
Cert Tracks for Red and Blue Teams

jallen2020 Member Posts: 6
I've recently been tasked with coming up with a standard certification track for both Red and Blue teams for our organization. I'll start by saying that I am not a technical expert, and am on the management/executive side. I've polled our analysts, done some research, and have some preliminary lists together. Would love some feedback on the below, or if anyone else has additions or a different order, I would love to hear it. Keep in mind we are a small SOC (7 people), so we don't really have any differentiation between a Blue team and an IR team per se. We are a (mainly) Windows environment.

Red Team:
Linux+
GSEC
eJPT
eCPPT
GPYC
OSCP
OSCE
Specializations: OSEE and/or OSWE

Blue Team:
Security+
CSA+
GCIA
GCWN
SEC599 class (Test coming? This is still in beta)
GCFE
GCFA
GREM

Comments

  • yoba222 Member Posts: 1,237
    LFCS instead of Linux+, and move the Linux cert to blue team, as it really focuses more on best practice/proper configuration rather than offensive things.
    https://training.linuxfoundation.org/certification/lfcs

    I suggest GCIH for blue team too.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • stryder144 Member Posts: 1,684
    Under Blue Team I would also place the CCNA: Cyber Ops and Security certs plus Logical Operations Cybersec First Responder (admittedly not much market share for this one but has some pretty good information).
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia
  • E Double U Member Posts: 2,229
    yoba222 wrote: »
    I suggest GCIH for blue team too.

    Agreed!

    Also, GPEN for red team.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • jallen2020 Member Posts: 6
    E Double U wrote: »
    Agreed!

    Also, GPEN for red team.

Hmmm...I was going back and forth on the GCIH for the Blue Team, but it seems it only has a small section on incident handling, and is mainly an Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves.

    Also, which is more difficult, the GPEN or the OSCP? I'm trying to have a logical progression from easiest-ish to most difficult.
  • xxxkaliboyxxx Member Posts: 466
    https://cybersecurity.isaca.org/csx-certifications/csx-practitioner-certification

CSX Practitioner for blue team.

Also, I would assume the OSCP is more difficult, strictly based on their scoring system for a pass. There has also been mention on this forum of the two courses. Maybe someone could chime in.
    Studying: GPEN
    Reading: SANS SEC560
    Upcoming Exam: GPEN
  • JasminLandry Member Posts: 601
    I would add GXPN and GWAPT as well to red team.
  • jallen2020 Member Posts: 6
    I would add GXPN and GWAPT as well to red team.

    GXPN harder or easier than OSCP?
  • JasminLandry Member Posts: 601
    I think so, since the GXPN material is more similar to the OSCE, probably even more advanced. The difference is mainly the exam. We all know the OSCE is a lab while the GXPN is multiple choice questions.

    https://www.giac.org/certification/exploit-researcher-advanced-penetration-tester-gxpn
    https://www.offensive-security.com/documentation/cracking-the-perimiter-syllabus.pdf
  • jallen2020 Member Posts: 6
    stryder144 wrote: »
    Under Blue Team I would also place the CCNA: Cyber Ops and Security certs plus Logical Operations Cybersec First Responder (admittedly not much market share for this one but has some pretty good information).

I've heard the CSA+ and CCNA: Cyber Ops material is pretty similar, in knowledge level at least...is it not? I do like Cisco because of the thoroughness of their exams, forcing better knowledge of the material; however, I'm shooting for a more vendor-agnostic approach. If the CCNA:CO is more agnostic, I would consider it. Thoughts?
  • stryder144 Member Posts: 1,684
    While the exams do touch on Cisco products, it is more from the perspective of "you need a firewall, such as a Cisco ASA". More sales-pitch examples than how to configure. I would say that it is as close to vendor neutral as a vendor is going to get.
  • TechGuru80 Member Posts: 1,539
    Honestly if you are going to have a lot of GIAC certs...I would put GSEC in there. The core GIAC certs are GSEC, GCIH, and GCIA...so for blue team all three should be there.

GCWN probably can be optional, unless you are engineering your environment and not using something like CIS group policies.
  • jallen2020 Member Posts: 6
    TechGuru80 wrote: »
    Honestly if you are going to have a lot of GIAC certs...I would put GSEC in there. The core GIAC certs are GSEC, GCIH, and GCIA...so for blue team all three should be there.

GCWN probably can be optional, unless you are engineering your environment and not using something like CIS group policies.

    I actually want to have a balanced amount of certs from different bodies; I feel that forces people out of their comfort zone as they have to learn the systems and methods for each, so that's my thoughts as to why Security+ and CSA+ vs. GSEC.

    Wow, this is turning into a really great conversation, thank you so much everyone. TechGuru80, I had a question on the GCIH that maybe you had some insight on:

I was going back and forth on the GCIH for the Blue Team, but it seems it only has a small section on incident handling, and is mainly an Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves.
  • TechGuru80 Member Posts: 1,539
    That makes sense on having variety...the nice thing with GSEC is the Windows and Linux security sections, unlike the Security+ that gives conceptual information...it probably depends on what experience level you bring people in at though.

The curriculum is definitely weighted towards hacking techniques, but it covers a lot of tools that can be utilized and things to be aware of...it's the whole "know your enemy" saying. Having your Red team balanced with blue team knowledge isn't as important as having your blue team have some red team knowledge, and especially since you don't really have any mix on blue, I would have it in there on that basis alone.
  • E Double U Member Posts: 2,229
    jallen2020 wrote: »
Hmmm...I was going back and forth on the GCIH for the Blue Team, but it seems it only has a small section on incident handling, and is mainly an Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves.

    Also, which is more difficult, the GPEN or the OSCP? I'm trying to have a logical progression from easiest-ish to most difficult.

    GCIH teaches about hacking techniques and the defenses against them.

    I have colleagues with both and based on their feedback I would say OSCP is more difficult. GPEN is a multiple choice exam and OSCP is hands on.
  • trojin Member Posts: 275
    jallen2020 wrote: »
I've heard the CSA+ and CCNA: Cyber Ops material is pretty similar, in knowledge level at least...is it not?

Yes, and no at the same time. I prefer CCNA COPS as it covers more stuff. The similarity is in the tools. CSA+ has more questions with logs, Cisco more questions related to processes. IMO they are complementary.
    I'm just doing my job, nothing personal, sorry

    xx+ certs...and I'm not counting anymore

  • higherho Member Posts: 882
    OSCP is more difficult than GPEN because it's a practical certification, whereas GPEN is more of the same "here are questions, give us answers" type exam. It doesn't test you the same way OSCP does, which is one reason why I respect OSCP and OSCE a lot more than any other certification for this type of work. You know those people know what they are doing, or at least have a higher confidence level that they should. It's the CCIE of security certifications.
  • TechGuru80 Member Posts: 1,539
    higherho wrote: »
    OSCP is more difficult than GPEN because it's a practical certification, whereas GPEN is more of the same "here are questions, give us answers" type exam. It doesn't test you the same way OSCP does, which is one reason why I respect OSCP and OSCE a lot more than any other certification for this type of work. You know those people know what they are doing, or at least have a higher confidence level that they should. It's the CCIE of security certifications.
    Idk if you realize it but the GIAC GSE has a written and hands on lab and covers GSEC/GCIH/GCIA...unlike the OSCP/OSCE which only cover pentesting (a subset of security).
  • yoba222 Member Posts: 1,237
    Sounds like you may have seen it before, but SANS puts out info on which certs it recommends for red and blue teams:
    https://www.sans.org/cyber-guardian
  • higherho Member Posts: 882
    TechGuru80 wrote: »
    Idk if you realize it but the GIAC GSE has a written and hands on lab and covers GSEC/GCIH/GCIA...unlike the OSCP/OSCE which only cover pentesting (a subset of security).

I'm strictly talking about pen testing (hence the reference to GPEN and OSCP/E). A LOT of people are horrible at pen testing and simply use tools and hit run. These SANS courses feed you too much without putting you through some hard-ass hands-on exam. I'm not too knowledgeable about the GSE, so I won't comment on that. The lab sounds difficult as hell!

Nor am I saying "only get this cert". I understand that Red and Blue teams, in terms of cyber security, need to know their **** in a lot of areas. I still think some of the best Red team or Blue team individuals come from an engineering position (software, systems, or networking) instead of jumping right into the field like some people do with high-level security certs (for example, CISSP).
  • jallen2020 Member Posts: 6
    I like the idea of GSEC, GCIH, GCIA, and then GSE.

Has anyone done this track? How difficult is the GSE? I come from a routing and switching background, and have passed the CCIE written; I'm still trying to get good enough to do the lab test.

    My question is, would the GSE be comparable to the CCIE as far as skills and difficulty in each respective field?

    I'm just trying to structure this program in a way that it progresses in a somewhat logical and linear fashion for someone trying to up their skills in our organization.