Blue Team Level 1 — An essential certification for Security Professionals. Why?
Recently I passed the Blue Team Level 1 (BTL-1) certification and found it extremely important to my development as a security professional. This article as a whole, is for newcomers to the realm of Cybersecurity as well as the intermediate-level professional desiring a more “senior” skillset working in the SOC or a similar outfit.
What is Blue Team Level 1?
Security Blue Team defines the certification as a “practical cybersecurity certification focused on defensive tactics/practices, investigations, and incident handling covering analyzing and responding to phishing attacks, performing forensics investigations to collect and analyze digital evidence”. Other topics are covered including threat actor research, using a SIEM, and logging network traffic.
In total, there are 330 lessons, videos, and quizzes, with 23 labs (21 used in the exam material, 2 currently WIP) included in the environment to practice on (which are constantly being updated with new material to accurately reflect SOC/DFIR life).
The domains covered range from Security Fundamentals to more in-depth training such as Digital Forensics & Incident Response. My favorite module was Digital Forensics, as it helped me to see how important it is for communication between the SOC & DFIR to be flawless during a potential compromise, or identifying key risks within an environment.
Along with the modules presented in the study material, there are a variety of tools provided that you can experiment with in labs and on your local machine. Some tools demonstrated in the material:
Autopsy
DeepBlueCLI (Powershell)
DomainTools
Event Viewer
FTK Imager
KAPE
Snort
Splunk
Suricata
Volatility
Wireshark
Coming from a SOC analyst background, most of the tools used in the material are very accurate to what is used in the day-to-day investigation and threat detection outside of company-specific analytics and aggregation tools.
Taking notes on the study content is highly encouraged, as it is imperative with the amount of information given that you can recall the majority as it will be tested on the exam. Don’t be afraid to take your time on the study content, it is more important that the concepts stick with you than it is to speedrun the study content for the exam. For example, the Digital Forensics module took the longest to finish, as I wanted to make sure I understood each topic the best I could. Work at your own pace! By doing this, you can create a thorough process in which you can repeatedly create scenarios starting from initial attack vectors and providing solutions to patch those potential weak spots. Your note-taking skills will be tested! The study material is open for 4 months after starting your access, and if you need more time the option to purchase additional time is always there, but I do think it is a solid amount of time to understand the material especially if you have prior cybersecurity knowledge.
As stated, the content presented within the units is definitely enough to pass the exam, however, it would be great to continue your study application outside of the Exam to continue to allow the topics to stick. Resources like Mandiant and BleepingComputer help to associate common attack vectors to APTs, while staying up to date on new vulnerabilities.
Exam Experience — Labs
With the labs, you are given 120 hours in total for lab use, most labs usually take about maybe an hour or two depending on your familiarity with the topic.
- GO BACK AND PRACTICE — The Labs are given to you with unlimited usage within 120 hours, so take advantage of that time to practice and get familiar with some of the tools that you may not be able to access on a personal basis outside of labs without an additional charge.
Labs included such as Splunk, Powershell, and Wireshark are all used within SOC environments and can be likened to a “test your strength” scenario: if you are familiar with the tools, these exercises will be no problem. Some tools such as DeepBlueCLI require a bit more setup if you were to use them outside of the environment, so it is highly suggested to make good use of the labs as much as you can, as they reflect the exam in many ways.
Exam Experience — Practical Exam
Here are my 3 main takeaways from the exam:
24 Hour Practical Exam:
The exam takes place over a continuous 24-hour period, meaning the clock continues to run if you leave the environment. I completed the exam in 14 hours, including lunch, naps, and a few walks to come back with a fresh mind. If you ever need to leave the house or a slight hiccup happens with your exam experience, do not worry as 24 hours is more than enough time to complete the exam, giving you a fresh start if you decide to complete a portion of the exam over the following day. If you decide to do that, this leads to our second point: “Creating an Incident Timeline.”
Creating an Incident Timeline
Creating an incident timeline is very vital to your success in the exam, without one you will fail. You will need to keep track of domain names, IP addresses, and filenames, just like you would when ticketing an incident. For me, this was a great way to be able to practice my ticketing skills without the “impending doom” of an actual threat. Taking screenshots and keeping good timestamps will help you as some questions will ask for a specific time in which an incident occurred. Using a good notetaking app will assist you significantly! I used Obsidian, but you can use something like Notepad or Notion.
Check Your Answers
Double-check your answers! The passing score for the exam is 70%, with the gold challenge coin rewarded to test takers passing with 90%. Questions are graded after the exam with personalized feedback, and if you do fail, you can retake for free as your voucher includes a free retake for the exam.
Final Review:
The BTL1 exam is a great choice for those who would like to take their practical skills to the next level, or for Jr. SOC Analysts who want to progress to a senior level skillset. Becoming confident in your analysis process is key to becoming a successful security professional, and this exam does just that.
Additional Resources Used:
- BTLO (Blue Team Labs Online — “Peak”, “Phishy”, “Countdown”.)
- TryHackMe (Excellent choice to get hands-on with Splunk)
- Youtube / Medium