Team Blue refers to the IT security professionals who dedicate their efforts to protecting an environment from malicious hackers. They are sometimes also called “ethical hackers”.
I have collected various datasets, then used a very meticulous algorithm to anonymize all the data, so sensitive information never actually left the secure premises.
Without disclosing anything confidential, we are still able to dive deep into the network graphs and read the information.
This is only a brief overview; each use case will be described in more detail on this site.
- Every big company has its own list of approved software, connected to a configuration database and Windows SCCM. The picture below shows a proportional map of vendors, applications and, in certain cases, also the version and available patches of the software. One color belongs to Microsoft, others to Oracle, SAP, Unix-based applications, Adobe, and so on. Small communities may represent custom-made applications or the versions / patches available.
- Once we have a collection of the software, it is interesting to look up the vulnerabilities listed in various threat intelligence systems for each item. One color = one major application vendor. The outer circle stands for highly serious issues that would occur if the system were not patched. Well, here you go:
- Using a different visualization, this picture summarizes the CVSS score linked to each class of software. Guess which group / vendor poses the highest risk 🙂
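To make the two pictures above concrete, here is an added example (not code from the original post) that builds the vendor → application → vulnerability graph from a small constructed inventory and threat-intel feed, marks the "outer circle" of critical issues, and ranks vendors by their CVSS exposure. All vendor names, applications, versions and CVE-XXXX-* identifiers are constructed placeholders, not data from the post.

```python
# Added example (not from the original post): the vendor -> application -> vulnerability graph
# described above, built from a constructed inventory and ranked by CVSS exposure per vendor.
# Every vendor, application and CVE-XXXX-* identifier below is a constructed placeholder.
from collections import defaultdict

# Constructed approved-software inventory: (vendor, application, installed version)
INVENTORY = [
    ("VendorA", "app-one", "1.2"),
    ("VendorA", "app-two", "4.0"),
    ("VendorB", "db-server", "12.1"),
    ("VendorC", "reader", "9.5"),
]
# Constructed threat-intel feed: (application, affected version, CVE placeholder, CVSS base score)
INTEL = [
    ("app-one", "1.2", "CVE-XXXX-0001", 9.8),
    ("app-one", "1.2", "CVE-XXXX-0002", 5.3),
    ("app-two", "3.9", "CVE-XXXX-0003", 7.5),  # affects 3.9 only; installed 4.0 is not matched
    ("db-server", "12.1", "CVE-XXXX-0004", 8.8),
    ("reader", "9.5", "CVE-XXXX-0005", 9.1),
    ("reader", "9.5", "CVE-XXXX-0006", 9.6),
]
CRITICAL = 9.0  # the "outer circle": issues that are critical if the system stays unpatched

def build_graph(inventory, intel):
    """Edges vendor -> application and application -> CVE, matched on the installed version."""
    edges, score = defaultdict(set), {}
    for vendor, app, version in inventory:
        edges[vendor].add(app)
        for iapp, iver, cve, cvss in intel:
            if iapp == app and iver == version:
                edges[app].add(cve)
                score[cve] = cvss
    return edges, score

def vendor_risk(inventory, intel):
    """Per vendor: matched vulnerabilities, how many are critical, and the highest CVSS."""
    edges, score = build_graph(inventory, intel)
    out = {}
    for vendor in {v for v, _, _ in inventory}:
        cves = [c for app in edges[vendor] for c in edges[app]]
        out[vendor] = {"vulns": len(cves),
                       "critical": sum(1 for c in cves if score[c] >= CRITICAL),
                       "max_cvss": max((score[c] for c in cves), default=0.0)}
    return out

def riskiest_vendor(inventory, intel):
    """Which vendor poses the highest risk: most criticals, then highest CVSS, then most vulns."""
    risk = vendor_risk(inventory, intel)
    return max(risk, key=lambda v: (risk[v]["critical"], risk[v]["max_cvss"], risk[v]["vulns"]))
```

Matching on the installed version is what keeps the graph honest: an advisory for a version you do not run adds no edge, so a vendor with many advisories but a patched estate does not get painted as the riskiest.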
- Once we have an idea of the attack surface as seen by malicious hackers, let's see how it went from there. Each edge = one case. A case means a blocked attack, a virus, or an identified misconfiguration. Communities are composed using an internal threat classification model (not disclosed). Note that the threat was always blocked, so there was no actual breach. Good work, team Blue!
- As if that were not enough, a horde of malicious content was blocked by spam filters, proxies and other security appliances. The picture below shows spam handling. Note that the actions taken were both reactive and proactive; in this analysis I used only reactive actions for better illustration. Each node stands for a single malicious email address identified and blocked. Red = attack attempt, blue = defense:
- This is a hint of how the security incident documentation system would look from the inside if all the threats had actually been (successful) breaches. Note the various pathways, symbolized by edges close to each other; these stand for the various remediation procedures. Big nodes stand for functions as defined by ITIL, taking care of a particular class of incident:
- Well, it is a lot of information, right? Every blue team uses some sort of SIEM tool to handle such a flood of data. In the example below, I had to lose several dimensions of the data. It is the structure of the data stripped of all information; only the skeleton of the relations was preserved.
- This is a detail of the picture above. As you can see, even when zooming in, the view is still very complex, and fascinating!
And structured, after dimension reductions: