SANS 503 and GCIA Thoughts

I attended the SANS SEC 503 ‘Intrusion Detection In-Depth’ course at SANS Network Security two months ago and just took the GCIA certification exam yesterday so I thought I’d post a few thoughts on the class and the exam. It’s not a full review but if you have questions feel free to ask and I’ll do my best to answer them.

In the past people I respect greatly have told me that I should be able to look at raw tcpdump output and decipher what was going on. I thought this class would help me out quite a bit in this area and I was 100% correct. In fact late on the exam yesterday I caught myself smiling as I worked through a somewhat complicated problem which presented me with a bunch of hex and asked me what was going on. I assure you that I would not have been smiling if I had to answer that question two months ago.

I may have very well been the only student in class who had never held a networking job so in addition to learning low level packet skills I picked up a lot of knowledge about filters, improved my familiarity with Wireshark quite a bit and got a more in depth look at a lot of correlation and analysis topics that I learned about in SEC 401.

I had a harder time studying for this exam than any of the previous GIAC exams I’ve taken as I often felt mentally exhausted. It’s tough for me to know what percentage of that was from the material itself and what percentage was the 17 certifications in under two years pace I’ve been on but I still wanted to mention it.

I had heard that the GCIA was one of the more difficult SANS exams, saw that the passing score was only 67% and was honestly a little  worried about the test. The practice exams drained me mentally but my scores were well above passing so I scheduled my test. I started the exam with a good score but on a slower than acceptable pace. My pace got quicker and quicker and I ended up finishing with a score of 92 and an hour left.

A few tips for anyone taking the GCIA exam:

  • I know I’m Mr. Index and I had a good one for this exam too but I used my index less on this test than I ever have before. You still absolutely need to make one (and make sure you include the packet header spreadsheet included on the course VM and a common port cheat sheet) but a lot of the questions required you to understand and apply concepts and analyze hex in addition to the normal syntax questions. Use lots of tabs on the books for this one my friends.
  • On the cover of my index I put what question I should be on at the one hour mark, two hour mark and three hour mark. I would recommend you do the same if you’re at all worried about time but don’t overreact if you’re behind pace early. I was 5 or 6 questions off the pace at the one hour mark but like I said earlier I ended up having an hour left at the end. You’ll end up performing the same sort of packet analysis repeatedly and will likely speed up quite a bit.

The 503 doesn’t have the sexiness of the hacking courses or the forensics courses but I enjoyed the class and it was a very important one for me as I really needed to work on my packet analysis skills. Next up on my to-do list is assembly language for reverse engineering and exploit development.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more