Review (Updated): Security Blue Team: BLUE TEAM LEVEL 1 (BTL1)

Security Blue Team Certification

Course Update (2/2022)

Recently, I became an SBT Student Advisor and Security Blue Team updated their BTL1 exam. This update came about a year after I passed the course.

The exam NO LONGER requires a written report. It moved to a Question and Answer format (20-30 questions). This change has some significant consequences. First, the questions are a mix of guided questions that walk you to an answer (use this tool to do this thing) and general questions with no lead-in. There is a good mix of hard/mid/easy questions. The exam is very similar to SBT's Blue Team Labs Online lab format.

Removing the report forces test-takers to really understand how to find the information for an artifact. This is more in line with a junior analyst's skill set, where more senior analysts will write the actual report. BTL2 and BTL3 will require written reports.

Next, Tom (another SBT SA) also took the exam and wrote about his experience. He lists several related resources. I'll just point out his list from BTLO:

Also, Splunk does have a Fundamentals 101 course that you can take. You really need to understand Splunk for this new version of the exam, more so than in the original version.

Is it still worth it? Yes, the practical exam (yes, still practical) has you work through using tools such as Autopsy, Splunk, and others to answer specific questions. If you are looking to get into Blue Teaming or want to join a SOC, then take a look at this exam.

In February, I attempted and passed the SBT Blue Team Level 1 with a score of 93%, earning a Gold Challenge Coin.

BTL1 challenges Blue Teamers across a wide range of disciplines:

  • Phishing Analysis
  • Digital Forensics
  • Threat Intelligence
  • SIEM
  • Incident Response

To work through BTL1, it is a good idea to go through the BTLJA courses (shown below) first.

SBT BTLJA/Intro Courses

BTLJA does not have a formal certification exam. You just need to complete the courses above and then send SBT an email to get the certification.

On the other hand, BTL1 requires you to perform a practical 24-hour incident response exercise (this describes the exam format at the time of the original review; see the update above for the current Q&A format). The exam is open-book, open-Internet, and open-notes. You have 12 hours of access to the virtual lab and 12 hours to write the report.

Exam and Preparation

You get four months of access to the materials for BTL1. The material can be completed much earlier than the four months. Also, if you need extra practice, you can use SBT's Blue Team Labs Online, which covers many of the areas of the exam.

During the first 12 hours, you need to ensure you have proper documentation and screenshots for your report. If you are using Windows, you can use Greenshot to create screenshots. In Greenshot, apply Effects > Border to each image to get a clean border, and Effects > Invert on screenshots with a dark background, so the images are easier to see and read in the report.

For the report, I ended up using VSCode with the following plugins:

I have other plugins, but these are the ones for Markdown. I basically saved all my notes by typing in Markdown and then using the Paste Image plugin to paste (and save) each image into VSCode. This allowed me to easily create the report from the documentation.

Personally, I spent about 4 hours writing the report. It is best to grab as much information as possible to document the incident during the first 12 hours. Then, get some sleep and wake up to write the report!

Worth it?

BTL1 is one of the few cheaper alternatives to GIAC certifications and covers a lot of ground across all of its domains. For those wanting to get into security and into working in a SOC, this is a certification to take a look at. It covers all the basics and gives you further study to continue your career path.

Jesse Spangenberger