
Blue Team Level 1

Course Syllabus
Table of Contents

Introduction   3
Domain 1: Security Fundamentals   4
Domain 2: Phishing Analysis   5-6
Domain 3: Threat Intelligence   7-8
Domain 4: Digital Forensics   9-10
Domain 5: SIEM   11
Domain 6: Incident Response   12

Introduction

Why did we make BTL1?

At the time of release (June 2020) there was a huge imbalance of
training content, heavily favouring red team (offensive) over blue
team (defensive). We wanted to create a modern, practical, and
realistic blue team certification to advance the skills of aspiring or
established defenders around the world.

Copyright Notice

This syllabus has been designed by Security Blue Team (Security
Team Training Ltd, UK), and any replication is an infringement of
our intellectual property and copyright rights. Any unauthorised
use will result in legal action to claim for damages.

Access Terms and Conditions

During the checkout process students must agree to the Refunds
Policy and BTL1 Terms and Conditions before they are able to
purchase the course. These terms are also reiterated at the start of
the course. These protect the intellectual property of Security Team
Training Ltd and prohibit students from sharing training material
with non-students. Any form of piracy, account sharing, or
otherwise disclosing private course materials will result in
permanent account termination with no refund, and potentially
legal action to claim for damages. Please respect our hard work.

Domain 1: Security Fundamentals

Introduction
Introduction to Security Fundamentals
Blue Team Roles

Soft Skills
Section Introduction, Soft Skills
Communication
Teamwork
Problem Solving
Time Management
Motivation
Mental Health

Security Controls
Section Introduction, Security Controls
Physical Security
Network Security
Endpoint Security
Email Security
Activity) End of Section Review

Networking 101
Section Introduction, Networking 101
Network Fundamentals
The OSI Model
Network Devices
Network Tools
Ports and Services
Activity) Conducting a Port Scan With Nmap
Activity) End of Section Review

Management Principles
Section Introduction, Management Principles
Risk
Policies and Procedures
Compliance & Frameworks

Domain 2: Phishing Analysis (1/2)

PA1) Introduction
Section Introduction, Emails and Phishing
How Electronic Mail Works
Anatomy of an Email
What is Phishing?
Impact of Phishing
Further Reading Material
Phishing Analysis Glossary
Activity) End of Section Review

PA2) Types of Phishing Emails
Section Introduction, Phishing Emails
Reconnaissance
Spam
False Positives
Credential Harvester
Social Engineering
Vishing and Smishing
Whaling
Malicious Files
Video) Types of Phishing Attacks
Activity) Categorising Phishing Emails
Activity) End of Section Review

PA3) Tactics and Techniques
Section Introduction, Tactics and Techniques
Spear Phishing
Impersonation
Typosquatting and Homographs
Sender Spoofing
HTML Styling
Attachments
Hyperlinks
URL Shortening
Use of Legitimate Services
Business Email Compromise
Video) Tactics and Techniques
Activity) Reporting on Tactics Used
Activity) End of Section Review

PA4) Investigating Emails
Section Introduction, Investigating Emails
Artifacts we Need to Collect
Manual Collection - Email Artifacts
Manual Collection - Web Artifacts
Manual Collection - File Artifacts
Video) Collecting Artifacts - Manual
Automated Collection With PhishTool
Video) Collecting Artifacts - Automated
Activity) Manual Artifact Extraction
Activity) End of Section Review

Domain 2: Phishing Analysis (2/2)

PA5) Analyzing Artifacts
Section Introduction, Analyzing Artifacts
Visualization Tools
URL Reputation Tools
File Reputation Tools
Malware Sandboxing
Video) Manual Artifact Analysis
Artifact Analysis with PhishTool
Video) Artifact Analysis with PhishTool
Activity) End of Section Review

PA6) Taking Defensive Actions
Section Introduction, Defensive Measures
Preventative: Marking External Emails
Preventative: Email Security Technology
Preventative: Spam Filter
Preventative: Attachment Filtering
Preventative: Attachment Sandboxing
Preventative: Security Awareness Training
Reactive: Immediate Response Process
Reactive: Blocking Email Artifacts
Reactive: Blocking Web Artifacts
Reactive: Blocking File Artifacts
Reactive: Informing Threat Intelligence
Activity) End of Section Review

PA7) Report Writing
Section Introduction, Report Writing
Email Header, Artifacts, Body Content
Analysis Process, Tools, Results
Defensive Measures Taken
Activity) Report Writing
Activity) Report Writing Contd.
Activity) End of Section Review

PA8) Lessons Learned
Section Introduction, Lessons Learned
Identifying New Tactics
Response Improvements

PA9) Phishing Challenge
Section Introduction, Phishing Response
Video) Phishing Response Walkthrough
Phishing Response Brief
Activity) Phishing Response

Domain 3: Threat Intelligence (1/2)

TI1) Introduction
Section Introduction, Threat Intelligence
Threat Intelligence Explained
Why Threat Intelligence can be Valuable
Types of Intelligence
The Future of Threat Intelligence
Further Reading
Threat Intelligence Glossary

TI2) Threat Actors and APTs
Section Introduction, Actors
Common Threat Agents
Motivations
Actor Naming Conventions
What are APTs?
Tools, Techniques, Procedures
Activity) Threat Actor Research
Activity) End of Section Review

TI3) Operational Intelligence
Section Introduction, Operational Intelligence
Precursors Explained
Indicators of Compromise Explained
MITRE ATT&CK Framework
Lockheed Martin Cyber Kill Chain
Attribution and its Limitations
Pyramid of Pain
Activity) End of Section Review

TI4) Tactical Intelligence
Section Introduction, Tactical Intelligence
Threat Exposure Checks Explained
Watchlists/IOC Monitoring
Public Exposure Checks Explained
Threat Intelligence Platforms
Malware Information Sharing Platform
Activity) Deploying MISP
Activity) End of Section Review

Domain 3: Threat Intelligence (2/2)

TI5) Strategic Intelligence
Section Introduction, Strategic Intelligence
Intelligence Sharing and Partnerships
IOC/TTP Gathering and Distribution
OSINT vs Paid-For Sources
Traffic Light Protocol (TLP)
Activity) End of Section Review

TI6) Global Malware Campaigns
Section Introduction, Global Campaigns
Malware Used by Threat Actors
Global Campaign: Trickbot
Global Campaign: Sodinokibi
Global Campaign: Magecart
Global Campaign: Emotet
Activity) End of Section Review

Domain 4: Digital Forensics (1/2)

DF1) Introduction
Section Introduction, Digital Forensics
What is Digital Forensics?
Digital Forensics Process
Further Reading
Threat Intelligence Glossary
Activity Download List

DF2) Forensics Fundamentals
Section Introduction, Forensics Fundamentals
Introduction to Data Representation
Activity) Data Representation
Hard Disk Drive Basics
SSD Drive Basics
File Systems
Activity) File Systems
Digital Evidence and Handling
Order of Volatility
Metadata and File Carving
Activity) Metadata and File Carving
Memory, Pagefile and Hibernation File
Hashing and Integrity
Activity) Hashing and Integrity
Activity) End of Section Review

DF3) Digital Evidence
Section Introduction, Evidence Collection
Equipment
ACPO Principles of Evidence and Preservation
Chain of Custody
Disk Imaging: FTK Imager
Live Forensics
Live Acquisition: KAPE
Evidence Destruction
Activity) End of Section Review

DF4) Windows Forensics
Section Introduction, Windows Investigations
Windows Artifacts - Programs
Activity) Windows Investigation 1
Windows Artifacts - Browsers
Activity) Windows Investigation 2
Activity) End of Section Review

Domain 4: Digital Forensics (2/2)

DF5) Linux Forensics
Section Introduction, Linux Investigations
Linux Artifacts - Shadow and Passwd
Activity) Password Cracking
Linux Artifacts - /Var/Lib and /Var/Log
Linux Artifacts - User Files
Activity) End of Section Review

DF6) Volatility
Section Introduction, Volatility
What is Volatility?
Volatility Walkthrough
Activity) Volatility Exercise

DF7) Autopsy
Section Introduction, Autopsy
What is Autopsy?
Installing Autopsy
Autopsy Walkthrough
Activity) Autopsy Exercise

Domain 5: Security Information and Event Management

SI1) Introduction
Section Introduction, SIEM
Security Information Management (SIM)
Security Event Management (SEM)
What is a SIEM?
SIEM Platforms
Further Reading
SIEM Glossary
Activity) End of Section Review

SI2) Logging
Section Introduction, Logging
What is Logging?
Syslog
Windows Event Logs
Sysmon
Other Logs
Activity) Windows Event Log Analysis
Activity) End of Section Review

SI3) Aggregation
Section Introduction, Aggregation
Log Aggregation Explained
Activity) End of Section Review

SI4) Correlation
Section Introduction, Correlation
Normalization and Processing
SIEM Rules
Sigma Rules
Regex
Activity) Writing Sigma Rules
Activity) End of Section Review

SI5) Using Splunk
Section Introduction, Splunk
Activity) Installing Splunk
Activity) Installing BOTSv1 Dataset
Splunk Crash Course - Users and Roles
Splunk Crash Course - Navigation
Splunk Crash Course - Search Queries
Splunk Crash Course - Creating Alerts
Activity) Splunk Crash Course - Creating Dashboards
Activity) Splunk Scenario One
Activity) Splunk Scenario Two

Domain 6: Incident Response (1/2)

IR1) Introduction
Section Introduction, Incident Response
What is Incident Response?
Why is Incident Response Needed?
Security Events vs Security Incidents
Incident Response Lifecycle
CSIRT and CERT Explained
Further Reading
Incident Response Glossary
Activity) End of Section Review

IR2) Preparation Phase
Section Introduction, Preparation
Preparation: Incident Response Plan
Preparation: Incident Response Teams
Preparation: Asset Inventory and Risk Assessments
Prevention: DMZ
Prevention: Host Defences
Prevention: Network Defences
Activity) Setting up a Firewall
Prevention: Email Defences
Prevention: Physical Defences
Prevention: Human Defences
Prevention: Snort
Activity) Deploying Snort
Activity) End of Section Review

IR3) Detection & Analysis
Section Introduction, Detection and Analysis
Common Events and Incidents
Using Baselines and Behavioural Profiles
Introduction to Wireshark (GUI)
Introduction to Wireshark (Analysis)
Activity) PCAP 1
Activity) PCAP 2
Activity) PCAP 3
YARA Rules for Detection
Activity) Hunting With YARA
CMD and PowerShell For Incident Response
Activity) End of Section Review

IR4) Containment, Eradication, Recovery
Section Introduction, C.E.R
Incident Containment
Taking Forensic Images
Identifying and Removing Malicious Artifacts
Identifying Root Cause and Recovery
Activity) End of Section Review

Domain 6: Incident Response (2/2)

IR5) Lessons Learned & Reporting
Section Introduction, Lessons Learned
What Went Well?
What can be Improved?
Importance of Documentation
Incident Response Metrics
Reporting Format
Report Considerations

IR6) MITRE ATT&CK
Section Introduction, ATT&CK
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Activity) ATT&CK Navigator
Activity) End of Section Review

Blue Team Level 1

Thank You!

We hope you have enjoyed reading our course syllabus, and we hope
to see you in BTL1 soon! If you have any questions, please email us
at [email protected].