Battle of the Certs
A head-to-head match-up of analyst certs. Who will win? The orgs making money from these, obviously...

Last October, I found myself working towards my next two certifications simultaneously. As part of my Skillbridge program, U.S. VALOR sponsored my training and exam fees for the CompTIA Cybersecurity Analyst (CySA+) certification. Around the same time, I was fortunate to receive a voucher from VetSec, a non-profit dedicated to supporting veterans in the cybersecurity field. The voucher covered training and exam fees for the Security Blue Team—Blue Team Level 1 (BTL1) certification. What followed was four months of incident response, vulnerability assessment, and digital forensics training that culminated in two tests in January.
Now that I've completed both exams (and passed!), I am obligated to share my opinion on both because society has dictated this is the way. So, without further ado, here's my comparison and review of the CySA+ and BTL1 certifications.
First, let's take a look at each certification in detail.
CompTIA CySA+
Number of Questions: Maximum of 85 questions
Question Types: Multiple choice and performance-based
Exam Length: 165 minutes
Passing Score: 750 (on a scale of 100-900)
Cost: $404 USD
Training included?: No
Test Domains:
Security Operations
Vulnerability Management
Incident Response and Management
Reporting and Communication
CySA+ Quick Look
The CySA+ exam is very similar to other CompTIA exams. Most questions are multiple-choice and worded in a way that will make you think twice about what color the sky is. Seriously, I don't know who writes these things, but apparently, CompTIA has mastered the ambiguous question format, and the CySA+ exam is no different. The performance-based questions (PBQs) will come in various styles; however, from what I've seen, most are just fancy multiple-choice questions. The test provides a scenario, and you must select the correct answers from a handful of dropdown boxes using the information available. You may have a question that requires you to use a command line, but the simulation will not include full functionality; it consists of canned responses to specific inputs. For example, you can ping an address listed in the scenario, but you can't ping a random website.
The most technical aspects of the exam consist of log reviews. The test gives you a snippet of logs or the output of a command, and you will need to use the information available to answer a question. If you're not paying attention, you will miss critical information highlighting an issue, such as mismatched port numbers or communication with an external IP address. The key to these questions is recognizing the evidence of specific attacks in the data, such as SQL injection payloads in request URLs, a single source trying many usernames (password spraying), or directory traversal sequences. Aside from these, the rest of the exam is very similar to Security+, and understanding terminology, frameworks, and good cybersecurity practices will go a long way to getting through these questions. One thing to remember with the CySA+: purchasing the exam voucher does not include training materials by default. The price covers only the test; you must pay extra for CompTIA training resources or find alternate study materials.
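To make the log-review skill concrete, here is an added example (mine, not from the original post or any CompTIA material) that runs the same checks an analyst does by eye over a constructed Combined Log Format web-server log: SQL injection and directory traversal in decoded request paths, password spraying (one source, many distinct usernames, all rejected), and traffic from outside the assumed internal range. The log lines, the 10.0.0.0/8 "internal" range and the TEST-NET-3 attacker addresses are all constructed for the demo; note that the scenario defines its own internal range rather than relying on `ip_address.is_private`, which also treats the documentation ranges as private.

```python
"""Triage a handful of web-server access log lines for the patterns a
CySA+ log-review question expects you to spot.

Added example; all log lines below are constructed for the demo."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Assumption for this scenario: 10.0.0.0/8 is internal, everything else is external.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed sample log (Combined Log Format). 203.0.113.0/24 plays the attacker.
SAMPLE_LOG = """\
10.0.0.15 - - [12/Jan/2024:09:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2024:09:01:10 +0000] "GET /products?id=1'%20OR%201=1-- HTTP/1.1" 200 9402 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:01:11 +0000] "GET /products?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:01:15 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:01:16 +0000] "GET /static/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.44 - - [12/Jan/2024:09:02:00 +0000] "POST /login?user=alice HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.44 - - [12/Jan/2024:09:02:01 +0000] "POST /login?user=bob HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.44 - - [12/Jan/2024:09:02:02 +0000] "POST /login?user=carol HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.44 - - [12/Jan/2024:09:02:03 +0000] "POST /login?user=dave HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.0.0.15 - - [12/Jan/2024:09:03:00 +0000] "POST /login?user=alice HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.15 - - [12/Jan/2024:09:03:05 +0000] "POST /login?user=alice HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Tautology ('x' OR 1=1) and UNION-based injection; matched after URL decoding.
SQLI_RE = re.compile(r"(?i)('\s*(or|and)\s+\w+\s*=\s*\w+)|(\bunion\b\s+(all\s+)?\bselect\b)")
# "../" or "..\" anywhere in the decoded path, so %2e%2e encodings are caught too.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
USER_RE = re.compile(r"[?&]user=([^&]+)")


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"] = unquote(entry["path"])  # decode %27, %2e, %20 before matching
    entry["external"] = ip_address(entry["ip"]) not in INTERNAL_NET
    return entry


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def find_sql_injection(entries):
    return [(e["ip"], e["decoded"]) for e in entries if SQLI_RE.search(e["decoded"])]


def find_traversal(entries):
    return [(e["ip"], e["decoded"]) for e in entries if TRAVERSAL_RE.search(e["decoded"])]


def find_password_spray(entries, min_users=3):
    """One source trying many *different* usernames is spraying; the same user
    failing once and then succeeding (10.0.0.15 above) is ordinary behaviour."""
    users_by_ip = defaultdict(set)
    for e in entries:
        if e["method"] == "POST" and e["decoded"].startswith("/login") and e["status"] == "401":
            m = USER_RE.search(e["decoded"])
            if m:
                users_by_ip[e["ip"]].add(m.group(1))
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def triage(text):
    """Run every check over the log and return the findings by category."""
    entries = parse_log(text)
    return {
        "sql_injection": find_sql_injection(entries),
        "traversal": find_traversal(entries),
        "password_spray": find_password_spray(entries),
        "external_sources": sorted({e["ip"] for e in entries if e["external"]}),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Decoding before matching is the point a lot of candidates miss: the encoded `%2e%2e/` traversal and the `%27` quote look harmless until you unquote them, which is exactly what a PBQ log snippet counts on.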
Security Blue Team BTL1
Number of Questions: 20 questions
Question Types: Short Answer
Exam Length: 24 Hours
Passing Score: 70%
Cost: £399.00 GBP (~$494.98 USD)
Training included?: Yes
Test Domains:
Security Fundamentals
Phishing Analysis
Threat Intelligence
Digital Forensics
Security Information and Event Monitoring
Incident Response
BTL1 Quick Look
Of the two exams, BTL1 is far better at simulating real-world conditions than the CySA+. When you are ready to take the exam, start the lab environment, and the exam will begin. The scenario puts you in the seat of an incident responder, and you have 24 hours to investigate the systems and answer all questions. The lab is a complete desktop environment with an adjacent network server you can access remotely to pull forensic data. Most of the tools covered in the course materials are available, and there is no specific guidance on completing the questions; just like in the real world, you're left to your own devices. Unlike the CySA+, you'll take the exam at home on your computer and have full access to notes and other resources. In fact, it's encouraged to have sites like VirusTotal readily available to help investigate suspicious files and URLs. Time management is essential; you'll need to find a good 24-hour period where you're available and schedule exam work, breaks, sleep, hygiene, childcare, crimes against humanity, and anything else that may crop up. I opted to forgo parenting duties, and my wife is still bitter about that, so plan accordingly.
All 20 questions require short answers; this test has no multiple-choice questions. Each question provides the correct answer format (e.g., YYYY-MM-DD SSS.SSS or badwebsite1.xyz; badwebsite2.xyz), so you'll have some clue as to whether you found the correct answer. The nice part about BTL1 is that the cost includes everything you need to pass the exam; all training materials, videos, and labs are included and accessible for four months from the purchase date. The coursework covers all domains and provides plenty of external resources to reference whenever you need to dive deeper into a subject. Every domain includes practical application labs. The labs are full desktop environments; the virtual machine simulates nothing aside from the data used for the investigations. You have 100 hours of lab time available, which may not seem like much, but I only used about 12 hours total when I finished the coursework. If you're unfamiliar with a particular tool, you can spend much more time in the lab tinkering than I did. The lab environments are the same as the exam, so you'll feel right at home when it's time for the test.
Same, Same, But Different
When I first started studying for these exams, I assumed that most of the material would overlap and that studying for one exam would help prepare me for the other. That assumption proved correct, and I hit the same topics repeatedly. Both exams highlight frameworks such as MITRE ATT&CK, the Cyber Kill Chain, and the NIST Incident Response Cycle. Both exams require understanding where to find specific information from endpoints, such as the Windows Registry or Syslog. Both cover assessing vulnerability reports and using tools such as Autopsy, FTK Imager, Windows Event Viewer, and Wireshark. You'll need to know about memory volatility and the tools and correct procedures for collecting digital forensic evidence, including chain of custody requirements. Both exams cover threat intelligence and vulnerability management extensively. I often reviewed material for one, and a few days later, I found myself reviewing the same information again.
Where the two exams diverge comes down to how they're administered and the skills needed to pass. CySA+ leans heavily on knowledge retention; memorizing terminology, process steps, and networking concepts will go a long way toward helping you pass the exam. Recognizing indicators of compromise and code syntax will also prove critical. In contrast, BTL1 is entirely hands-on. You must know the processes and where to find information, but knowing which tools you'll need and how to use them to accomplish the task is more important. BTL1 is all about hands on a keyboard: navigating the command line, running Splunk queries on log indices, correlating logs, and analyzing e-mail headers. It also requires good investigative skills such as note-taking, time management, and critical thinking. I spent most of my time correlating events and testing assumptions; even when I found an answer, I would confirm it using a secondary method or data point to ensure I hadn't gone down the wrong rabbit hole. Unlike the practice labs, the exam environment holds a massive amount of data. Think packet captures with over a million packets and Syslog events from multiple endpoints over several days.
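Of the hands-on skills listed above, e-mail header analysis is the one that rewards a repeatable method, so here is an added example (mine, not from the original post or Security Blue Team's material) that walks a suspected phishing message the way the Phishing Analysis domain expects: read the Received chain in delivery order, pick out the hop that handed the message to the victim's own mail server (the IP you would then look up on a reputation service), compare the visible From domain with the envelope sender and Reply-To, read the SPF/DKIM verdicts the receiving MTA recorded, and pull the URLs from the body. The message, the victim domain example.com, the attacker domain badwebsite1.xyz and every address in it are constructed for the demo; the `trusted_domain` parameter is an assumption about whose infrastructure the analyst is defending.

```python
"""Walk the headers of a suspected phishing e-mail as a BTL1-style
phishing-analysis task asks. Added example; the message is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. example.com is the victim organisation; badwebsite1.xyz
# plays the attacker. Only documentation/TEST-NET and RFC 1918 addresses appear.
RAW_MESSAGE = """\
Return-Path: <bounce@badwebsite1.xyz>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.example.com with ESMTP id abc123;
\tFri, 12 Jan 2024 09:05:02 +0000
Received: from smtp.badwebsite1.xyz (smtp.badwebsite1.xyz [203.0.113.77])
\tby mx.example.com with ESMTP id xyz789;
\tFri, 12 Jan 2024 09:05:01 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby smtp.badwebsite1.xyz with ESMTPA;
\tFri, 12 Jan 2024 09:04:59 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=badwebsite1.xyz; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-support@badwebsite1.xyz
To: alice@example.com
Subject: Password expires today
Message-ID: <20240112090459.1@badwebsite1.xyz>

Your password expires in 1 hour. Log in at http://badwebsite1.xyz/reset to keep access.
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>"; DOTALL because headers are folded.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_received(msg):
    """Each MTA prepends its Received header, so the top one is the last hop.
    Reverse them to read the path in delivery order, origin first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"from_host": m["helo"], "from_ip": m["ip"], "by": m["by"]})
    return hops


def boundary_hop(hops, trusted_domain):
    """First hop where an outside host handed the message to our own MTA.
    Earlier hops are inside the sender's infrastructure and can be forged."""
    def ours(host):
        host = host.strip("[]").lower()
        return host == trusted_domain or host.endswith("." + trusted_domain)
    for hop in hops:
        if ours(hop["by"]) and not ours(hop["from_host"]):
            return hop
    return None


def analyze(raw, trusted_domain="example.com"):
    """Summarise the header evidence an analyst would record for this message."""
    msg = message_from_string(raw)
    hops = parse_received(msg)
    hop = boundary_hop(hops, trusted_domain)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    return {
        "hops": hops,
        "boundary_ip": hop["from_ip"] if hop else None,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "reply_to_domain": reply_dom,
        # Visible From claims our domain while the envelope sender or Reply-To
        # points elsewhere: the classic display-name/sender spoof.
        "sender_mismatch": bool(rp_dom and rp_dom != from_dom)
        or bool(reply_dom and reply_dom != from_dom),
        "auth": dict(AUTH_RE.findall(msg.get("Authentication-Results", ""))),
        "urls": URL_RE.findall(msg.get_payload()),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The boundary hop is the one worth reporting: the 10.0.0.5 hop at the bottom of the chain was written by the attacker's own server and could say anything, whereas 203.0.113.77 was observed by mx.example.com when it accepted the connection. That is the "secondary data point" habit from the paragraph above applied to headers: the SPF failure, the Return-Path domain and the Reply-To domain each independently contradict the friendly From address.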
And the Winner is...
So, which is the 'better' certification?
There's a saying we use in the Marine Corps (and one I am loath to use when I must) that applies here: the situation dictates.
The BTL1 exam is a better test of whether you can do the tasks asked of a SOC Analyst or Incident Responder. It's a good simulation of an actual security breach and how you would go about an investigation. However, it's not as widely recognized as CySA+, particularly here in the U.S. If you don't believe me, do a quick search on job boards and see how many reference BTL1 compared to CySA+. Although both exams cover much of the same material, the CySA+ requires a deeper knowledge of these subjects because you cannot use any notes on exam day. Admittedly, I was more stressed about the CySA+ exam than the BTL1 exam for no reason other than CompTIA's reputation for 'gotcha' style questions.
I was fortunate to take both and have the costs offset by someone else. That's not the case for everyone, so if you're funding this from your personal account, you'll need to research which will be more valuable in your situation. The CySA+ has more recognition but could cost you more than BTL1 when you factor in study materials. I used Testout.com ($349), Sybex CySA+ Study Guide and Practice Tests (on sale @ $52), and Jason Dion's CySA+ Practice Tests ($64.99) to help prep for the CySA+ but I paid for none of them out of pocket. You could also use free resources like YouTube videos to help prep for CySA+. I prefer using plenty of practice questions, which are difficult to find for free, but you might have better results than I did. On the other hand, BTL1 includes everything you need for test prep; no additional materials are required.
Regardless of which exam you shoot for, preparing for both will go a long way in making you a more adept analyst.