Summer Reading 101 – The Blue Team Field Manual

I read all the time.  I admit that I read less now that I found and use Audible (the Amazon audio book service).  While Audible is great, the books I chose to read (or re-read) this summer are probably not available there.  I recently re-read the Blue Team Field Manual (BTFM) and read the Red Team Field Manual (RTFM) and Operator Handbook for the first time.  All are fantastic, and I recommend that anyone in any cyber role, from student to practitioner, should consider having copies of all three near their desk.

About these books.  These are nothing like reading popular science fiction.  These are all books that you read sitting next to a computer (or computers) running Windows and/or Linux.  They are literally handbooks and manuals: technical references that list out instructions for how to accomplish various tasks and gather information.

The Blue Team Field Manual version 1.2 by Alan White and Ben Clark


I believe I purchased the BTFM at least 2 years ago.  When I went looking for it I couldn’t find it, so I bought another copy at Amazon.  For $14.95 you can’t go wrong.  The BTFM was written by Alan White and Ben Clark, and version 1.2 is copyrighted 2017.  My recent copy from Amazon says that it was printed in June 2020 (so you know it’s a hot item, or other people like me are losing their copies).

The BTFM is based on the NIST Cybersecurity Framework.  The National Institute of Standards and Technology (NIST) Framework consists of standards, guidelines and best practices to guide organizations seeking to manage cybersecurity risk.  It’s a how-to guide that organizations can use to structure the defense of their digital presence.

The reason the BTFM is so great is because it’s structured based on the NIST Framework.  The sections of that Framework are:

  • Identify,
  • Protect,
  • Detect,
  • Respond, and
  • Recover

The BTFM walks through tools and concepts that are applicable at each section, such as describing Linux and Windows defenses in the Protect chapter and describing the steps to perform live triage of Linux and Windows systems in the Respond chapter.  I call these descriptions, but they really are not.  Each chapter has a list of commands that the reader can execute on a computer and then review.  After you’ve done this, if you were unfamiliar with that command you’ll likely use Google and find out more about it.  But along the way you’ll see the command and see the output and hopefully create a memory, so that if you are looking for a way to copy the application logs from a Windows computer in the future you remember there is a wmic command to list all log files and the wevtutil command to copy the individual files.
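As an added illustration of the log-collection task just mentioned (this is my own example, not a listing from the BTFM), the following PowerShell session lists the Windows event log files with wmic and then exports every channel with wevtutil; the destination folder is an assumed path, and the commands need an elevated prompt.

```powershell
# Added example, not from the BTFM: enumerate Windows event log files and
# export them for offline triage.  $Dest is an assumed collection folder.
$Dest = "C:\Triage\Logs"
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. List the classic event log files (wmic alias for Win32_NTEventlogFile),
#    with record counts and sizes so you know what you are about to copy.
wmic nteventlog get LogfileName,Name,NumberOfRecords,FileSize

# 2. Export every channel wevtutil knows about.  Channel names such as
#    "Microsoft-Windows-Sysmon/Operational" contain '/', so the name is made
#    safe for use as a file name before the export.
foreach ($channel in (wevtutil el)) {
    $safe = $channel -replace '[\\/:]', '_'
    wevtutil epl $channel (Join-Path $Dest "$safe.evtx") 2>$null
}

# 3. Hash the exported copies so the collected evidence can be verified later.
Get-ChildItem $Dest -Filter *.evtx |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $Dest "hashes.csv") -NoTypeInformation
```

Some channels are disabled or empty and will simply produce a small or missing .evtx file; the wmic step is what tells you which logs actually hold records.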

The BTFM is only 132 pages long including the index and two scratch pad pages.  That said, it is not a ‘fast read’.  If you take a copy and sit by a dual-boot computer, it will take days to go over the commands.  I suggest trying to knock out a chapter per evening.  Beyond the five chapters I pointed out earlier, there is a chapter 0 (zero) that lists key documents as per the NIST Framework.  There is a chapter titled Tips and Tricks that has various OS cheats and descriptions of tools; this really complements the material in chapters one through five.  The last two sections contain various Incident Management Checklists (good questions that should be included in an investigation) and Security Incident Information about the (open source) VERIS schema.