Week 1: Blue Team Operations & Packet Sniffing

Aayush Acharya

🔑 Key Topics Covered

This week, we kicked off CodePath’s Intermediate Cybersecurity course with a deep dive into Blue Team operations, laying the foundation for our journey into cybersecurity defense.

  • What is a Blue Team?
    Blue Teams are the defenders of an organization’s IT infrastructure, tasked with maintaining and improving the security posture against attackers. They operate within Security Operations Centers (SOCs), monitoring, analyzing, and remediating security events.

  • Key Blue Team Activities:

    • Digital footprint analysis

    • DNS audits

    • Installing and configuring firewalls

    • Monitoring network activity

    • Using least-privilege access

    • SIEM (Security Information and Event Management)

  • Blue Team Skills:

    • Risk Assessment

    • Threat Intelligence

    • Hardening Techniques

    • Monitoring and Detection Systems (e.g. Wireshark, IDS/IPS)

  • SOC vs. Cyber Fusion Center:

    • SOC: Detects, identifies, investigates, and responds to incidents.

    • Cyber Fusion Center: Integrates different teams to provide a more unified and proactive approach to threat management.


🛠️ Tools Practiced

  • Wireshark: Used extensively in our lab to analyze network traffic and inspect SMTP packets.

  • DHCP logs & Security logs: Correlated IP addresses to devices and users.

  • Basic usage of text editors: To analyze logs and security data.


💻 Lab Activity — It Wasn't Me

In our first lab exercise, we assumed the role of a Blue Team analyst at Boring Office. Here’s what we did:

1️⃣ Analyzed a .pcap file in Wireshark to find a suspicious SMTP packet containing a user’s sensitive email. By applying the display filters smtp and smtp contains "FROM", I pinpointed the source IP address: 10.10.1.4.

2️⃣ Correlated the IP address to a host device by examining the DHCP logs, focusing on events leading up to the suspicious activity (12:50 PM). I found that 10.10.1.4 was assigned to USER2 at 12:11:27 PM.

3️⃣ Analyzed the Security Log to see who was logged in on USER2. The logs revealed that John Doe was logged in during the email-sending window — confirming him as the rogue user.

Outcome: Successfully identified the suspicious user, linking the network traffic to a specific host and user account — a key Blue Team skill!
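As an added example (not part of the original post or the course materials), here is the correlation from steps 2 and 3 written as a small Python script: it replays a DHCP log and a Security log up to the packet's send time (12:50 PM) and returns the host that held 10.10.1.4 and the account logged on to it. The log line formats, the hostnames other than USER2 and the account names other than John Doe are constructed for illustration.

```python
# Added example for the 'It Wasn't Me' lab: replay DHCP lease events and
# logon/logoff events up to the packet's send time to name host and user.
# Log formats are constructed for illustration, not the course's real files.
from datetime import datetime

# Constructed DHCP log: time,event,ip,hostname
DHCP_LOG = """\
11:58:02 AM,Assign,10.10.1.4,USER7
12:05:40 PM,Release,10.10.1.4,USER7
12:11:27 PM,Assign,10.10.1.4,USER2
12:57:13 PM,Assign,10.10.1.4,USER9
"""
# Constructed Security log: time,event,host,account
SECURITY_LOG = """\
08:30:05 AM,Logon,USER2,Jane Roe
11:45:10 AM,Logoff,USER2,Jane Roe
12:20:44 PM,Logon,USER2,John Doe
01:10:00 PM,Logoff,USER2,John Doe
"""

def _t(s):
    return datetime.strptime(s, "%I:%M:%S %p")

def _rows(log):
    return (line.split(",") for line in log.splitlines() if line.strip())

def host_for_ip(dhcp_log, ip, when):
    """Host holding `ip` at `when` (None if the lease had been released)."""
    holder = None
    for ts, event, addr, host in _rows(dhcp_log):
        if addr == ip and _t(ts) <= when:
            holder = host if event == "Assign" else None
    return holder

def user_on_host(security_log, host, when):
    """Account with an open logon session on `host` at `when`."""
    active = None
    for ts, event, h, user in _rows(security_log):
        if h == host and _t(ts) <= when:
            if event == "Logon":
                active = user
            elif user == active:  # Logoff of the active session
                active = None
    return active

def attribute(ip, when_str, dhcp_log=DHCP_LOG, security_log=SECURITY_LOG):
    """Return (host, user) behind traffic from `ip` at `when_str`."""
    when = _t(when_str)
    host = host_for_ip(dhcp_log, ip, when)
    return host, (user_on_host(security_log, host, when) if host else None)
```

Calling attribute("10.10.1.4", "12:50:00 PM") returns ('USER2', 'John Doe'); a time before the lease was assigned, or after the account logged off, returns None for the missing piece instead of guessing.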


🚀 Weekly Project — Catch Me if You Can!

For our individual project, we explored Business Email Compromise (BEC) — a costly cyber threat that exploits email-based social engineering to defraud companies.

🔎 Tasks Completed:

  • Downloaded .pcap files and used Wireshark to extract email content.

  • Applied SMTP filters and examined packets for suspicious email patterns.

  • Identified phishing emails based on suspicious subjects and sender details.

  • Confirmed the malicious actor’s IP address by correlating packet details.

📝 Deliverables:

  • Malicious actor’s IP address

  • Three subject lines of phishing emails

  • Detailed explanation of the analysis process

Optional stretch: Exported .eml files of the phishing emails and viewed them in the Mail app.


💡 Key Takeaways

  • Wireshark is an essential Blue Team tool for packet analysis, email inspection, and correlating network activity to users and devices.

  • Layered analysis — combining .pcap analysis, DHCP logs, and Security logs — is critical to fully investigate and attribute suspicious activity.

  • Team collaboration (even in breakout rooms) is invaluable for solving real-world cybersecurity challenges.


🤔 Reflection

Week 1 was both challenging and exciting. It reinforced the importance of thoroughness in analyzing logs and packets, as well as understanding how different cybersecurity layers connect — from Blue Team concepts to hands-on investigation.

I’m looking forward to Week 2 and diving deeper into advanced topics!


📢 Next week: Diving into Host Intrusion Detection Systems (HIDS), event log analysis, and detecting malicious activity on endpoints. Stay tuned!

Written by Aayush Acharya

💻 CS and Math Major at Elmhurst University — Rising Senior 🚀 Aspiring Software Engineer & Cybersecurity Specialist 📊 Passionate about Math 🏓 Plays Ping Pong, 🏏 Cricket, 🎾 Tennis ✨ Always learning, always growing!