BTLO Lab Recommendations Based on SOC Tiers

Regularly over the years I’ve had opportunities to give advice and direction to new or growing cybersecurity folks. I like to point out books, certifications, courses, resources, and most importantly other practical activities to grow knowledge and confidence as we all forge career paths. I’ve recently discovered and been playing on the Blue Team Labs (BTLO) platform which has, as the name suggests, blue team-themed exercises, challenges, and labs. There are nearly 200 labs and standalone challenges on the site, some of which are very difficult while others are relatively simple to solve.

Rather than discuss the platform itself at length, Dimitry Bennett wrote an article about his experience on the BTLO platform that basically says all that needs said on the topic.

But, there is still one thing I thought was daunting about the platform: Where to start when one is pretty new to cybersecurity? And this is the challenge any time I talk to someone else about where they’ve come from and where they want to go. All of us bring to the table different levels of experience, knowledge, and comfort with various technical and even non-technical topics. Some of us are very inexperienced with Linux, or have never written a program or script before, or maybe have done very little Windows system administration, but know Linux like no one’s business. What I wanted was a quick cheat sheet on what to suggest to students who wanted to quickly get their hands into the BTLO labs without immediately hitting walls.

This page is meant to help me prescribe labs and challenges to security analysts I encounter that are looking to build particular skills or experience what common SOC tier expectations exist.

I do want to make clear that the SOC tier expectations and levels of knowledge are just my take on the subject. I’m not going to be correct on all of these, nor will I be correct for how every organization/environment defines the job duties and expectations of each tier. I’ve just given this a best effort in the context of the whole of the labs, since I’ve gone through every single one, and my own experiences over years in the IT and security industry.

I also want to make clear that BTLO does allow students a chance to see what they’re getting into. Every lab has a difficulty level set to it, the date it was released, the general tools expected to be present, and even the number of solves that have been recorded since the lab was released. All of these can also help guide students to maybe avoid things they may find frustrating.

Here is a quick key to some of the columns in my table.

  • Diff(iculty): Difficulty 1-10, 10 being hardest. My personal subjective value of how difficult this exercise is. Usually this is influenced by how much effort and knowledge may be needed to complete.
  • SOC: My gut feel on what SOC analyst tier level I would expect to complete these exercises. Some tasks are pretty normal for tier 1 SOC analysts, whereas some of the more involved analysis may be reserved for higher tiers. I add a “+” if this task kinda overlaps into a higher tier. As an example, analyzing an image of live system memory or a PE executable file is typically reserved for more experienced analysts.
  • Skills: My summary of the tools needed. If you don’t know Wireshark and want to learn more, then look at the easier Wireshark exercises. Of particular note, I make sure to list an OS if knowledge of or comfort using that OS is a huge help in solving the exercise. Adding “administration” to the OS is my way of saying that experience being an administrator of this server would be very helpful.
  • Notes: My very quick reminder about what the main point of this is.

INVESTIGATIONS (by difficulty & SOC level)

NAME | DIFF | SOC | SKILLS | NOTES
Deep Blue | 1 | 1 | Windows, Event Logs, PowerShell | Focused, easy, good lesson (use the tool provided!)
Indicators | 2 | 1 | Windows, OSINT, PowerShell, exiftool, notepad | Basic analysis of a strange file that is likely malicious
PhishyV1 | 2 | 1 | Linux, web, email | Mostly entry level, and good foundational skills
Bits | 2 | 1 | Windows, Bits, Event Logs | Good lesson, specific Windows tool (bits)
Exposed | 2 | 1+ | Git | Focused on git, a bit offense-like
SOC Alpha 1 | 2 | 1+ | ELK, Windows administration/attack | ELK, logs of common attacker actions on Windows
Miner | 2 | 1+ | Wireshark, Network Miner, networking, pcaps | Some not-beginner concepts using pcaps
Replaced | 2 | 1+ | Text editor, OSINT, Visual Basic, code | Very straight-forward Visual Basic code analysis
Fingerprint | 2 | 1 | Wireshark, ja3, Linux (to use ja3) | Pcap that requires filter use, external ja3 tool
Eradication | 2 | 1+ | Yara, Linux, joesandbox | Running yara rules on linux
Mon | 2 | 1 | Windows, sysmon, IR | Sysmon and malware IR on Windows
Print | 2 | 1+ | Wireshark, Windows, sysmon, printers | Focus on Windows and printer tricks
RDP | 2 | 1 | Windows RDP | Focus on RDP tricks
Defaced | 3 | 1+ | ELK, web logs, web attacks | ELK, but another way to look at web attack
Doctor | 3 | 1+ | Linux, web logs, web attacks | Web compromise on Linux system
SOC Alpha 2 | 3 | 1+ | ELK, Windows administration/attack | ELK, Windows logs of a network attack/malware actions
Exxtensity | 3 | 1+ | Windows, browser extensions/settings | Good focus on browser extensions
Joppers | 3 | 1+ | Javascript, Windows | No frills Javascript parsing
Browser Bruises | 3 | 1+ | Linux, dumpzilla (python), browser history | Using dumpzilla to analyze local firefox artifacts
Defender | 3 | 1 | Windows Defender | All about Windows defender logs
Awwdit | 3 | 1+ | Windows Admin, Audit Policies, Basic PE | Focused on audit policies in Windows, basic PE dynamic analysis
Lintro | 3 | 1+ | Linux compromise | Basic Linux compromise and PE analysis
Xhell | 3 | 1+ | Maldoc, olevba, Linux | Old Excel maldoc analysis on Linux, oddball
Venom | 3 | 1+ | Linux logs | Analyzing linux logs for intrusion
Heaven | 3 | 2 | Windows, PE static/dynamic analysis | Good intro to basic and dynamic PE analysis
Stealer | 3 | 2 | DnSpy, basic dynamic analysis | Pretty much all dnSpy and basic dynamic analysis
Trash | 3 | 1+ | Windows terminal | Windows and recycle bin tricks
Shortcut | 3 | 1+ | Windows shortcuts | Windows and shortcut tricks
Link | 3 | 1+ | Windows admin | Fun with Windows and lnk files
Maldroid | 3 | 1+ | APK, Java, Linux | Introductory analysis of an Android APK on Linux
Ducker | 3 | 1+ | Linux, Docker | Introduction to Docker on Linux
Pie | 3 | 1+ | Linux, web attacks | Analyzing Linux logs in Linux for web compromise
Backstage | 4 | 1+ | Linux, Linux logs, wireshark | Linux IR looking at logs and pcap
Crypto | 4 | 1+ | Linux, Windows admin, wireshark, volatility | Good intro to volatility and IR with various artifacts
SharpAttack | 4 | 2 | Pdf maldoc, javascript, Linux | Purely a pdf maldoc analysis
Kill | 4 | 2 | Volatility, Sysinternals, PE basic dynamic | Good intro to memory analysis and exe dynamic analysis
First Day | 4 | 2 | IDA, OSINT, Procmon, pestudio | Starting point for PE-based static analysis, no debugging, OSINT
Logger | 4 | 2 | Windows, basic dynamic analysis, Sysinternals | A few more steps into dynamic analysis
Honey | 4 | 1+ | Windows admin, Redline | A good first romp into Redline, gotta know Windows, though
Total Recall (R) | 4 | 1+ | Windows admin, Redline | Using Redline to investigate a Windows compromise
Ben | 4 | 2 | Windows admin, filesys image, dynamic analysis | Some Windows dynamic analysis tricks for malware
Sam | 4 | 2 | Linux, Windows memory w/ volatility, wireshark | Good romp into volatility and a Windows compromise
Obfuscated | 5 | 2 | Linux, Python | Requires some Python work, Lite Linux IR
Peak 2 | 5 | 2 | Linux, wireshark, sysmon (linux) | Analyze logs in Linux of a Linux compromise
Bot | 5 | 2 | Linux, OSINT, CTF-like | Linux and some CTF-like challenges
Pandemic | 5 | 2 | Windows admin, PE dynamic analysis | Straight-forward Windows PE dynamic analysis
Dot | 5 | 2 | Windows admin, wireshark, ProcDOT | Tricky ProcDOT tool to track an advanced process compromise
anDRE | 5 | 1+ | APK, Java, Linux | Deeper analysis into an Android APK (static still)
PE | 5 | 1+ | Linux, ELK, Windows admin | More ELK, a bit tricky with osquery logs
Pretium | 5 | 1+ | Wireshark | Tricky wireshark tricks
Invoice (R) | 5 | 1+ | Linux, ELK, Wireshark, Windows admin | Kinda easy Windows IR investigation with plenty of artifacts
Sticky Situation | 5 | 2 | Windows admin, Autopsy | Analyzing artifacts to answer questions about USB usage
Countdown (R) | 5 | 2 | Windows, Autopsy, IR | Windows IR investigation with some tricks
SOC Alpha 3 | 5 | 1+ | ELK, Windows administration/attack | ELK, Windows logs of malware activities, just deeper
Hashish | 5 | 2 | Windows IR, Offense | IR on a local Windows compromise, requires some red knowledge
Too Late | 5 | 2 | Windows admin/attack, Wireshark | Tricky look at Windows malware compromise and artifacts
Test | 5 | 2 | Linux, Linux filesys image | Intermediate Linux IR and filesystem image handling
Rigged | 5 | 2 | Windows admin, Wireshark, IR | Intermediate IR into a Windows compromise
Peak (R) | 6 | 2 | Linux, ELK, Linux compromise, linux logs | Linux knowledge and using ELK, Linux logs
The Last Jedi | 6 | 2+ | Wireshark, CFF (PE basic static), Redline | Windows malware infection, lite PE analysis, Redline heavy
Baby | 6 | 2 | Linux, Linux filesys image | Little harder than Test, but Linux IR and image handling
Exceltium | 6 | 2+ | Linux, pdf maldoc, shellcode analysis | More advanced pdf maldoc analysis on Linux, involves shellcode
Gotham | 6 | 2 | Windows basic PE static analysis, IDA, OSINT | Basic static analysis of a malicious executable
LOL (R) | 6 | 2 | Windows, IDA, Python uncompyle, OSINT | More RE static analysis
Recovery | 6 | 2 | Linux | Linux IR investigation with linux logs and knowledge
Rekcod | 6 | 2 | Linux, Docker | Tricky investigation into Docker again
PhishyV2 | 6 | 2+ | Linux, HTML, Phishing, PHP, tiny bit CTF | Phish kit analysis, web site analysis, coding
Multi Stages | 6 | 3 | Linux, wireshark, Windows admin, grepping memory | Using Linux to investigate Windows pcap, memory of attack
Poor Joe | 6 | 2 | Windows admin, Volatility, logs | Windows compromise investigation, kinda tricky, logs and live memory
Triage | 6 | 2 | Windows admin, Volatility, logs | Windows compromise investigation, kinda tricky, logs and live memory
Hooked | 6 | 2 | Linux logs | Analyzing Linux logs/host that has been compromised
Eric | 6 | 2+ | Linux, volatility on Linux memory | A twist on memory analysis with a Linux image
Signal | 6 | 2 | Windows admin, redline timeline, pcap, basic PE | A mix of involved pcap and file timeline analysis, basic PE
Irritate | 7 | 2+ | Windows admin, dynamic analysis | Logs of fighting with dynamic analysis and CTF-like hunt
Pretium v2 | 7 | 2 | Wireshark, Packet Whisper, lite CTF | Answering questions based on a pcap
Covert | 7 | 2+ | Wireshark, PowerShell coding | Dive into a C2 pcap, powershell coding required
Wargames | 7 | 2+ | Linux, volatility | Memory analysis of a Windows compromise
Ghosted | 7 | 2+ | Linux, Wireshark (pcap), suricata | Investigating a web recon and attack mostly with suricata
Evil Maid | 8 | 2+ | Linux, filesys image, SIFT, Windows attack | Windows file system investigation on Linux (SIFT)
The Key | 8 | 2+ | Windows, file system image | Windows file system forensics (and some offense)
Bad Logic (R) | 8 | 2+ | Linux, Windows admin, wireshark | Large artifacts in a Windows attack investigation
Stuck | 8 | 3 | Windows attack, memory analysis | Windows compromise with lots of tricky pieces
Divorce Court | 9 | 3 | Windows attack, filesys image, IDA | Analyzing Windows compromise, light debugging
Supreme Court | 9 | 3 | Windows attack, filesys image, IDA, C#/PoSH | Analyzing Windows compromise, debugging
Counter | 9 | 3 | IDA, debugging/reversing | Pure debugging/reversing, intermediate dynamic analysis
Multi Stages 2 | 10 | 3 | Linux, volatility, Windows admin, MFT/Timeline | Heavy memory analysis and file timelines; very difficult questions

CHALLENGES (by difficulty & SOC level)

NAME | DIFF | SOC | SKILLS | NOTES
D3FEND | 1 | 1 | Google (D3FEND Framework) | Looking up things in the D3FEND material online
ATT&CK | 1 | 1 | Google (MITRE ATT&CK Framework) | Looking up things in the ATT&CK material online
The Report | 1 | 1 | PDF reader | Looking up things in MITRE report (pdf)
Phishing Analysis 2 | 2 | 1 | Text editor, Thunderbird | Analyzing a phishing email
Phishing Analysis | 2 | 1 | Text editor, Thunderbird | Basic phishing email analysis
Meta | 2 | 1 | Exiftool, OSINT | Analyzing some basic info from image files
Brute Force | 3 | 1 | Linux, text editor, grep | Analyzing logs of an RDP brute force attack
The Planet’s Prestige | 3 | 1+ | Email client, text editor | Analyzing malicious email plus office type attachments
Suspicious USB Stick | 3 | 1+ | Linux, peepdf, strings, VirusTotal, hex editor | Basic analysis of a malicious PDF
Powershell Analysis – Keylogger | 3 | 2 | Powershell, Text editor | Analysis of a malicious PowerShell script
Log Analysis – Privilege Escalation | 3 | 2 | Linux, bash | Identifying malicious commands in a bash log
Network Analysis – Malware Compromise | 4 | 2 | Wireshark | Answering some basic questions based on a pcap
Log Analysis – Sysmon | 4 | 1+ | Sysmon, Windows, Powershell | Using sysmon logs to answer incident questions
Malware Analysis – Ransomware Script | 4 | 2 | Text editor, Linux | Analyzing bash script for ransomware
Log Analysis – compromised WordPress | 4 | 2 | Linux, Apache logs | Analyzing a web attack from Apache logs on Linux
ILOVEYOU | 4 | 2+ | Windows, text editor, sysinternal, regshot | Dynamic non-PE malware analysis
Follina | 4 | 2 | Windows, OSINT, text editor | Analysis of multi-stage maldoc 0-day
Melissa | 5 | 2+ | Oledump, text editor | Non-PE malware analysis
Shiba Insider | 5 | 2 | Wireshark, Steghide, Exiftool, Linux | Unwrapping layers of hidden data and common artifacts
Network Analysis – Web Shell | 5 | 2 | Wireshark, Linux and attacker knowledge | Analyzing a Linux attack using a pcap
Malicious Powershell Analysis | 5 | 2 | Powershell | Parsing a Powershell script and basic obfuscation
Spectrum | 6 | 2 | Fcrackzip, Photorec, Audacity, efitool, steghide | Unwrapping layers of hidden data in less common artifacts
Employee of the Year | 6 | 2 | Photorec, scalpel, CyberChef, Linux, strings | Recovering and unwrapping various file types
Network Analysis – Ransomware | 6 | 2 | Wireshark, OSINT | Analyzing and even recovering files using a pcap artifact
Memory Analysis – Ransomware | 7 | 2+ | Volatility, Windows, OSINT | Mostly entry level volatility analysis of memory image
Paranoid | 7 | 2 | Linux | Analysis of linux logs to answer incident questions
Secure Shell | 7 | 2 | Linux, text editor, OSINT | Analysis of an SSH log
The Package | 7 | CTF | OSINT, CTF, Math/Python | Don’t recommend. Clever CTF-Like math riddle.
Reverse Engineering – Another Injection | 7 | 3 | IDA (Disassembler), Sysinternals, API Monitor | PE analysis and debugging, not entry level, but close to it for malware analysis anyway
Barcode World | 8 | CTF | Linux, Python | Decode flag from 9000+ image files; don’t recommend
Browser Forensics – Cryptominer | 8 | 2+ | Linux, FTK Imager, Javascript, Windows | Analyzing image file for browser artifacts
Reverse Engineering – A Classic Injection | 8 | 3 | IDA, Sysinternals, Windows | Static and dynamic analysis of a PE file
Injection Series – Part 3 | 8 | 3 | IDA, Sysinternals, Windows | Static and dynamic analysis of a PE file
Squid Game | 8 | CTF | Steghide, image editor | CTF-like image stego; don’t recommend
Injection Series Part 4 | 8 | 3 | IDA, Ghidra | PE analysis using debugger
Secrets | 8 | Red | Python, JWT, Linux probably | Red team web app attack against weak jwt
Veriarty | 8 | CTF | Hashcat, Veracrypt, Linux, Thunderbird, gpg | Recovery and decoding of files; don’t recommend
D-Crypt | 9 | CTF | Browserlings | Decoding a string several times with minimal guidance
P2SEC – Minigame | 9 | Red | Web App attacking, OSINT, exiftool, PE analysis | Unguided multi-stage mostly red team basics; long
Classical City | 10 | CTF | Sanity | Decoding ciphers – don’t recommend
