Blue Team Project

Blue Team Level 1: Security Blue Team BTL1

Overview

This project summarizes my completion of the Security Blue Team Level 1 certification path. BTL1 is a practical blue team certification focused on developing defensive cybersecurity skills across digital forensics, threat intelligence, phishing analysis, SIEM investigation, incident response, and case management.

The training was designed around real security workflows used by defenders to detect, investigate, and respond to cyber incidents. It combined lessons, quizzes, videos, browser labs, and a practical exam focused on applying blue team skills in a realistic investigation environment.

Certification Scope

The BTL1 path covered several major defensive security areas:

  • Security fundamentals
  • Threat intelligence
  • Digital forensics
  • Phishing analysis
  • Security information and event monitoring
  • Incident response
  • Case management
  • Cyber Kill Chain analysis
  • MITRE ATT&CK mapping
  • Windows, browser, Linux, and memory artifacts

Lab Summary

During this certification path, I completed 23 labs covering practical blue team investigation workflows.

The labs included:

  • Threat intelligence labs
  • Digital forensics labs
  • Phishing analysis activities
  • SIEM investigation labs
  • Incident response labs
  • Log analysis exercises
  • Case management scenarios
  • Evidence review and reporting activities

These labs helped reinforce the practical side of defensive security by requiring analysis of artifacts, logs, emails, indicators, and investigation data instead of relying only on theory.

Section Breakdown

Threat Intelligence

This section covered threat actors, attack motivations, threat intelligence disciplines, and malware campaign analysis.

Topics Covered

  • Introduction to threat intelligence
  • Threat actors and APT groups
  • Operational threat intelligence
  • Tactical threat intelligence
  • Strategic threat intelligence
  • Malware campaign research
  • Open source intelligence
  • Indicator enrichment
  • Threat actor profiling

Skills Demonstrated

  • Threat intelligence analysis
  • MISP usage
  • OSINT research
  • VirusTotal analysis
  • Strategic intelligence review
  • Tactical intelligence review
  • Indicator context development

What I Did

I practiced researching threat actors, analyzing indicators, reviewing malware campaign information, and understanding how intelligence can support security operations. This helped me understand the difference between raw indicators and useful intelligence that can support detection, response, and risk decisions.

Digital Forensics

This section covered Windows, browser, Linux, disk, and memory artifacts that are useful during forensic investigations.

Topics Covered

  • Introduction to digital forensics
  • Forensics fundamentals
  • Digital evidence collection
  • Windows investigations
  • Linux investigations
  • Memory analysis with Volatility
  • Disk analysis with Autopsy
  • Browser artifact review
  • File recovery concepts
  • Timeline analysis concepts

Skills Demonstrated

  • Evidence collection
  • Disk image analysis
  • Memory analysis
  • Windows artifact review
  • Linux artifact review
  • Browser history analysis
  • File recovery
  • Timeline reconstruction
  • Forensic tool usage

Tools Used

  • Autopsy
  • Browser History Capturer
  • Browser History Viewer
  • FTK Imager
  • JumpList Explorer
  • KAPE
  • Linux CLI
  • PECmd
  • Scalpel
  • Volatility
  • Windows File Analyzer

What I Did

I reviewed forensic artifacts from Windows, Linux, browsers, disk images, and memory captures. I practiced identifying useful evidence, preserving investigation context, and using forensic tools to support incident analysis. This helped build a stronger foundation in evidence handling and investigation workflows.
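The timeline reconstruction mentioned above depends on one step the course tools do silently: artifacts from different sources store time in different epochs and units, and nothing can be ordered until they are normalized to UTC. The following is an added example for this writeup, not the author's code and not BTL1 course material. It converts three formats a Windows/browser/Linux investigation meets (NTFS FILETIME, Chrome/WebKit timestamps, Unix epoch seconds) and merges constructed sample records into one sorted timeline. The artifact records, paths and addresses are constructed placeholders, not real evidence.

```python
from datetime import datetime, timedelta, timezone

# Both FILETIME and WebKit timestamps count from 1601-01-01 00:00:00 UTC;
# FILETIME in 100-nanosecond ticks, WebKit in microseconds.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks: int) -> datetime:
    """NTFS / registry / prefetch FILETIME (100 ns units since 1601) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def from_webkit(micros: int) -> datetime:
    """Chrome/Chromium history and download timestamps (us since 1601) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=micros)


def from_unix(seconds: int) -> datetime:
    """Linux log and most Unix tool timestamps (seconds since 1970) to UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


CONVERTERS = {"filetime": from_filetime, "webkit": from_webkit, "unix": from_unix}

# Constructed sample records, each tagged with the epoch its source uses.
SAMPLE_ARTIFACTS = [
    {"source": "ntfs", "kind": "filetime", "raw_time": 133485771000000000,
     "description": "$STANDARD_INFORMATION created: C:\\Users\\alice\\Downloads\\invoice.zip"},
    {"source": "browser", "kind": "webkit", "raw_time": 13348577010000000,
     "description": "Chrome download started: invoice.zip"},
    {"source": "linux_auth", "kind": "unix", "raw_time": 1704103440,
     "description": "sshd: Accepted password for alice from 198.51.100.7"},
]


def build_timeline(records: list) -> list:
    """Normalize every record to UTC and return them in chronological order.

    Each row keeps its source label so a reader can see which artifact
    contributed the event, which matters when two sources disagree.
    """
    rows = []
    for rec in records:
        when = CONVERTERS[rec["kind"]](rec["raw_time"])
        rows.append({"dt": when, "time": when.isoformat(),
                     "source": rec["source"], "description": rec["description"]})
    rows.sort(key=lambda r: r["dt"])
    return [{k: v for k, v in r.items() if k != "dt"} for r in rows]


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_ARTIFACTS):
        print(f"{row['time']}  {row['source']:<10}  {row['description']}")
```

Run stand-alone it prints the three events in order (browser download, then the SSH logon, then the file creation). The point to carry into real casework is that a raw value read from a tool is only comparable to another after this conversion; a sort on the raw integers would put the Unix timestamp first simply because it is the smallest number.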

Phishing Analysis

This section focused on analyzing suspicious emails from initial receipt through investigation, artifact review, defensive action, and reporting.

Topics Covered

  • Introduction to phishing and emails
  • Types of phishing emails
  • Phishing tactics and techniques
  • Investigating a phishing email
  • Analyzing artifacts
  • Taking defensive actions
  • Report writing
  • Phishing response challenge

Skills Demonstrated

  • Email header analysis
  • URL analysis
  • File analysis
  • Malware sandboxing
  • OSINT research
  • Sender analysis
  • Domain and WHOIS review
  • Phishing technique identification
  • Report writing

Tools Used

  • PhishTool
  • URL2PNG
  • URLScan
  • WHOIS
  • VirusTotal
  • Malware sandboxing tools
  • Header analysis tools

What I Did

I investigated suspicious emails by reviewing headers, links, attachments, sender details, domain information, and external reputation data. I practiced identifying phishing techniques, extracting indicators, determining risk, and writing clear reports that explain the threat and recommended defensive actions.
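The header, link and attachment review described above, as an added example that is not part of this writeup or of the BTL1 course material: a small Python triage script built only on the standard library. It runs over a constructed sample email (every domain, address and IP is a documentation placeholder; none is a real indicator) and pulls out what an analyst records first: the sender, Reply-To and Return-Path domains and whether they agree, the originating IP from the earliest Received hop, every URL in the body, and a SHA-256 for each attachment, with the indicators defanged for the report.

```python
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message for this example. Every domain, address and IP is a
# documentation placeholder (.test TLD, RFC 5737 ranges); none is a real indicator.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-example.test>
Received: from mx-edge.example.test (mx-edge.example.test [203.0.113.10])
 by mail.corp.example (Postfix) with ESMTPS id ABC123
 for <alice@corp.example>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by mx-edge.example.test with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
From: "IT Helpdesk" <helpdesk@corp-example.test>
Reply-To: <support@mailer-example.test>
To: alice@corp.example
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at https://login.corp-example.test/reset
or contact us at http://198.51.100.7/help.
--XYZ
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def defang(ioc: str) -> str:
    """Rewrite an indicator so it cannot be clicked when pasted into a report."""
    return (ioc.replace("https://", "hxxps://")
               .replace("http://", "hxxp://")
               .replace(".", "[.]"))


def domain_of(header_value: str) -> str:
    """Bare, lower-cased domain of an address header such as From or Reply-To."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage_email(raw: str) -> dict:
    """Extract the header, link and attachment indicators an analyst records first."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = domain_of(str(msg["From"] or ""))
    findings = []

    # Replies or bounces routed to a different domain than the visible sender
    # are a common sign of a spoofed or lookalike sender.
    for name in ("Reply-To", "Return-Path"):
        value = msg[name]
        if value and domain_of(str(value)) != sender_domain:
            findings.append(f"{name} domain differs from sender domain")

    # Received headers are prepended hop by hop, so the last one is the earliest
    # hop; the bracketed IP there is the best available clue to the true origin.
    received = msg.get_all("Received") or []
    origin_ips = IPV4_RE.findall(str(received[-1])) if received else []
    origin_ip = origin_ips[0] if origin_ips else None

    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            urls.extend(u.rstrip(".,;)") for u in URL_RE.findall(part.get_content()))

    for url in urls:
        if re.match(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", url):
            findings.append(f"link points at a raw IP address: {defang(url)}")

    return {
        "sender_domain": sender_domain,
        "origin_ip": origin_ip,
        "urls": [defang(u) for u in urls],
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage_email(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The attachment hash is what gets submitted to VirusTotal or a sandbox instead of the file itself, and the defanged URLs and origin IP are what go into the report and into a block request. Two caveats a real triage adds on top of this: the earliest Received header is only trustworthy up to the first hop the organization's own mail gateway wrote, since anything earlier can be forged, and an HTML body needs the links pulled from href attributes, where the visible text and the real target often differ.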

Security Information and Event Monitoring

This section introduced SIEM components, log aggregation, correlation, and investigation workflows using Splunk.

Topics Covered

  • Introduction to SIEM
  • Logging and aggregation
  • Correlation
  • Using Splunk SIEM
  • Event review
  • Alert investigation
  • Detection logic concepts
  • Case management support

Skills Demonstrated

  • SIEM analysis
  • Log review
  • Event correlation
  • Splunk searching
  • ATT&CK mapping
  • Sigma awareness
  • Case documentation
  • Alert triage

Tools Used

  • Splunk
  • Event Viewer
  • Sigma
  • MITRE ATT&CK
  • Case management concepts

What I Did

I used SIEM workflows to review logs, correlate events, analyze suspicious activity, and support investigations. These labs helped me understand how defenders use log data to identify malicious behavior and connect separate events into a larger investigation timeline.
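The correlation step described above, as an added example that is not part of this writeup or of the BTL1 course material: detection logic in Python over constructed sample events in a key=value layout resembling fields a SIEM extracts from Windows Security log entries (4625 logon failure, 4624 logon success). It implements one of the simplest useful correlations, a burst of failures from one source followed by a success from the same source, tags the result with the ATT&CK technique it corresponds to (T1110, Brute Force), and builds the per-source timeline an analyst pivots to once the alert fires. All hosts, users and addresses are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Layout mimics SIEM-extracted fields from Windows
# Security events; hosts, users and RFC 5737 addresses are placeholders.
SAMPLE_LOGS = """\
time=2024-01-01T10:00:01Z EventID=4625 TargetUser=alice SrcIP=198.51.100.7 Host=WS01
time=2024-01-01T10:00:03Z EventID=4625 TargetUser=alice SrcIP=198.51.100.7 Host=WS01
time=2024-01-01T10:00:05Z EventID=4625 TargetUser=alice SrcIP=198.51.100.7 Host=WS01
time=2024-01-01T10:00:07Z EventID=4625 TargetUser=alice SrcIP=198.51.100.7 Host=WS01
time=2024-01-01T10:00:09Z EventID=4625 TargetUser=alice SrcIP=198.51.100.7 Host=WS01
time=2024-01-01T10:00:12Z EventID=4624 TargetUser=alice SrcIP=198.51.100.7 Host=WS01 LogonType=3
time=2024-01-01T10:00:20Z EventID=4625 TargetUser=bob SrcIP=203.0.113.5 Host=WS02
time=2024-01-01T10:30:00Z EventID=4624 TargetUser=bob SrcIP=203.0.113.5 Host=WS02 LogonType=3
time=2024-01-01T10:45:00Z EventID=4624 TargetUser=carol SrcIP=10.0.0.5 Host=WS03 LogonType=2
"""


def parse_events(text: str) -> list:
    """Turn key=value lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce_success(events: list, threshold: int = 5,
                              window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on a 4624 preceded by >= threshold 4625s from the same source IP
    inside the window. Maps to ATT&CK T1110 (Brute Force); a lone failure or
    a success long after the failures does not fire."""
    failures = defaultdict(list)  # SrcIP -> timestamps of failed logons
    alerts = []
    for ev in events:
        ip = ev.get("SrcIP")
        if ev["EventID"] == "4625":
            failures[ip].append(ev["time"])
        elif ev["EventID"] == "4624":
            recent = [t for t in failures[ip] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "technique": "T1110",
                    "src_ip": ip,
                    "user": ev["TargetUser"],
                    "host": ev["Host"],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "logon_time": ev["time"].isoformat(),
                })
    return alerts


def build_timeline(events: list, src_ip: str) -> list:
    """Everything seen from one source, in order: the pivot after an alert."""
    return [f"{e['time'].isoformat()} {e['Host']} {e['EventID']} {e['TargetUser']}"
            for e in events if e.get("SrcIP") == src_ip]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for alert in detect_bruteforce_success(evs):
        print("ALERT", alert)
        for row in build_timeline(evs, alert["src_ip"]):
            print("  ", row)
```

Only the first source trips the rule: five failures in eight seconds followed by a success. The second source has a single failure and a success thirty minutes later, which is ordinary user behaviour, and the third has no failures at all. The threshold and window are the tunable parts of this rule, and the same logic expressed as a Splunk search or a Sigma rule is what the SIEM runs continuously instead of once over a file.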

Incident Response

This section focused on defending organizations and responding to cyber attacks using a structured incident response approach.

Topics Covered

  • Introduction to incident response
  • Preparation phase
  • Detection and analysis phase
  • Case management
  • Containment, eradication, and recovery phase
  • Lessons learned and reporting
  • MITRE ATT&CK framework
  • Cyber Kill Chain

Skills Demonstrated

  • Incident response methodology
  • PICERL process understanding
  • Case management
  • Alert review
  • Evidence analysis
  • Containment planning
  • Eradication and recovery planning
  • Reporting and lessons learned
  • Cyber Kill Chain analysis

Tools Used

  • TheHive5
  • Wireshark
  • Event Viewer
  • MITRE ATT&CK
  • Cyber Kill Chain
  • Case management workflows

What I Did

I practiced working through incident response scenarios from detection through reporting. This included reviewing evidence, documenting findings, organizing cases, analyzing network and host activity, and thinking through containment, recovery, and lessons learned. The section helped me connect technical findings to a structured response process.

Exam Preparation

The final section prepared me for the BTL1 certification exam by explaining the exam structure, expectations, and practical focus.

Topics Covered

  • Exam details
  • Practical exam preparation
  • Investigation mindset
  • Time management
  • Report awareness
  • Tool review
  • Lab review

What I Did

I reviewed the major areas from the course and prepared to apply the skills in a practical investigation setting. The focus was on being able to analyze evidence, use the right tools, document findings clearly, and approach the exam like a real security investigation.

Tools and Technologies Practiced

  • ATT&CK
  • Autopsy
  • Browser History Capturer
  • Browser History Viewer
  • CyberChef
  • DeepBlueCLI
  • DomainTools
  • Event Viewer
  • FTK Imager
  • JumpList Explorer
  • KAPE
  • Linux CLI
  • MISP
  • OpenCTI
  • PECmd
  • PhishTool
  • PowerShell
  • ProcDump
  • Scalpel
  • Sigma
  • Splunk
  • TheHive5
  • URL2PNG
  • VirusTotal
  • Volatility
  • WannaBrowser
  • Windows File Analyzer
  • Wireshark

Key Takeaways

BTL1 strengthened my foundation as a blue team analyst by giving me practical exposure to the core areas of defensive security. The most valuable part of the certification was seeing how different disciplines connect together during an investigation.

Threat intelligence helped provide context. Digital forensics helped identify evidence. Phishing analysis helped investigate one of the most common attack vectors. SIEM analysis helped correlate activity across logs. Incident response helped organize the full investigation process from detection to reporting.

What This Project Demonstrates

This project demonstrates my ability to:

  • Investigate suspicious emails and phishing artifacts
  • Analyze forensic evidence from Windows, Linux, browser, disk, and memory sources
  • Use SIEM data to investigate suspicious activity
  • Review indicators and threat intelligence
  • Work through incident response phases
  • Use case management concepts during investigations
  • Map activity to MITRE ATT&CK and the Cyber Kill Chain
  • Communicate findings through clear documentation
  • Apply practical blue team skills in a certification lab environment

Disclosure Notice

This writeup does not include BTL1 exam questions, answers, private exam content, or protected assessment material. The purpose of this page is to document the skills, labs, tools, and defensive security concepts practiced during the certification path while respecting exam integrity.