
Copyright © Security Blue Team 2020

Security Blue Team


Blue Team Level 1 Certification Syllabus v1

Contact Information: certified@securityblue.team




Course Description:

Develop your blue team skills with our practical defensive security certification, the perfect training for any security professional, including security analysts, consultants, incident responders, and everyone in between. You’ll learn how to defend organizations from cyber-attacks, analyze and respond to incidents, and develop network defences.

Training Course:

We provide students with a complete training course that covers everything they need to pass our practical assessment. Students will have 24/7 access to the online lessons via our learning management system. This includes training content, video demonstrations, and the ability to download practical elements. We expect the training to consist of approximately 300 lessons, videos, tests, and practical activities. The course comprises 6 domains:

1. Security Fundamentals
2. Phishing Analysis
3. Threat Intelligence
4. Digital Forensics
5. Security Information and Event Management
6. Incident Response

Course Structure:

We are currently finalizing the content for three domains: digital forensics, SIEM, and incident response. However, we want to share the existing lessons for the first three domains: security fundamentals, phishing analysis, and threat intelligence. Please note the following syllabus does not yet include videos, knowledge tests, and practical activities. Under some lessons we have briefly listed some of the content. This should NOT be treated as a complete overview of that lesson.

Information in this document is subject to change.









Security Fundamentals Domain

1) Introduction to Security Fundamentals



2) Soft Skills
1. Communication
2. Teamwork
3. Problem Solving
4. Analytical
5. Time Management
6. Problem Solving
7. Motivated

3) Networking 101
1. Network Fundamentals
2. Network Devices
3. Ports and Services

4) Basic Security Controls
1. Physical Security
2. Network Security
3. Endpoint Security
4. Email Security

5) Management Principles
1. Risk
2. Policies and Procedures
3. Compliance

Phishing Analysis Domain

1) Introduction to Emails and Phishing


1. Section Introduction
2. How Electronic Mail Works
Infrastructure, protocols, and clients
3. Anatomy of an Email
Header, body content
4. What is Phishing?
Definition of phishing in regard to unsolicited and malicious emails
5. Impact of Phishing
Figures and statistics about phishing on a global scale

2) Types of Phishing Emails
1. Section Introduction
2. Recon
Email walkthrough + example for local analysis (safe)
3. Spam
Email walkthrough + example for local analysis (safe)
4. False Positive
Email walkthrough + example for local analysis (safe)
5. Credential Harvester
Email walkthrough + example for local analysis (safe)
6. Drive-by Download
Email walkthrough + example for local analysis (safe)
7. Malicious Site
Email walkthrough + example for local analysis (safe)

8. Social Engineering
Recon email walkthrough + example for local analysis (safe)
9. Vishing, Smishing
Example of Smishing, example audio-clip of Vishing
10. Whaling
Email walkthrough + example for local analysis (safe)

3) Tactics and Techniques Used
1. Section Introduction
2. Spear Phishing
3. Impersonation
4. Typosquatting and Homographs
5. Sender Spoofing
6. HTML Styling
7. Attachments
8. Hyperlinks
9. URL-Shortening Services
10. Use of Legitimate Services
11. Business Email Compromise

4) Investigating a Phishing Email
1. Section Introduction
2. Artefacts we Need to Collect
Sending address, sending IP + reverse DNS, recipients, subject, URLs/attachments
3. Manual Collection Techniques
Text Editor + mail client to retrieve artefacts
4. Analysis Toolkits
PhishTool
5. Scoping (Recipient Identification)
Identifying recipients using multiple methods

5) Analyzing URLs, Attachments, and Artefacts
1. Section Introduction
2. Visualization Tools
URL2PNG, Virtual Machines, URLScan
3. Artefact Reputation Tools
AbuseIPDB, IPVoid, VirusTotal, IBM X-Force Exchange
4. Interaction Tools
Virtual Machines, Online Sandboxes

6) Taking Defensive Actions
1. Section Introduction
2. Preventative Measures: Marking External Emails
Appending subject lines or email bodies with warning messages
3. Preventative Measures: Email Security Technology
SPF, DKIM, DMARC
4. Preventative Measures: Spam Filter
Blocking emails based on threat feeds and blacklists
5. Preventative Measures: Attachment Filtering
Filtering extensions such as .exe, .iso, .dll
6. Preventative Measures: Attachment Sandboxing
7. Reactive Measures: Pulling or Deleting Emails
Deleting known-bad emails from inboxes or retrieving for analysis
8. Reactive Measures: Immediate Response Process
Complete start-to-finish phishing investigation
9. Reactive Measures: Blocking Web-Based Artefacts
Web proxy blocks (URL, Domain, IP)
10. Reactive Measures: Blocking Email-Based Artefacts
Email gateway blocks (Sender, Subject, Sending Server IP, Sending Domain)
11. Reactive Measures: Blocking File-Based Artefacts
EDR/AV blocks (MD5/SHA1 hash, filename)
12. Reactive Measures: Informing Threat Intelligence Team
Tracking campaigns/actors, sharing IOCs


7) Report Writing
1. Section Introduction
2. Email Header, Artefacts, and Body Content
Appropriately describe the email and provide the necessary artefacts
3. Users Affected and Actions Taken to Notify
Who was contacted, how, and when?
4. Analysis Process, Tools, and Results
What tools were used to investigate artefacts? What were the results? URL2PNG, virtual machine, WannaBrowser, IPVoid, AbuseIPDB, WHOIS
5. Defensive Measures Taken
What actions were taken, or requested to be taken? Email, Web, and File artefact blocking
6. Lessons Learned
Any knowledge that was taken away from this specific attack

8) Lessons Learned
1. Section Introduction
2. Reflect on the Observed Phishing Campaign
3. Identifying New Tactics (Work with Threat Intel)
Collecting intelligence on new tactics and sharing with appropriate industry or government partners through
ISACs
4. Response Improvements
How could the response have been better? Runbooks, procedures, training, new tooling

9) Further Reading
1. Further Reading Material
Links to more resources that students may find helpful.

Threat Intelligence Domain

1) Introduction to Threat Intelligence


1. Section Introduction
2. Threat Intelligence Explained
What is TI, why is it used
3. Why Threat Intelligence can be Valuable
Situational awareness, investigation enrichment, reducing attack surface
4. Criticisms/Limitations of Threat Intelligence
Attribution issues, reactive nature, old IOCs, false positive IOCs
5. The Future of Threat Intelligence
Tenable Predictive Prioritization (mixing threat intel with vulnerability management data to calculate dynamic
risk scores)
6. Types of Intelligence
SIGINT, OSINT, HUMINT, GEOINT

2) Threat Actors
1. Common Threat Agents
Cyber criminals, hacktivists, insider threats, nation-states
2. Motivations
Financial, social, political, other
3. Skill Levels/Technical Ability
Script Kiddies, Hackers, APTs
4. Actor Naming Conventions
Animals, APT numbers, other conventions
5. Common Targets
Industries, governments, organizations

3) Advanced Persistent Threats
1. What are APTs?
What makes an APT, real-world examples of APTs + their operations
2. Motivations for Cyber Operations
Why APTs do what they do (financial, political, social)
3. Tools, Techniques, Tactics
What do APTs actually do when conducting operations

4. Custom Malware/Tools
Exploring custom tools used by APTs, why they’re used
5. Living-off-the-land Techniques
What LOTL is, why it’s used, why it can be effective

4) Operational Intelligence
1. Indicators of Compromise Explained & Examples
What IOCs are, how they’re generated and shared, using IOCs to feed defences
2. Precursors Explained & Examples
What precursors are, how they’re different from IOCs, how we monitor them
3. TTPs Explained & Examples
What TTPs are, why they’re important, using to maintain defences (preventative)
4. MITRE ATT&CK Framework
Framework explained and how we map cyber-attacks, real-world example
5. Lockheed Martin Cyber Kill Chain
Framework explained and how we map cyber-attacks, real-world example
6. Attribution and its Limitations
Why attribution is hard, impersonation, sharing infrastructure, copy-cat attacks
7. Pyramid of Pain
You’ll wish we didn’t teach you this. It’s called the Pyramid of Pain for a reason.

5) Tactical Threat Intelligence
1. Threat Exposure Checks Explained
What TECs are, how to check your environment for presence of bad IOCs
2. Watchlists/IOC Monitoring
What are watchlists, how to monitor for IOCs (SIEM, IDPS, AV, EDR, FW)
3. Public Exposure Assessments
What PEAs are, how to conduct them, google dorks, harvester, social media
4. Open-Web Information Collection
How OSINT data is scraped, why it’s useful
5. Dark-Web Information Collection
How intel companies scrape dark web intel, why it’s useful, databreach dumps, malicious actors on underground
forums, commodity malware for sale
6. Malware Information Sharing Platform (MISP)
What is MISP, why is it used, how to implement MISP

6) Strategic Threat Intelligence
1. Intelligence Sharing and Partnerships
Why sharing intel is important, existing partnerships, US-CERT, NCCIC, NCSC, ISACs
2. IOC/TTP Gathering and Distribution
3. Campaign Tracking & Situational Awareness
Why we track actors, why keeping the team updated is important
4. Trialing New Intelligence Platforms/Toolkits
Undertaking proof-of-value demos to assess the feasibility of new tooling
5. OSINT vs Paid-for Sources
Threat Intelligence Vendors, Public Threat Feeds, National Vulnerability Database, Twitter

7) Malware and Global Campaigns
1. Types of Malware Used by Threat Actors
Trojans, RATs, Ransomware, Backdoors, Logic Bombs
2. Globally recognized Malware Campaigns
Emotet, Magecart, IcedID, Sodinokibi, Trickbot, Lokibot

8) Further Reading
1. Further Reading Material
Links to more resources that students may find helpful.

Incident Response Domain

1) Introduction to Incident Response


1. What is Incident Response?
2. Why is IR Needed?

3. Security Events vs Security Incidents


4. Incident Response Lifecycle – NIST SP 800-61r2
What is it, why is it used
5. Lockheed Martin Cyber Kill Chain
What is it, why is it used
6. MITRE ATT&CK Framework
What is it, why is it used

2) Preparation
1. Incident Response Plans, Policies, and Procedures
2. The Need for an IR Team
3. Asset Inventory and Risk Assessment to Identify High-Value Assets
4. DMZ and Honeypots
5. Host Defences
HIDS, NIDS, Antivirus, EDR, Local Firewall, User Accounts, GPO
6. Network Defences
NIDS, NIPS, Proxy, Firewalls, NAC
7. Email Defences
Spam Filter, Attachment Filter, Attachment Sandboxing, Email Tagging
8. Physical Defences
Deterrents, Access Controls, Monitoring Controls
9. Human Defences
Security Awareness Training, Security Policies, Incentives


3) Detection and Analysis
1. Common Events and Incidents
2. Establishing Baselines and Behavior Profiles
3. Central Logging (SIEM Aggregation)
4. Analysis (SIEM Correlation)

4) Containment, Eradication, Recovery
1. CSIRT and CERT Explained
What are they, and why are they useful?
2. Containment Measures
Network Isolation, Single VLAN, Powering System(s) Down, Honeypot Lure
3. Taking Forensic Images of Affected Hosts
Linking Back to Digital Forensics Domain
4. Identifying and Removing Malicious Artefacts
Memory and disk analysis to identify artefacts and securely remove them
5. Identifying Root Cause and Recovery Measures

5) Lessons Learned
1. What Went Well?
Highlights from the Incident Response
2. What Could be Improved?
Issues from the Incident Response, and How These Can be Addressed
3. Importance of Documentation
Creating Runbooks for Future Similar Incidents, Audit Trail
4. Metrics and Reporting
Presenting Data in Metric Form

6) Further Reading
1. Further Reading Material
Links to more resources that students may find helpful.

Digital Forensics Domain

1) Introduction to Digital Forensics


1. Section Introduction
2. What is Digital Forensics?
Collecting evidence typically related to cybercrime

3. Digital Subject Access Requests
4. Computer Forensics Process
Identification, preservation, collection, examination, analysis, reporting
5. Working with Law Enforcement
The difference between an internal security issue, and one that requires external assistance

2) Forensics Fundamentals
1. Section Introduction
2. Introduction to Data Representation
Hexadecimal, octal, binary files vs txt files, timestamp formats: UNIX epoch, MAC, Chrome, Windows, FILETIME
3. Hard Drive Basics
Platters, sectors, clusters, slack space
4. SSD Drive Basics
Garbage collection, TRIM, wear levelling
5. File Systems
FAT16, FAT32, NTFS, EXT3/EXT4, HFS+/APFS
6. Metadata & File Carving
7. Memory, Page File, and Hibernation File
8. Order of Volatility

3) Artefact Forms
1. Section Introduction
2. Volatile Artefacts
Memory RAM, Cache, Registers content, Routing tables, ARP cache, process table, kernel statistics, temporary file
system/swap space
3. Disk Artefacts
Data on Hard Disk or SSD
4. Network Artefacts
Remotely Logged Data, Network Connections/netflow, PCAPs, Proxy logs
5. Web & Cloud Artefacts
Cloud storage/backups, chat rooms, forums, social-media posts, blog posts
6. Evidence Forms
Laptops, desktops, phones, hard drives, tablets, digital cameras, smart watches, GPS

4) Chain of Custody
1. Section Introduction
2. What is the Chain of Custody?
3. Why is it Important?
In regard to evidence integrity, and examiner authenticity
4. Guide for Following the Chain of Custody
evidence collection, reporting/documentation, evidence hashing, write-blockers, working on copy of original
evidence

5) Windows Investigations
1. Section Introduction
2. Artefacts
Registry, Event Logs, Prefetch, .LNK files, DLLs, services, drivers, common malicious locations, scheduled tasks, startup files
3. Limitations
4. Example Investigations

6) *nix Investigations
1. Section Introduction
2. Artefacts
3. Limitations
4. Example Investigations

7) Artefact Collection
1. Section Introduction
2. Equipment
Anti-static bags, faraday cage, labels, clean hard drives, forensic workstations, disk imagers, hardware write-blockers, cabling, blank media, photographs
3. Tools
Wireshark, NetworkMiner, Moloch, and others


4. ACPO Principles
5. Live Forensics
Fast acquisition of key files
6. How to Collect Evidence
Laptops, desktops, phones, hard drives, tablets, websites, forum posts, blog posts, social-media posts, chat rooms
7. Types of Hard Drive Copies
Visible data, bit for bit, slack space

8) Live Forensics
1. Section Introduction
2. Live Acquisition
What is live acquisition/live forensics? Why is it beneficial?
3. Products
Carbon Black, Encase, memory analysis with agents, Custom Scripts
4. Potential Consequences
Damaging or modifying evidence making it invalid

9) Post-Investigation
1. Section Introduction
2. Report Writing
3. Evidence Retention
Legal retention periods, internal retention periods
4. Evidence Destruction
Overwriting, degaussing, shredding, wiping

10) Further Reading
1. Further Reading Material
Links to more resources that students may find helpful.





If you are interested in Blue Team Level 1, register now to be notified when we launch, and
receive a £100 (20%) discount!

Organizations, if you believe BTL1 could benefit your team, new-hires, graduates, or anyone
else, please get in touch as we are offering discounts and free vouchers for bulk licenses.


https://securityblue.team/why-btl1/

