+++
title = 'Passed Blue Team Level 2 certification'
date = "2025-02-06"
updated = 2025-02-06

[taxonomies]
tags = ['BTL2', 'Security Blue Team', 'exam', 'certification']
+++

So glad we made it

I'm ecstatic: I passed the Security Blue Team Level 2 certification exam! This was quite a lot of work. In this blog post, I want to share my journey through the content material, the labs and the exams.

Disclaimer: this is not an exhaustive overview of BTL2, only my experiences with it. I took a lot of notes, but not a lot of screenshots, so this is all from recollection (which is why there isn't so much detail about the course; I don't want to give out wrong information).

The course material

After passing BTL1 in May 2023 and getting the gold coin (first attempt, at least 90%), I quickly followed up by studying the course material for BTL2. Instead of the 7 domains of BTL1, in BTL2 you go deeper into fewer domains, namely threat vulnerability management, malware analysis, advanced SIEM and threat hunting.

Because my personal interests have developed into malware analysis, malware development and programming, I leaned heavily into the malware analysis domain first. The course and the labs let you work with some familiar tools like PEstudio, Procmon, Regshot and new document analysis tools like peepdf and oledump.py. The labs related to portable executable analysis, which interests me the most, were relatively basic: open an exe in PEstudio, look at the strings, compilation date, used compiler. Other domains I put a lot of time into were Linux system and log hunts (using commands like journalctl, find, crontab, ps auxf and lsof -p).

Relatively new domains for me were Advanced SIEM, (some parts of) Threat Hunting and Vulnerability Management. The main lessons for me from these domains are the following:

  • Threat hunting with a clear goal and model in mind (following the MITRE ATT&CK for example)
  • Adversary emulation in SIEM development and maintenance
  • Threat hunting in Windows and Linux services/jobs, files and internet connections (Event IDs relating to services like 7045, 4697, tools like capa, chainsaw, searching SIEM logs for new users, failed (RDP) logons, cronjobs, modified files during incident)
  • The importance of what logs to use when (from initial access to establishing persistence, lateral movement, exfiltration, command and control)
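As an added example (my own code, not part of the original post or the BTL2 material), here is a small hunt over constructed Windows event records that strings the indicators above into a timeline: a burst of failed RDP logons followed by a success, a newly created user, and a 7045/4697 service install pointing at a binary outside the usual system directories. The event ID meanings and the trusted-path allowlist are assumptions to adjust for a real estate.

```python
import json
from collections import Counter

# Constructed sample records in a simplified JSON-lines shape, not real SIEM output.
SAMPLE_LOG = r"""
{"ts":"2025-02-01T08:00:00Z","host":"WS01","event_id":4624,"logon_type":2,"user":"alice","src_ip":"-"}
{"ts":"2025-02-01T08:05:12Z","host":"WS01","event_id":4625,"logon_type":10,"user":"admin","src_ip":"10.0.0.77"}
{"ts":"2025-02-01T08:05:15Z","host":"WS01","event_id":4625,"logon_type":10,"user":"admin","src_ip":"10.0.0.77"}
{"ts":"2025-02-01T08:05:19Z","host":"WS01","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"10.0.0.77"}
{"ts":"2025-02-01T08:06:02Z","host":"WS01","event_id":4624,"logon_type":10,"user":"administrator","src_ip":"10.0.0.77"}
{"ts":"2025-02-01T08:09:40Z","host":"WS01","event_id":4720,"user":"svc_backup"}
{"ts":"2025-02-01T08:11:03Z","host":"WS01","event_id":7045,"service_name":"WinDefendUpd","image_path":"C:\\Users\\Public\\upd.exe"}
{"ts":"2025-02-01T08:11:03Z","host":"WS01","event_id":4697,"service_name":"WinDefendUpd","image_path":"C:\\Users\\Public\\upd.exe"}
{"ts":"2025-02-01T09:30:00Z","host":"SRV02","event_id":7045,"service_name":"Spooler","image_path":"C:\\Windows\\System32\\spoolsv.exe"}
"""
# Event ID meanings and the trusted-path allowlist are assumptions; tune them for your estate.
SERVICE_INSTALL, FAILED_LOGON, SUCCESS_LOGON, USER_CREATED = {7045, 4697}, 4625, 4624, 4720
RDP_LOGON_TYPE = 10  # RemoteInteractive
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]
EVENTS = parse_events(SAMPLE_LOG)

def suspicious_service_installs(events):
    """7045/4697 service installs whose binary lives outside the trusted directories."""
    return [(e["ts"], e["host"], e["service_name"], e["image_path"]) for e in events
            if e["event_id"] in SERVICE_INSTALL
            and not e["image_path"].lower().startswith(TRUSTED_PREFIXES)]

def rdp_failures_by_source(events, threshold=3):
    """(src_ip, host) pairs with at least `threshold` failed RDP logons."""
    counts = Counter((e["src_ip"], e["host"]) for e in events
                     if e["event_id"] == FAILED_LOGON and e.get("logon_type") == RDP_LOGON_TYPE)
    return {k: n for k, n in counts.items() if n >= threshold}

def rdp_success_after_failures(events, threshold=3):
    """Successful RDP logons from a source that first produced a burst of failures."""
    noisy, first_fail = rdp_failures_by_source(events, threshold), {}
    for e in events:
        if e["event_id"] == FAILED_LOGON and e.get("logon_type") == RDP_LOGON_TYPE:
            first_fail.setdefault((e["src_ip"], e["host"]), e["ts"])
    return [(e["ts"], e["host"], e["user"], e["src_ip"]) for e in events
            if e["event_id"] == SUCCESS_LOGON and e.get("logon_type") == RDP_LOGON_TYPE
            and (e["src_ip"], e["host"]) in noisy and e["ts"] > first_fail[(e["src_ip"], e["host"])]]

def timeline(events):
    """Merge findings in time order: initial access, new account, then persistence."""
    items = [("rdp_success_after_failures",) + t for t in rdp_success_after_failures(events)]
    items += [("new_user", e["ts"], e["host"], e["user"]) for e in events if e["event_id"] == USER_CREATED]
    items += [("service_install",) + t for t in suspicious_service_installs(events)]
    return sorted(items, key=lambda t: t[1])  # stable sort, so same-timestamp entries keep log order
```

Running `timeline(EVENTS)` on the constructed records yields the RDP success from 10.0.0.77 first, then the new svc_backup account, then the two WinDefendUpd service-install events; the Spooler install is dropped because its binary sits under C:\Windows.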

I approached the content material and the labs as follows: if the content and the lab was clear to me, I would only take essential notes (names of tools, important file locations, commands). If I did not recognize something or got stuck in a lab, I noted what the issue was and how to solve it (different ways to use tools, command line syntax, places I overlooked).

The exam

My experiences with the BTL2 certification exam were, unfortunately, not as positive as with the course material. Basically, it was really hard! At least, it felt like it was really hard.

Without going into details, what I would have advised myself was:

  • Keep thinking the incident through: what are places of potential first access, what is the timeline, what are ways an attacker can establish persistence, do lateral movement, what is the impact (ransomware, data exfiltration, defacement, etc.)
  • Rabbit holes: don't get stuck in a scenario that doesn't add up, but instead take a step back and identify evidence that you were in fact able to corroborate
  • Don't overlook the obvious: a 'normal' file (or extension) in a strange place could be quite suspicious

What got me through

So, how did I overcome my earlier attempts and pass BTL2 finally? Basically, I really took the advice in the course material to heart.

  • Do the labs, get to know the tools (I learned some features of Procmon and PEstudio I cannot go without now)
  • If you want to get more practice, do the recommended Blue Team Labs Online investigations and challenges (I sincerely believe these are what got me over the finish line!)

What's next?

Because my work is slowly focusing more on cloud environments, I will continue to get my Azure certifications (already have AZ 900):

  • AZ-104:
  • SC-200:
  • SC-400: