Blue Team Tools: A Resource to Protect Our Activisms

TEDIC

In a world where technology permeates every aspect of our lives, cybersecurity has become more than just a protective measure; it is a form of autonomy. From everyday actions like safeguarding our passwords to defending digital activism against sophisticated attacks, the digital landscape poses increasingly complex challenges. We are currently at a critical juncture marked by the expansion of the surveillance technology industry, the proliferation of spyware programs, and other invasive tools. These tools are increasingly in demand by state and non-state actors. Civil society organizations, given their crucial role in promoting and protecting human rights, are particularly vulnerable. These organizations face significant challenges due to the sensitive nature of their work and the resistance they encounter from governments.

Cybersecurity has thus emerged as a vital element in protecting the digital assets of organizations in our era. Blue Team Tools (BTTs), specialized in defending these assets, play an essential role in this area. The term “Blue Team” originates from military jargon, where “Red Team” and “Blue Team” are used to differentiate between teams that attack and those that defend in tactical combat exercises. Similarly, in cybersecurity, these terms describe teams of experts tasked with attacking and defending computer systems. Blue Team Tools, or BTTs, are designed to enable specialists to monitor and prepare for cybersecurity threats within organizations, while “Red Teams” focus on offensive security tasks.

At TEDIC, we participated in the INSIGHTFUL project by Internews, which aims to analyze open-source tools designed to address digital threats. These tools, known as Blue Team Tools, focus on defense and risk assessment in digital environments. BTTs range from simple software for individual use to advanced, scalable solutions for large teams. Specifically, we analyzed and tested two tools: PiRogue Tool Suite (PTS) and Wazuh.

In this blog post, we introduce two Blue Team Tools (BTTs) and their main features. These tools stand out for their ability to help technical teams dynamically detect threats. Among their advantages are:

  • Agile response: Teams are prepared to act on detected errors or collaborate on improvements.
  • Free software licensing: This allows for community auditing, as the source code is publicly available for anyone interested and capable of analyzing it.
  • Economic accessibility: They do not require high licensing costs, making them more accessible, especially for teams with limited resources.
  • Ease of implementation: All that’s needed is a cybersecurity team that can learn to install and use them.

PiRogue Tool Suite

PiRogue Tool Suite is designed to analyze internet traffic and conduct detailed investigations on mobile devices. It can be installed on a Raspberry Pi, a small and affordable computer commonly used for browsing the internet, watching videos, programming, or gaming. Alternatively, it can be installed on a virtual machine or a remote server, depending on your needs.

If you choose to use a Raspberry Pi, you can place it next to your router to create an exclusive wireless network. On this network, you can connect one or two mobile devices to analyze their data traffic, identify the endpoints they connect to, track the countries involved in those connections, and monitor potential threats. Additionally, the tool includes Suricata, a network intrusion detection engine, which raises alerts on the risks it detects. During our tests, we identified areas for improvement in the installation process and documentation. We shared our findings with the PTS team, who were very receptive to our suggestions for future updates.
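To make the last step concrete, here is a small added example (our own illustration, not code from PiRogue Tool Suite or Suricata) that reads Suricata's EVE JSON log, keeps only the alert events, and summarizes them per destination host so an analyst can see which endpoints a monitored phone contacted and how serious the triggered rules were. The log lines are constructed for the example, with documentation-range addresses and made-up signatures; the field names follow Suricata's EVE alert format, where severity 1 is the most serious.

```python
import json

# Constructed Suricata EVE JSON lines, as PiRogue would log them for one phone
# (192.168.50.12) attached to its Wi-Fi network.  These are NOT real captures:
# the external addresses are documentation ranges and the signatures are made up.
# The fourth line is deliberately truncated to exercise the malformed-line path
# (a partially written line at log rotation looks like this).
SAMPLE_EVE_LINES = """
{"timestamp":"2024-05-02T10:15:01.000000+0000","event_type":"dns","src_ip":"192.168.50.12","dest_ip":"192.168.50.1","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2024-05-02T10:15:02.000000+0000","event_type":"alert","src_ip":"192.168.50.12","src_port":43122,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"CONSTRUCTED Unexpected TLS destination","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-02T10:15:03.000000+0000","event_type":"alert","src_ip":"192.168.50.12","src_port":43123,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"CONSTRUCTED Unexpected TLS destination","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-02T10:15:04.000000+0000","event_type":"alert","src_ip":"192.168.50.12","src_port":4
{"timestamp":"2024-05-02T10:15:05.000000+0000","event_type":"alert","src_ip":"192.168.50.12","src_port":43124,"dest_ip":"198.51.100.7","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","signature_id":9000002,"signature":"CONSTRUCTED Possible spyware beacon","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-02T10:15:06.000000+0000","event_type":"flow","src_ip":"192.168.50.12","dest_ip":"198.51.100.7","proto":"TCP"}
"""


def parse_alerts(lines):
    """Return only the EVE 'alert' events; skip other event types and blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupted line: skip rather than abort the whole run
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def summarize_by_destination(alerts):
    """Group alerts by destination host: how many, how severe (1 = worst), which rules, from which devices."""
    summary = {}
    for event in alerts:
        dest = event["dest_ip"]
        entry = summary.setdefault(
            dest, {"count": 0, "highest_severity": 4, "signatures": set(), "sources": set()}
        )
        entry["count"] += 1
        # Suricata severity runs 1..4 with 1 the most serious, so "highest" is the minimum.
        entry["highest_severity"] = min(entry["highest_severity"], event["alert"]["severity"])
        entry["signatures"].add(event["alert"]["signature"])
        entry["sources"].add(event["src_ip"])
    return summary


def destinations_to_review(summary, max_severity=2):
    """Destinations whose most serious alert is at or above the given severity threshold."""
    return sorted(dest for dest, entry in summary.items() if entry["highest_severity"] <= max_severity)


def main():
    alerts = parse_alerts(SAMPLE_EVE_LINES.splitlines())
    summary = summarize_by_destination(alerts)
    for dest in destinations_to_review(summary):
        entry = summary[dest]
        print(f"{dest}: {entry['count']} alert(s), severity {entry['highest_severity']}, "
              f"from {', '.join(sorted(entry['sources']))}")
        for signature in sorted(entry["signatures"]):
            print(f"    {signature}")


if __name__ == "__main__":
    main()
```

Run against a real PiRogue deployment by replacing `SAMPLE_EVE_LINES.splitlines()` with the lines of the `eve.json` file Suricata writes; the `dns` and `flow` events are skipped deliberately because the point here is to triage alerts, but the same records are what lets PiRogue show the endpoints and countries a device talks to.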

Wazuh

The second tool we tested was Wazuh, a system that connects various computers to a central server to detect and prevent digital threats. This server, which can be installed on a computer or a virtual machine, offers a range of valuable functions, including configuration analysis, malware detection, file integrity monitoring, threat hunting, and vulnerability detection.

There are several ways to install the server, but at TEDIC, we used a straightforward method with Docker-based containers, which worked very well. It’s worth noting, however, that the server is resource-intensive due to the many tools it operates simultaneously. To ensure Wazuh functions properly, we also installed an “agent” program on the computers we wanted to monitor. These agents send all necessary information to the server, which analyzes it in real time.

The result is a dashboard accessible from the server, showing a list of all connected devices. This dashboard displays the threat levels for each device and allows users to explore other features. One of the practical aspects of Wazuh is that its agents can be installed on computers running Windows, Linux, or macOS, making it highly versatile for any organization seeking active device protection.
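The per-device threat levels mentioned above come from the alerts the agents send to the server. As an added illustration (our own example, not Wazuh’s code), the script below reads alerts in the JSON-lines shape Wazuh writes to its alerts log, where each record carries a `rule.level` from 0 to 15, an `agent` block, and a `syscheck` block for file integrity monitoring events, and builds the kind of per-agent overview the dashboard presents. The alert lines, the agent names, the rule IDs (in the range Wazuh leaves for custom rules) and the level thresholds used for the “high”, “medium” and “low” labels are all constructed for this example.

```python
import json

# Constructed alert records in the JSON-lines shape of Wazuh's alerts log.
# Agents, addresses, descriptions and rule IDs (custom-rule range) are made up
# for the example and do not come from a real deployment.
SAMPLE_WAZUH_ALERTS = """
{"timestamp":"2024-05-03T09:00:01.000+0000","rule":{"level":3,"description":"CONSTRUCTED: sshd authentication success","id":"100001","groups":["syslog","sshd"]},"agent":{"id":"001","name":"laptop-ana","ip":"192.168.50.21"},"location":"/var/log/auth.log"}
{"timestamp":"2024-05-03T09:00:05.000+0000","rule":{"level":7,"description":"CONSTRUCTED: integrity checksum changed","id":"100002","groups":["ossec","syscheck"]},"agent":{"id":"001","name":"laptop-ana","ip":"192.168.50.21"},"syscheck":{"path":"/etc/hosts","event":"modified"},"location":"syscheck"}
{"timestamp":"2024-05-03T09:01:10.000+0000","rule":{"level":10,"description":"CONSTRUCTED: repeated sshd authentication failures","id":"100003","groups":["syslog","sshd","authentication_failures"]},"agent":{"id":"002","name":"desktop-luis","ip":"192.168.50.22"},"location":"/var/log/auth.log"}
{"timestamp":"2024-05-03T09:02:00.000+0000","rule":{"level":12,"description":"CONSTRUCTED: rootcheck anomaly detected","id":"100004","groups":["ossec","rootcheck"]},"agent":{"id":"002","name":"desktop-luis","ip":"192.168.50.22"},"location":"rootcheck"}
"""

# Assumed thresholds for turning a Wazuh rule level (0..15) into a coarse label.
# Wazuh's own dashboard uses its own groupings; these bands are for the example.
LEVEL_BANDS = ((12, "high"), (7, "medium"), (0, "low"))


def load_alerts(lines):
    """Parse one JSON alert per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def threat_label(level):
    """Map a rule level to the first band whose threshold it reaches."""
    for threshold, label in LEVEL_BANDS:
        if level >= threshold:
            return label
    return "low"


def per_agent_summary(alerts):
    """Aggregate alerts per agent: count, worst level, label, and any file-integrity changes."""
    summary = {}
    for event in alerts:
        name = event["agent"]["name"]
        entry = summary.setdefault(
            name, {"agent_id": event["agent"]["id"], "alerts": 0, "max_level": 0, "fim_changes": []}
        )
        entry["alerts"] += 1
        entry["max_level"] = max(entry["max_level"], event["rule"]["level"])
        # File integrity monitoring alerts carry a syscheck block naming the changed path.
        if "syscheck" in event:
            entry["fim_changes"].append(f'{event["syscheck"]["event"]} {event["syscheck"]["path"]}')
    for entry in summary.values():
        entry["threat"] = threat_label(entry["max_level"])
    return summary


def agents_by_risk(summary):
    """Agent names ordered from the worst observed level down, ties broken by name."""
    return sorted(summary, key=lambda name: (-summary[name]["max_level"], name))


def main():
    summary = per_agent_summary(load_alerts(SAMPLE_WAZUH_ALERTS.splitlines()))
    for name in agents_by_risk(summary):
        entry = summary[name]
        print(f"{name} (agent {entry['agent_id']}): {entry['alerts']} alert(s), "
              f"max level {entry['max_level']}, threat {entry['threat']}")
        for change in entry["fim_changes"]:
            print(f"    file integrity: {change}")


if __name__ == "__main__":
    main()
```

The same aggregation applied to a real alerts log is what turns a stream of individual events into the per-device view the post describes: the agent with the highest rule level sorts to the top, and the file integrity entries show which monitored files changed on which machine.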

What’s Next? Protecting Ourselves Is a Collective Responsibility

Cybersecurity is not just about defending against threats. It is a means of empowerment, a way to take control of our tools and defend our rights in the digital environment. At TEDIC, we believe this responsibility is collective, and we extend our gratitude to all the individuals and organizations that joined this project.

With Blue Team Tools, we strengthen the resilience of civil society organizations against cyber threats. Beyond their defensive role, these tools significantly impact an organization’s security culture. By educating activists on best security practices and fostering a security-focused mindset at all levels, they contribute to creating a safer environment.

At TEDIC, we are committed to continuing this collective work to build a digital future where privacy and security are rights accessible to everyone.