¡My Security Blue Team Level One Exam Experience!
Source: https://securityblue.team/why-btl1/
I want to begin by stating that this course and exam are of great significance to me. After failing the OSCP and PNPT, feelings of discouragement and thoughts of quitting quickly sprouted. Feeding into the negativity is easy, especially after the amount of time, money and energy spent learning. However, a theme that never fails to be mentioned is the persistence needed in order to learn, become an asset and succeed in this field. Prior to taking this exam I passed the Splunk Core Certified User and had experience with some of the tools used in the course. Thank you 🇬🇧 Josh Beaman for the great course, and great thanks to my mentors and friends who helped encourage me. With that being said, I will now discuss what resources I used for the exam, what my studying experience was like, and overall, what value passing this certification brought me. Hope you enjoy!
BTL1 Overview
Regarding the structure of the certification, it covers six domains which are:
- Domain 1 – Security Fundamentals
- Domain 2 – Phishing Analysis
- Domain 3 – Threat Intelligence
- Domain 4 – Digital Forensics
- Domain 5 – SIEM
- Domain 6 – Incident Response
And some of the tools that are covered in the course are:
- Autopsy
- Browser History Capturer
- Browser History Viewer
- DeepBlueCLI
- DomainTools
- Event Viewer
- FTK Imager
- JumpList Explorer
- KAPE
- MISP
- OpenCTI
- PECmd
- PhishTool
- ProcDump
- Sigma
- Snort
- Splunk
- Suricata
- TheHive5
- VirusTotal
- Volatility
- WannaBrowser
- Windows File Analyzer
- Wireshark
- and much more.
Additionally, the exam is structured so that students are able to start their practical 24-hour incident response exam directly from the BTL1 course within 12 months of purchase. Most importantly, students have access to a cloud-based lab via an in-browser session for up to 24 hours and must complete and answer twenty task-based questions. Regarding passing, once the student has answered all the questions, they are able to submit the exam to receive immediate grading, feedback, and:
- “Seventy percent is required to pass and earn the silver challenge coin.”
- “While 90% (on the first attempt) is required for the gold challenge coin and below are images of the coin.”
For in depth information visit their website at https://securityblue.team/why-btl1/.
Exam Experience
I began the exam in the afternoon with some fresh iced coffee, 100 open tabs, “Backwards” by The Rare Occasions playing, and a dream! Structure your time however you see fit; you have 24 hours to complete the exam. Building a timeline was the most useful to me: noting down the time, date and description of every event helped keep the investigation organized and structured. With prior experience using certain tools and the notes available, I found myself answering a couple of questions in the first hour or two. I would recommend dissecting the questions and truly understanding what you're being asked to look for. The amount of fun I had whilst progressing through the investigation is immeasurable; there will come a time where you find yourself answering a question early and coming back later to review and edit it. For the most part, everything needed to pass the exam can be found directly in the course, so having a tab with the course open will be of great value. At the 5-hour mark I was done for the most part; in retrospect, I wish I had used an extra hour to guarantee that gold coin. About 6 hours in, I submitted my exam and got my passing grade.
Final Tips
- Familiarize yourself and practice with the tools that will be used (the course mentions the main tools that will be used during the exam).
- BTL1 is an open-book, open-internet exam, so any cheatsheets, notes, videos, etc. that you believe will be of assistance may be used during the exam. Google, google, google :).
- Take your time and have fun. The course has fully prepared you to succeed, it won’t be long until you fully immerse yourself in the exam.
Resources
Moving on, the resources I recommend to prepare for the certification, along with the browser labs and content provided by Security Blue Team, are TryHackMe, more specifically their SOC Level 1 and Cyber Defense paths. The exam is open-book, so I highly recommend googling if you're confused about a certain tool's functionality, forming queries, etc. Now regarding the learning paths, there are five areas of interest that a friend created a repository for, so shoutout to my friend for creating that. They are listed below in addition to his GitHub repository:
Repository
Phishing
- Phishing Module: This module contains five rooms (2 free, three paid/VIP) that walk you through analysis of phishing emails, tools you can use to analyze phishing emails, and phishing prevention techniques.
- Phishing Analysis Fundamentals
- Phishing Emails in Action
- Phishing Analysis Tools
- Phishing Prevention
- The Greenholt Phish
Threat Intelligence
Digital Forensics
- Intro to Digital Forensics
- DFIR: An Introduction
- Windows Forensics 1
- Windows Forensics 2
- Linux Forensics
- KAPE
- Autopsy
SIEM
Incident Response
Community Discord Servers
It is crucially important to build up your social network, as it can open doors to opportunities. I recommend joining Discord servers that align with your interests. Specifically, the following ones have really aided in preparing for this exam. Please note that this is not an exhaustive list, so I encourage you to explore and join other Discord servers that are best suited for you:
Socials
Closing out, I want to express my gratitude to Joshua Speshock for contributing to a great extent on this blog. I highly recommend following him on LinkedIn or Discord. You can also connect with me:
- LinkedIn: Joshua Speshock
- Discord: josh_cyberlibrary_man
- LinkedIn: Richard Castro