New GNFA Cert!

ArabianKnight

Ran into this article today. Looks like something I would be interested in.

SANS Digital Forensics and Incident Response Blog | Announcing the GIAC Network Forensic Analyst Certification - GNFA | SANS Institute

thrall

any books recommendation for GNFA ?

docrice

Don't know about specific books, but I'm taking FOR572 in a few weeks.

TBRAYS

I'm studying for it now, SANS FOR572 books and ondemand.

OM602

I'm surprised they are hitting netflow so hard, not much wireshark/tcpdump, is there?

Hoping to attend this class somewhere next year or the year after

ccnpninja

Seems interesting

m3zilla

I took the OnDemand course, and was pretty disappointed. Perhaps its due to my background in network, but I felt like this was more of a introduction/basic course, rather than what they advertise, which is an intermediate to advance course.

Day 1 - More or less about proxy logs and packet captures. However, it was all the basic stuff that most people would know. For instance, we went over the wireshark display filters, the BPF for tcpdump, etc.. Didn't pick up much from day 1.

Day 2 - NetFlow. I remember during Day 1, there was an emphasis on NetFlow and how it was the single most useful tool available for network forensic and how he was going to convince us of that by end of day 2 so I was really looking forward to this... and it consisted of 'Here's what NetFlow is, here's what the NetFlow header looks like, and here are some open source software you can use to collect/analyze it' - needless to say, another disappointing day of material.

Day 3 - we get into the protocols, and again, it's relatively basic stuff. However, I did enjoy the SMB analysis section

Day 4 - Log formats (HTTP, syslog, firewalls, etc) and log aggregation (ie Splunk) and their uses. If you've ever used syslog or review IIS/Apache access logs, or can read column headers of whatever logs you're reviewing, there's nothing to see here...

Day 5 - A very very high level overview of encoding/encryption, MITM, and some tools that can assist in your investigation.

Honestly, I learned more from the lab workbook than the all 5 workbooks combined. I took and passed the exam 2 days after completing the course. Luckily, work paid for the course....I would have been pretty sad if I forked over 6K for the content of that class.

docrice

I think it depends on your background. I felt the class could use more advanced materials, but at the same time a lot of people aren't trained to think in terms of investigations, but rather troubleshooting. A 600-level course for this subject would be interesting.

JDMurray

I use very expensive Netflow tools every day. These tools only show me traffic flows between IPs and ports, when the flows happened, how much data flowed from one point to another, and the pattern of the flows over time. To know if any of that information indicates anything suspicious or malicious happening on my network, I must first know what the normal operations of my entire network looks like from a Netflow perspective. How one determines what is "normal" on a vast network is a huge task that the Netflow sales people never seem to mention as necessary for using their product. Typical SecOps people do not have the NetOps experience to baseline a Netflow tool let alone use it on a daily basis.

Did the FOR572 instructor mention any of that?

docrice

He did mention the tricky thing about baselining an environment that may already have "bad" traffic in it. A very difficult task and without sufficient environment context, it's a big slice-and-dice exercise which could take a long time.

alexsta

Hi,

Would you recommend any particular book or combo of books to cover the stuff demanded by the exam.

Also the exam seems to be quite short, only 50 questions with a passing score of 60%. I'd have a few qq about the exam:
1. which tools are the most demanded?
2. any investigative scenario/s asked?
3. are there any theoretical concepts tested in the exam? which?

Thank you.

LionelTeo

This book seems to be the closest in terms of the content. Network Forensics: Tracking Hackers through Cyberspace: Sherri Davidoff, Jonathan Ham: 9780132564717: Amazon.com: Books

For the tools related question, purchase a 139 USD practice test and you should get a better idea, google them up and bring those tools manuals into the exam.

alexsta

Thank you. I'm using just that plus three others:
[2014] Applied Network Security Monitoring - Collection, Detection and Analysis
[2014] Network Security Through Data Analysis
[2013] The Practice of Network Security Monitoring

I'm complementing these with some papers from SANS Reading Room.

About the 139USD test, do you recommend any vendors? I know the GIAC exam comes with 2 practice tests, but with GCFA for example I found the practice tests were significantly easier compared to the actual exam.

LionelTeo

Just buy the practice test from GIAC itself, this will give a good insight on the topic those books misses. Google them up while you are doing the practice so you can find additional materials to print later. If you passed the GIAC practice test, then proceed to buy the actual exam with practice test.

alexsta

Right, I didn't realized one can buy those independent of a certification attempt. I had the impression the availability of more/other practice tests was conditioned if you purchase the certification attempt (which has 2 practice tests included already).

The questions normally give you a very good idea of the exam scope (how wide and deep it goes). 129$ each attempt... these don't play around when it comes to money.

LionelTeo

alexsta wrote: »

Right, I didn't realized one can buy those independent of a certification attempt. I had the impression the availability of more/other practice tests was conditioned if you purchase the certification attempt (which has 2 practice tests included already).

The questions normally give you a very good idea of the exam scope (how wide and deep it goes). 129$ each attempt... these don't play around when it comes to money.

After you go for the exam, do share your experience here. You can literally challenge almost every GIAC exams without the official course material. It is difficult but it was possible.

docrice wrote: »

I think it depends on your background. I felt the class could use more advanced materials, but at the same time a lot of people aren't trained to think in terms of investigations, but rather troubleshooting. A 600-level course for this subject would be interesting.

Talking about 600 level network analysis. Our team had came across a lengthly obfuscated javascript in a pcap recently that had several of my team members trying to de-obfuscated for the past few days. A malware analyst in my team loaded the script to debug it in the internet explorer; and step through the code until one of the variable turns out to be an iframe injection attempt, something like this would certainly be useful in network forensics and should be in this course or maybe a 600+ pcap analysis course.

Just fun thoughts about network analysis going to the next level, a few topics I can think of would be 600 level (or high end 500) materials will be
- intro to cyberkill chain and how it helps in network analysis
- wireshark overview
- analysizing pcap with cli tools, tshark, tcpick, tcpflow, tcpdump
- extracting pcap objects with cli tools, tcpflow, tcpxtract?
- utilizing python to examine pcaps, resolving geo locations
- pyshark (haven't figure how to use this yet)
- http request and response commonly used by malware and exploit kits
- examine malware/attacker shell state of connection using frequency analysis
- examine clear text shell using tcpick
- examine malware bytes outbound and bytes in connection
- profiling malware/exploit kit
- identifying vulnerability scans via push packets and user-agents
- regex overview and pcre rules with snort
- overview of splunk and useful advance splunk commands for report/alerts
- tips for rules creation with less false positive
- using pcap; tcpprep, tcprewrite, tcpreplay to test rules
- editing pcap with hex editor for public release.
- using debugger to deobfusucate javascript
- decrypting encryption (like fiesta flash payload)


Even so, it doesn't seems to be able to make up a total of 5 days workbook content. I think its covers about 3.5 days at most. I believe there is still some areas regarding network analysis that are not discovered yet, really look forward to community research regarding it.

Balantine

The Network Forensics book is superior. Also written by a certified SANS instructor, Jonathan Ham.

matt18e

OM602 wrote: »

I'm surprised they are hitting netflow so hard, not much wireshark/tcpdump, is there?

Hoping to attend this class somewhere next year or the year after

Just took the test last week. Passed with 84%. Yes, netflow gets hit hard (nfdump, nfsen). so does wireshark/tshark and tcpdump. The fact is that storage is at a premium and at the end of the day you get more bang for the buck using net flow than full packet captures. If you are planning on taking the cert I also highly recommend you brush off your sed/awk/grep skills and work on your " command line Kung-fu"...

docrice

I'm getting dangerously close to my certification attempt deadline and I haven't even started studying. I might pay up for an extension or just not take the exam at all. Way too busy at work.

JoJoCal19

docrice wrote: »

I'm getting dangerously close to my certification attempt deadline and I haven't even started studying. I might pay up for an extension or just not take the exam at all. Way too busy at work.

Same with my GCIA. A little less than one month away from my deadline and have one book read.

Pupil

Thanks for providing feedback on this course. I was thinking of taking it next year but if it's that simple, I don't think I'll benefit much.

docrice

I have a very strong feeling I'll likely have to either file for an extension to take the exam, or skip out on it entirely. I haven't had a day off since I took the class in September. It's starting to look like this will be the first GIAC exam I'll "fail" by default.

TBRAYS

docrice wrote: »

I have a very strong feeling I'll likely have to either file for an extension to take the exam, or skip out on it entirely. I haven't had a day off since I took the class in September. It's starting to look like this will be the first GIAC exam I'll "fail" by default.

I'm with you, I took the class back in April and I've done 3 extensions so I understand your frustration. But this is my last I have to get it out of the way, I'm pursuing the GREM next.

JoJoCal19

Isn't it better to just use your initial attempt rather than skip out on it entirely or do multiple extensions at over $300 a pop? At a minimum can't you just make a good index and try to look up any answer you don't know off the top of your head? I'm feeling woefully under-prepared for the GCIA but will still take the exam on the 11th.

TBRAYS

JoJoCal19 wrote: »

Isn't it better to just use your initial attempt rather than skip out on it entirely or do multiple extensions at over $300 a pop? At a minimum can't you just make a good index and try to look up any answer you don't know off the top of your head? I'm feeling woefully under-prepared for the GCIA but will still take the exam on the 11th.

From what everyone has told me is that this exam is not like the traditional SANS exam when you can reference a index and the answer. You actually have to know it and tools to use and when.

matt18e

TBRAYS wrote: »

From what everyone has told me is that this exam is not like the traditional SANS exam when you can reference a index and the answer. You actually have to know it and tools to use and when.

I can only speak from my limited experience with having taken only 2 GIAC exams. My first was the GNFA. I attended the SANS 572 course. I read all the books twice, did all of the labs twice, and brushed up on my AWK and SED skills, which I already had prior experience with from a few UNIX classes I took working on my C.S. degree. I then built a very detailed index, and used both of my practice attempts. Ultimately, I spend about 2 months prepping after taking the course, and I scored an 84%. The only other GIAC cert I have is the GCIH. I had the on demand, but didn't use it. Basically, I read the books once, did about half of the labs, built a decent index, used 1 of my 2 practice attempts, and then took the test and scored a 96%. The GNFA was far more difficult than the GCIH. A good index will get you through GCIH. A good index will not get you through GNFA if you don't understand the material, do the labs, and practice, practice, practice!

UnixGuy

@Matt18e: did you have prior experience with packet analysis / protocol analysis prior to taking the course? How much of a background did you have? do you do network forensics as part of your job? I wanted to take this but I wasn't sure if I had enough background...

matt18e

UnixGuy wrote: »

@Matt18e: did you have prior experience with packet analysis / protocol analysis prior to taking the course? How much of a background did you have? do you do network forensics as part of your job? I wanted to take this but I wasn't sure if I had enough background...

First off, sorry for the delayed response. I've been busy studying for my CCNP Route exam and also prepping for my CISM. I did have a decent amount of prior packet / protocol analysis experience and training prior to taking FOR 572 and my GNFA cert. I was very comfortable with Wireshark and my background is in CS and telecommunications engineering. I don't do network forensics as a part of my job, as I am a Cyber Defense Manager. That being said, I do have a strong background in networking, and I found it was extremely helpful for this course. I have on occasion taken the opportunity to jump back on the keyboard and contribute to the team effort when network forensics skills were required. As a matter of fact just a few weeks ago, we were doing some training and didn't have any available techs on the team that were strong with network forensics, so I took the opportunity to dive in and do some Netflow analysis with Silk. If you have the opportunity to take 572 I say go for it. It is some of the best bang for the buck training I have ever had, and I've had a lot. Good luck!