Formation of a Blue Team (Incident response team)

From early stages in this maturity model it was recommended to act upon Amazon GuardDuty findings; however, the recommendation to form an incident response team (Blue Team) implies much more than only responding to an incident.

The Blue Team is a team specialized in responding to security incidents.

The work of the Blue Team involves acting at different moments:

  • Starting with the preparation for an incident: doing the threat modeling and ensuring that you are gathering the evidence/logs that will be needed for the investigation.
  • The identification of what is happening when the incident occurs, by monitoring the alerts from threat detection services like GuardDuty and the SIEM
  • The containment, to isolate the attackers and reduce the impact
  • The eradication of any access of the adversaries
  • The recovery to return to the normal state, and
  • The documentation of the lessons learned.

In the cloud, incident response can be very different from the way the process is executed on-premises, because all the technical information required for decision making during the incident response process is available, thanks to services such as AWS Config and AWS CloudTrail, and the possibility of querying that data programmatically allows a much higher degree of automation. In fact, Stephen Schmidt, CISO of AWS, mentioned in his talk Security Leadership at re:Invent 2019 that 96.4% of AWS's infrastructure security incidents are automatically resolved, without human intervention.

Therefore, to manage the response to incidents while taking advantage of the cloud's capabilities, the Blue Team should invest a large part of its time in building automatic remediation tasks for incidents, especially for the most recurring ones or those with the greatest impact.
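As an added example (not part of the original page), the following Python sketches the kind of automatic remediation task described above: it triages a GuardDuty finding in the shape EventBridge delivers it and, for a sufficiently severe EC2 finding, applies a containment step by replacing the instance's security groups with a quarantine group. The finding, the instance id and the quarantine security-group id are constructed, and the EC2 client is a stand-in for boto3's so the code runs offline.

```python
# Added example: triage of a GuardDuty finding (EventBridge shape) and the
# containment step an automated responder applies.  All ids are constructed.
QUARANTINE_SG = "sg-0quarantine000000"  # constructed placeholder: a group with no rules

SAMPLE_EVENT = {  # constructed finding, in the shape EventBridge uses for GuardDuty
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

def triage(event, severity_threshold=4.0):
    """Return a plan (action, instance_id, reason).  Only EC2 instance findings at or
    above the threshold are contained automatically; the rest go to a human."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if resource.get("resourceType") != "Instance" or not instance_id:
        return ("notify", None, "not an EC2 instance finding")
    severity = float(detail.get("severity", 0))
    if severity < severity_threshold:
        return ("notify", instance_id, f"severity {severity} below threshold")
    return ("isolate", instance_id, detail.get("type", "unknown"))

def contain(plan, ec2):
    """Apply an 'isolate' plan with a boto3-style EC2 client: swap the instance's
    security groups for the quarantine group, keeping the instance for forensics."""
    action, instance_id, _ = plan
    if action != "isolate":
        return False
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return True

class FakeEC2:
    """Stand-in for boto3.client('ec2') so the example runs without AWS."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)

if __name__ == "__main__":
    client = FakeEC2()
    plan = triage(SAMPLE_EVENT)
    print(plan, contain(plan, client), client.calls)
```

With a real client the `FakeEC2` instance is replaced by `boto3.client("ec2")`, and the `notify` branch would hand the finding to the team's ticketing or paging channel.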

The name Blue Team comes from the American military games where security was tested with a red team that played the enemy and a blue team that mounted the defense.