32 Daniel Miessler
“I define a blue team as the group that defends an organization from both real attackers and red teams by employing adversarial empathy.”
Twitter: @danielmiessler • Website: danielmiessler.com and www.linkedin.com/in/danielmiessler
Daniel Miessler is an experienced security practitioner and virtual CISO with more than 20 years in information security. His areas of interest and focus are web application security, IoT security, OSINT/recon, and security program design.
How do you define a blue team?
I define a blue team as the group that defends an organization from both real attackers and red teams by employing adversarial empathy. Adversarial empathy is the ability to not just use similar TTPs to the enemy but to successfully think like they do.
What are two core capabilities that a blue team should have?
Deep visibility into the environments being attacked through widely deployed, detailed, and centralized logging/alerting, and a deep understanding of normal that can help the blue team when something is amiss.
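As an added illustration of the "deep understanding of normal" point above (example code written for this page, not from the interview or the book), the script below learns a per-user baseline from centralized authentication logs and flags later events that fall outside it. The log format, user names, host names and timestamps are all constructed for the example.

```python
"""Added example (not from the interview or the book): a minimal
"understanding of normal" detector. It learns, per user, the set of source
hosts and the hour-of-day window seen during a baseline period from
centralized auth logs, then flags later events that fall outside that
baseline. Every log line below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of centralized auth-log lines:
# "<ISO timestamp> <user> <source host> <result>"
BASELINE_LOGS = [
    "2024-03-04T08:12:00 alice ws-alice-01 success",
    "2024-03-04T09:40:00 alice ws-alice-01 success",
    "2024-03-05T08:55:00 alice ws-alice-01 success",
    "2024-03-05T17:20:00 alice laptop-alice success",
    "2024-03-04T07:50:00 bob ws-bob-07 success",
    "2024-03-05T18:05:00 bob ws-bob-07 success",
]

# Constructed events arriving after the baseline period.
NEW_LOGS = [
    "2024-03-06T09:05:00 alice ws-alice-01 success",      # within baseline
    "2024-03-06T03:14:00 alice ws-alice-01 success",      # unusual hour
    "2024-03-06T10:00:00 alice build-server-03 success",  # unusual host
    "2024-03-06T12:30:00 carol ws-carol-02 success",      # never-seen user
]


def parse(line):
    """Split one log line into (timestamp, user, host, result)."""
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result


def build_baseline(lines):
    """Per user: the known source hosts and the [min, max] hour-of-day seen."""
    hosts = defaultdict(set)
    hours = {}
    for line in lines:
        ts, user, host, _ = parse(line)
        hosts[user].add(host)
        lo, hi = hours.get(user, (ts.hour, ts.hour))
        hours[user] = (min(lo, ts.hour), max(hi, ts.hour))
    return {"hosts": dict(hosts), "hours": hours}


def find_deviations(baseline, lines):
    """Return (line, reason) pairs for events outside the learned baseline."""
    findings = []
    for line in lines:
        ts, user, host, _ = parse(line)
        if user not in baseline["hosts"]:
            findings.append((line, "user not seen in baseline"))
            continue
        if host not in baseline["hosts"][user]:
            findings.append((line, f"new source host {host} for {user}"))
        lo, hi = baseline["hours"][user]
        if not lo <= ts.hour <= hi:
            findings.append(
                (line, f"hour {ts.hour:02d} outside {lo:02d}-{hi:02d} for {user}")
            )
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for line, why in find_deviations(base, NEW_LOGS):
        print(f"ALERT: {why}: {line}")
```

Run as-is, it alerts on the 03:14 login, the login from build-server-03, and the user carol, while the in-baseline event is silent. A real baseline would cover weeks of data and more attributes (geolocation, client, failure rate), but the shape is the same: first learn normal, then alert on departures from it.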
What are some of the key strengths of an incident response program?
- Adoption of an attacker mindset as a culture
- The use of metrics to objectively understand current-state and future-team performance goals
- The capture of every step of the response process so that continuous improvements can be made
- Formalized improvement based on lessons learned from ...