Blue Team Level 1 - Review
Updated: Mar 3
In this blog post I will briefly go over my experience preparing for and sitting the BTL1 exam. BTL1 is a practical defensive certification created by the team at Security Blue Team: https://securityblue.team/
Firstly, why BTL1?
BTL1 offered something that many other defensive certifications at the time did not, which was a practical exam that was completely hands-on.
The exam places you in a compromised environment with access to security tools, logs, a few machines, and forensic data. You have to apply everything learned across the six domains of the certification to map out the attacker's steps from the initial attack through to detection and remediation.
The six domains are highly relevant to any defensive Security Analyst role, which is what motivated me to take the exam in the first place. It covers the following domains:
Security Information and Event Management
In addition to the cert being completely hands-on, I believe that the labs, through very well-simulated security investigations, give test takers experience using SIEMs, forensics tools, and other open-source security tools. If you do these labs enough, they'll give you multiple talking points in interviews. For example, when asked in interviews about my experience with SIEMs, I have been able to describe in detail various investigations that I completed using Splunk. Some skills I learned in the labs and training materials included building dashboards, leveraging fields in my searches, and plotting out the steps of an attacker during investigations.
What was my exam experience like?
I used approximately 16 hours of the allotted time. For the first 3 hours, I felt like a fish out of water. However, staying calm and not overthinking is the name of the game. Also, building a timeline of the security events will help you put the pieces of the incident together. It helps to be familiar with the MITRE ATT&CK framework and to follow cybersecurity news. This trains your mind to think like an analyst: you develop a general feel for how most attacks play out and therefore learn what to look for.
Like a puzzle, or any security investigation, the picture emerges as the pieces come together, and the same applies to BTL1. So if you have a slow start during the exam, do not get stressed out, because the momentum will build.
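The timeline advice above is the part of the exam I would most want to practise before sitting it: evidence arrives from several sources, each with its own timestamp format and time zone, and nothing lines up until it is normalised to one clock. The example below is added here and is not code from the original post or from Security Blue Team. It takes constructed sample lines from three made-up sources (a mail gateway logging epoch seconds, a Sysmon-style endpoint log in local time, and a web proxy logging ISO 8601), converts every timestamp to UTC, sorts them into one timeline, and tags events that match simple detections with ATT&CK technique IDs. The log formats, host names, the `-05:00` local offset and the detection-to-technique mapping are all assumptions made for this example.

```python
"""Normalise constructed log lines from several sources into one UTC incident timeline."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative mapping from detection names to ATT&CK technique IDs (assumed for this example).
TECHNIQUES = {
    "mail_attachment": "T1566.001",        # Phishing: Spearphishing Attachment
    "office_spawns_shell": "T1059.001",    # Command and Scripting Interpreter: PowerShell
    "proxy_script_download": "T1071.001",  # Application Layer Protocol: Web Protocols
}
OFFICE_APPS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
SHELLS = ("powershell.exe", "cmd.exe")


@dataclass
class Event:
    ts: datetime      # always timezone-aware and in UTC after parsing
    source: str
    host: str
    summary: str
    technique: str    # ATT&CK ID, or "" when no detection matched


def _kv(text):
    """Parse space-separated key=value pairs (values carry no spaces in these constructed lines)."""
    return dict(pair.split("=", 1) for pair in text.split())


def parse_mail(line):
    """Constructed format: '<epoch-seconds> key=value ...', timestamps already in UTC."""
    epoch, rest = line.split(" ", 1)
    f = _kv(rest)
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    risky = f["attachment"].lower().endswith((".docm", ".xlsm", ".js", ".iso"))
    return Event(ts, "mailgw", f["rcpt"], f"attachment {f['attachment']} delivered to {f['rcpt']}",
                 TECHNIQUES["mail_attachment"] if risky else "")


def parse_sysmon(line, local_offset):
    """Constructed format: 'MM/DD/YYYY HH:MM:SS key=value ...' in the endpoint's local time."""
    stamp, rest = line[:19], line[20:]
    f = _kv(rest)
    local = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone(local_offset))
    image = f["Image"].rsplit("\\", 1)[-1]
    parent = f["ParentImage"].rsplit("\\", 1)[-1]
    suspicious = parent.upper() in OFFICE_APPS and image.lower() in SHELLS
    return Event(local.astimezone(timezone.utc), "sysmon", f["Host"], f"{parent} spawned {image}",
                 TECHNIQUES["office_spawns_shell"] if suspicious else "")


def parse_proxy(line):
    """Constructed format: '<ISO-8601 with offset> key=value ...'."""
    stamp, rest = line.split(" ", 1)
    f = _kv(rest)
    ts = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    scripty = f["uri"].lower().endswith((".ps1", ".vbs", ".hta"))
    return Event(ts, "proxy", f["host"], f"{f['method']} {f['dst']}{f['uri']} status {f['status']}",
                 TECHNIQUES["proxy_script_download"] if scripty else "")


def build_timeline(mail_lines, sysmon_lines, proxy_lines, local_offset=timedelta(hours=-5)):
    """Parse every source, normalise to UTC and return the events in chronological order."""
    events = [parse_mail(l) for l in mail_lines]
    events += [parse_sysmon(l, local_offset) for l in sysmon_lines]
    events += [parse_proxy(l) for l in proxy_lines]
    return sorted(events, key=lambda e: e.ts)


def attacker_steps(timeline):
    """Technique IDs in chronological order, skipping events that matched no detection."""
    return [e.technique for e in timeline if e.technique]


def span_seconds(timeline):
    """Seconds between the first and last technique-tagged event (0 if fewer than two)."""
    tagged = [e for e in timeline if e.technique]
    if len(tagged) < 2:
        return 0
    return int((tagged[-1].ts - tagged[0].ts).total_seconds())


# Constructed sample lines (not real data), deliberately supplied out of order across sources.
PROXY_LOG = [
    "2023-03-03T09:20:45+00:00 src=10.0.3.17 host=WKSTN-07 dst=files.example.invalid "
    "method=GET uri=/stage.ps1 status=200 bytes=48211",
]
SYSMON_LOG = [
    r"03/03/2023 04:05:00 EventID=1 Host=WKSTN-07 Image=C:\Browser\chrome.exe ParentImage=C:\Windows\explorer.exe",
    r"03/03/2023 04:20:11 EventID=1 Host=WKSTN-07 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"ParentImage=C:\Office16\WINWORD.EXE",
]
MAIL_LOG = [
    "1677834840 gateway=mx01 rcpt=j.doe@example.invalid subject=Invoice attachment=invoice.docm verdict=delivered",
]

if __name__ == "__main__":
    timeline = build_timeline(MAIL_LOG, SYSMON_LOG, PROXY_LOG)
    for e in timeline:
        print(f"{e.ts.isoformat()}  {e.source:<7} {e.host:<22} {e.technique or '-':<10} {e.summary}")
    print("attacker steps:", attacker_steps(timeline), "span:", span_seconds(timeline), "s")
```

Run as-is, the benign browser launch sorts to the top and the three tagged events follow in the order delivery, execution, download, which is exactly the attacker's path the exam asks you to reconstruct. The design point worth copying into your own notes is that every parser converts to an aware UTC `datetime` before anything is compared; mixing a naive local Sysmon timestamp with a UTC proxy timestamp is the most common way a hand-built timeline ends up with steps in the wrong order.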
Is the training material enough?
So to close this blog post, I figured I would answer the question that I once asked, and the answer is yes. I got a gold coin using the training material and only about 50 of the 100 hours available for lab time. However, everyone is different, so just commit to knowing the information well and understanding how to investigate. Get comfortable knowing what to look for, when to look for it and why. Spend more time in the Incident Response domain and its labs. Also, the final prep lesson in the training material has really good advice, so apply it and you should be good.