July 25

Blue Team Field Manual


The maxim ‘use it or lose it’ applies as much to the array of operating system commands, scripting languages and toolset peculiarities as it does to the language classes many of us try to recall on vacation each year. If you forget your scan commands as quickly as your Spanish, the Blue Team Field Manual (BTFM) may be able to assist.

As a lightweight (134 page) reference, the BTFM acts as a technical aide-mémoire structured around the five key functions of the NIST (National Institute of Standards and Technology) cybersecurity framework: Identify, Protect, Detect, Respond and Recover. Each section of the manual provides a systematic breakdown of the common defensive steps that would be undertaken to ‘blue team’ (internally analyse and defend) a network or system.

Let’s look at what’s covered in some more detail.


The NIST framework provides a set of activities designed to achieve cyber security outcomes, and the Identify function is all about gaining an understanding of the security risks facing an organisation’s people, systems and data assets.

To that end, chapter 1 of the BTFM is concerned with scoping your IT infrastructure to work out what needs to be protected. You’ll therefore find sections on network mapping tools like NMAP, and on proven vulnerability scanners such as Nessus and the Microsoft Baseline Security Analyzer (MBSA). Key commands for these toolsets are included; for example, NMAP commands to scan an IP range for specific listening ports that could be vulnerable.


With cyber security risks to systems identified, the Protect function of NIST is somewhat unsurprisingly concerned with applying safeguards to systems.

Chapter 2 of the BTFM has sections on configuring firewalls and disabling unnecessary processes that could be exploited by an attacker. Commands are included for both Windows and Linux systems.


With safeguards in place the Detect function of the framework is about continuous monitoring for threats and detecting events or anomalies that could indicate an attack is underway.

The third chapter therefore contains sections associated with packet capture (PCAP) and command line driven network monitoring tools such as TCPDUMP.


When the time comes that a potentially malicious event is detected we need to be ready to respond – fast – which includes determining how and where systems are being impacted. Chapter 4 of the BTFM is replete with notes on the identification of malware and on carrying out live ‘triage’ of Windows and Linux-based systems to help determine what needs to be blocked or isolated to save the proverbial patient.


Following this initial response, recovery steps need to be taken to restore normal system functionality and prevent similar incidents happening again. Under the NIST framework the Recover stage includes planning and communications, but from a technical standpoint it will invariably involve killing malicious processes, restoring affected systems to a safe state, recovering files and patching vulnerabilities. Once again the BTFM lays out common commands for many of these activities.

As well as covering the NIST process, the book also includes handy sections on ‘tactics’ – including operating system tips and tricks – and an Incident Management checklist.

For the cyber security professional carrying out an incident response or consulting role, this lightweight reference will provide a useful handrail. Frankly, pulling a copy of the BTFM out of a laptop bag also looks a bit more professional than peeling back the cobwebs on an old textbook or surreptitiously consulting Google with a client nearby.
