Best blue team certs to have?

Elegyx · June 2017

Title says it all. There's a ton of offensive certs but what are some of the best defensive certs to have?

PC509 · June 2017

CISSP is the big one. It goes over the managerial stuff. Policies, procedures, etc. from a business/manager standpoint.

CCNA:Security (and others in that line) are good if you're a Cisco shop. Configuring firewalls and such.

Maybe a MCSA/MCSE if you're Microsoft. Throw some SCCM/Intune in there, too. Patching is huge (saved many from the recent massive media hyped WannaCrypt).

CompTIA CASP/CSA+ are good, too. From what I hear they are more technical than the CISSP. I haven't taken those yet.

I feel knowing the offensive side is huge if you're wanting to be on the blue team. Knowing how things are attacked, what attack vectors they use, etc. really help in knowing how to defend a business.

TechGromit · June 2017

From the GIAC world, GCIH, GREM, GMON, GCIA are some good ones to have.

Elegyx · June 2017

PC509 wrote: »

CISSP is the big one. It goes over the managerial stuff. Policies, procedures, etc. from a business/manager standpoint.

CCNA:Security (and others in that line) are good if you're a Cisco shop. Configuring firewalls and such.

Maybe a MCSA/MCSE if you're Microsoft. Throw some SCCM/Intune in there, too. Patching is huge (saved many from the recent massive media hyped WannaCrypt).

CompTIA CASP/CSA+ are good, too. From what I hear they are more technical than the CISSP. I haven't taken those yet.

I feel knowing the offensive side is huge if you're wanting to be on the blue team. Knowing how things are attacked, what attack vectors they use, etc. really help in knowing how to defend a business.

Appreciate the thoughts. I'm about to take my CEH in a week and think I might hit the CASP right after.

UnixGuy · June 2017

TechGromit wrote: »

From the GIAC world, GCIH, GREM, GMON, GCIA are some good ones to have.

I would add GCFA and GCFE as well.

OP,

Apart from SANS, know your perimeter (Firewalls, IDS, Proxies, DLP, Group policy). Learn how to use Splunk and Nessus, ... know your cloud setup very well.

renacido · June 2017

Forget about certs for specific tools/vendors/products for this, because the tools you use will depend almost 100% on the company or client you work for. Also, the tool is just the tool, the fundamental skills are the same regardless of the box or software you get to use. "A fool with a tool is still a fool."

Blue team skills and corresponding certs:

- Basic security knowledge: Security+, SSCP, GSEC, CEH
- Intrusion analysis: ECSA, Analyst+, GCIA, GCIH, GCWN, GCUX
- Defendable network/system architecture: GCFW, CASP, GPPA, GMON, CISSP, CISSP-ISSAP
- Application security: GWEB, CSSLP
- Continuous security monitoring: GPPA, GCIH, GMON
- Digital forensics: CHFI, GCFA, GCFE

There are certs for SCADA/ICS/PDC security as well that fall under the "blue team" flag as well.

Hope this helps.

Elegyx · June 2017

renacido wrote: »

Forget about certs for specific tools/vendors/products for this, because the tools you use will depend almost 100% on the company or client you work for. Also, the tool is just the tool, the fundamental skills are the same regardless of the box or software you get to use. "A fool with a tool is still a fool."

Blue team skills and corresponding certs:

- Basic security knowledge: Security+, SSCP, GSEC, CEH
- Intrusion analysis: ECSA, Analyst+, GCIA, GCIH, GCWN, GCUX
- Defendable network/system architecture: GCFW, CASP, GPPA, GMON, CISSP, CISSP-ISSAP
- Application security: GWEB, CSSLP
- Continuous security monitoring: GPPA, GCIH, GMON
- Digital forensics: CHFI, GCFA, GCFE

There are certs for SCADA/ICS/PDC security as well that fall under the "blue team" flag as well.

Hope this helps.

Thank you for the insight. What are your thoughts on the cert below from ec-council?

https://www.eccouncil.org/programs/certified-network-defender-cnd/

Also, is Analyst+ just the CSA+ from CompTia?

E Double U · June 2017

GCIH is great for a blue teamer.

Remedymp · June 2017

ISACA CSX-P is a actually dedicated to BT role.

nebula105 · June 2017

Elegyx wrote: »

Title says it all. There's a ton of offensive certs but what are some of the best defensive certs to have?

If you're focusing purely on certs, there is of course the GCIH and etc.

You'll learn how to use tools and perhaps write reports, but I must emphasize focusing more on the organization first.

Analyze your organization's tools, culture and processes.

What tools/controls/devices are readily available? (Firewall, IPS, IDS, SIEM, WAF, User Account Management tools, Proxy, imaging software). Are you familiar with those tools? Do you instead, want to attend courses on them to learn how to use them properly?

What is the organization's stand on purchasing new tools/controls/devices? Is it a massive pain to justify getting new tools or devices? Does your organization want to outsource the responsibility of the "blue team" instead, leaving you more time to focus on other things? Do you think you'll end up frustrated with having a "blue team" cert, but lack the skill or opportunity in utilizing the knowledge to the best of your ability?

What is the current incident handling process in your environment? Is there even a process? Do you think you want to attend a course or two about business continuity instead? Perhaps you'd like to fine tune your vision and look to courses that might aid you in creating, testing and implementing an incident handling process?

Just some food for thought

renacido · June 2017

Elegyx wrote: »

Thank you for the insight. What are your thoughts on the cert below from ec-council?

https://www.eccouncil.org/programs/certified-network-defender-cnd/

Also, is Analyst+ just the CSA+ from CompTia?

Yes, I was referring to the new sec analyst cert from CompTIA, CSA+.

I don't know much about the CND but seems decent for blue teamers especially those in the DoD.

McxRisley · June 2017

The best blue team cert to have would be OSCP, because in order to defend a network, you need to understand the attacks and how the attacker thinks. This is actually why the course was created, not just to be a pen tester but so people on the defensive side could better understand their adversary.

markulous · June 2017

TechGromit wrote: »

From the GIAC world, GCIH, GREM, GMON, GCIA are some good ones to have.

That's the route to go if your company will pay for it. That's almost 30k for those

SteveLavoie · June 2017

markulous wrote: »

That's the route to go if your company will pay for it. That's almost 30k for those

Yeah, and you don't take not into account expense(hotel, plane...)

Dr. Fluxx · June 2017

You sure?
While I am diligently working toward the deeply coveted OSCP, I thought, strictly from a blue team perspective, the CISSP would be the big one to have.

Of course...I do see JUST having a CISSP is a false sense of security when there's the OSCP out there...

McxRisley · June 2017

Yes, I am 100000% sure. How can you possibly defend a network effectively if you dont even understand the mindset of an attacker or the attack vectors? CISSP is a manager level cert and will teach nothing useful about defending a network.

TechGromit · June 2017

McxRisley wrote: »

Yes, I am 100000% sure. How can you possibly defend a network effectively if you dont even understand the mindset of an attacker or the attack vectors?

While I agree having a GPEN or OSCP would be beneficial certifications to have, if your looking for a Blue Team job, Blue team certifications are more important to have than a Red team certifications. They are great compliments, but if funding is a concern, concentrate on Blue team certs first, before red team certs.

thegoodbye · June 2017

McxRisley wrote: »

Yes, I am 100000% sure. How can you possibly defend a network effectively if you dont even understand the mindset of an attacker or the attack vectors? CISSP is a manager level cert and will teach nothing useful about defending a network.

I disagree. Understanding the mindset of an attacker, while important, is just one piece of knowledge for a blue teamer. The OSCP, generally speaking, covers only the niche of Vulnerability Assessments and Penetration Testing. The CISSP on the other hand covers numerous areas, but doesn't go into great detail in these areas. This is why the CISSP is often considered to be a mile wide and an inch deep. Many of the topics covered are essential for a well rounded information security professional to understand, even if only at a high level. Further, most of the areas covered are outside the scope of the OSCP (e.g. physical security, incident response, disaster recovery, access control, patch/vulnerability management, etc).

Here's another way to put it.

How many of the CIS Top 20 Security controls are covered by the CISSP? How many by the OSCP?

http://www.isaca.org/Groups/Professional-English/it-audit-tools-and-techniques/GroupDocuments/critical-controls-poster-2016(1).pdf

dkorzhevin · August 2017

Agree with thegoodbye. OSCP simply teaching you to CRACK and get inside (to be honest - you teach this yourself, not with OSCP shitty PDF and stupid videos). Nothing more.

LonerVamp · August 2017

Asking the question(s) posed on this thread is personal, and depends on what you're wanting to do. Are you hoping the cert process will teach you something? Are you hoping the cert will give you a certain cachet and resume value? If you're learning something from it, the OSCP process can absolutely help you gain some perspective to your blue team endeavors. Knowing how to think like an attacker will help in various aspect of your blue team posture. Is the CISSP going to teach you anything actionable? It didn't for me (and I took it 8 years ago). But let's face it, the CISSP is part of the necessary route that blue team members basically are expected to take.

McxRisley · August 2017

I think you're missing the point though. In order to "CRACK" into systems as you mention, you need to understand the how and why behind it. This involves understanding the networking devices/protocols and the inner workings of whatever it is you are enumerating/attempting to break into. Also none of the blue teamers I have met in the DoD realm have had primarily defensive certs, in fact very few of them had a full blown defensive cert. This is because the concept of network defense is built-in to all of the offensive certs. While I'm not disagreeing that the GCIH and a few others certs are worth your time, I'm just saying that according to the industry and from what I've seen first hand, employers favor offensive certs over defensive certs for both roles.

Dr. Fluxx · August 2017

I see your point..but id have to disagree and say, from what ive researched CISSP.
From a strict defensive point of view id go with the CISSP.
The OSCP is all fire and rage!
I know that eventually ill be going for a CISSP AFTER i get the OSCP.
I do a bit of blue team stuff where im at now and id bores the hell out of me.

All in all, you wont really know the other side of the coin as the CISSP does sort of give you a false sense of security..if that makes any sense.

Best blue team certs to have?

Comments