
Blue Team Level 1 Review

Intro

You may question why an offensive security analyst (as in a Red Team member, though I do have my moments) decided to take a Blue Team course.

“Don’t judge someone until you’ve walked a mile in their shoes” is the shortest summary I could come up with. To be honest, I was really intrigued as to what being a Blue Team member was truly about, as I thought their sole purpose was to chase tails and resolve issues. Having spent 18 years doing that in IT Support, I had no interest in following that path! I figured this course would help me develop a better rapport with, and respect for, the “opposition” teams that, as a Red Teamer, I try to assist in securing the platforms they’re responsible for.

Anyone who works on the defensive front, I tip my hat to you! 🤠 You are the true unsung heroes of the IT/Cyber Security world; keep up the good work, it’s a tough job!


Course

I’m unable to show the presentation (though you can sign up for the free trial for a gander), but I have to say it felt beautifully smooth!

The only thing that did annoy me, and I have found it on many sites that offer Dark Mode, is that hyperlinks are a colour that cannot be read! You have to highlight the text to see what you’re clicking!

Details

Cost: £399

Labs: 19

Access Period: 4 Months

Est. Study Time: 30+ hours

Link: Blue Team Level 1

Content

The content itself was very well written; I would almost say that if you do not already work in an IT setting you could start the course and not struggle with the learning process (if you’re at least IT literate). On the other hand, if you have a number of years’ experience it does not come across as condescending either, though you may skim sections here and there.

Each domain is broken into a number of sections, which are made up of associated topics. The topics are appropriately sized and do not drag on to a zzz. I’ve seen too much courseware that contains word salad in an attempt to pad out the content instead of focusing on the quality of the work. At the end of each section there is a short quiz to test your absorption of the information.

There are a number of extra-curricular activities that are not essential material but are very beneficial. These include setting up a pfSense firewall and writing Sigma rules for SIEM systems.

Domains Covered

The course is broken up into six domains.

Course Syllabus

Below is a link to the syllabus of the course (correct at the time of posting Oct ‘22)

Not going to copy/paste it all but it’s good to check out if you’re interested in the course.

Tracking Progress

As I said before, I really loved the UX of this course, and the ability to track my progress is part of that. Each time I checked how much I had covered it gave me the motivation to hit the next milestone, to invest that extra half hour here and there.


Favourite Domain

My favourite knowledge domain has to be Digital Forensics. I had a strong interest in DF from a young age, even meeting investigators through my connections in the security industry; however, my attempts to break into it were futile.

Anyway, this was great as I got to dissect hard drive images using tools such as Autopsy. I wish there were more labs on this, but that is more from personal enjoyment than from a lack of material.

Additional Material

Once I completed the course material and the labs that were available at the time, I was nowhere near confident about tackling the exam. So I signed up to Security Blue Team’s equivalent of Hack The Box, Blue Team Labs.

It is recommended to do the following investigations to get an idea of what the exam will be like. The only gripe I have is that even though some of the labs are shy of being a year old, they were not “retired”, so if you became stuck there were no community write-ups to guide you through the learning process. However, the write-ups that did exist were really well written; they included why you should do X and links to research instead of screenshots of the answers.

  • Deep Blue
  • Countdown
  • Pretium
  • Sticky Situation
  • Ben
  • Multi Stages

Exam

The exam represents a 24-hour incident response in which you’ll use the knowledge learnt in the course to answer 20 random task-based questions that require you to complete different actions and submit evidence. You can edit the answers as many times as you like until you submit them. Oh, and if you don’t hit submit before time is up, well… free resit 😬

Even though you’ll learn a number of tools along the way, it is advised that you are confident in using the following:

  • Splunk
  • Autopsy
  • Wireshark
  • DeepBlueCLI
  • Email Analysis

Key Info

The following are key details of the exam that get asked about in the Discord server etc.

Time: 24 hours

Questions: 20

Pass Mark: 70% (14/20)

Gold Challenge Mark: 90% (18/20)

Report: No

Results: Instant

Feedback: Yes

Cool Off Period: 10 days

Resit Attempt: Free

Additional Resit: £100

My Results

Time Taken: 12 hours (with lunch, snack breaks etc)

Pass Mark: 18/20 (means I get the Gold Coin 🥇)


Main Gripe

The only negative I can say about the course is that I feel there could be more labs. As I stated previously, my confidence was lacking before taking the exam. Even if you repeated the included labs it would not instil enough confidence to click that start button.

I personally would like to see at least 1 or 2 “mini investigations” included within the course. I felt I had no option but to sign up for a month’s membership to Blue Team Labs to shore up the newly learnt skills. Even if the course included 1 or 2 of these, I think it would greatly aid the learner as well as work as an advertisement for that platform.

TL;DR

  • Great value for money.
  • Amazing short and concise material.
  • 10/10 would recommend to both Blue and Red teams.
  • Passed with 18/10.
  • Would be tempted to do BTL 2 if not for the cost.

This post is licensed under CC BY 4.0 by the author.