CAASM for the Blue Team

By Chasen Bettinger

Recently, life has been chaotic. For two years, events have shattered our perspective on what work, health, and community mean to us. As we try to sleep through this never-ending nightmare, a key part of what is holding us together is the heroes within our healthcare system. These defenders are working long, stressful hours to keep people alive. The reality of this situation is that they didn't foresee it happening. All of a sudden, they were forced to creatively solve problems that had serious consequences.

Even while planning for short- and long-term events, it's naive to pretend we have a crystal ball and can prevent anything bad from happening. To prevent as many issues as we can, we opt to prioritize our tasks in order of the value they provide to us. A mismanagement of priorities is likely to put the success of what we're trying to achieve at risk. As it relates to security in a digital environment, this problem is eloquently summarized as 'the inequality of time'.

In short, attackers have an abundance of time. You don't. 

At first this sounds like an insurmountable task. An obvious solution is to do more with less time. I'm not kidding. A CAASM such as JupiterOne enables you to do more with less time, leveling the playing field.

A Strategy for Securing Your Organization

A common strategy for assessing how secure your organization is involves creating Red and Blue teams within your cybersecurity business unit. Those on the Red Team provide an attacker-like function. The goal of a Red Teamer is to penetrate the defense of your digital infrastructure, uncovering all of its gaps. For each gap this team finds, they provide evidence of the exploitation methods a real malicious actor could use to extract data or processes and hold them ransom.

In contrast, those on the Blue Team act as defenders. If they're executing as intended, the attackers should struggle to find exploitable weaknesses. These two teams work together to create scenarios that simulate crises which, if successful, require those on the Blue Team to creatively solve problems that have serious consequences.

Sound familiar?

Examples of Common Blue Team Tasks

Examples of common Blue Team tasks might include:

  • Auditing and verifying DNS records
  • Mandating least-privilege access, where the permissions granted to a user are the bare minimum for the task they are working on, across all accounts for services within your organization (even third-party tools your organization might use like Hubspot, Zendesk, etc.)
  • Reviewing and implementing security controls on the perimeter of your organization. Within your software, this includes your WAF, application authentication (API Gateway Authorizers), and VPC security groups. More broadly, within your digital environment, this relates to endpoint security, the firmware on the router in your office, and the level of access to internal information provided to non-employees.
  • Creating processes to identify and remediate irregular behavior within your infrastructure. Ideally, the team determines a baseline for their organization so that the definition for anomalies is clear.
  • Hardening the physical machines that you use to build and run your software.
  • Deploying Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to discern unwarranted access and mitigate the pressure that current attacks impose on your infrastructure.

The majority of these tasks are non-trivial. Remember an important fact: attackers have an unlimited budget of time to investigate and find issues with your system.

Alas, the crux of the problem makes itself clear.

Blue Teamers are asked to cover a wide attack surface within their organization. This huge net of responsibilities, paired with the reality that implementing defensive solutions is difficult, encourages cutting corners in an attempt to complete everything that was planned. Normally, it's unrealistic to expect that Blue Teamers can cover even all of the components they planned to, because of cognitive load and understaffed teams.

With a CAASM tool like JupiterOne, you enable your Blue Team to complete the common tasks in half the time and empower everyone in your organization to become defenders of your digital environment. To prove it to you, let's walk through an example.

An Example: Blue Team Audit of your DNS Records

This is possible because JupiterOne has a robust classification system. It lets us connect to a variety of different integrations and manage all of that data in one place. I might have DNS records in GoDaddy, Cloudflare, or AWS, and yet I can still write a simple query to retrieve the information I want.

That query: `FIND DomainRecord`

Yup. That's it. In 16 characters, we have access to all of our DNS record information at our fingertips.


Blue Team Monitoring of IAM Policies

I've just showcased how JupiterOne can be a great tool for auditing DNS information and, more generally, the right tool for observing the state of the data in your digital infrastructure. How about continuous alerting and monitoring for events that need perpetual attention? One example is the surface area of IAM controls in your environment.

In a digital environment where your infrastructure is managed by code, developers pushing commits that can alter infrastructure are a focus of concern for the Blue Team. In this scenario, it becomes difficult to ensure none of those commits contain IAM policies that put your environment at risk. Preventing this becomes simple with JupiterOne.

While the software and its query language can easily solve these problems, I want to let you in on another tool you can leverage to make your experience with JupiterOne that much better: the questions library.

Filled with over 500 preconfigured questions, this library is a key resource for finding the information you need in an easy way. In our scenario, we're looking for IAM policies that are dangerous. How about `Find anything that allows public access to everyone.`? Resources that allow public access to everyone must be carefully monitored - you could be unknowingly leaking information to external actors!
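As an added example that is not code from the original post and not JupiterOne's implementation of that question, the check below shows what "allows public access to everyone" reduces to for an AWS-style policy document: an Allow statement whose principal is the wildcard and that no Condition narrows. The three policy documents are constructed sample data, and the bucket and account identifiers in them are placeholders.

```python
import json

# Constructed sample resource policies (not from the original post).
# One grants public access to everyone; one restricts the wildcard with a
# Condition; one is scoped to a single account. Identifiers are placeholders.
SAMPLE_POLICIES = {
    "public-bucket-policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }],
    }),
    "conditioned-policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        }],
    }),
    "account-scoped-policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }],
    }),
}


def _principals(statement):
    """Flatten the Principal field ("*", {"AWS": "*"}, {"AWS": [...]}) into a list."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = []
    for value in principal.values():
        values.extend(value if isinstance(value, list) else [value])
    return values


def public_statements(policy_json):
    """Return the statements that allow access to everyone.

    A statement counts as public when it is an Allow whose principal is the
    wildcard and no Condition narrows it. A single Statement object (rather
    than a list) is accepted as well.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and "*" in _principals(s)
        and not s.get("Condition")
    ]


def find_public_access(policies):
    """Name every policy (sorted) that has at least one public statement."""
    return sorted(name for name, doc in policies.items() if public_statements(doc))


if __name__ == "__main__":
    for name in find_public_access(SAMPLE_POLICIES):
        print(f"public access: {name}")
```

The conditioned wildcard is reported as not unconditionally public, but it still deserves a second look: conditions range from a tight organization check to something far weaker, so a real monitoring rule would list those statements separately rather than ignore them.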


To access the questions library within the app, start by clicking on the library icon to the left of the query input field.


Once the questions library drawer is opened, you can easily select your question.


JupiterOne puts the power of monitoring this ever-changing attribute right in your hands in a way that is easy to understand for everyone in your organization - not just technical folks.

One-Click Blast Radius

And finally, the Blue Team pièce de résistance: the one-click blast radius. One of the most revolutionary paradigm shifts in how the Blue Team operates has been to focus on thinking in graphs. Historically, Blue Teamers have thought in lists, and it's easy to understand why. Remember the list of Blue Team tasks? It's trivial to turn that list into a checklist and track your progress in protecting your software. Fundamentally though, this is flawed. Attackers think in graphs, not lists. As long as defenders continue to think in lists, attackers win. As easy as it was for you to imagine the list of example Blue Team tasks as an actual checklist, watch how easy it is to start thinking in graphs with JupiterOne.

FIND aws_vpc 
THAT RELATES TO *
RETURN TREE

You now have the knowledge to understand how your systems are connected to one another. Notice, there is no spreadsheet to manage, no collection of scripts to tie everything together. One query and the Blue Team is thinking in graphs!
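The following added example models what both queries in this post rely on: the DNS audit (`FIND DomainRecord`) works because records from several providers are normalized to one class, and the blast radius query (`FIND aws_vpc THAT RELATES TO * RETURN TREE`) works because every asset sits in one graph. It is not JupiterOne's query engine or code from the original post. The `_key`, `_type` and `_class` property names follow JupiterOne's entity conventions; the inventory, the relationship verbs and the provider type names are constructed sample data, and the traversal is a plain breadth-first walk written here.

```python
from collections import defaultdict, deque

# Constructed sample inventory (not from the original post). Each entity keeps
# its provider-specific _type and is normalized to a shared _class, so one
# query over the class reaches records held by three different DNS providers.
ENTITIES = [
    {"_key": "vpc-1", "_type": "aws_vpc", "_class": "Network", "displayName": "prod-vpc"},
    {"_key": "subnet-1", "_type": "aws_subnet", "_class": "Network", "displayName": "prod-subnet-a"},
    {"_key": "i-1", "_type": "aws_instance", "_class": "Host", "displayName": "web-1"},
    {"_key": "sg-1", "_type": "aws_security_group", "_class": "Firewall", "displayName": "web-sg"},
    {"_key": "r53-1", "_type": "aws_route53_record", "_class": "DomainRecord",
     "name": "www.example.test", "type": "A"},
    {"_key": "cf-1", "_type": "cloudflare_dns_record", "_class": "DomainRecord",
     "name": "api.example.test", "type": "CNAME"},
    {"_key": "gd-1", "_type": "godaddy_dns_record", "_class": "DomainRecord",
     "name": "mail.example.test", "type": "MX"},
]

# Constructed directed relationships: (from_key, verb, to_key).
RELATIONSHIPS = [
    ("vpc-1", "CONTAINS", "subnet-1"),
    ("subnet-1", "HAS", "i-1"),
    ("i-1", "PROTECTED_BY", "sg-1"),
    ("r53-1", "CONNECTS", "i-1"),
]

# Adjacency list that treats every relationship as traversable in both
# directions, which is what "RELATES TO *" asks for.
ADJACENCY = defaultdict(set)
for src, _verb, dst in RELATIONSHIPS:
    ADJACENCY[src].add(dst)
    ADJACENCY[dst].add(src)


def find(name):
    """Mimic `FIND <name>`: match entities by normalized class or by native type."""
    return [e for e in ENTITIES if name in (e["_class"], e["_type"])]


def return_tree(name):
    """Mimic `FIND <name> THAT RELATES TO * RETURN TREE`.

    For every matching entity, walk every relationship in either direction
    (breadth-first, each entity visited once) and nest whatever is reached
    under the entity it was reached from. The result is a dict of nested dicts
    keyed by _key.
    """
    forest = {}
    for root in find(name):
        visited = {root["_key"]}
        tree = {root["_key"]: {}}
        queue = deque([(root["_key"], tree[root["_key"]])])
        while queue:
            key, node = queue.popleft()
            for neighbour in sorted(ADJACENCY[key]):
                if neighbour in visited:
                    continue
                visited.add(neighbour)
                node[neighbour] = {}
                queue.append((neighbour, node[neighbour]))
        forest.update(tree)
    return forest


def dns_audit():
    """The DNS audit: (provider type, name, record type) for every DomainRecord,
    regardless of which provider holds it, sorted for stable review output."""
    return sorted((e["_type"], e["name"], e["type"]) for e in find("DomainRecord"))


if __name__ == "__main__":
    for row in dns_audit():
        print("DomainRecord:", *row)
    print("blast radius of aws_vpc:", return_tree("aws_vpc"))
```

Two things to notice when reading the output: the DNS audit never mentions a provider in the query, only in the result, and the VPC's tree already reaches the DNS record through the instance it points at, which is exactly the cross-service relationship a per-service checklist would miss.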

Everyone is on the Blue Team with JupiterOne

With JupiterOne, you empower your team to become digital defenders of your environment. The reality that we live in now is that protecting our digital infrastructure is a responsibility we all must have. Unfortunately, defending what you can't see is difficult. With JupiterOne, the visibility into how our software is run gives us the edge on attackers. All the information we need to protect our organization is right in front of us. So much for the inequality of time.

Know more, fear less, from the Blue Team at JupiterOne.

This is the second article in a two part series on the Red Team and the Blue Team at JupiterOne. Kenneth Kaye has provided us with the first article, Red Team, Go!. If you would like to participate in the discussion of Red Teams and Blue Teams, please join us on the JupiterOne, Ask J1 Community Site.

Chasen Bettinger

Chasen is a Senior Security Automation Engineer at JupiterOne. His background is in building production-ready, cloud-native applications across a myriad of different industries. Whether it's defining requirements or writing tests, Chasen is always ready to jump in and get the job done. Outside of work, you can find him watching Formula 1 or reading a book.

