Cert Tracks for Red and Blue Teams
jallen2020
Member Posts: 6 ■■■□□□□□□□
I've recently been tasked with coming up for a standard certification track for both Red and Blue teams for our organization. I'll start by saying that I am not a technical expert, and on the management/executive side. I've polled our analysts, done some research, and have some preliminary lists together. Would love some feedback on the below, or if anyone else has additions or a different order, would love to hear it. Keep in mind we are a small SOC (7 people), so don't really have any differentiation between Blue team and an IR team per say. We are a Windows (mainly) environment.
Red Team:
Linux+
GSEC
eJPT
eCPPT
GPYC
OSCP
OSCE
Specializations: OSEE and/or OSWE
Blue Team:
Security+
CSA+
GCIA
GCWN
SEC599 class (Test coming? This is still in beta)
GCFE
GCFA
GREM
Red Team:
Linux+
GSEC
eJPT
eCPPT
GPYC
OSCP
OSCE
Specializations: OSEE and/or OSWE
Blue Team:
Security+
CSA+
GCIA
GCWN
SEC599 class (Test coming? This is still in beta)
GCFE
GCFA
GREM
Comments
-
yoba222 Member Posts: 1,237 ■■■■■■■■□□LFCS instead of Linux+ and move the Linux cert to blue team as it really focuses more on best practice/ proper configuration rather than offensive things.
https://training.linuxfoundation.org/certification/lfcs
I suggest GCIH for blue team too.A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP -
stryder144 Member Posts: 1,684 ■■■■■■■■□□Under Blue Team I would also place the CCNA: Cyber Ops and Security certs plus Logical Operations Cybersec First Responder (admittedly not much market share for this one but has some pretty good information).The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia
Connect With Me || My Blog Site || Follow Me -
E Double U Member Posts: 2,233 ■■■■■■■■■■Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
-
jallen2020 Member Posts: 6 ■■■□□□□□□□E Double U wrote: »Agreed!
Also, GPEN for red team.
Hmmm...I was going back and forth on the GCIH for the Blue Team, but seems it only has a small section on incident handling, and mainly is a Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves.
Also, which is more difficult, the GPEN or the OSCP? I'm trying to have a logical progression from easiest-ish to most difficult. -
xxxkaliboyxxx Member Posts: 466https://cybersecurity.isaca.org/csx-certifications/csx-practitioner-certification
CSX Practitoner for blue team.
Also I would assume the OSCP is more difficult strictly based on their scoring system for a pass. Also there have been mention on this forum between the two courses. Maybe someone could chime in.Studying: GPEN
Reading: SANS SEC560
Upcoming Exam: GPEN -
jallen2020 Member Posts: 6 ■■■□□□□□□□JasminLandry wrote: »I would add GXPN and GWAPT as well to red team.
GXPN harder or easier than OSCP? -
JasminLandry Member Posts: 601 ■■■□□□□□□□I think so since the GXPN material is more similar to the OSCE, probably even more advanced. The difference is mainly the exam. We all know the OSCE is a lab while the GXPN is a multiple choice questions.
https://www.giac.org/certification/exploit-researcher-advanced-penetration-tester-gxpn
https://www.offensive-security.com/documentation/cracking-the-perimiter-syllabus.pdf -
jallen2020 Member Posts: 6 ■■■□□□□□□□stryder144 wrote: »Under Blue Team I would also place the CCNA: Cyber Ops and Security certs plus Logical Operations Cybersec First Responder (admittedly not much market share for this one but has some pretty good information).
I've heard the CSA+ and CCNA: Cyber Ops Material is pretty similar in knowledge level at least...is it not? I do like Cisco because of the thoroughness of their exams, forcing better knowledge of the material, however I'm shooting for a more vendor agnostic approach. If the CCNA:CO is more agnostic, I would consider it. Thoughts? -
stryder144 Member Posts: 1,684 ■■■■■■■■□□While the exams do touch on Cisco products, it is more from the perspective of "you need a firewall, such as a Cisco ASA". More sales pitch exampling than how to configure. I would say that it is as close to vendor neutral as a vendor is going to get.The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia
Connect With Me || My Blog Site || Follow Me -
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□Honestly if you are going to have a lot of GIAC certs...I would put GSEC in there. The core GIAC certs are GSEC, GCIH, and GCIA...so for blue team all three should be there.
GCWN probably can be an optional, unless you are engineering your environment and not using like CIS group policies. -
jallen2020 Member Posts: 6 ■■■□□□□□□□TechGuru80 wrote: »Honestly if you are going to have a lot of GIAC certs...I would put GSEC in there. The core GIAC certs are GSEC, GCIH, and GCIA...so for blue team all three should be there.
GCWN probably can be an optional, unless you are engineering your environment and not using like CIS group policies.
I actually want to have a balanced amount of certs from different bodies; I feel that forces people out of their comfort zone as they have to learn the systems and methods for each, so that's my thoughts as to why Security+ and CSA+ vs. GSEC.
Wow, this is turning into a really great conversation, thank you so much everyone. TechGuru80, I had a question on the GCIH that maybe you had some insight on:
I was going back and forth on the GCIH for the Blue Team, but seems it only has a small section on incident handling, and mainly is a Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves. -
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□That makes sense on having variety...the nice thing with GSEC is the Windows and Linux security sections, unlike the Security+ that gives conceptual information...it probably depends on what experience level you bring people in at though.
The curriculum is definitely weighted towards hacking techniques but covers a lot of tools that can be utilized and things to be aware of...it's the whole knowing your enemy saying. Having your Red team side balanced with blue team knowledge isn't as important as having your blue team having some red team knowledge and especially since you don't really have any mix on blue I would have it in there on that basis alone. -
E Double U Member Posts: 2,233 ■■■■■■■■■■jallen2020 wrote: »Hmmm...I was going back and forth on the GCIH for the Blue Team, but seems it only has a small section on incident handling, and mainly is a Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves.
Also, which is more difficult, the GPEN or the OSCP? I'm trying to have a logical progression from easiest-ish to most difficult.
GCIH teaches about hacking techniques and the defenses against them.
I have colleagues with both and based on their feedback I would say OSCP is more difficult. GPEN is a multiple choice exam and OSCP is hands on.Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS -
trojin Member Posts: 275 ■■■■□□□□□□jallen2020 wrote: »I've heard the CSA+ and CCNA: Cyber Ops Material is pretty similar in knowledge level at least...is it not?
Yes, and not in same time. I prefer CCNA COPS as cover more stuff. Similarity is in tools. CSA+ has more questions with logs, Cisco more questions related to processes. IMO they are complimentaryI'm just doing my job, nothing personal, sorry
xx+ certs...and I'm not counting anymore -
higherho Member Posts: 882OSCP is more difficult than GPEN because it's a Practical certification were GPEN is more of the same "here is questions and give us answers" type exam. It doesn't test you the same way OSCP does. Which is one reason why I respect OSCP and OSCE a lot more than any other certification for this type of work. You know those people know what they are doing or at least have a higher confidence level that they should. It's the CCIE of security certifications.
-
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□OSCP is more difficult than GPEN because it's a Practical certification were GPEN is more of the same "here is questions and give us answers" type exam. It doesn't test you the same way OSCP does. Which is one reason why I respect OSCP and OSCE a lot more than any other certification for this type of work. You know those people know what they are doing or at least have a higher confidence level that they should. It's the CCIE of security certifications.
-
yoba222 Member Posts: 1,237 ■■■■■■■■□□Sounds like you may have seen it before and SANS puts out info on which certs it recommends for red and blue teams:
https://www.sans.org/cyber-guardianA+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP -
higherho Member Posts: 882TechGuru80 wrote: »Idk if you realize it but the GIAC GSE has a written and hands on lab and covers GSEC/GCIH/GCIA...unlike the OSCP/OSCE which only cover pentesting (a subset of security).
I'm strictly talking about pen testing (hence the reference to GPEN and OSCP /E). A LOT of people are horrible at Pen Testing and simply use tools and hit run. These SAN courses feed you too much without putting you through some hard ass hands on exam. I'm not too knowledgeable about the GSE so I won't commit on that. The lab sounds difficult as hell!
Nor am I saying "only get this" cert. I understand that Red and blue Teams in the terms of Cyber Security need to know their **** in a lot of areas. I still think some of the best Red Team or Blue team individuals come from a Engineering position (Software, Systems, Or Networking) instead of jumping right into the field like some people do with high level security certs (example, CISSP). -
jallen2020 Member Posts: 6 ■■■□□□□□□□I like the idea of GSEC, GCIH, GCIA, and then GSE.
Has anyone done this track? How difficult is the GSE? I come from a routing and switching background, and have passed the written CCIE, still trying to get good enough to do the lab test.
My question is, would the GSE be comparable to the CCIE as far as skills and difficulty in each respective field?
I'm just trying to structure this program in a way that it progresses in a somewhat logical and linear fashion for someone trying to up their skills in our organization.