Blue Team Level 1 — The Golden Standard for Defensive Cyber Training

Blue Team Level 1 offers candidates a competitive foundational knowledge and actionable cybersecurity skillset

Arion Martin
14 min read · Jun 22, 2023

Overview — The Sparknotes on BTL1

Disclaimer: I’m in no way sponsored by Security Blue Team. These are my thoughts and opinions on the Blue Team Level 1 certification. I still have much to learn and nothing I say is meant to, in the words of John Hammond, “start the holy wars”. Evaluate with your best judgment.

What is BTL1?

Security Blue Team’s Blue Team Level 1 is a hands-on defensive security certification that offers candidates a rounded foundational knowledge and actionable skillset similar to that of a junior cybersecurity analyst.

Deviating from the approach of traditional multiple choice exams, BTL1 offers candidates a chance to put what they’ve learned to practice by completing online practice labs throughout the course, and completing a 24-hour incident response assessment to validate competence with the skills and tools learned.

Blue Team Level 1 provides a solid and structured learning path to teach some of the core skills a security operations specialist needs to successfully execute their role.

Security Blue Team provides affordable, practical, and high-quality defensive cybersecurity training, certifications, and community events.

Note: Although highly recommended, it isn’t mandatory that you complete 100% of the course material. Once purchased, you can take the exam at any time of your choosing.

Skills Learned

The course is structured around 6 key domains: Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, SIEM, and Incident Response.

Security Fundamentals

You’ll learn networking fundamentals, the importance of soft skills, security controls, and management principles. You’ll also be introduced to different blue team roles and problem solving strategies.

Phishing Analysis

Do you know how to tell if an email is malicious, benign, or just a flat-out annoyance? Understanding how to parse through email headers, gather artifacts and make an informed decision about whether to look past an email or dig deeper is one of the skills you’ll learn from this section. Phishing emails account for a very large number of initial attacks. Knowing how to protect against this attack vector and how to properly mitigate these attacks can be vital to the overall security posture of organizations.
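The header triage the section describes, as an added example rather than course material from Security Blue Team: a small Python script that parses a raw message with the standard library and records the artifacts an analyst would note (sender, return-path and reply-to domains, the Received hop chain, authentication results, body URLs), flagging the mismatches that justify digging deeper. The sample message and every domain in it are constructed for illustration.

```python
"""Phishing header triage (added example; sample message is constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name claims a bank, envelope and reply-to differ.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-example-bulk.test>
Received: from mx.example-corp.test (mx.example-corp.test [10.0.0.5])
 by inbox.example-corp.test with ESMTP; Thu, 22 Jun 2023 09:12:44 +0000
Received: from smtp.mail-example-bulk.test (unknown [192.0.2.77])
 by mx.example-corp.test with ESMTP; Thu, 22 Jun 2023 09:12:40 +0000
Authentication-Results: mx.example-corp.test; spf=fail; dkim=none; dmarc=fail
From: "Example Bank Security" <alerts@example-bank.test>
Reply-To: <verify@example-bank-login.test>
To: <user@example-corp.test>
Subject: Urgent: verify your account
Content-Type: text/plain

Your account is locked. Verify now at http://example-bank-login.test/verify
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=fail\b", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Return the lowercase domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Collect artifacts and flag header inconsistencies worth a closer look."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    artifacts = {
        "from_domain": from_dom,
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "reply_to_domain": domain_of(msg.get("Reply-To")),
        # Each MTA prepends its own Received header, so the last one is the origin.
        "received_hops": msg.get_all("Received", []),
        "auth_results": msg.get("Authentication-Results", ""),
        "urls": URL_RE.findall(body),
    }
    flags = []
    if artifacts["return_path_domain"] and artifacts["return_path_domain"] != from_dom:
        flags.append("Return-Path domain differs from From domain")
    if artifacts["reply_to_domain"] and artifacts["reply_to_domain"] != from_dom:
        flags.append("Reply-To domain differs from From domain")
    if AUTH_FAIL_RE.search(artifacts["auth_results"]):
        flags.append("receiving MTA reported SPF/DKIM/DMARC failure")
    url_hosts = {(urlparse(u).hostname or "").lower() for u in artifacts["urls"]}
    if any(host and host != from_dom for host in url_hosts):
        flags.append("body URL host differs from From domain")
    artifacts["flags"] = flags
    return artifacts


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The flags are triage signals, not a verdict: a legitimate bulk mailer can also produce a Return-Path mismatch, so the analyst still weighs them against the other artifacts.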

Threat Intelligence

What is cyber threat intelligence, anyways? CTI provides insights into the tactics, techniques, and procedures (TTPs) used by threat actors which can inform an organization’s security team of things to watch out for and help prevent attacks. You’ll learn where to find reputable sources of threat intelligence and how to leverage these sources to make sound decisions about the threats in your environment.

Digital Forensics

Knowing how to find artifacts in places you didn’t even know existed can make you feel like a wizard at times. Through the use of tools like FTK Imager, Autopsy, and Volatility, you’ll learn how to collect and analyze data from digital devices including hard drives and memory for identifying potential indicators of compromise.

SIEM

Understanding and being proficient with a Security Information and Event Management (SIEM) system is a critical skill for effective threat detection and response, and it’s in high demand. A SIEM collects and presents security data from multiple sources to identify potential security incidents and alert analysts of threats. You’ll learn how to use Splunk as the SIEM tool of choice and how to effectively analyze a large amount of security data.

Incident Response

Incident response is the process of investigating and responding to cyber incidents. You’ll learn how to use Wireshark to investigate captured network traffic, as well as understand the importance of the MITRE ATT&CK framework in the incident response lifecycle. By mapping observed Tactics, Techniques, and Procedures (TTPs) to the MITRE ATT&CK framework, you’ll be able to identify potential threats and take proactive measures to improve your organization’s security.

Practicality

The BTL1 course is a primarily text-based course with a mixture of videos, labs, and multiple-choice quizzes.

In order to pass and become BTL1 certified, you don’t take a 60–90-question multiple-choice exam. You actively perform an incident response investigation within a compromised environment. This is not only an engaging exam; it also validates that you actually understand what you’ve learned and allows you to demonstrate an actionable skillset that most other certifications simply can’t offer.

This is a welcome deviation from the traditional exam format seen in other certifications, which rely strictly on multiple-choice questions. In the cybersecurity industry specifically, having experience performing the task(s) is considered higher value than simply possessing a certification.

Certifications more so complement and validate the experience gained as you progress through your career.

Affordability

$500 is quite a chunk of cash. However, if you look at other certifications in the cybersecurity space, the price is quite competitive, especially considering you get a free retake if you don’t pass it the first time. Security Blue Team doesn’t profit from your failures.

Free Demo and Alternate Learning Path

BTL1 offers a free demo of the course and also offers an alternate learning path that results in obtaining the Blue Team Junior Analyst certificate.

The courses needed to achieve the Blue Team Junior Analyst certificate are:

  • Introduction to Threat Hunting
  • Introduction to Darkweb Operations
  • An Introduction to Vulnerability Management
  • An Introduction to Digital Forensics
  • An Introduction to Network Analysis
  • An Introduction to Open-Source Intelligence

While this isn’t a certification, it does provide a good introduction to the 6 topics covered in the learning path, and shows you’re taking initiative for continued learning.

What Problems Does BTL1 Solve?

Information Overload for Beginners

Structured learning is one of the biggest benefits for junior practitioners.

When you first start learning cybersecurity, it can seem like an endless amount of information to consume. It’s beneficial to stick with one topic or area and learn all you can about that one thing. Prioritize and take inventory of what you need to know for the role or objective you’re trying to achieve.

The general consensus, although not the only path, is to start your cybersecurity journey by becoming a cybersecurity specialist or cybersecurity analyst. Even after narrowing it down to a specific area, if you’re just starting out you still might not know what questions to even ask, or what skills you need to learn.

While it’s important to do your own research, it can also be hugely beneficial early on to have a well-packaged learning track so that you can make more efficient use of your time.

This is one problem BTL1 solves.

Structured learning is an area where BTL1 shines. You’ll receive both a high-level overview of where your value will be evaluated as a junior in the field, and precisely how to satisfy these expectations from a low-level, hands-on-the-keyboard approach. BTL1 lets you filter through the noise and focus on key skills you’ll need to know starting out in cybersecurity.

Needing Experience Without Having Experience and The Skills Gap

Should I go to college? Should I take x or y certification? Should I attend this or that boot camp? Should I take this learning path or do that lab?

These are some of the most common approaches people take when looking to break into cybersecurity. Depending on your desired sub-field and your personal goals, the answer will be different from person to person.

If you’re aiming to become an entry-level analyst, you’ll be hard-pressed to find a certification that adds more value than Blue Team Level 1.

BTL1 satisfies the in-demand skill requirements employers are looking for and aligns candidates to meet the actual skills shortage of today’s market. Because the course is composed by an Academic Advisory Board of seasoned cybersecurity professionals with a combined total of over 100 years of experience, its authors know better than anyone what’s needed from industry talent.

Not only do you get access to their course and the ability to perform a true-to-life incident response investigation, you’ll also be able to use this as a talking point with future employers to show your level of understanding in the domains it covers. BTL1 provides solid foundational knowledge that you will expand on later in your career.

Learning How to Learn

Tinker. Break things. Fix things. Learn things. There are a lot of different ways you can learn cybersecurity. We’ve touched on a few of those paths in the previous section. All of them offer some level of value and no single pathway should be completely counted out.

I’m not here to say which one you should or shouldn’t aim for. I will say that it is incredibly important to understand how you learn. Is it by showing up to class? Taking notes while you read through a certification book? Collaborating with others on projects? Studying for and taking certification exams? Testing your mettle through online labs? Watching concepts be explained through a video? Building out your home lab?

It wouldn’t be a bad idea to delve into a few of these to test the waters and better understand your learning style. Whatever style that is, the faster you can understand what it is, the quicker you can take that and apply it to more effectively meet your goals and objectives.

Understanding your own learning style and developing strategies for effective studying and retention of what you learn will make you an independent and confident learner capable of tackling challenging tasks that demand critical thinking.

If you’re not sure what your learning style is, that’s perfectly okay. What’s not okay is doing nothing.

Instead, start by taking advantage of the opportunities you immediately have at your disposal. Google is your best friend. You’ll find out pretty quickly what is and what isn’t for you.

Trial and error is a valuable process to get comfortable with in this career space.

How I Prepared for the Exam

Toward the end of 2022, I made BTL1 my first goal of the new year. I started the BTL1 course on January 1st and passed the exam on February 12th. Just about 6 weeks total prep time. For roughly the first 3 weeks I worked through the course content an average of 4 hours a day on weekdays and around 6–8 hours on weekends. For the next 2 weeks I tapered off slightly and averaged around 2–3 hours on weekdays while maintaining the same amount of study time on weekends. The last week before the exam, I did a few challenges and investigations on Blue Team Labs Online that were recommended at the end of the course as good exam prep to increase confidence on exam day.

The BTL1 course provides everything you need to know in order to pass the exam.

Doing relevant blue team rooms on the TryHackMe platform, working through the Bandit path from overthewire.org, and having passed CompTIA’s Security+ helped with understanding some of the concepts and tools in the course.

While the BTL1 course provides everything you need to know in order to pass, I wanted to feel extra confident going into the exam, as I was aiming for the gold coin — a reward granted for receiving a 90% or higher on the first attempt of the exam, which I was thankfully able to achieve.

(Optional) BTLO

Blue Team Labs Online is Security Blue Team’s online training platform geared towards cyber defenders. Think of it like a “Hack the Box for blue teamers.” There is a lot of great content that will help you become more confident sitting your exam. Whether you have zero years of experience or have been in the field for a while, the platform provides a good level of variety between experience levels.

If you’d like to learn more about the benefits of training using this platform, I’d highly recommend reading this article I came across, authored by Dimitri Bennet. It’s a phenomenal read and well worth your time.

BTLO offers free challenges that give a good preview of whether it’s something you’d like to invest in (if you’re a blue teamer, chances are it is), and a paid tier starting at ~$18/mo for a monthly subscription.

(Optional) TryHackMe

TryHackMe is on the short list of the largest and most well-known cybersecurity training platforms in the world. Prior to starting the BTL1 course I completed the Introduction to Cybersecurity and Pre Security learning paths and was actively working through the SOC Level 1, Cyber Defense, and Complete Beginner pathways. Although not necessary, it’s beneficial to cover the basics these rooms have to offer for a deeper understanding of the content.

The way I’ve found most efficient when learning new concepts is to read, watch, and work through content from multiple (reputable) sources looking for similarities in the way they teach information about the same topic. I find that it helps in digesting some of the more complex topics and also helps to get a more concrete understanding of some of the more fundamental areas.

TryHackMe has both free and paid content, with the paid tier starting at ~$8/mo for monthly subscriptions.

(Optional) overthewire.org

I worked through the majority of the Bandit wargames on overthewire.org before taking the BTL1 exam. It’s one of the most effective ways I’ve found in learning and becoming proficient with the basics of the Linux command line. It’s one thing to know a list of commands. Knowing when and where to use them provides the real value.

These challenges are completely free.

My Experience Taking the Exam

BTL1 is an open-book, open-note exam, with no need to record yourself via a webcam. You can Google things and look back at the course as needed. The exam took me about 10 hours to complete. I started it just after 12 noon and finished just before 10 pm the same day. I worked through the first half of the exam with little difficulty, but started slowing down about halfway through.

I took a 30-minute break to eat and take a mental break about halfway through, and then again about an hour before I hit the submit button.

The last break was absolutely crucial in achieving my gold coin goal. I’d spent a collective ~2 hours searching for the answer to two questions that were getting the best of me. I started to feel like cutting my losses and moving on. I stepped away from the keyboard and tried to look at the bigger picture from a bird’s eye view.

I’ve noticed a weakness I have when diving deep into investigations is oftentimes succumbing to ‘tunnel vision’ and not seeing all the pieces as they are. Taking a step back and changing the approach to finding solutions helps to have a more well-rounded perspective instead of hyper-focusing on specific areas. After thinking things through for about half an hour, I had a flash of inspiration and was able to locate the correct information I needed.

I also struggled with the specific functionality of a particular tool during the exam. I remember learning about it in a TryHackMe room but was just drawing a blank in the moment. I was able to pull up the module I worked through prior, reference the material, and pull through with minimal downtime.

I’d like to reiterate that the BTL1 course includes all the necessary information for you to be able to pass the exam.

If you are struggling, take a break, step away from the keyboard, look at the bigger picture, re-evaluate, and re-assess. If you can’t find any helpful information in your notes, go back through the course content and see if you can find anything useful on whatever it is you’re stuck on.

As confident as I was in my notes, there was a thing or two I had to revisit the course content for that I missed when note-taking.

Closing Thoughts

Get Comfortable with the Process of Trial and Error

As I mentioned before, trial and error is a valuable process to get comfortable with in this career space. As an IT or cyber professional, you’re going to go through a lot of trial and error. Embrace it.

You just spent 2 hours trying to work with a tool in an online lab? Cool. Now you know how to use that tool twice as well as if you’d solved it in 5 minutes. Change your perspective on struggle. It’s not always a bad thing, and it teaches patience, drive, and tenacity in the face of setbacks: three of the most important traits you absolutely have to possess or develop in order to be successful in this field.

John Strand, regarded as one of the leading experts in the cybersecurity field and a now-retired SANS Institute instructor, said this during one of his classes:

I have a really hard time teaching people just to keep digging. If you get stuck, just keep going. As a SANS instructor for years, we’re always trying to inspire people… to get fired up and excited about doing their job. You have to have that ‘fire in your belly’ to be able to go and actually do this stuff, and to do it well.

Work on developing patience, drive, and tenacity.

The Life of a Cybersecurity Professional is the Pursuit of Continuous Knowledge

Nobody knows it all.

Impostor syndrome is a common feeling among many cybersecurity professionals, especially those starting out in their careers. It’s a feeling of self-doubt and a fear of being exposed as a fraud despite having the necessary skills and knowledge. It’s okay to have these feelings.

Numerous successful professionals experience them. Having impostor syndrome can actually be a driving force for improvement. The pursuit of continuous learning and knowledge is essential for staying ahead of the 21st-century threat actor and staying relevant in a field that feels like it changes daily.

It’s important to embrace the feeling of being uncomfortable and use it as motivation to keep learning and growing.

It’s also important to recognize that it’s okay to take a step back every once in a while. Understand everybody needs a break every now and again. Feeling overwhelmed? Go play that new game that just released for a few hours this weekend instead of beating your head on the keyboard trying to figure out some complex crypto puzzle. Go outside. Go on a hike. Spend quality time with loved ones. Take your mind off things.

The owner of TCM Security, Heath Adams, aka The Cyber Mentor, touches on impostor syndrome in one of his videos.

John Hammond, a well-known cybersecurity researcher, presented virtually at a conference explaining some of the unexpected realities of being in the cybersecurity industry.

You’re not alone.

Failure

Life is hard and breaking into the industry isn’t an easy task. Fail forward. If you’re going to fail, and everybody will, make sure you’re using that failure to become better. If you fail backward, you fall backward. The failure that was meant to be a benefit becomes a detriment. Rather than getting discouraged, track and understand what went right and what went wrong so you can adjust your strategies and try again smarter.

The definition of insanity is doing the same thing over and over and expecting different results.

As long as you’re failing forward, you’re actually not ‘failing’ at all. You’re trailblazing your own path according to the abilities, opportunities, and resources you’ve been afforded.

Thomas Edison is the man credited with inventing the lightbulb. As an inventor, Edison made 1,000 unsuccessful attempts at inventing the light bulb. When a reporter asked, “How did it feel to fail 1,000 times?” Edison replied:

“I have not failed 1,000 times. I have successfully discovered 1,000 ways to NOT make a light bulb.”

Patience. Drive. Tenacity in the face of setbacks.

Fail Forward.

Arion Martin

Information Security Analyst · Blue Team Enthusiast