My Blue Team Level 1 Experience

Kerwin

TLDR

What I did right:
- Took detailed notes for each tool relevant for the exam
- Used additional resources for practice which included Blue Team Labs Online and TryHackMe
- To prepare for my second attempt, I heavily focused on honing my Splunk skills.
- Created a timeline of events based on details provided from the start of the exam and updated it as more information was gathered.
- When struggling with a question or particular section associated with a tool like Splunk, I moved onto another area which used a different type of tool such as Autopsy.
- When in doubt with an answer, as time permitted, I attempted to use different tools or work backwards from the answer to confirm it was the correct one.
- When applicable, I would focus on using Splunk, PowerShell and email analysis at work to reinforce those skills for the exam.

Some of these resources include: coursework from Blue Team Level One, TryHackMe and Blue Team Labs Online.

What I did wrong:
- During my first attempt, my approach to answering questions was not efficient.
- I did not use as many alternate methods to answer questions.
- I did not put enough time into refining my Splunk skills.
- Despite going over the questions and the coursework twice, additional practice for all tools such as Wireshark and Autopsy would have definitely helped with passing on the first attempt.
- For my first attempt, I studied for approximately 2 months. An extra month for my skill level with additional resources would have been beneficial.

How I would do it over:
- Go all in on Splunk from the beginning. This involves using additional resources like BTLO, YouTube tutorials and building projects associated with Splunk. I believe that with a strong foundation in Splunk, one should be able to pass the exam comfortably.
- Do additional labs from BTLO and TryHackMe.
- Continue to do these labs until you are able to answer at least 60-70% of questions on your own. In my opinion, using hints can be beneficial, but using Google or YouTube from the start will do nothing for you.

Reason for pursuing this cert

As a current Security Analyst, I enjoy investigating alerts, threat hunting, assisting the business and everything that comes in between. To hone these skills, I wanted to get hands-on experience while at the same time working towards a certification. I looked at a few other certifications such as CDSA and PJSA but decided on the Blue Team Level 1 based on the reviews regarding their exam and support staff, along with the accessibility of the coursework and the exam. I knew that an exam like this would challenge me and help me grow as a security analyst. This exam and its coursework did exactly that. From learning about MISP from the world of threat intelligence to learning more about digital forensics and becoming adept in tools like Autopsy, my knowledge as a security analyst definitely increased. I definitely enjoyed the course and the challenge that came with the exam.

Length Of Time To Prepare

Thankfully, the exam came with a retake, so I was able to do a second attempt without an additional cost. I will say, though, that having the second attempt did give me peace of mind, so I felt comfortable with trying the first attempt solely with the coursework from the exam. With the coursework alone, I almost did pass the exam, barring changing one or two answers at the end. I got a score of 60%. With that being said, the coursework is enough to pass, but for me, I needed additional practice in the form of BTLO and THM. On my 2nd attempt, I got 90%.

For my first attempt, I mainly used the coursework provided and did the labs and quizzes associated with it twice. I also looked at YouTube videos regarding some BTLO labs and I did a few free labs on BTLO. For my 2nd attempt, I took a break after I failed and began doing passive, intermittent studying in February. I became more consistent in March and passed on the 16th of March.

With this in mind, I would say the sweet spot is 2-3 months with 1-2 hours a day. If one has more time to study in the day, then of course this exam could be done in 1-2 months. For professionals that have a solid foundation in Splunk and other tools, you can definitely take this exam with little to no preparation and pass.

Preparation

The journey began with coursework from the exam provider. The content was great and easy to follow. It hit different facets of blue team work, from email analysis to forensics. It definitely gave me a better idea of the different areas within blue team and what tools and methodologies are used. Specifically for the exam, the areas of focus were Splunk, Wireshark, Autopsy, DeepBlueCLI and phishing analysis. For me, the coursework was good, but I did feel the exam was a bit more difficult than the labs provided in the coursework. Like I said earlier, the coursework, in my opinion, is enough to pass the exam. Before the exam, it is very important to create your own notes for each tool. You will need this. Creating a timeline from the start of the exam is important as well. Using alternate methods/tools to answer difficult questions was important as well. The difference maker in passing and failing, in my opinion, is identifying areas you're weak in after going through the coursework and working on improving those areas as much as you can. Whether at work or using additional labs that you may have to pay for, improving those areas is really important. For me, Splunk was the area I was weakest in. After failing, I used both TryHackMe and BTLO in tandem for practice since my access to the coursework had expired. For my journey, I needed additional resources such as TryHackMe and BTLO. With those labs, I tried my best to get close to answering 60-70% for each lab before using help. If I was unable to get close to that range, I would simply do the lab over and over until I was able to hit that percentage range. In the end, running through the coursework twice and practicing labs with THM and BTLO had your boy feeling prepared.

Below are the labs/areas from each platform that I used and would recommend to pass the exam.

TryHackMe:
- Splunk Basics
- Investigating with Splunk
- Splunk 2
- Splunk 3
- Wireshark: The Basics
- Wireshark 101
- Wireshark: Packet Operations
- Autopsy
- Phishing Analysis Fundamentals

Blue Team Labs Online:
- Drilldown
- Sukuna
- Countdown
- Sticky Situation
- Winter Stew
- DeepBlue
- Phishing Analysis 1 & 2
- Dommainance
- ATT&CK

Exam Day

1st attempt

I woke up around 5am on a Sunday, drank some water and got right to it. I woke up early enough to get as much of the 24-hour period as I could. I started the exam with the intention of writing out a timeline. I began reading through the emails, noting anything that I felt could be of use in answering the exam questions. Maybe it was nerves, but for the first 4-5 hours, I felt lost. I hardly answered any questions even though I had a decent timeline written out regarding the emails. I was stuck mainly with Splunk. I even let the Discord chat know how difficult of a time I was having. I was stressed.

"I ain't gonna lie, I'm gettin' cooked."

I took a break to eat, came back and was able to answer some questions. As I started answering, my confidence grew and I picked up some momentum. I utilized my notes heavily and took breaks in between. By the end of the day, around 8pm, I hit submit but did not get the passing grade. Enter the 2nd attempt.

2nd attempt

I woke up around 6:30am, had something to eat and began my exam. I already felt the difference in confidence on this second attempt, as I was able to quickly piece together a timeline and answer questions in areas I felt confident in. I left a majority of the Splunk questions for last. I meticulously went through them, looked back at my notes and used tools/platforms like VirusTotal, Email Checker, Whois and MxTools to assist me. In this section, I also heavily relied on using EventID, tabling data and ensuring that I was using the right source type for the question. I was basically done around 11:50am but took a break and came back to look over my work before submitting around 2pm.

Closing Thoughts

This was the most difficult cybersecurity certification I have taken to date. No multiple choice, just get in this environment, read these instructions, use these tools and answer these questions. I relished the challenge, lost the battle with the first attempt but won the war with the second attempt. The nature of the exam and preparation for it has given me additional skills which will help me in my career. I am a better security analyst after taking this exam and that was my goal. For what comes next, I want to strengthen foundational areas which are Programming, Networking, Linux and knowledge of systems. I plan to do this through using different resources and hopefully building projects. As for the next cert, time will tell but Security Blue Team has given me a great first impression on practical certifications. I highly recommend those that can afford it to look into practical certifications such as the Blue Team Level One. Go forth and conquer, until then, Triminator out!

Special Thanks:

Leadership at Carnival for investing in me by sponsoring this exam.

Discord Group of BTL1 consisting of members like Malik and Manganaccio.

Tijan for providing inspiration on not giving up and providing resources to use to pass the exam.

Hammazah for also providing resources and his exam experience.

DayCyberWox for first introducing this exam to me via his channel.

OxBera for providing resources along with tips for the exam.

KillAndy for providing YouTube content based around some tricky BTLO labs.

Motasem Hamdan for providing YouTube content for THM labs, particularly Splunk.

Resources:

https://berardinellidaniele.com/blog/btl1-certification

https://medium.com/@topcyberdawg/security-blue-team-blue-team-level-1-certification-exam-experience-45f7b1a13282

https://tryhackme.com/dashboard

https://www.securityblue.team/certifications/blue-team-level-1

https://blueteamlabs.online/

https://medium.com/@hammazahmed40/conquering-the-blue-team-level-1-exam-strategies-tips-and-exam-day-insights-3209824afbfd

https://www.youtube.com/@killandy01/videos

https://www.youtube.com/watch?v=3FwH033NJxg&pp=ygUNZGVlcGJsdWUgYnRsbw%3D%3D

https://www.youtube.com/@MotasemHamdan/videos

Written by

Kerwin

Cybersecurity Professional | Writer | Frontend Developer