You can also read this post in Spanish here!
[Certification status: Passed with 93% final score]
How are you all! Today I bring you a new entry about my experience with one of the most challenging certifications I have taken so far. Straight from Blue Team Labs Online comes Blue Team Level 2, a certification that tests your knowledge of defensive cybersecurity topics, such as Threat Hunting, Incident Response, Digital Forensics and Malware Analysis, at an advanced level.
Before getting fully into the hard content of this entry, I want to reaffirm that the opinions expressed in this post are exclusively those of the owner of this blog (Me, bruhhh), based on the experience lived throughout the entire course, from the study carried out until the final test was submitted. Taking into account that this has been a process of more than 5 months, I hope to summarize it adequately so that it will be useful to you if at some point you decide to take this certification. Also, for obvious certification-policy reasons, I can't give many spoilers about the test itself, but I think my contribution will still be of great help.
Prerequisites
The course is designed for people who already have experience in incident response and technical knowledge of cyber threats. In addition, the student is expected to have intermediate-level knowledge of Windows and Linux system administration, since the course does not delve into how the operating systems themselves work or into Active Directory at the enterprise level. For all these reasons, I recommend that before taking this certification you get involved in the defensive areas of cybersecurity, which are covered on the Blue Team Labs Online platform or in the BTL1 certification itself.
Preparation course
The course material is divided into 2 fundamental parts, in which we find theoretical content and practical content (laboratories). The content, in both cases, is divided into Malware Analysis, Threat Hunting, Advanced SIEM, Vulnerability Management and a final section of preparation for the final test.
The material in the theoretical section is quite complete. It has good examples, and they are perfect for carrying out the practical laboratories. For someone who is just advancing to the intermediate level, it will be good to read and take notes on all the details of the theory sections. However, this section can become quite extensive, as it has no videos.
Since I have been working as an incident response consultant for several years, I gave myself the freedom to skip several of these sections, as in some ways they felt very basic or I had simply already studied them in the SANS GCFA course.
For people who work or have worked on the offensive side of cybersecurity, that knowledge is a huge plus for this certification. Being able to think like a threat actor gives you an advantage in many of the labs, because you know the next steps that are normally carried out in an intrusion with the different levels of access. This, without a doubt, helps in the Threat Hunting section, where we must constantly trace the movements of the threat actor using the different available artifacts, which often becomes obvious if we manage to think like them.
For example: an attacker who gains access for the first time to a Windows machine joined to an Active Directory domain will execute commands to enumerate the domain or run a tool like SharpHound (not to mention dumping credentials or establishing some form of persistence).
Furthermore, the Vulnerability Assessment part becomes quite easy if you already know tools like OpenVAS, Nikto or Nmap.
Since I come from constant training and have real experience in DFIR, performing Threat Hunting with SIEM tools was not something new for me. The biggest challenge in these sections (and especially in the final test) is knowing where to look and when to use the information you have at your disposal. For example, if you want to see connections to a particular domain from the victim machine (Windows in this case), the natural questions would be: Which artifacts record this evidence for our analysis? Are there connection logs, or is there another way to look at them? If we do not find this information on the machine, then it would be good to know whether there are perimeter logs in the SIEM solution.
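As an added example (not from the original post), here is how that question can be answered when the endpoint has Sysmon-style DNS query (Event ID 22) and network connection (Event ID 3) records: correlate the process that resolved the domain with the connections it then made to the resolved addresses. The event records are constructed; the field names follow Sysmon's, but the QueryResults string is simplified to resolved addresses only.

```python
"""Correlate Sysmon-style DNS (Event ID 22) and network (Event ID 3) records
to find which processes on a Windows host contacted a given domain.
Added example with constructed sample events; not from the original post."""
from collections import defaultdict

# Constructed sample events, simplified from Sysmon's DNSEvent (22) and
# NetworkConnect (3) fields. Real records come from the EVTX / SIEM export.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "update.example.net", "QueryResults": "::ffff:203.0.113.10;"},
    {"EventID": 22, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "QueryName": "evil.example.org", "QueryResults": "::ffff:198.51.100.7;"},
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
]

def parse_query_results(raw):
    """Sysmon stores resolved addresses as ';'-separated entries; IPv4 ones
    are usually prefixed with '::ffff:'. Return the plain IP strings."""
    ips = []
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("::ffff:"):
            entry = entry[len("::ffff:"):]
        ips.append(entry)
    return ips

def connections_to_domain(events, domain):
    """Return {image: sorted (ip, port) list} for processes that resolved
    `domain` (ID 22) and then connected to one of the resolved IPs (ID 3).
    An empty result on a host with no DNS events is the cue to fall back to
    perimeter or DNS-server logs in the SIEM."""
    resolved = defaultdict(set)  # image -> IPs the domain resolved to
    for ev in events:
        if ev["EventID"] == 22 and ev["QueryName"].lower() == domain.lower():
            resolved[ev["Image"]].update(parse_query_results(ev["QueryResults"]))
    hits = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 3 and ev["DestinationIp"] in resolved.get(ev["Image"], ()):
            hits[ev["Image"]].add((ev["DestinationIp"], ev["DestinationPort"]))
    return {img: sorted(v) for img, v in hits.items()}

if __name__ == "__main__":
    for image, conns in connections_to_domain(SAMPLE_EVENTS, "evil.example.org").items():
        print(image, conns)
```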
Based on my knowledge, the most complex section was Malware Analysis. There are many tools in this part of the course that I had not used before. If it weren't for my experience solving CTF challenges, I think this part would have been much more complicated to solve.
Even with knowledge of static and dynamic analysis, there are many forms of obfuscation in malicious binaries that make it impossible to understand what you are looking at. In this context, I recommend having advanced knowledge of CyberChef to be able to deobfuscate as much of the information you find in droppers and malicious binaries as possible. Let's remember that there are many different types of beacons and C2 tools such as Cobalt Strike, Covenant or Metasploit that generate them, so knowing how to navigate their respective payloads will save you a lot of time in the future.
Regarding the practical laboratories, I would say that these have an easy-to-intermediate level compared to those you can find on the BTLO website. They are not very complex to deal with, but some will take you a long time because they require deploying more complex environments or specialized tools that process large amounts of information. Still, of the 120 hrs available for the certification, I had about 85 hrs left over, which is a lot of time to practice new ways of finding evidence or identifying "alternative paths" to solve the questions.
The labs follow the same format as BTLO, so they often lend themselves to "brute forcing" the answers when you don't understand the question. In this sense, I recommend that you stop and double-check all the information you have.
If for some reason you found the correct answer and you do not understand why it is actually "the answer", I suggest you review the answer key that comes in the course guide, since there you can find more details on why; you can also consult the course's Discord.
Finally, I do not recommend sticking only with the course laboratories to prepare for the test. Using the BTLO page to continue practicing your skills is a good way to gain confidence for the final scenario presented in the exam. I also recommend researching further into every type of Windows/Linux artifact and mastering the information they provide. Although in the test you are free to use the Internet, if you have well-structured notes you will be faster at finding what you need.
Exam
As you know, the exam lasts 72 hours, which includes both the complete investigation of the environment provided and the report that will be delivered to the examiners.
At first glance, 72 hours might seem like enough, as BTL proclaims that in that amount of time you can rest appropriately and even use one of the days to work while taking the exam. However, my experience was very different, as I only used 6 of the 72 hours to sleep. The rest of the time was totally dedicated to the exam, having only small breaks for my basic needs and walking my dogs.
The exam is made to apply all the knowledge gained in the laboratories. However, in my personal experience, I think that what we learned in the practice labs falls somewhat short of what we will really need on the exam. Although I still don't have my exam results at the time of writing this post, I think my experience working on real incident response cases helped me a lot in putting together the final story.
Why do I think the laboratories are not enough? The answer comes in the form of an example. Let's imagine we are bricklayers who want to build a building. Day by day we are taught to use the tools we have at our disposal to build it. After learning to use all these tools, they ask you to build a building... doesn't that seem a bit hasty? Similarly, an intrusion by threat actors has different phases and pieces of evidence that interconnect to tell a story. While the BTL2 course provided us with the tools to investigate endpoints correctly, I think there was a missing thread between all these factors that would let us learn how to build a robust story in a complex environment.
The latter does not mean in any way that the course is not good, but it seems to me that the content still has opportunities to improve, which would allow the experience to be more pleasant and complete, especially if you are not someone who works in the area of incident response consulting.
It must be taken into account that a large part of the world of cybersecurity is ruled by knowing how to search in the correct sources of information, since it is not always possible to fully know everything that is happening in an environment (especially if we are faced with threats designed by BTL's own staff).
In my first two days of the exam, I dedicated myself completely to the technical investigation ahead. I used the old trusty Cherrytree to document each of my findings and the evidence related to the attacker's movements. It is very important not to miss any screenshots. Even if you only infer that something is not right in one of the systems you are looking at and it merely seems suspicious, write it down and take a screenshot of it, since there is a high probability that it is something malicious. On many occasions I found artifacts that seemed out of place or totally suspicious to me, but I ignored them, and it wasn't until several hours later that I was able to make all of these things fit.
If you have good documentation (whether in Cherrytree, Obsidian or even in the report itself), I assure you that you will be able to overcome several of the information gaps that appear along the way, so this is a key point of the exam. Those who do not collect evidence in a timely manner and do not take note of their "suspicions" will end up distorting much of the story without realizing it, in order to make it fit the little evidence they have.
On my last day of the exam I felt totally destroyed by the psychological exhaustion of not sleeping and having reviewed my evidence dozens of times. Up to that point, I had much of the story, but I had certain information gaps that I didn't know if it was possible to fill, given the visibility I had of the exam environment. Even so, I began to complete the sections of the report (a template that BTL2 provides) and at the same time I investigated those things that were not completely clear in the timeline of the different endpoints.
Writing the report took me approximately 24 hours, during which time I could not sleep because I was progressing very slowly due to the great exhaustion the exam had generated in me. Fortunately, I managed to complete the report with the requested sections, but with the uncertainty of not knowing whether the story I told had all the minimum details the certification required to pass.
As a final note for this section, I must mention that the lab gave me some problems when I was away for a certain number of hours: it was necessary to restart the work environment, and on several occasions I lost all the progress made within it (configurations made, preparation of environments for malware analysis, etc.). These misfortunes took valuable time away from the exam. This problem has already been reported by me and other people, so I hope that in the following versions of the exam they have been able to fix it.
Tips and Recommendations
Below is a list of recommendations and TIPS that may be useful to you when taking the exam for this certification:
Read the Discord the week before your exam. There you can find opinions about the exam and the course, as well as experiences with some tools that you should use.
Review the notes on the side panel of the exam. There you will find guidelines that will help you adapt successfully to the environment. Write this down as one of the first things you must do in the exam.
Review the template document before starting your investigation! Many people overlook this detail and then have to work twice as hard.
Familiarize yourself with the work environment. You need to practice and practice before taking the exam, so follow the advice to the letter in the final chapter of the certification.
Practice on the BTLO platform. There you can find numerous exercises to overcome exam anxiety.
Document all the laboratories you do in the course and document those TIPS that are presented in each section.
Review all the course solutions after solving each laboratory yourself; there you will find new ways to solve the problems.
Document everything you think is suspicious, including any possible hypotheses you have related to the actions of the threat actor. Then rule them out one by one based on the artifacts and evidence you have.
Strengthen your weaknesses. If you have a particular topic that you did not understand before the exam, review again the tools and methodology of use for that particular topic.
Think like a threat actor. What are your motivations? What would be your next move in order to gain control? What critical information does the compromised system hold? How could you get to it?
Make sure you have a comfortable environment to survive the next 72 hours. If you have back problems, it's time to buy a new chair.
Prepare the food you will need in advance, take breaks and hydrate as much as you can. If you end up writing the report while fatigued and exhausted, your writing may not be as fluid as usual.
Try to get as much sleep as possible before exam day. You never know if you'll have to endure non-stop challenges during those 72 hours. Also, aim to relax and have a pleasant, stress-free day beforehand.
I trust that this information will prove beneficial as you prepare for your exam. If you've found it valuable, please consider sharing it with others who may benefit. Without any further delay, I bid farewell to this extensive post.
Yes, I used ChatGPT for these last 3 lines.
Greetings and good luck