Gather Documents
Excerpt from "Hunt Methodology" By Christian B.
Introduction
Several documents need to be gathered before blue team operations begin. Most of them come from the mission owner and are then combined with documents or intelligence provided by the intelligence community, so that you understand the network you are defending before the first sensor is placed or the first query is run.
Network Diagrams
The network diagram shows you what the network looks like and lets you develop a sensor placement strategy that maximizes visibility into network traffic. Look for enclave boundaries, the path to the Internet, and choke points such as core switches, where a tap or span port will see the most traffic.
Equipment and Applications List
Equipment and applications lists help you baseline the network and tell you what kinds of traffic and logs to expect. For example, if the network is supposed to consist entirely of Windows operating systems (OS) and you are seeing Linux logs, that may indicate an unauthorized device or unauthorized access on the network.
Vulnerability Scan Results
Vulnerability scans identify outdated or vulnerable software within the network. The systems administrators will usually have run a vulnerability scan before the exercise; ensure you receive a copy of the results so you understand the gaps in the defensive posture. The results tell you which systems are most exposed to attack, so you can develop a strategy to defend and watch those systems.
Security Technical Implementation Guide (STIG) Compliance
STIGs are configuration standards published by the Defense Information Systems Agency (DISA) that capture hardening best practices. Unlike vulnerability scans, which look for missing patches and known-vulnerable software, STIG checks identify weaknesses in how a system is configured. An example of a STIG setting is enforcing a minimum password length (for instance, 16 characters). The results of these checks can be used to identify gaps in your defensive posture and likely avenues of attack for an adversary. There is a STIG checklist for just about every OS and piece of software on a typical Marine Corps network.
Approved Administrator List
Acquiring a list of approved administrators, together with the permissions each is supposed to hold, is necessary because adversaries often alter permissions or escalate privileges in order to carry out unauthorized actions. With this list you can script a query of Active Directory (AD) privileged groups and flag any member that is not approved. Depending on the number of users on the network, it may also be worth obtaining an authorized user list alongside the administrator list, because an adversary may create a new user account to maintain persistence; a recently created account that does not appear on the authorized list is a strong lead.
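The audit described above, written out as an added PowerShell example (this is not code from the original document): it compares the members of AD privileged groups against an approved administrator list, reports mismatches in both directions, and then checks recently created accounts against an authorized user list. It assumes the RSAT ActiveDirectory module on a domain-joined host; the file paths, the CSV layouts (approved_admins.csv with columns SamAccountName,Group; authorized_users.csv with column SamAccountName) and the 30-day window are assumptions.

```powershell
# Added example: audit Active Directory privileged-group membership against a
# mission-owner-supplied approved administrator list, then flag recently created
# accounts that are missing from the authorized user list.
# Assumes the RSAT ActiveDirectory module and a domain-joined host. Paths and CSV
# layouts are hypothetical: approved_admins.csv has columns SamAccountName,Group;
# authorized_users.csv has a SamAccountName column.
Import-Module ActiveDirectory

$ApprovedAdminsPath   = 'C:\Hunt\approved_admins.csv'    # hypothetical path
$AuthorizedUsersPath  = 'C:\Hunt\authorized_users.csv'   # hypothetical path
$NewAccountWindowDays = 30                               # assumed review window

# Groups that grant domain-wide or host-wide administrative control. Extend with
# mission-specific groups (tier-0 service account groups, etc.) as the owner's list requires.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'
)

$approvedAdmins  = Import-Csv -Path $ApprovedAdminsPath
$authorizedUsers = (Import-Csv -Path $AuthorizedUsersPath).SamAccountName

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so an account tucked inside a nested group still surfaces.
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                 Where-Object { $_.objectClass -eq 'user' })
    $approvedForGroup = @(($approvedAdmins | Where-Object { $_.Group -eq $group }).SamAccountName)

    foreach ($m in $members) {
        if ($approvedForGroup -notcontains $m.SamAccountName) {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties whenCreated, LastLogonDate
            [pscustomobject]@{
                Finding        = 'Privileged member not on approved list'
                Group          = $group
                SamAccountName = $m.SamAccountName
                Enabled        = $u.Enabled
                WhenCreated    = $u.whenCreated
                LastLogonDate  = $u.LastLogonDate
            }
        }
    }

    # The reverse mismatch matters too: an approved admin missing from a group may mean
    # the owner's list is stale, or that an adversary removed a legitimate administrator.
    foreach ($name in $approvedForGroup) {
        if ($members.SamAccountName -notcontains $name) {
            [pscustomobject]@{
                Finding        = 'Approved admin not a member'
                Group          = $group
                SamAccountName = $name
                Enabled        = $null
                WhenCreated    = $null
                LastLogonDate  = $null
            }
        }
    }
}

# Accounts created inside the window that the owner never authorized are a classic
# persistence pattern; check every enabled user against the authorized user list.
$cutoff = (Get-Date).AddDays(-$NewAccountWindowDays)
$newUnknown = Get-ADUser -Filter 'Enabled -eq $true' -Properties whenCreated, LastLogonDate |
    Where-Object { $_.whenCreated -ge $cutoff -and $authorizedUsers -notcontains $_.SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Finding        = 'Recently created account not on authorized user list'
            Group          = '(none)'
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            WhenCreated    = $_.whenCreated
            LastLogonDate  = $_.LastLogonDate
        }
    }

$all = @($findings) + @($newUnknown)
$all | Sort-Object Finding, Group, SamAccountName | Format-Table -AutoSize
$all | Export-Csv -Path 'C:\Hunt\admin_audit_findings.csv' -NoTypeInformation   # hypothetical path
```

Run it from an account that can read group membership and user attributes. Every row is a lead to confirm with the mission owner, not a verdict: an "Approved admin not a member" row is just as often a stale list as an adversary removing an administrator, and a new account outside the list may simply be a hire the owner forgot to record.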
Indicators of Compromise (IOC)
Indicators of Compromise are pieces of forensic data, such as a value found in a system log entry or a file, that identify potentially malicious activity on a system or network. Some IOCs are specific to an advanced persistent threat (APT) and are provided through intelligence reporting. If no specific APT has been identified, threat intelligence providers such as CrowdStrike publish thousands of generic IOCs a week that can be loaded into sensor dashboards so analysts can search quickly and effectively. It is important to understand that an IOC hit on a dashboard does not by itself indicate malicious activity: indicators age out, shared infrastructure such as hosting or CDN addresses is reused by legitimate services, and some indicators (a hash of a common or empty file, for example) match benign content. Treat a hit as a lead to triage, carrying the indicator's source, age and confidence with it, rather than as a confirmed compromise.
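As an added example of loading IOCs for fast searching (PowerShell written for this page, not code from the original document), the block below indexes a small IOC list and matches it against proxy-log lines, carrying each indicator's type, source and confidence into the hit. Both the IOC list and the log lines are constructed for illustration and the CSV layout is assumed; only the empty-file SHA-256 is a real value, included to show a hit that is a true match on a benign artifact.

```powershell
# Added example: match an IOC feed against proxy-log lines and carry the IOC's type,
# source and confidence into each hit so the analyst can triage it.
# The IOC list and log lines are constructed for illustration; the CSV layout is hypothetical.

$iocCsv = @'
Type,Value,Source,Confidence,Note
ipv4,203.0.113.45,constructed-feed,high,Reported C2 address
domain,update-check.example.net,constructed-feed,medium,Reported staging domain
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,constructed-feed,low,SHA-256 of a zero-byte file; matches any empty file
'@

# Constructed proxy log lines in key=value form (timestamp first, then fields).
$logLines = @(
    '2024-05-01T10:02:11Z src=10.0.0.25 dst=203.0.113.45 host=cdn.example.com uri=/a.js sha256=-'
    '2024-05-01T10:05:30Z src=10.0.0.31 dst=198.51.100.7 host=UPDATE-CHECK.example.net uri=/ping sha256=-'
    '2024-05-01T10:07:02Z src=10.0.0.31 dst=198.51.100.9 host=intranet.corp.local uri=/empty.txt sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'
    '2024-05-01T10:09:44Z src=10.0.0.40 dst=198.51.100.22 host=mail.corp.local uri=/owa sha256=-'
)

function New-IocIndex {
    param([string]$Csv)
    # Hashtable keyed on the normalized (trimmed, lower-cased) indicator value, so that
    # mixed-case hostnames and upper-case hashes in the logs still match.
    $index = @{}
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $index[$row.Value.Trim().ToLowerInvariant()] = $row
    }
    return $index
}

function ConvertFrom-KvLine {
    param([string]$Line)
    # First token is the timestamp; the rest are key=value pairs.
    $tokens = $Line -split '\s+'
    $fields = @{ time = $tokens[0] }
    foreach ($t in $tokens[1..($tokens.Count - 1)]) {
        if ($t -match '^([A-Za-z0-9_]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

function Find-IocHits {
    param([hashtable]$IocIndex, [string[]]$Lines)
    # Which log field may carry which indicator type; an IP IOC is never compared to a hostname.
    $fieldMap = @{ dst = 'ipv4'; host = 'domain'; sha256 = 'sha256' }
    foreach ($line in $Lines) {
        $f = ConvertFrom-KvLine -Line $line
        foreach ($field in $fieldMap.Keys) {
            $raw = $f[$field]
            if (-not $raw -or $raw -eq '-') { continue }      # field absent or empty in this record
            $ioc = $IocIndex[$raw.ToLowerInvariant()]
            if ($ioc -and $ioc.Type -eq $fieldMap[$field]) {
                [pscustomobject]@{
                    Time         = $f['time']
                    Src          = $f['src']
                    MatchedField = $field
                    Value        = $raw
                    Confidence   = $ioc.Confidence
                    Source       = $ioc.Source
                    Note         = $ioc.Note
                }
            }
        }
    }
}

$hits = Find-IocHits -IocIndex (New-IocIndex -Csv $iocCsv) -Lines $logLines
# Order by confidence (high first) rather than alphabetically, so triage starts at the top.
$rank = @{ high = 0; medium = 1; low = 2 }
$hits | Sort-Object { $rank[$_.Confidence] }, Time | Format-Table -AutoSize
```

On the constructed input this produces three hits: the high-confidence C2 address, the medium-confidence domain (matched despite the upper-case hostname in the log), and the low-confidence hash hit on intranet.corp.local. The third is exactly the case the paragraph warns about: the indicator matched, but it is the hash of an empty file, so the hit says nothing about compromise until an analyst looks at it.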