A Review of Security Blue Team BTL1
About a month ago, I passed my Blue Team Level 1 (BTL1) exam from Security Blue Team (SBT). I would like to share a bit of my experience with the training itself.
The Blue Team Level 1 (BTL1) certificate is one of the few blue team training courses out there aimed at equipping you with the practical skills to work as a SOC analyst. BTL1 covers the following domains:
- Phishing Analysis
- Threat Hunting
- Digital Forensics
- SIEM (Splunk in this case)
- Incident Response
Each domain covers a good number of techniques and tools that would aid you in real-world DFIR and threat hunting.
The phishing analysis section taught me how to analyze phishing emails both manually and with tools (e.g. PhishTool), as well as how to make proper recommendations for triaging the issue. In addition, this domain really teaches you how to write a good report and communicate your findings in a professional way! That’s what I really like, and I think it will be an important asset for you to have as an analyst.
The threat hunting domain mainly covers TTPs (Tactics, Techniques, and Procedures). It gives you a great idea of how to hunt for the techniques and tools attackers use, and shows you several malware examples that are still relevant today. In addition, you will have the chance to learn MISP and set it up in your lab environment.
The digital forensics section covers the forensic techniques used to uncover attackers’ tracks on both Windows and Linux. Also, you will have the chance to play with Volatility and Autopsy in your lab.
The SIEM section is one of my favorite sections. Yes, I love Splunk. This section teaches you how to set up Splunk in your lab and some basic commands for using it. You will also have the chance to put your skills to the test on Boss of the SOC version 1 (bots1), which I think is an amazing blue team CTF, and I am still playing it now after my BTL1. Overall, this section really gives you a good foundation in Splunk.
The last section, incident response, covers the NIST Incident Response Process. The meatiest and my favorite part of this section is the introduction to the MITRE ATT&CK Framework, which is such a nice tool that I think it should be covered in any good blue team course. Also, you will have the chance to play around with pfSense and Snort in your lab for a bit.
My favorite part about BTL1 is its exam. I can’t say much about the exam here because of the legal agreement, but I can assure you it is one of the most fun yet challenging DFIR exams out there, and it really tests your ability to uncover what the attacker did in your environment. I would recommend that you not underestimate the difficulty of the exam: be prepared, take lots of screenshots, and take small breaks in between. It is a long exam that reflects a real-world situation!
Some tips that could potentially help you:
- Take good notes while you take the course, do all the exercises and labs in the course, and really understand every piece of it.
- Play bots1 at CyberDefenders a bit to get your hands dirty with Splunk.
- Take breaks during the exam.
- Take lots of screenshots, and write a good report :) you know this is important in every case :)
The course apparently costs £499. I think it is a fair price for the amount of material they offer compared with some other blue team training on the market right now.
Lastly, I hope you will enjoy BTL1 if you decide to take the training, and seriously, enjoy it and have some fun! And go get those gold coins :)