Blue Team Playbook

Aligned to SOC 2, ISO/IEC 27001, and CMMC 2.0

Purpose. A practitioner-ready playbook that gives a security team concrete procedures, control objectives, and audit-ready artifacts that satisfy SOC 2, ISO/IEC 27001, and CMMC simultaneously.
Scope. Modern enterprise environments (on‑prem, cloud/SaaS, endpoints, identity). Adapt the staffing levels/RACI to your organization’s size and risk profile.

How to Use This Playbook

  • Implement the controls and procedures chapter by chapter.
  • Collect evidence as you operate (tickets, logs, reports) so audits and assessments are straightforward.
  • Continuously improve via detection engineering, tabletop exercises, and post‑incident reviews.
  • Standards guardrails (authoritative context):
    • SOC 2 uses the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).
    • ISO/IEC 27001:2022 defines ISMS requirements; ISO/IEC 27002:2022 provides control implementation guidance.
    • CMMC is codified by DoD rulemaking (32 CFR 170) and DFARS; Level 2 is assessed against NIST SP 800‑171, with Level 3 adding selected NIST SP 800‑172 safeguards.

Common Roles & RACI

Role and key responsibilities:

  • CISO / Security Lead: Approves policies; owns risk acceptance & exceptions.
  • SOC Manager: Runs monitoring, detection engineering, 24×7 triage.
  • IR Lead: Owns incident lifecycle, forensics, evidence handling, notifications.
  • IT / Cloud / Platform Leads: Hardening, identity, network, backups; DR exercises.
  • Compliance Lead: Maps evidence to SOC 2 criteria, ISO controls, CMMC objectives.
  • GRC Engineering: Control automation, metrics pipelines, dashboards, POA&M tracking.

1 - Security Monitoring

Control Objective

Continuously detect anomalous or malicious activity across identity, endpoints, networks, cloud, apps, and data; triage and escalate efficiently; feed improvements back into hardening and IR.

Standards Alignment (Why This Satisfies)

  • SOC 2: Ongoing monitoring and system operations underpin the Security & Availability categories.
  • ISO/IEC 27001/27002: Logging and monitoring controls and operational guidance are core.
  • CMMC: Monitoring supports Audit & Accountability and System & Information Integrity families (L2 baseline), and enables L3 enhancements.

Ground Rules

  • Build a formal Information Security Continuous Monitoring (ISCM) program (NIST SP 800‑137/137A): define metrics, log sources, automated collection, and program assessments.
  • Consider OMB M‑21‑31 event logging tiers (EL0–EL3) as a maturity guide for coverage/quality.
  • Map detections to MITRE ATT&CK (Enterprise) to keep coverage threat‑informed and portable.

Log Source Priority (Minimum → Target)

  • Tier 0 (Immediate): IdP/SSO auth logs; EDR/AV; Windows Event Forwarding (auth/process/PowerShell); Linux auditd; VPN/ZTNA; email security; public cloud audit (AWS CloudTrail/Azure Activity Log/GCP Admin Activity); firewall; DNS; key SaaS admin/audit logs.
  • Tier 1 (Near‑term): MDM, PAM, web proxy/SWG, CASB, WAF, DB audit, DLP, Kubernetes audit, CI/CD, secret managers, data platform logs.
  • Tier 2 (Depth): OT/ICS telemetry, eBPF network sensors, data lake access logs, SaaS UBA.

Tip: For regulated environments, map “critical categories” to EL1/EL2 expectations (centralized access, integrity, and retention) and set SIEM ingestion SLAs accordingly.

Detection Engineering Workflow

  1. Use‑case intake (risk register, threat intel, red‑team, audit findings).
  2. Technique mapping to ATT&CK; define required telemetry and false‑positive hypotheses.
  3. Rule/procedure build (SIEM correlation, EDR analytics, identity analytics).
  4. Test with atomic behaviors; quality gate on precision, recall, and SNR.
  5. Deploy with severity/ownership; add auto‑enrichment (asset, user, geo, cloud context).
  6. Measure & tune: MTTD, alert fidelity, handling time; retire or merge low‑value rules.
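Steps 2 to 4 of the workflow, worked through as an added example that is not the playbook's own code: a candidate rule carries its ATT&CK mapping, owner and telemetry dependencies, is checked against the log source inventory, and is run over a constructed, labelled set of atomic behaviours to compute precision, recall and SNR before it may be deployed. The event schema (parent, image, cmdline, label), the inventory names and the two rule versions are assumptions made for the demonstration; the technique ID T1059.001 is the public ATT&CK identifier for PowerShell.

```python
"""Detection rule quality gate covering workflow steps 2-4 above.

Added example, not the playbook's own code: a candidate rule is mapped to
an ATT&CK technique, its telemetry dependencies are checked against the log
source inventory, and it is run over a constructed, labelled set of atomic
behaviours to compute precision, recall and SNR before deployment.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Detection:
    name: str
    technique: str                 # ATT&CK technique ID (assumed mapping)
    severity: str
    owner: str
    required_telemetry: List[str]  # log sources the logic depends on
    logic: Callable[[dict], bool]  # True when an event matches


# Constructed process-creation events with ground-truth labels, in a
# hypothetical common schema (parent, image, cmdline, label).
ATOMIC_EVENTS = [
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc QUFBQQ==", "label": "malicious"},
    {"parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -EncodedCommand QUFBQQ==", "label": "malicious"},
    {"parent": "excel.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -enc QUFBQQ==", "label": "malicious"},
    # A management agent legitimately using encoded commands: a known FP source.
    {"parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand QUFBQQ==", "label": "benign"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File build.ps1", "label": "benign"},
    {"parent": "winword.exe", "image": "splwow64.exe",
     "cmdline": "splwow64.exe 12288", "label": "benign"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def encoded_powershell(ev: dict) -> bool:
    """v1 logic: any PowerShell launched with an encoded command."""
    return ev["image"].lower() == "powershell.exe" and "-enc" in ev["cmdline"].lower()


def office_spawned_encoded_powershell(ev: dict) -> bool:
    """v2 logic: same, but only when the parent is an Office application."""
    return ev["parent"].lower() in OFFICE_PARENTS and encoded_powershell(ev)


RULE_V1 = Detection("Encoded PowerShell", "T1059.001", "high", "soc-detect",
                    ["windows_process_creation"], encoded_powershell)
RULE_V2 = Detection("Office spawns encoded PowerShell", "T1059.001", "high",
                    "soc-detect", ["windows_process_creation"],
                    office_spawned_encoded_powershell)


def evaluate(det: Detection, events: list) -> dict:
    """Confusion matrix plus precision, recall and SNR (TP/FP)."""
    tp = fp = fn = tn = 0
    for ev in events:
        hit, bad = det.logic(ev), ev["label"] == "malicious"
        if hit and bad:
            tp += 1
        elif hit:
            fp += 1
        elif bad:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    snr = tp / fp if fp else float("inf")
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall, "snr": snr}


def telemetry_gaps(det: Detection, inventory: set) -> list:
    """Required log sources that the SIEM is not yet ingesting."""
    return [src for src in det.required_telemetry if src not in inventory]


def quality_gate(det: Detection, events: list, inventory: set,
                 min_precision: float = 0.8, min_recall: float = 0.8):
    """Return (passed, reasons); reasons lists every failed criterion."""
    reasons = []
    gaps = telemetry_gaps(det, inventory)
    if gaps:
        reasons.append(f"missing telemetry: {gaps}")
    m = evaluate(det, events)
    if m["precision"] < min_precision:
        reasons.append(f"precision {m['precision']:.2f} < {min_precision}")
    if m["recall"] < min_recall:
        reasons.append(f"recall {m['recall']:.2f} < {min_recall}")
    return (not reasons, reasons)


if __name__ == "__main__":
    inventory = {"windows_process_creation", "idp_auth"}
    for rule in (RULE_V1, RULE_V2):
        ok, why = quality_gate(rule, ATOMIC_EVENTS, inventory)
        print(f"{rule.name} [{rule.technique}] -> {'PASS' if ok else 'FAIL'} {why}")
```

The v1 rule fails the gate on precision (the management agent is a false positive) while keeping full recall; v2 narrows the parent condition and passes both thresholds. Keeping the labelled atomic set alongside the rule gives the tuning notes and test results called for under Artifacts & Evidence.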

Cadence

  • Daily: Triage queues; review high‑severity rules; pipeline health; spot‑check false positives.
  • Weekly: “Top noisy” rules; backlog grooming; ATT&CK coverage heatmap; % critical assets with Tier 0 logs.
  • Monthly: Detections retro with IR; gap‑to‑goal by ATT&CK tactic; micro‑tabletops for top risks.

Artifacts & Evidence: Monitoring policy; ISCM plan; log source inventory with owners/retention; ATT&CK coverage map; tuning notes; KPI dashboards.


2 - Layered Defense (Defense‑in‑Depth & Zero Trust)

Control Objective

Reduce breach likelihood and blast radius through layered preventive, detective, and recovery controls across identity, device, network, application, and data planes.

Standards Alignment

  • ISO/IEC 27001/27002: The 2022 control set spans organizational → technological layers (access, network, configuration, supplier, development, backup).
  • CMMC: Level 2/3 requirements span AC, CM, SC, SI, IA, MP, etc., forming a layered baseline.
  • SOC 2: Trust Services Criteria expect comprehensive, layered controls over security & availability.

Architectural Backbone

  • Adopt NIST Zero Trust Architecture (SP 800‑207) (continuous verification, least privilege, strong policy enforcement).
  • For DoD/DIB, consult the DoD Zero Trust Reference Architecture for reference patterns.

Layer‑by‑Layer Essentials (Examples)

  • Identity: Phishing‑resistant MFA for admins; JIT privileged access; conditional access; continuous risk scoring.
  • Endpoint: EDR with prevention; device posture for access; kernel/process telemetry; allow‑listing for sensitive servers.
  • Network: Macro/micro‑segmentation; egress filtering; east‑west visibility; encrypted traffic analytics.
  • Application & CI/CD: SAST/DAST/SCA; secrets management; signed releases; runtime protection; robust audit trails.
  • Data: Classification; least‑privilege access; strong key management; backup/immutability; DLP for exfil channels.

Design References

  • Control tailoring: NIST SP 800‑53 Rev.5 (depth and mappings to 800‑171).
  • Defensive technique vocabulary: MITRE D3FEND.
  • Cross‑sector baselines: CISA Cross‑Sector Cybersecurity Performance Goals (CPGs).

3 - SIEM Tooling (Log Management, Analytics, Case Management)

Control Objective

Collect, normalize, analyze, and retain security‑relevant telemetry at scale to support investigations, compliance evidence, and continuous improvement.

Standards Alignment

  • ISO/IEC 27001/27002 & SOC 2: Centralized logging/monitoring, change/audit trails, and operations evidence are recurring expectations.
  • CMMC: SIEM/logging underpins Audit & Accountability and System & Information Integrity families (L2).

Authoritative Practices

  • NIST SP 800‑92 (Log Management) and Rev. 1 planning guidance for program structure, roles, retention, and improvements.
  • NIST ISCM (SP 800‑137) for metrics‑driven monitoring.
  • OMB M‑21‑31 for logging tiers, central access, integrity protections, time synchronization.

Reference Architecture (Tool‑Agnostic)

  1. Ingest: Agents/forwarders (syslog, WEF, cloud native collectors, API polling).
  2. Normalize & Enrich: Common schema; hostname/user/asset tags; GeoIP; cloud account/resource metadata.
  3. Detect: Rules, statistical baselines, UEBA, entity risk scoring, ATT&CK‑mapped playbooks.
  4. Case Management: Auto‑ticketing, SOAR enrichment/containment, evidence vault with chain‑of‑custody.
  5. Dashboards & KPIs: Coverage, MTTD/MTTR, alert SNR, incident volume by tactic.
  6. Retention Tiers: Hot (30–90 days), warm (3–6 months), cold archive (≥1 year—tailor to risk/regulatory needs).

Example Detection Starter Set (Map Each to ATT&CK)

  • Impossible travel + bypassed MFA
  • Privileged role changes outside change windows
  • Rare service principal consent to high‑risk OAuth scopes
  • New persistence (Run Keys/Startup items, systemd services)
  • Lateral movement via SMB/WinRM with admin shares
  • Suspicious DNS (DGA/cryptomining patterns)
  • Cloud control plane tampering (logging disabled, key rotation halted)
  • Mass downloads from sensitive repositories
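The Ingest, Normalize & Enrich and Detect stages of the reference architecture, carried through to the first item of the starter set ("Impossible travel + bypassed MFA"), as one added example that is not the playbook's or any vendor's code. The two raw log formats (an IdP JSON line and a VPN syslog line), the GeoIP table, the user tags and the speed threshold are constructed assumptions standing in for real collectors and enrichment feeds; T1078 (Valid Accounts) is the public ATT&CK identifier the alert is mapped to here.

```python
"""SIEM pipeline slice: ingest -> normalize/enrich -> detect, ending in the
"impossible travel + bypassed MFA" starter detection.

Added example, not the playbook's code. The raw log formats, GeoIP table,
user tags and ATT&CK mapping (T1078, Valid Accounts) are constructed
assumptions standing in for real collectors and enrichment sources.
"""
import json
import math
import re
from datetime import datetime, timezone

# Constructed raw inputs: IdP events as JSON lines, VPN events as syslog text.
RAW_IDP = [
    '{"time":"2024-05-01T08:00:00Z","actor":"alice","ip":"203.0.113.10",'
    '"event":"user.login","mfa":"success"}',
    '{"time":"2024-05-01T08:40:00Z","actor":"alice","ip":"198.51.100.7",'
    '"event":"user.login","mfa":"skipped"}',
]
RAW_VPN = [
    "2024-05-01T09:05:00Z vpn01 auth: user=bob src=203.0.113.10 result=ok mfa=yes",
    "2024-05-01T10:00:00Z vpn01 auth: user=bob src=203.0.113.11 result=ok mfa=yes",
    "2024-05-01T10:01:00Z vpn01 auth: user=bob src=203.0.113.11 result=fail mfa=no",
]
# Constructed enrichment tables: GeoIP (lat, lon, country) and user tags.
GEOIP = {
    "203.0.113.10": (51.5, -0.12, "GB"),
    "203.0.113.11": (51.5, -0.12, "GB"),
    "198.51.100.7": (40.7, -74.0, "US"),
}
USER_TAGS = {"alice": {"dept": "finance", "privileged": True},
             "bob": {"dept": "eng", "privileged": False}}

VPN_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<ip>\S+) "
                    r"result=(?P<res>\S+) mfa=(?P<mfa>\S+)$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_idp(line: str) -> dict:
    """IdP JSON -> common schema (ts, user, src_ip, action, mfa, source)."""
    d = json.loads(line)
    return {"ts": _ts(d["time"]), "user": d["actor"], "src_ip": d["ip"],
            "action": "login", "mfa": d["mfa"] == "success", "source": "idp"}


def normalize_vpn(line: str):
    """VPN syslog -> common schema; None for unparsable lines or failed auth."""
    m = VPN_RE.match(line)
    if not m or m["res"] != "ok":
        return None
    return {"ts": _ts(m["ts"]), "user": m["user"], "src_ip": m["ip"],
            "action": "login", "mfa": m["mfa"] == "yes", "source": "vpn"}


def enrich(ev: dict) -> dict:
    """Attach GeoIP and user tags; unknown IPs get no coordinates."""
    lat, lon, cc = GEOIP.get(ev["src_ip"], (None, None, "??"))
    ev.update({"lat": lat, "lon": lon, "country": cc})
    ev.update({f"user_{k}": v for k, v in USER_TAGS.get(ev["user"], {}).items()})
    return ev


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in km."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dphi, dlam = math.radians(b[0] - a[0]), math.radians(b[1] - a[1])
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_impossible_travel(events: list, max_kmh: float = 900.0) -> list:
    """Flag consecutive logins per user implying travel faster than max_kmh.
    Severity is raised when MFA was not satisfied or the user is privileged."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(ev["user"])
        if prev and ev["lat"] is not None and prev["lat"] is not None:
            km = haversine_km((prev["lat"], prev["lon"]), (ev["lat"], ev["lon"]))
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            # 50 km tolerance absorbs GeoIP jitter within one metro area.
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                bypassed = not ev["mfa"]
                alerts.append({
                    "rule": "impossible_travel", "technique": "T1078",
                    "user": ev["user"], "from": prev["country"], "to": ev["country"],
                    "km": round(km), "hours": round(hours, 2), "mfa_bypassed": bypassed,
                    "severity": "critical" if bypassed or ev.get("user_privileged") else "high",
                })
        last[ev["user"]] = ev
    return alerts


def run_pipeline() -> list:
    events = [normalize_idp(line) for line in RAW_IDP]
    events += [e for e in map(normalize_vpn, RAW_VPN) if e]
    return detect_impossible_travel([enrich(e) for e in events])


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Only alice triggers: two successful logins 40 minutes apart from GB and US imply a speed well above the threshold, and the second login skipped MFA, so the alert is raised to critical and carries the context (countries, distance, elapsed time, MFA state) an analyst needs at triage. Bob's two logins from the same metro area and the failed VPN attempt are dropped by normalization or the distance tolerance.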

Evidence: Data source registry, parsing/normalization specs, correlation rule list with test results, SOAR runbooks, case records, retention & integrity controls, KPI exports.


4 - Incident Response Planning

Control Objective

Prepare, detect, analyze, contain, eradicate, and recover from incidents efficiently; capture lessons and improve controls.

Authoritative Baseline

  • NIST SP 800‑61 Rev. 3 (Computer Security Incident Handling Guide) aligns with NIST CSF 2.0, emphasizing readiness and continuous learning.
  • ISO/IEC 27001/27002: Incident management planning, assessment/decision, response, learning, evidence collection.
  • CMMC: Level 2 requires monitoring/response capabilities; Level 3 expects stronger, validated processes.

IR Lifecycle (Implement This)

  • Prepare: IR policy; severity matrix; playbooks (ransomware, BEC, data exfil, insider, cloud takeover); comms trees; legal/regulatory notification matrix; evidence handling & chain‑of‑custody.
  • Identify/Analyze: Clear triage criteria; standardized artifacts (timeline, indicators, affected assets/users, ATT&CK techniques).
  • Contain: Playbooked actions for identity disablement, network isolation, EDR containment, cloud account lockdown; decision guide balancing business impact.
  • Eradicate/Recover: Golden image rebuilds, key rotations, control hardening; track POA&Ms; validate with adversary emulation.
  • Post‑Incident: Root cause, control failures, cost, dwell time, and lessons learned that update detections and hardening baselines.
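The evidence handling and chain-of-custody requirement in the Prepare and Identify/Analyze steps, as an added example that is not the playbook's own tooling: each artefact is hashed at collection, every hand-off is recorded against the current holder, and integrity is re-verified before the evidence is transferred or relied on. The `EvidenceVault` class, its in-memory store and the evidence IDs, analyst names and byte strings are constructed for the demonstration; a production store would back this with immutable storage and an append-only custody log.

```python
"""Evidence handling with chain of custody for the Identify and Contain
phases. Added example, not the playbook's own tooling: artefacts are hashed
at collection, every custody hand-off is recorded, and integrity is
re-verified before the evidence is transferred or relied on."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceVault:
    """In-memory stand-in for an evidence store (constructed for this
    example); real deployments back this with WORM/immutable storage."""

    def __init__(self):
        self.items = {}

    def collect(self, evidence_id, data: bytes, collector, description, source_asset):
        """Register an artefact: hash, size, provenance and first custodian."""
        record = {
            "id": evidence_id, "description": description,
            "source_asset": source_asset, "size": len(data),
            "sha256": sha256_hex(data),
            "custody": [{"ts": self._now(), "from": None, "to": collector,
                         "action": "collected"}],
        }
        self.items[evidence_id] = {"record": record, "blob": data}
        return record

    def holder(self, evidence_id) -> str:
        return self.items[evidence_id]["record"]["custody"][-1]["to"]

    def transfer(self, evidence_id, from_, to, reason):
        """Record a hand-off; refuses if from_ is not the current holder
        or the artefact no longer matches its recorded hash."""
        if self.holder(evidence_id) != from_:
            raise ValueError(f"{from_} does not hold {evidence_id}")
        if not self.verify(evidence_id):
            raise ValueError(f"{evidence_id} failed integrity check before transfer")
        self.items[evidence_id]["record"]["custody"].append(
            {"ts": self._now(), "from": from_, "to": to, "action": reason})

    def verify(self, evidence_id) -> bool:
        """Recompute the hash of the stored bytes against the collection record."""
        item = self.items[evidence_id]
        return sha256_hex(item["blob"]) == item["record"]["sha256"]

    def manifest(self) -> str:
        """Audit artefact: every record (hashes and custody trail), no blobs."""
        return json.dumps([i["record"] for i in self.items.values()],
                          indent=2, sort_keys=True)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")


def demo() -> dict:
    """Walk one constructed artefact through collection, hand-off and a
    tamper check; returns the outcomes so they can be inspected."""
    vault = EvidenceVault()
    vault.collect("EV-001", b"constructed memory image bytes", "analyst_a",
                  "memory image", "WS-042")
    vault.transfer("EV-001", "analyst_a", "forensics_lead", "deep-dive analysis")
    intact = vault.verify("EV-001")
    # Simulate silent modification of the stored bytes after the hand-off.
    vault.items["EV-001"]["blob"] = b"constructed memory image bytes (altered)"
    return {"holder": vault.holder("EV-001"), "intact_before": intact,
            "intact_after_tamper": vault.verify("EV-001"),
            "custody_entries": len(vault.items["EV-001"]["record"]["custody"])}


if __name__ == "__main__":
    print(demo())
```

The manifest is the artifact to attach to the incident case record; the hash recorded at collection is what lets an assessor or counsel confirm later that the analysed copy is the collected one.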

Ransomware‑Specific Quick Play

  • Maintain offline/immutable backups and tested restore paths.
  • Follow the joint #StopRansomware response checklist for investigation, containment, and post‑incident actions.

Evidence: Approved IR policy; annual training; tabletop agendas & minutes; incident tickets/case reports; notification proofs; lessons‑learned & change tracking.


5 - Disaster Recovery Planning

Control Objective

Restore critical services and data to meet business RTO/RPO objectives after cyber events or other disruptions; prove readiness through testing.

Authoritative Baseline

  • NIST SP 800‑184: Cybersecurity event recovery (planning, playbooks, testing, metrics).
  • ISO 22301:2019: Business Continuity Management System (BCMS); treat DR as a core BCMS capability.
  • ISO/IEC 27031: ICT readiness for business continuity.
  • ISO/IEC 27001/27002: Controls for security during disruption and ICT readiness for continuity.

DR Program Essentials

  1. Business Impact Analysis (BIA) to set RTO/RPO and prioritize systems.
  2. Recovery Strategies: Tiered backups (on‑platform snapshots + cross‑account immutable copies), alternate regions, warm/hot standby for crown jewels, mapped third‑party dependencies.
  3. Backup Controls: Encryption, integrity checks, offline/immutable copies, periodic restore drills; ensure logging survives the outage (separate log archive path).
  4. Runbooks per System: Who does what, in what order; recovery validation tests; data reconciliation steps.
  5. Exercises: Quarterly technical restore tests; annual crisis‑management exercise with executives; measure time‑to‑restore, data loss, and communications effectiveness.

Ransomware Readiness

  • Keep a clean‑room environment and documented bare‑metal/cloud rebuild procedures to avoid restoring malware; rely on joint #StopRansomware guidance for response & recovery details.

Evidence: BIA records; approved DR plan; asset‑to‑RTO/RPO mapping; backup & restore logs; exercise reports; improvement actions.


Appendix A — Minimal Standards Crosswalk

Use this as a speaking map with auditors/assessors; this is not a full clause‑by‑clause mapping.

Crosswalk columns: Chapter; SOC 2 (Trust Services Criteria); ISO/IEC 27001/27002 (examples); CMMC (assessment basis).

  • Security Monitoring
    • SOC 2: Security & Availability criteria (monitoring, system ops, change mgmt, risk response).
    • ISO/IEC 27001/27002: Logging/monitoring controls and operational guidance (27002:2022).
    • CMMC: NIST SP 800‑171 (L2): Audit & Accountability, System & Information Integrity; L3 adds 800‑172 enhancements.
  • Layered Defense
    • SOC 2: Security criteria across access, change mgmt, system ops.
    • ISO/IEC 27001/27002: Broad control set across access, network, config, supplier, backup.
    • CMMC: Cross‑family coverage (AC/CM/IA/SC/SI/MP, etc.) within 800‑171 L2; 800‑172 adds enhancements.
  • SIEM Tooling
    • SOC 2: Evidence for operations, change, monitoring.
    • ISO/IEC 27001/27002: Logging/monitoring implementation guidance (27002:2022).
    • CMMC: 800‑171 L2: Audit & Accountability + integrity monitoring; logging provides core evidence.
  • Incident Response
    • SOC 2: Security & Availability (incident handling).
    • ISO/IEC 27001/27002: Incident mgmt planning/response/learning; evidence collection.
    • CMMC: 800‑171 L2 monitoring/response; maturity expected; L3 oversight by DIBCAC.
  • Disaster Recovery
    • SOC 2: Availability (resilience & recovery).
    • ISO/IEC 27001/27002: ISO 22301 BCMS; 27031 ICT readiness; continuity controls in 27001/27002.
    • CMMC: Supports L2/L3 resilience and DFARS continuity obligations.

Appendix B — Metrics That Drive Improvement

  • Coverage: % of crown‑jewel assets with Tier 0 log sources; % of ATT&CK techniques with ≥1 detection.
  • Effectiveness: MTTD/MTTR; alert precision/recall; containment time; reinfection rate.
  • Resilience: Mean time to clean rebuild; restore success rate; RTO/RPO attainment; drill pass rate.
  • Program health: % control automations with continuous evidence; % findings closed on time; POA&M burndown (CMMC).
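Computing the coverage, effectiveness and program-health metrics above from operational records, as an added example that is not the playbook's own pipeline. The asset inventory, detection catalog, priority technique list, incident timestamps and POA&M entries are constructed; the rule that an asset counts as Tier 0 covered when it has at least one host telemetry source (EDR, WEF or auditd) is a stated assumption, as is measuring MTTR from detection to containment. The technique IDs are public ATT&CK identifiers matching the starter detections in chapter 3.

```python
"""Appendix B metrics computed from operational records.

Added example, not the playbook's own pipeline. The asset inventory,
detection catalog, priority technique list, incident records and POA&M
entries are constructed; the coverage criteria are stated assumptions."""
from datetime import date, datetime, timezone

# Assumption: an asset counts as Tier 0 covered when at least one host
# telemetry source (EDR, WEF or auditd) is attached to it.
HOST_TELEMETRY = {"edr", "wef", "auditd"}

ASSETS = [  # constructed asset inventory with attached log sources
    {"name": "dc01", "crown_jewel": True, "sources": {"wef", "edr", "dns"}},
    {"name": "erp-db", "crown_jewel": True, "sources": {"auditd", "db_audit"}},
    {"name": "hr-share", "crown_jewel": True, "sources": {"firewall"}},
    {"name": "dev-box", "crown_jewel": False, "sources": {"edr"}},
]
DETECTIONS = [  # constructed detection catalog mapped to ATT&CK technique IDs
    {"name": "office-encoded-powershell", "techniques": ["T1059.001"]},
    {"name": "impossible-travel", "techniques": ["T1078"]},
    {"name": "new-run-key", "techniques": ["T1547.001"]},
    {"name": "cloud-logging-disabled", "techniques": ["T1562.001"]},
    {"name": "dga-dns", "techniques": ["T1071.004"]},
]
PRIORITY_TECHNIQUES = ["T1059.001", "T1078", "T1547.001", "T1021.002", "T1562.001"]
INCIDENTS = [  # constructed: occurred -> detected -> contained (UTC)
    {"id": "INC-1", "occurred": "2024-04-01T00:00Z", "detected": "2024-04-01T06:00Z",
     "contained": "2024-04-01T10:00Z"},
    {"id": "INC-2", "occurred": "2024-04-10T12:00Z", "detected": "2024-04-12T12:00Z",
     "contained": "2024-04-13T00:00Z"},
]
POAMS = [  # constructed POA&M entries (ISO dates; closed=None means open)
    {"id": "P-1", "due": "2024-04-30", "closed": "2024-04-20"},
    {"id": "P-2", "due": "2024-04-30", "closed": None},
    {"id": "P-3", "due": "2024-05-15", "closed": "2024-05-20"},
]
AS_OF = date(2024, 5, 31)


def _pct(num, den):
    return round(100.0 * num / den, 1) if den else 0.0


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


def tier0_crown_jewel_pct(assets):
    """% of crown-jewel assets with at least one host telemetry source."""
    cj = [a for a in assets if a["crown_jewel"]]
    covered = [a for a in cj if a["sources"] & HOST_TELEMETRY]
    return _pct(len(covered), len(cj))


def technique_coverage(detections, priority):
    """% of priority techniques with >=1 detection, plus the uncovered ones."""
    covered = {t for d in detections for t in d["techniques"]}
    gaps = [t for t in priority if t not in covered]
    return _pct(len(priority) - len(gaps), len(priority)), gaps


def mean_hours(incidents, start, end):
    """Mean elapsed hours between two incident milestones."""
    deltas = [(_ts(i[end]) - _ts(i[start])).total_seconds() / 3600 for i in incidents]
    return round(sum(deltas) / len(deltas), 2) if deltas else 0.0


def poam_status(poams, as_of):
    """% closed on or before due date, and how many are open past due."""
    on_time = sum(1 for p in poams if p["closed"] and p["closed"] <= p["due"])
    overdue = sum(1 for p in poams
                  if not p["closed"] and date.fromisoformat(p["due"]) < as_of)
    return _pct(on_time, len(poams)), overdue


def playbook_metrics():
    cov_pct, gaps = technique_coverage(DETECTIONS, PRIORITY_TECHNIQUES)
    poam_pct, overdue = poam_status(POAMS, AS_OF)
    return {
        "tier0_crown_jewel_pct": tier0_crown_jewel_pct(ASSETS),
        "technique_coverage_pct": cov_pct, "uncovered_techniques": gaps,
        "mttd_hours": mean_hours(INCIDENTS, "occurred", "detected"),
        "mttr_hours": mean_hours(INCIDENTS, "detected", "contained"),
        "poam_closed_on_time_pct": poam_pct, "poam_open_overdue": overdue,
    }


if __name__ == "__main__":
    for k, v in playbook_metrics().items():
        print(f"{k}: {v}")
```

Each metric is returned with the list or count that explains it (the uncovered technique, the overdue POA&M count), so the dashboard value and the remediation backlog come from the same computation and the evidence export is reproducible.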

Appendix C — Evidence Checklist (Audit‑Friendly)

  • Governance: Policies (monitoring, IR, DR), ISMS scope, risk assessments, asset inventories, supplier lists.
  • Operations: SIEM data source register; retention & integrity controls; detection catalog mapped to ATT&CK; SOAR playbooks.
  • IR: Training rosters; tabletop minutes; incident case files; notification proofs; lessons‑learned and changes.
  • DR/BC: DR plan; BIA; backup/restore logs; exercise reports; RTO/RPO dashboards.
  • CMMC: Current status in SPRS (if applicable), assessment artifacts/affirmations; POA&Ms tracked to closure per rule timelines.

References — Official Sources

Note: These are the authoritative documents this playbook aligns to. Obtain the latest versions from the publishing bodies.

  • AICPA — SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).
  • ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
  • ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls (implementation guidance).
  • DoD CMMC — Program rule (32 CFR part 170) and DFARS rule; Level 2 based on NIST SP 800‑171; Level 3 adds selected NIST SP 800‑172 safeguards.
  • NIST SP 800‑61 Rev. 3 — Computer Security Incident Handling Guide.
  • NIST SP 800‑184 — Guide for Cybersecurity Event Recovery.
  • NIST SP 800‑137 / 800‑137A — Information Security Continuous Monitoring (ISCM) & ISCM Program Assessment.
  • NIST SP 800‑92 (and Rev. 1 Planning Guidance) — Guide to Computer Security Log Management.
  • NIST SP 800‑207 — Zero Trust Architecture.
  • NIST SP 800‑53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations.
  • MITRE ATT&CK® — Adversary tactics, techniques, and procedures knowledge base.
  • MITRE D3FEND™ — Defensive countermeasures knowledge graph.
  • CISA Cross‑Sector Cybersecurity Performance Goals (CPGs) — Baseline outcome‑based goals for critical infrastructure.
  • OMB M‑21‑31 — Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.
  • ISO 22301:2019 — Security and resilience — Business continuity management systems — Requirements.
  • ISO/IEC 27031 — Guidelines for ICT readiness for business continuity.