So far this year I’ve interviewed several candidates for a security analyst position. It’s a pretty straightforward blue team role involving things like vulnerability assessment and remediation, identifying anomalies in user or system activity, and some internal audit functions. Unfortunately most of the candidates I’ve encountered are only interested in pure pentesting jobs.
The cool kids table
I get it, red team has all the fun right? Writing exploits, popping shells, they’re the Top Gun pilots of infosec. Don’t get me wrong, I fully realize the value of pentesting skills and even practice them myself. Having the knowledge and skillset required for red team work can be a huge benefit to those charged with defending a network. I’d just like to see more people interested in and excited about blue team.
The requisite gaming analogy
Have you played Plants vs Zombies or any other “tower defense” game? That’s one of my favorite analogies when people ask what a blue teamer does. Identify important areas or assets, stand up multiple layers of defenses, try to anticipate what the attacker might do, then adapt and evolve as needed (hopefully without being completely overrun at any point!) Sure you need to think like an attacker sometimes, but thinking like a defender is a thing too!
The pendulum may be starting to swing back the other way, though. With the rise of DFIR and threat hunting and the maturation of active or deceptive defense strategies, defenders are devising ways to not only keep their critical systems and data safe but also to learn more about attacker methods in the process. I’m even more excited when I see tips, tools, and techniques shared with the greater infosec community. The BrakeSec Slack community has been one of my favorite resources lately, lots of smart people sharing ideas there.
The soapbox message
While this this post started as a bit of a rant about my experience trying to fill a seat, I ultimately just want to encourage anyone out there considering a career in infosec to be open minded. By all means sharpen your hacking skills, but go a step further - set up something like Splunk or Graylog in the lab environment you practice in. Take note of the noise/logs you generate when trying to gain access to a system and elevate privileges. Think about ways you would automate the detection and alerting of such activity. If this kind of detective work interests you, consider a future on the blue team. We need talented people too.