  1. Member
    Join Date
    Dec 2011
    Posts
    57

    Certifications
    Project+, A+ CE, Net+ CE, Sec+ CE, C|EH
    #1

    Default Best blue team certs to have?

    Title says it all. There's a ton of offensive certs but what are some of the best defensive certs to have?
  3. Passion For IT
    Join Date
    Mar 2008
    Posts
    569

    Certifications
    MCTS, MCITP, MCP, A+, Server+, Security+, Project+, CCENT, CCNA-Sec, CEH, CHFI
    #2
    CISSP is the big one. It goes over the managerial stuff. Policies, procedures, etc. from a business/manager standpoint.

    CCNA:Security (and others in that line) are good if you're a Cisco shop. Configuring firewalls and such.

    Maybe a MCSA/MCSE if you're Microsoft. Throw some SCCM/Intune in there, too. Patching is huge (saved many from the recent massive media hyped WannaCrypt).

    CompTIA CASP/CSA+ are good, too. From what I hear they are more technical than the CISSP. I haven't taken those yet.

    I feel knowing the offensive side is huge if you're wanting to be on the blue team. Knowing how things are attacked, what attack vectors they use, etc. really help in knowing how to defend a business.
    A few certs here and there and everywhere...
    AAS: Computer Security
    BS: Information Technology - Security (WGU)
    MS: Information Security & Assurance (WGU)

  4. Completely Clueless TechGromit's Avatar
    Join Date
    Oct 2015
    Location
    Galloway, NJ
    Posts
    1,271

    Certifications
    A+, Network +, GSEC, GCIH, Lunatic+
    #3
    From the GIAC world, GCIH, GREM, GMON, GCIA are some good ones to have.
    Still searching for the corner in a round room.

  5. Member
    Join Date
    Dec 2011
    Posts
    57

    Certifications
    Project+, A+ CE, Net+ CE, Sec+ CE, C|EH
    #4
    Quote Originally Posted by PC509:
    CISSP is the big one. It goes over the managerial stuff. Policies, procedures, etc. from a business/manager standpoint.

    CCNA:Security (and others in that line) are good if you're a Cisco shop. Configuring firewalls and such.

    Maybe a MCSA/MCSE if you're Microsoft. Throw some SCCM/Intune in there, too. Patching is huge (saved many from the recent massive media hyped WannaCrypt).

    CompTIA CASP/CSA+ are good, too. From what I hear they are more technical than the CISSP. I haven't taken those yet.

    I feel knowing the offensive side is huge if you're wanting to be on the blue team. Knowing how things are attacked, what attack vectors they use, etc. really help in knowing how to defend a business.
    Appreciate the thoughts. I'm about to take my CEH in a week and think I might hit the CASP right after.

  6. Are we having fun yet? UnixGuy's Avatar
    Join Date
    Mar 2008
    Posts
    3,323

    Certifications
    GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #5
    Quote Originally Posted by TechGromit:
    From the GIAC world, GCIH, GREM, GMON, GCIA are some good ones to have.
    I would add GCFA and GCFE as well.


    OP,

    Apart from SANS, know your perimeter (Firewalls, IDS, Proxies, DLP, Group policy). Learn how to use Splunk and Nessus, ... know your cloud setup very well.
    Goal: GCFA (DONE), GPEN

  7. Senior Member
    Join Date
    May 2015
    Posts
    383

    Certifications
    CISSP, GMON, C|EH, MCSE, MCSE:Security, Sec+, ITIL
    #6
    Forget about certs for specific tools/vendors/products for this, because the tools you use will depend almost 100% on the company or client you work for. Also, the tool is just the tool, the fundamental skills are the same regardless of the box or software you get to use. "A fool with a tool is still a fool."

    Blue team skills and corresponding certs:

    - Basic security knowledge: Security+, SSCP, GSEC, CEH
    - Intrusion analysis: ECSA, Analyst+, GCIA, GCIH, GCWN, GCUX
    - Defendable network/system architecture: GCFW, CASP, GPPA, GMON, CISSP, CISSP-ISSAP
    - Application security: GWEB, CSSLP
    - Continuous security monitoring: GPPA, GCIH, GMON
    - Digital forensics: CHFI, GCFA, GCFE

    There are certs for SCADA/ICS/PDC security as well that fall under the "blue team" flag as well.

    Hope this helps.
    Last edited by renacido; 06-06-2017 at 01:15 AM.

  8. Member
    Join Date
    Dec 2011
    Posts
    57

    Certifications
    Project+, A+ CE, Net+ CE, Sec+ CE, C|EH
    #7
    Quote Originally Posted by renacido:
    Forget about certs for specific tools/vendors/products for this, because the tools you use will depend almost 100% on the company or client you work for. Also, the tool is just the tool, the fundamental skills are the same regardless of the box or software you get to use. "A fool with a tool is still a fool."

    Blue team skills and corresponding certs:

    - Basic security knowledge: Security+, SSCP, GSEC, CEH
    - Intrusion analysis: ECSA, Analyst+, GCIA, GCIH, GCWN, GCUX
    - Defendable network/system architecture: GCFW, CASP, GPPA, GMON, CISSP, CISSP-ISSAP
    - Application security: GWEB, CSSLP
    - Continuous security monitoring: GPPA, GCIH, GMON
    - Digital forensics: CHFI, GCFA, GCFE

    There are certs for SCADA/ICS/PDC security as well that fall under the "blue team" flag as well.

    Hope this helps.
    Thank you for the insight. What are your thoughts on the cert below from ec-council?

    https://www.eccouncil.org/programs/c...-defender-cnd/

    Also, is Analyst+ just the CSA+ from CompTia?

  9. Senior Member E Double U's Avatar
    Join Date
    Apr 2014
    Location
    The Netherlands
    Posts
    1,133

    Certifications
    CISSP, CISM, GCIA, GCIH, C|EH, and more.
    #8
    GCIH is great for a blue teamer.
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson

  10. Senior Member
    Join Date
    Nov 2011
    Posts
    810
    #9
    ISACA CSX-P is actually dedicated to the BT role.

  11. Member
    Join Date
    May 2013
    Location
    Singapore
    Posts
    35

    Certifications
    Network+, MTA 98-349, MTA 98-365, SSCP, CHFI, eJPT
    #10
    Quote Originally Posted by Elegyx:
    Title says it all. There's a ton of offensive certs but what are some of the best defensive certs to have?
    If you're focusing purely on certs, there is of course the GCIH and etc.

    You'll learn how to use tools and perhaps write reports, but I must emphasize focusing more on the organization first.

    Analyze your organization's tools, culture and processes.

    What tools/controls/devices are readily available? (Firewall, IPS, IDS, SIEM, WAF, User Account Management tools, Proxy, imaging software). Are you familiar with those tools? Do you, instead, want to attend courses on them to learn how to use them properly?

    What is the organization's stand on purchasing new tools/controls/devices? Is it a massive pain to justify getting new tools or devices? Does your organization want to outsource the responsibility of the "blue team" instead, leaving you more time to focus on other things? Do you think you'll end up frustrated with having a "blue team" cert, but lack the skill or opportunity in utilizing the knowledge to the best of your ability?

    What is the current incident handling process in your environment? Is there even a process? Do you think you want to attend a course or two about business continuity instead? Perhaps you'd like to fine tune your vision and look to courses that might aid you in creating, testing and implementing an incident handling process?

    Just some food for thought

  12. Senior Member
    Join Date
    May 2015
    Posts
    383

    Certifications
    CISSP, GMON, C|EH, MCSE, MCSE:Security, Sec+, ITIL
    #11
    Quote Originally Posted by Elegyx:
    Thank you for the insight. What are your thoughts on the cert below from ec-council?

    https://www.eccouncil.org/programs/c...-defender-cnd/

    Also, is Analyst+ just the CSA+ from CompTia?
    Yes, I was referring to the new sec analyst cert from CompTIA, CSA+.

    I don't know much about the CND but seems decent for blue teamers especially those in the DoD.

  13. Senior Member McxRisley's Avatar
    Join Date
    May 2016
    Posts
    153

    Certifications
    Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, C|EH, OSCP
    #12
    The best blue team cert to have would be OSCP, because in order to defend a network, you need to understand the attacks and how the attacker thinks. This is actually why the course was created, not just to be a pen tester but so people on the defensive side could better understand their adversary.

  14. Senior Member
    Join Date
    Oct 2013
    Location
    Denver, CO
    Posts
    2,325

    Certifications
    MS: Information Security, CISSP, GCIH, CEH, CHFI, CCNA: S, CCNA: R&S, VCP6-DTM, Linux+, Project+, VCA6-DCV
    #13
    Quote Originally Posted by TechGromit:
    From the GIAC world, GCIH, GREM, GMON, GCIA are some good ones to have.
    That's the route to go if your company will pay for it. That's almost 30k for those.

  15. Senior Member
    Join Date
    Dec 2015
    Location
    Quebec, Canada
    Posts
    209

    Certifications
    A+, Network+, Linux+, HP APS, VCP 3-4-5-6, VSP,VTSP, SSCP, Veeam VMCE
    #14
    Quote Originally Posted by markulous:
    That's the route to go if your company will pay for it. That's almost 30k for those.
    Yeah, and that doesn't take expenses into account (hotel, plane...).

  16. Member
    Join Date
    Jan 2017
    Posts
    96
    #15
    You sure?
    While I am diligently working toward the deeply coveted OSCP, I thought, strictly from a blue team perspective, the CISSP would be the big one to have.


    Of course...I do see JUST having a CISSP is a false sense of security when there's the OSCP out there...

  17. Senior Member McxRisley's Avatar
    Join Date
    May 2016
    Posts
    153

    Certifications
    Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, C|EH, OSCP
    #16
    Yes, I am 100000% sure. How can you possibly defend a network effectively if you don't even understand the mindset of an attacker or the attack vectors? CISSP is a manager level cert and will teach nothing useful about defending a network.

  18. Completely Clueless TechGromit's Avatar
    Join Date
    Oct 2015
    Location
    Galloway, NJ
    Posts
    1,271

    Certifications
    A+, Network +, GSEC, GCIH, Lunatic+
    #17
    Quote Originally Posted by McxRisley:
    Yes, I am 100000% sure. How can you possibly defend a network effectively if you don't even understand the mindset of an attacker or the attack vectors?
    While I agree having a GPEN or OSCP would be beneficial certifications to have, if you're looking for a Blue Team job, Blue team certifications are more important to have than Red team certifications. They are great complements, but if funding is a concern, concentrate on Blue team certs first, before red team certs.
    Still searching for the corner in a round room.

  19. Member
    Join Date
    Jul 2010
    Posts
    94

    Certifications
    CISSP, OSCP, GXPN, CSXP, CEHv7, CCNA, CCNA Security, GCED, CCSK, Net+, Sec+, Project+
    #18
    Quote Originally Posted by McxRisley:
    Yes, I am 100000% sure. How can you possibly defend a network effectively if you don't even understand the mindset of an attacker or the attack vectors? CISSP is a manager level cert and will teach nothing useful about defending a network.

    I disagree. Understanding the mindset of an attacker, while important, is just one piece of knowledge for a blue teamer. The OSCP, generally speaking, covers only the niche of Vulnerability Assessments and Penetration Testing. The CISSP on the other hand covers numerous areas, but doesn't go into great detail in these areas. This is why the CISSP is often considered to be a mile wide and an inch deep. Many of the topics covered are essential for a well rounded information security professional to understand, even if only at a high level. Further, most of the areas covered are outside the scope of the OSCP (e.g. physical security, incident response, disaster recovery, access control, patch/vulnerability management, etc).

    Here's another way to put it.

    How many of the CIS Top 20 Security controls are covered by the CISSP? How many by the OSCP?

    http://www.isaca.org/Groups/Professi...er-2016(1).pdf

  20. Junior Member
    Join Date
    Apr 2014
    Location
    Kiev, Ukraine
    Posts
    19

    Certifications
    LFCS, LFCE, eCPPT, eJPT, eMAPT, eNDP, eWPT, HP ATA Networks, HP ATA Connected Devices, HP ATA Servers & Storage, HP ATA Cloud
    #19
    Agree with thegoodbye. OSCP simply teaches you to CRACK and get inside (to be honest - you teach this yourself, not with OSCP's shitty PDF and stupid videos). Nothing more.

  21. Member
    Join Date
    Nov 2016
    Location
    Iowa
    Posts
    62

    Certifications
    OSCP, CISSP, Sec+
    #20
    Asking the question(s) posed on this thread is personal, and depends on what you're wanting to do. Are you hoping the cert process will teach you something? Are you hoping the cert will give you a certain cachet and resume value? If you're learning something from it, the OSCP process can absolutely help you gain some perspective on your blue team endeavors. Knowing how to think like an attacker will help in various aspects of your blue team posture. Is the CISSP going to teach you anything actionable? It didn't for me (and I took it 8 years ago). But let's face it, the CISSP is part of the necessary route that blue team members basically are expected to take.
    -------------------------------------------------------
    Security Engineer/Analyst/Geek, Pen Testing

  22. Senior Member McxRisley's Avatar
    Join Date
    May 2016
    Posts
    153

    Certifications
    Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, C|EH, OSCP
    #21
    I think you're missing the point though. In order to "CRACK" into systems as you mention, you need to understand the how and why behind it. This involves understanding the networking devices/protocols and the inner workings of whatever it is you are enumerating/attempting to break into. Also, none of the blue teamers I have met in the DoD realm have had primarily defensive certs; in fact very few of them had a full blown defensive cert. This is because the concept of network defense is built in to all of the offensive certs. While I'm not disagreeing that the GCIH and a few other certs are worth your time, I'm just saying that according to the industry and from what I've seen first hand, employers favor offensive certs over defensive certs for both roles.

  23. Member
    Join Date
    Jan 2017
    Posts
    96
    #22
    I see your point..but I'd have to disagree and say, from what I've researched, CISSP.
    From a strict defensive point of view I'd go with the CISSP.
    The OSCP is all fire and rage!
    I know that eventually I'll be going for a CISSP AFTER I get the OSCP.
    I do a bit of blue team stuff where I'm at now and it bores the hell out of me.

    All in all, you won't really know the other side of the coin as the CISSP does sort of give you a false sense of security..if that makes any sense.
