM (Security Information and Event Management): A SIEM (pronounced “sim”) is a tool used by blue teams to detect, analyze, and respond to threats. Typically, they do this by ingesting, storing, and analyzing a large amount of data, such as event logs, to identify activities that differ from normal or approved operations.
  • Threat Profiling: This skill involves performing and documenting an analysis of potential threats, risks, and vulnerabilities for the organization.
  • Packet Analysis (Wireshark): Wireshark is just one example of a tool used for packet analysis, which allows the blue team to view traffic between two points on the network and analyze it for malicious activity.
  • Endpoint Security and Detection: Endpoints are the devices through which users interact with a larger system, such as laptops, desktop PCs, phones, and other devices. These require safeguards and policies to be enacted to keep the overall system secure. Enterprise-level products exist to address these needs, and they require configuration, monitoring, and updating.
  • Honeypots and Sandboxes: Sandboxes and honeypots are meant to be an attractive target for attackers that doesn’t expose the organization’s assets to risk, but instead of catching a hungry Pooh Bear, the idea is to trap an attack and allow the blue team to observe the method of intrusion.
  • Incident Response: When a security incident occurs, the incident response process is kicked off. In addition to identifying the attack and enacting technical remediations, the blue team must minimize the damage and identify ways of preventing future attacks of the same kind.
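As an added illustration of what the SIEM and attention-to-detail bullets describe (this is example code, not part of the original post or any particular SIEM product), the script below ingests a handful of constructed login events, applies two simple correlation rules, and returns alerts. The log format, host names, user names, addresses, and the "approved" address range are all made up for the example; the point is to show how a rule distinguishes a burst of failures from one source from a single benign mistyped password, which is exactly the false-positive judgment the text mentions.

```python
"""Toy SIEM-style correlation over constructed login events.

Added illustration, not code from the original post. The log format,
host names, users and addresses below are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): ISO timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web01 user=alice src=10.0.0.5 result=OK
2024-05-01T10:00:07Z host=web01 user=bob src=10.0.0.8 result=OK
2024-05-01T10:01:02Z host=vpn01 user=admin src=203.0.113.9 result=FAIL
2024-05-01T10:01:03Z host=vpn01 user=admin src=203.0.113.9 result=FAIL
2024-05-01T10:01:04Z host=vpn01 user=root src=203.0.113.9 result=FAIL
2024-05-01T10:01:05Z host=vpn01 user=admin src=203.0.113.9 result=FAIL
2024-05-01T10:01:06Z host=vpn01 user=admin src=203.0.113.9 result=FAIL
2024-05-01T10:05:00Z host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:05:30Z host=web01 user=alice src=10.0.0.5 result=OK
2024-05-01T10:09:00Z host=db01 user=carol src=198.51.100.77 result=OK
"""

# Address prefixes the organization treats as "normal" (constructed baseline).
APPROVED_PREFIXES = ("10.",)


def parse_event(line):
    """Turn one 'ts k=v k=v ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def load_events(text):
    """Parse every non-empty line of a log blob into event dicts."""
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def detect_failed_login_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """Rule 1: `threshold` or more FAIL results from one source inside a
    sliding time window. Returns at most one alert per source:
    (src, max_count_in_window, first_ts, last_ts)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("result") == "FAIL":
            by_src[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start, best = 0, None
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (src, count, times[start], times[end])
        if best:
            alerts.append(best)
    return alerts


def detect_unapproved_success(events, approved=APPROVED_PREFIXES):
    """Rule 2: a successful login from outside the approved address ranges,
    i.e. activity that differs from the documented baseline."""
    return [
        (ev["user"], ev["src"], ev["host"])
        for ev in events
        if ev.get("result") == "OK" and not ev["src"].startswith(approved)
    ]


def run_rules(text=SAMPLE_LOG):
    """Run both rules over a log blob and return the alerts by rule name."""
    events = load_events(text)
    return {
        "bursts": detect_failed_login_bursts(events),
        "unapproved": detect_unapproved_success(events),
    }


if __name__ == "__main__":
    for name, hits in run_rules().items():
        print(name, hits)
```

Running it reports one burst alert for 203.0.113.9 (five failures in five seconds) and one baseline-deviation alert for carol's login from 198.51.100.77, while alice's single failed attempt followed by a success stays below the threshold and produces nothing. Real SIEM rules add enrichment (asset owner, geolocation, threat intelligence) and tuning, but the shape is the same: normalize, correlate, alert, then let an analyst decide.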

Paths to the Blue Team

There are several ways to prepare for a career in the Blue Team. In general, gaining technical knowledge and experience will be your first step.

  • Experience: If you’re having difficulty finding entry-level cybersecurity roles, start with any technical role or help desk and gain experience there. Gain level 1 experience, for example as a SOC (Security Operations Center) Analyst, detecting and responding to issues and becoming familiar with common tools and processes. Move laterally or find roles at new employers that help broaden your experiences to prepare you for the role you really want.
  • Education: A traditional bachelor’s degree in technology, cybersecurity, or a related field will help provide some foundational knowledge. Some roles might even prefer someone with a master’s degree, depending on the employer. Increasingly, more employers no longer require a bachelor’s degree if they find a candidate who can demonstrate their ability through other means, such as experience and certifications.
  • Certifications: There are a lot of certifications out there for technology and cybersecurity. A commonly recommended credential is the CompTIA Security+. GIAC has groupings of certifications for Blue Team Operations and Cyber Defense. MAD20 has a MITRE ATT&CK DEFENDER program. Microsoft has a variety of certifications for security engineers. There are many organizations providing even more certifications that could apply. Be sure to check role descriptions for the types of jobs you want to have and see what kind of certifications they list for “desired qualifications.”
  • Job Titles: In addition to looking for job roles with “blue team” in the title, other keywords to search for include “SOC,” “Security Operations Center,” and “SIEM.” Some common job titles might be Security Engineer, SOC Security Analyst, Security Incident Responder, Cybersecurity Analyst, Threat Intelligence Analyst, Information Security Specialist, and Security Architect.

Bottom Line

The red team may often get the attention, but it’s the blue team that has to show up day after day and put forward first-class work. Not only does it take a breadth of knowledge to get into this type of role, but you will also need to learn and improve continuously. New exploits and vulnerabilities will always crop up, so it’s an in-demand job and will remain so for the foreseeable future. But that also means needing to be better at securing an organization’s environment than the bad guys are at attacking it.