Blue Team X Black Hats – A Different Soccer Match
The metaphor of a football match to explain the daily confrontation of a blue team against Black Hats. Who is the winner?
I invite you to imagine a different soccer match. At one side, the Blue Team, in charge of your company’s cyber security protection. In the other, the Black Hats, eager to bypass your company’s cyber defenses and score goals at any cost.
Right now you may be imagining eleven players in each side of the field, properly uniformed, a referee at the center, some coaches, the reserves and so on, like a normal soccer match.
However, the reality may be quite different if we apply to the match the restrictions and challenges faced by cyber security. Let’s take a look:
- The Blue Team is usually composed of a very limited number of players, unlike Black Hat which is composed of an uncountable number of them, from random to focused attackers, amateur to professional, willing to score against you;
- There is no rule on accepting new Black Hat players in the game. In opposite, it is hard to find new Blue Team members due to investments that hardly ever approved by boards. At most, they are replaced;
- If sponsors investments are not adequate, the Blue Team players may have to play in the dark, unable to notice the opponent’s moves and attacks. Even the opponent’s crowd noise, makes it harder for the Blue Team;
- There is no limit to the number of balls during the match and only the Black Hats have them. It is common to see Black Hat players (alone or in groups) with its own ball executing rehearsed plays;
- The Black Hats are very good at the art of deceiving, hence, it is not uncommon seeing them convincing Blue Team players or its crowd to score against;
- Unlike a normal match, it doesn’t end after 90 minutes. It may last for several days, weeks, months… And due to the limited number of players on the Blue Team, the whole team cannot protect the goal at all times. The Black Hats, in the other hand, can attack anytime;
- The Blue Team always plays sitting behind the ball, on defense. The Black Hats do not have this limitation. They play freely throughout the whole field looking for good goal opportunities;
- The match results are also different. They may end only in a draw or victory for the Black Hats. We should consider a victory for the Blue Team when and if it avoids taking goals. Unfortunately this is hardly any prestigious. As a side effect, “blues” generally have much smaller crowds;
- There is no referee in the field. Despite that, the “Blue Team” is forced into playing fair. Also, goals are acknowledged (or not) by the Blue Team’s technical committee. If a goal is “perceived” and accepted too late, it is doubled.
Let’s consider that it’s enough explanation for our metaphor and update the field image.
Quite unfair, right? Let’s try to balance things a little. Here are some tips for the blues:
- Blue Team players should carefully study all Black Hat game strategies and rehearsed plays in order to perceive and react against it as fast as possible. This “intelligence” must be munched into defensive strategies spread and absorbed through lots of training;
- To be sure the Blue Team training paid off and spot some unnoticed weaknesses, hire talented attackers to practice with them from time to time;
- Continually study different ways opponents could score against you. Beside training the goalkeeper, also install sensors in the crossbar to automatically detect when a ball is near;
- Employ innovative technology to improve the Blue Team’s visibility. The number of Black Hat players and balls leaves the Blue Team at great disadvantage. Install and monitor motion sensors in strategic field places to detect the players moves. Beware of false alarms to do not waste your team’s precious energy;
- Due to the long match period (usually endless), prepare enough reserves to have a complete team in the field at all times, regardless of the time or day;
- The Black Hats are very anxious. Try to use this against them! Install false goals into the field and monitor them. They will be useful to distract and detect the opponent moves. This will be a very helpful source of knowledge new defense strategies;
- Make sure the whole team is not focused into defending against the same play. With many players and balls into the field, there are many attack possibilities starting from different locations;
- Go beyond defensive posture. Make the Blue Team play more advanced trying to disarm the opponents on its own own side of the field;
- Record all the game from different angles and whenever you concede a goal, review the cameras and study where were the failures. Use this apprenticeship in the next training;
Now, with these improvements, let’s see the field again.
This way, chances are the Blue Team will start making beautiful defenses to the point of getting fans and sponsors attention as if they were scoring goals!
About the Author:
Renato Marinho
Director at Morphus Segurança da Informação
[adrotate banner=”9″]
Edited by Pierluigi Paganini
(Security Affairs – Black hats, Blue Team)
[adrotate banner=”13″]