  1. Junior Member
    Join Date
    Mar 2009
    Posts
    6
    #1

    Default Cert Tracks for Red and Blue Teams

    I've recently been tasked with coming up with a standard certification track for both Red and Blue teams for our organization. I'll start by saying that I am not a technical expert, and am on the management/executive side. I've polled our analysts, done some research, and have some preliminary lists together. Would love some feedback on the below, or if anyone else has additions or a different order, would love to hear it. Keep in mind we are a small SOC (7 people), so we don't really have any differentiation between a Blue team and an IR team per se. We are a Windows (mainly) environment.

    Red Team:
    Linux+
    GSEC
    eJPT
    eCPPT
    GPYC
    OSCP
    OSCE
    Specializations: OSEE and/or OSWE

    Blue Team:
    Security+
    CSA+
    GCIA
    GCWN
    SEC599 class (Test coming? This is still in beta)
    GCFE
    GCFA
    GREM
  3. Senior Member yoba222's Avatar
    Join Date
    Jun 2013
    Posts
    399

    Certifications
    LFCS, GCIH, eJPT, CCNA, CAPM, Sec+, Net+, A+
    #2
    LFCS instead of Linux+, and move the Linux cert to blue team, as it really focuses more on best practice/proper configuration rather than offensive things.
    https://training.linuxfoundation.org/certification/lfcs

    I suggest GCIH for blue team too.

  4. Senior Member stryder144's Avatar
    Join Date
    Nov 2012
    Location
    Denver, CO
    Posts
    1,278

    Certifications
    CompTIA A+, Network+, Security+, Server+, Linux+ and CSA+; MCSA: Windows 7, ITIL Foundations
    #3
    Under Blue Team I would also place the CCNA: Cyber Ops and CCNA: Security certs, plus Logical Operations CyberSec First Responder (admittedly not much market share for this one, but it has some pretty good information).
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia


  5. Senior Member E Double U's Avatar
    Join Date
    Apr 2014
    Location
    The Netherlands
    Posts
    1,156

    Certifications
    CISSP, CISM, GCIA, GCIH, C|EH, and more.
    #4
    Quote Originally Posted by yoba222:
    I suggest GCIH for blue team too.
    Agreed!

    Also, GPEN for red team.
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson

  6. Junior Member
    Join Date
    Mar 2009
    Posts
    6
    #5
    Quote Originally Posted by E Double U:
    Agreed!

    Also, GPEN for red team.
    Hmmm...I was going back and forth on the GCIH for the Blue Team, but it seems it only has a small section on incident handling, and is mainly an Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves.

    Also, which is more difficult, the GPEN or the OSCP? I'm trying to have a logical progression from easiest-ish to most difficult.

  7. Senior Member xxxkaliboyxxx's Avatar
    Join Date
    Dec 2013
    Location
    Austin, Texas
    Posts
    422

    Certifications
    GCIH, C|EH, Sec+, eJPT, SCCC
    #6
    https://cybersecurity.isaca.org/csx-...-certification

    CSX Practitioner for blue team.

    Also, I would assume the OSCP is more difficult, strictly based on their scoring system for a pass. Also, there has been mention on this forum comparing the two courses. Maybe someone could chime in.
    Studying: LFCS
    Reading: Python Crash Course
    Upcoming Exam: GWAPT

    https://realworlditsecurity.wordpress.com

  8. Senior Member
    Join Date
    Nov 2012
    Location
    Montreal
    Posts
    589

    Certifications
    OSCP, CEH, SSCP, EJPT, CCNA:Security, CCNA:R&S, MCSA:W2K8, Linux+, LPIC-1, SCLA
    #7
    I would add GXPN and GWAPT as well to red team.

  9. Junior Member
    Join Date
    Mar 2009
    Posts
    6
    #8
    Quote Originally Posted by JasminLandry:
    I would add GXPN and GWAPT as well to red team.
    GXPN harder or easier than OSCP?
    Last edited by jallen2020; 09-14-2017 at 04:01 PM.

  10. Senior Member
    Join Date
    Nov 2012
    Location
    Montreal
    Posts
    589

    Certifications
    OSCP, CEH, SSCP, EJPT, CCNA:Security, CCNA:R&S, MCSA:W2K8, Linux+, LPIC-1, SCLA
    #9
    I think so, since the GXPN material is more similar to the OSCE, probably even more advanced. The difference is mainly the exam. We all know the OSCE is a lab, while the GXPN is a multiple-choice exam.

    https://www.giac.org/certification/e...on-tester-gxpn
    https://www.offensive-security.com/d...r-syllabus.pdf

  11. Junior Member
    Join Date
    Mar 2009
    Posts
    6
    #10
    Quote Originally Posted by stryder144:
    Under Blue Team I would also place the CCNA: Cyber Ops and CCNA: Security certs, plus Logical Operations CyberSec First Responder (admittedly not much market share for this one, but it has some pretty good information).
    I've heard the CSA+ and CCNA: Cyber Ops material is pretty similar in knowledge level, at least...is it not? I do like Cisco because of the thoroughness of their exams, forcing better knowledge of the material; however, I'm shooting for a more vendor-agnostic approach. If the CCNA: CO is more agnostic, I would consider it. Thoughts?

  12. Senior Member stryder144's Avatar
    Join Date
    Nov 2012
    Location
    Denver, CO
    Posts
    1,278

    Certifications
    CompTIA A+, Network+, Security+, Server+, Linux+ and CSA+; MCSA: Windows 7, ITIL Foundations
    #11
    While the exams do touch on Cisco products, it is more from the perspective of "you need a firewall, such as a Cisco ASA". More sales-pitch examples than how to configure. I would say that it is as close to vendor neutral as a vendor is going to get.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia


  13. Senior Member
    Join Date
    May 2013
    Posts
    1,190

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #12
    Honestly, if you are going to have a lot of GIAC certs...I would put GSEC in there. The core GIAC certs are GSEC, GCIH, and GCIA...so for blue team all three should be there.

    GCWN can probably be optional, unless you are engineering your environment and not using something like the CIS group policies.

  14. Junior Member
    Join Date
    Mar 2009
    Posts
    6
    #13
    Quote Originally Posted by TechGuru80:
    Honestly, if you are going to have a lot of GIAC certs...I would put GSEC in there. The core GIAC certs are GSEC, GCIH, and GCIA...so for blue team all three should be there.

    GCWN can probably be optional, unless you are engineering your environment and not using something like the CIS group policies.
    I actually want to have a balanced number of certs from different bodies; I feel that forces people out of their comfort zone, as they have to learn the systems and methods for each, so that's my thinking as to why Security+ and CSA+ vs. GSEC.

    Wow, this is turning into a really great conversation, thank you so much everyone. TechGuru80, I had a question on the GCIH that maybe you had some insight on:

    I was going back and forth on the GCIH for the Blue Team, but it seems it only has a small section on incident handling, and is mainly an Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves.

  15. Senior Member
    Join Date
    May 2013
    Posts
    1,190

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #14
    That makes sense on having variety...the nice thing with GSEC is the Windows and Linux security sections, unlike the Security+, which gives conceptual information...it probably depends on what experience level you bring people in at, though.

    The curriculum is definitely weighted towards hacking techniques, but covers a lot of tools that can be utilized and things to be aware of...it's the whole "know your enemy" saying. Having your Red team side balanced with blue team knowledge isn't as important as having your blue team have some red team knowledge, and especially since you don't really have any mix on blue, I would have it in there on that basis alone.

  16. Senior Member E Double U's Avatar
    Join Date
    Apr 2014
    Location
    The Netherlands
    Posts
    1,156

    Certifications
    CISSP, CISM, GCIA, GCIH, C|EH, and more.
    #15
    Quote Originally Posted by jallen2020:
    Hmmm...I was going back and forth on the GCIH for the Blue Team, but it seems it only has a small section on incident handling, and is mainly an Ethical Hacking intro...is this not the case? I feel like we can train incident handling ourselves.

    Also, which is more difficult, the GPEN or the OSCP? I'm trying to have a logical progression from easiest-ish to most difficult.
    GCIH teaches about hacking techniques and the defenses against them.

    I have colleagues with both, and based on their feedback I would say OSCP is more difficult. GPEN is a multiple-choice exam and OSCP is hands-on.
    Last edited by E Double U; 09-15-2017 at 07:37 AM.
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson

  17. Tecnomancer trojin's Avatar
    Join Date
    May 2013
    Location
    Ireland
    Posts
    107

    Certifications
    A+,S/S/S+,N+, CASP,CSA+,CCNA R/S & Sec & Cyber OPS, SSCP,EMC NetWorker Spec,SNIA SCSE,Prince 2,EITCA-IS,F5 BIG-IP CA/CTS-ASM, Intel Sec NSP
    #16
    Quote Originally Posted by jallen2020:
    I've heard the CSA+ and CCNA: Cyber Ops material is pretty similar in knowledge level, at least...is it not?
    Yes, and no at the same time. I prefer CCNA COPS as it covers more stuff. The similarity is in the tools. CSA+ has more questions with logs, Cisco more questions related to processes. IMO they are complementary.
    Good horse is expensive... A Trojan horse even more

  18. Senior Member
    Join Date
    Oct 2010
    Posts
    861

    Certifications
    CISSP, CEH
    #17
    OSCP is more difficult than GPEN because it's a practical certification, whereas GPEN is more of the same "here are questions, give us answers" type of exam. It doesn't test you the same way OSCP does. Which is one reason why I respect OSCP and OSCE a lot more than any other certification for this type of work. You know those people know what they are doing, or at least you have a higher confidence level that they should. It's the CCIE of security certifications.

  19. Senior Member
    Join Date
    May 2013
    Posts
    1,190

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #18
    Quote Originally Posted by higherho:
    OSCP is more difficult than GPEN because it's a practical certification, whereas GPEN is more of the same "here are questions, give us answers" type of exam. It doesn't test you the same way OSCP does. Which is one reason why I respect OSCP and OSCE a lot more than any other certification for this type of work. You know those people know what they are doing, or at least you have a higher confidence level that they should. It's the CCIE of security certifications.
    Idk if you realize it, but the GIAC GSE has a written and hands-on lab and covers GSEC/GCIH/GCIA...unlike the OSCP/OSCE, which only cover pentesting (a subset of security).

  20. Senior Member yoba222's Avatar
    Join Date
    Jun 2013
    Posts
    399

    Certifications
    LFCS, GCIH, eJPT, CCNA, CAPM, Sec+, Net+, A+
    #19
    Sounds like you may have seen it before, but SANS puts out info on which certs it recommends for red and blue teams:
    https://www.sans.org/cyber-guardian

  21. Senior Member
    Join Date
    Oct 2010
    Posts
    861

    Certifications
    CISSP, CEH
    #20
    Quote Originally Posted by TechGuru80:
    Idk if you realize it, but the GIAC GSE has a written and hands-on lab and covers GSEC/GCIH/GCIA...unlike the OSCP/OSCE, which only cover pentesting (a subset of security).
    I'm strictly talking about pen testing (hence the reference to GPEN and OSCP/E). A LOT of people are horrible at pen testing and simply use tools and hit run. These SANS courses feed you too much without putting you through some hard-ass hands-on exam. I'm not too knowledgeable about the GSE, so I won't comment on that. The lab sounds difficult as hell!

    Nor am I saying "only get this cert". I understand that Red and Blue teams, in terms of cyber security, need to know their **** in a lot of areas. I still think some of the best Red team or Blue team individuals come from an engineering position (software, systems, or networking) instead of jumping right into the field like some people do with high-level security certs (example, CISSP).
    Last edited by higherho; 09-15-2017 at 09:09 PM.

  22. Junior Member
    Join Date
    Mar 2009
    Posts
    6
    #21
    I like the idea of GSEC, GCIH, GCIA, and then GSE.

    Has anyone done this track? How difficult is the GSE? I come from a routing and switching background and have passed the CCIE written; I'm still trying to get good enough to do the lab test.

    My question is, would the GSE be comparable to the CCIE as far as skills and difficulty in each respective field?

    I'm just trying to structure this program in a way that it progresses in a somewhat logical and linear fashion for someone trying to up their skills in our organization.