Security Blue Team Level 1 — Journey

whoami
4 min read · Sep 2, 2023


Hey Cyber Warriors!!! Hope everyone is doing well and keeping safe. This article describes my journey to the Blue Team Level 1 (BTL1) certification, which is provided by Security Blue Team.

Blue Team Level 1 is a 24-hour incident response exam: 20 task-based, CTF-style questions answered inside a cloud-hosted lab environment.

Why did I choose this BTL1 certification?

Initially, I chose this entry-level certification to start my blue team certification journey, primarily because it was a good deal on Black Friday and covered a range of domains. Those domains help us build well-rounded skills, and it is a good certification for opening the door to the defensive (blue team) field.

The two videos below explain what BTL1 is and who benefits from pursuing it.

Is BTL1 an entry-level certification?
BTL1 vs CySA+

Let’s look at each of the domains that the BTL1 certification covers:

  1. Security Fundamentals: the essential knowledge of how to approach problems securely, plus the general networking knowledge that BTL1 expects as a baseline.
  2. Phishing Analysis/Email Analysis: email is the most common way for attackers to get into an organisation, according to this Trend Micro report. In this domain we learn how to analyse the email headers, body, URLs and attachments in an isolated environment. Afterwards we have to document how we analysed the mail and which tools we used, so that the findings can be shared with the Threat Intelligence team.
  3. Threat Intelligence: which movements and techniques attackers typically use, how intelligence is shared, how much it hurts an attacker when we deny each kind of indicator (the Pyramid of Pain), what the MITRE ATT&CK framework is and how to map threat actors onto it.
  4. Digital Forensics: when we need to know what an attacker did on an endpoint, forensic investigation is the key player. Using tools that cover memory, network, file and system artifacts, we build a timeline of how the endpoint was compromised.
  5. SIEM Solutions: in a Security Operations Center (SOC), the SIEM is the vital component that collects log data from security devices so the team can analyse it. The path from collecting data to analysing it runs through logging, aggregation and correlation.
  6. Incident Response: with security incidents happening frequently, we need to know the incident response process in order to minimise risk, and then document everything so it can be reused the next time an incident happens.
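The Phishing Analysis domain above is easiest to understand with a worked triage. The script below is an added example for this article, not BTL1 course material or a Security Blue Team tool: it parses a constructed .eml (every domain, IP and attachment in it is fictional), walks the Received chain back to the originating IP, reads the SPF/DKIM/DMARC results, compares the Reply-To domain with the From domain, extracts and defangs URLs, and hashes attachments while checking for a double extension and the PE "MZ" magic. The output is the kind of indicator list you would hand to the Threat Intel team.

```python
"""Offline triage of a suspicious email: hops, auth results, URLs, attachments.

Added example for this article, not part of the BTL1 material. The message is
constructed for illustration; every domain, address and IP is fictional.
"""
import hashlib
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample .eml (as exported from a mail client). Not a real phish.
SAMPLE_EML = b"""\
Received: from mail.example-corp.test (mail.example-corp.test [203.0.113.10])
\tby mx.victim.test with ESMTP id abc123; Mon, 28 Aug 2023 09:12:01 +0000
Received: from unknown (unknown [198.51.100.77])
\tby mail.example-corp.test with SMTP; Mon, 28 Aug 2023 09:11:58 +0000
Authentication-Results: mx.victim.test; spf=fail smtp.mailfrom=example.test; dkim=none; dmarc=fail
From: "Payroll Team" <payroll@example.test>
Reply-To: payroll-update@mail.attacker.test
To: employee@victim.test
Subject: Urgent: update your direct deposit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="utf-8"

Please confirm at http://secure-payroll.attacker.test/login before 5pm.
--BOUND
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
RISKY_EXT_RE = re.compile(r"\.\w+\.(exe|scr|js|vbs|bat|ps1|hta)$", re.I)


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked by accident in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if header missing)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return the indicators an analyst documents for a suspicious message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # Each hop prepends its own Received header, so the bottom one is the origin.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(str(received))
        if match:
            hops.append(match.group(1))

    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    reply_to_mismatch = bool(reply_domain and reply_domain != from_domain)

    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or ""
            attachments.append({
                "filename": name,
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_pe": data.startswith(b"MZ"),  # PE magic, whatever the extension says
                "double_extension": bool(RISKY_EXT_RE.search(name)),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(defang(u) for u in URL_RE.findall(part.get_content()))

    findings = [f"{m}={auth[m]}" for m in ("spf", "dkim", "dmarc")
                if auth.get(m) in ("fail", "none")]
    if reply_to_mismatch:
        findings.append(f"Reply-To domain {reply_domain} != From domain {from_domain}")
    for att in attachments:
        if att["double_extension"] or att["is_pe"]:
            findings.append(f"executable attachment {att['filename']} sha256={att['sha256']}")

    return {"hops": hops, "auth": auth, "from_domain": from_domain,
            "reply_to_mismatch": reply_to_mismatch, "urls": urls,
            "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    print("origin -> delivery hops:", " -> ".join(report["hops"]))
    print("auth results:", report["auth"])
    print("URLs (defanged):", report["urls"])
    for line in report["findings"]:
        print("FINDING:", line)
```

Run it on a real .eml by replacing `SAMPLE_EML` with `open(path, "rb").read()` inside a VM, never on your own workstation, and keep the hash, not the file, in the ticket. Note that the originating IP in the Received chain is only as trustworthy as the hop that recorded it; any header below a hop you do not control can be forged.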

How did I prepare for this certification?

We have to know where our weaknesses are. SIEM (Splunk) and Digital Forensics play a big part in the BTL1 exam, so I focused on those two fields.

Splunk provides free training courses where we can build up our skills in using it.
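The "logging, aggregation and correlation" pipeline mentioned in the SIEM domain is easier to reason about once you have written it yourself. The block below is an added example for this article, not a Splunk search or BTL1 course material: it takes constructed Windows Security logon events (4625 = failed logon, 4624 = successful logon; the IPs and usernames are invented), extracts fields (logging), counts failures per source (aggregation, the equivalent of a `stats count by` search), and then raises an alert only when a success follows a burst of failures from the same source within a time window (correlation). The threshold and window are illustrative parameters, not values from the course.

```python
"""Logging -> aggregation -> correlation over Windows logon events, in plain Python.

Added example for this article, not from Splunk or the BTL1 course. The events
are constructed; field names mimic Windows Security records after ingestion.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines. 4625 = failed logon, 4624 = successful logon.
RAW_EVENTS = """\
2023-08-28T09:00:01 EventID=4625 TargetUserName=jdoe IpAddress=198.51.100.7 LogonType=3
2023-08-28T09:00:02 EventID=4625 TargetUserName=jdoe IpAddress=198.51.100.7 LogonType=3
2023-08-28T09:00:03 EventID=4625 TargetUserName=jdoe IpAddress=198.51.100.7 LogonType=3
2023-08-28T09:00:04 EventID=4625 TargetUserName=jdoe IpAddress=198.51.100.7 LogonType=3
2023-08-28T09:00:09 EventID=4624 TargetUserName=jdoe IpAddress=198.51.100.7 LogonType=3
2023-08-28T09:01:00 EventID=4625 TargetUserName=asmith IpAddress=203.0.113.5 LogonType=3
2023-08-28T09:01:02 EventID=4625 TargetUserName=asmith IpAddress=203.0.113.5 LogonType=3
2023-08-28T09:01:05 EventID=4624 TargetUserName=asmith IpAddress=203.0.113.5 LogonType=3
2023-08-28T09:02:00 EventID=4624 TargetUserName=bchen IpAddress=10.0.0.12 LogonType=2
2023-08-28T09:10:00 EventID=4625 TargetUserName=admin IpAddress=192.0.2.9 LogonType=3
2023-08-28T09:10:01 EventID=4625 TargetUserName=admin IpAddress=192.0.2.9 LogonType=3
2023-08-28T09:10:02 EventID=4625 TargetUserName=admin IpAddress=192.0.2.9 LogonType=3
2023-08-28T09:10:03 EventID=4625 TargetUserName=admin IpAddress=192.0.2.9 LogonType=3
2023-08-28T09:10:04 EventID=4625 TargetUserName=admin IpAddress=192.0.2.9 LogonType=3
"""


def parse_events(raw: str) -> list:
    """Logging stage: turn raw lines into typed records (field extraction)."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["EventID"] = int(rec["EventID"])
        events.append(rec)
    return events


def failures_by_source(events) -> dict:
    """Aggregation stage: failed logons per source IP."""
    return dict(Counter(e["IpAddress"] for e in events if e["EventID"] == 4625))


def correlate_bruteforce(events, threshold=4, window=timedelta(minutes=5)) -> list:
    """Correlation stage: a success preceded by >= threshold failures from the
    same source inside `window` is far more interesting than either event alone.
    A burst of failures with no success is left to the aggregation view."""
    recent = defaultdict(list)  # source IP -> timestamps of unresolved failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e["IpAddress"]
        if e["EventID"] == 4625:
            recent[ip].append(e["ts"])
        elif e["EventID"] == 4624:
            fails = [t for t in recent[ip] if e["ts"] - t <= window]
            if len(fails) >= threshold:
                alerts.append({"ip": ip, "user": e["TargetUserName"],
                               "failures": len(fails), "first_failure": fails[0],
                               "success_at": e["ts"]})
            recent[ip] = []  # a success closes the attempt window for that source
    return alerts


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("failed logons per source:", failures_by_source(evs))
    for alert in correlate_bruteforce(evs):
        print("ALERT brute force followed by success:", alert)
```

Run as-is it reports one alert (jdoe from 198.51.100.7) even though 192.0.2.9 produced more failures; that gap between "noisy" and "successful" is exactly what correlation adds over a raw count, and why a tuned SIEM rule pairs the two rather than alerting on volume alone.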

As for Digital Forensics, I spent some time investigating compromised systems with the Autopsy and Volatility tools.

The Best Way is PRACTICE!!!!!

The resources I benefited from came from this lab recommendation list; I picked some difficulty level 1 labs that involve networking and Windows. Personally, I highly suggest doing SOC Alpha 1 and SOC Alpha 2.

Secondly, the Cyberdefenders platform is my favourite one. Again, I highly suggest doing BOSSv1 and BOSSv2.

Other than PRACTICING, the way to keep track of what we have found is DOCUMENTING!!!!!

Prepare our own notes that reflect the level of understanding and knowledge we have reached in the field.

What am I looking for after getting this certification?

The certification opens the way for me to start my Digital Forensics and Incident Response (DFIR) journey.

I look forward to getting deeper into Digital Forensics because this field helps me develop more comprehensive analysis skills and mindset. Meanwhile, one of the professional blue team certifications I took is Certified CyberDefender (CCD), which covers the Incident Response, Forensics Collection, Disk Forensics, Memory Forensics, Network Forensics and Threat Hunting domains.

The most important thing is that the CCD certification involves more than 25 practical labs, and Windows Forensics, Network Forensics and Threat Hunting are the golden parts!!!

Other certifications I might look at are Certified Incident Responder (eCIR), Certified Digital Forensics Professional (eCDFP) and Certified Threat Hunting Professional (eCTHPv2), provided by eLearnSecurity.

Besides this, there is a collection of training courses from 13Cubed covering in-depth Windows forensics, memory forensics, digital forensics and malware analysis. These help give a full picture of how to collect artifacts in Digital Forensics.

What did I learn from this certification?

Remember, BTL1 is not an easy exam; the way to pass is to work through each part of the training course and make our own notes with a smart mindset.

During the 24-hour exam, I was going back and forth between what I had found and looking for clues to justify it. Even though the exam requires analysing the information, I learned that THINK SMARTER, NOT HARDER is the key in this 24-hour exam marathon.

A mindset of knowing what we are looking for, and how to approach it, is really important when defending against incidents.
