New GNFA Cert!
ArabianKnight
Member Posts: 278
in GIAC
Ran into this article today. Looks like something I would be interested in.
SANS Digital Forensics and Incident Response Blog | Announcing the GIAC Network Forensic Analyst Certification - GNFA | SANS Institute
Comments
docrice Member Posts: 1,706
Don't know about specific books, but I'm taking FOR572 in a few weeks.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

TBRAYS Member Posts: 267
I'm studying for it now, SANS FOR572 books and OnDemand.
Bachelors of Science in Technical Management - Devry University
Masters of Information Systems Management with Enterprise Information Security - Walden University
Masters of Science in Information Assurance - Western Governors University
Masters of Science Cyber Security/Digital Forensics - University of South Florida

OM602 Member Posts: 56
I'm surprised they are hitting NetFlow so hard, not much Wireshark/tcpdump, is there?
Hoping to attend this class somewhere next year or the year after.
The world chico, and everything in it

m3zilla Member Posts: 172
I took the OnDemand course, and was pretty disappointed. Perhaps it's due to my background in networking, but I felt like this was more of an introduction/basic course, rather than what they advertise, which is an intermediate to advanced course.
Day 1 - More or less about proxy logs and packet captures. However, it was all the basic stuff that most people would know. For instance, we went over the Wireshark display filters, the BPF for tcpdump, etc. Didn't pick up much from day 1.
Day 2 - NetFlow. I remember during Day 1 there was an emphasis on NetFlow and how it was the single most useful tool available for network forensics, and how he was going to convince us of that by the end of day 2, so I was really looking forward to this... and it consisted of "Here's what NetFlow is, here's what the NetFlow header looks like, and here is some open source software you can use to collect/analyze it". Needless to say, another disappointing day of material.
Day 3 - We get into the protocols, and again, it's relatively basic stuff. However, I did enjoy the SMB analysis section.
Day 4 - Log formats (HTTP, syslog, firewalls, etc.) and log aggregation (i.e. Splunk) and their uses. If you've ever used syslog or reviewed IIS/Apache access logs, or can read the column headers of whatever logs you're reviewing, there's nothing to see here...
Day 5 - A very, very high-level overview of encoding/encryption, MITM, and some tools that can assist in your investigation.
Honestly, I learned more from the lab workbook than all 5 workbooks combined. I took and passed the exam 2 days after completing the course. Luckily, work paid for the course... I would have been pretty sad if I had forked over 6K for the content of that class.

docrice Member Posts: 1,706
I think it depends on your background. I felt the class could use more advanced materials, but at the same time a lot of people aren't trained to think in terms of investigations, but rather troubleshooting. A 600-level course for this subject would be interesting.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

JDMurray Admin Posts: 13,099
I use very expensive NetFlow tools every day. These tools only show me traffic flows between IPs and ports, when the flows happened, how much data flowed from one point to another, and the pattern of the flows over time. To know if any of that information indicates anything suspicious or malicious happening on my network, I must first know what the normal operations of my entire network look like from a NetFlow perspective. How one determines what is "normal" on a vast network is a huge task that the NetFlow sales people never seem to mention as necessary for using their product. Typical SecOps people do not have the NetOps experience to baseline a NetFlow tool, let alone use it on a daily basis.
Did the FOR572 instructor mention any of that?

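The baselining step JDMurray describes, worked through as an added example (not code from the thread, from FOR572, or from any vendor's NetFlow product): a baseline window of flow records teaches the script which hosts normally use which services and how many bytes per day each service carries; a later day is then compared against it. The flow records and addresses are constructed for the example, and the "mean plus three standard deviations, with a 10% tolerance floor" rule is an assumed policy, not something the post prescribes.

```python
"""Learn a NetFlow baseline, then flag what a new day does that the baseline never saw."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record, reduced to the fields a NetFlow collector exports."""
    day: int      # which day of the collection window the flow was observed on
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def build_baseline(flows):
    """Summarise 'normal' per (dport, proto) over the baseline window.

    Returns (talkers, volume): talkers maps a service key to the set of source
    hosts seen using it; volume maps it to (mean, stddev) of daily byte totals.
    """
    talkers = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for f in flows:
        key = (f.dport, f.proto)
        talkers[key].add(f.src)
        per_day[key][f.day] += f.nbytes
    days = sorted({f.day for f in flows})
    volume = {}
    for key, totals in per_day.items():
        series = [totals.get(d, 0) for d in days]   # a silent day counts as zero bytes
        volume[key] = (mean(series), pstdev(series))
    return dict(talkers), volume


def score_day(flows, baseline, k=3.0):
    """Compare one day of flows against the baseline and return a list of findings."""
    talkers, volume = baseline
    findings = []
    today = defaultdict(int)
    for f in flows:
        key = (f.dport, f.proto)
        today[key] += f.nbytes
        if key not in talkers:
            findings.append(("new-service", f.src, f.dst, f.dport, f.proto, f.nbytes))
        elif f.src not in talkers[key]:
            findings.append(("new-talker", f.src, f.dst, f.dport, f.proto, f.nbytes))
    for key, total in today.items():
        if key not in volume:
            continue                                # already reported as a new service
        mu, sigma = volume[key]
        # Assumed policy: a perfectly flat baseline (sigma == 0) still gets a 10% band.
        threshold = mu + k * max(sigma, 0.1 * mu)
        if total > threshold:
            findings.append(("volume", key[0], key[1], total, round(threshold)))
    return findings


# Constructed baseline: five days of two internal hosts doing DNS and HTTPS, with
# gently rising volume so the standard deviation is non-zero.
BASELINE_FLOWS = [
    f
    for d in range(5)
    for f in (
        Flow(d, "10.0.0.11", "10.0.0.53", 53, "udp", 1_200 + 100 * d),
        Flow(d, "10.0.0.12", "10.0.0.53", 53, "udp", 900 + 50 * d),
        Flow(d, "10.0.0.11", "203.0.113.10", 443, "tcp", 50_000 + 5_000 * d),
        Flow(d, "10.0.0.12", "203.0.113.10", 443, "tcp", 40_000 + 4_000 * d),
    )
]

# Constructed day under review: the usual traffic plus a host never seen on 443
# pushing a lot of data, and a connection to a port the baseline never contained.
TODAY_FLOWS = [
    Flow(5, "10.0.0.11", "10.0.0.53", 53, "udp", 1_500),
    Flow(5, "10.0.0.12", "10.0.0.53", 53, "udp", 1_100),
    Flow(5, "10.0.0.11", "203.0.113.10", 443, "tcp", 60_000),
    Flow(5, "10.0.0.12", "203.0.113.10", 443, "tcp", 45_000),
    Flow(5, "10.0.0.13", "203.0.113.10", 443, "tcp", 700_000),
    Flow(5, "10.0.0.12", "198.51.100.7", 4444, "tcp", 2_500),
]


if __name__ == "__main__":
    for finding in score_day(TODAY_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(finding)
```

The three findings this produces (a new talker on 443, a never-seen service port, and a volume spike on 443) are only meaningful because the baseline window was clean and long enough to be representative; a baseline learned from a network that already carries unwanted flows simply teaches the script that those flows are normal, which is the hard part JDMurray is pointing at.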
docrice Member Posts: 1,706
He did mention the tricky thing about baselining an environment that may already have "bad" traffic in it. A very difficult task, and without sufficient environment context it's a big slice-and-dice exercise which could take a long time.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

alexsta Registered Users Posts: 3
Hi,
Would you recommend any particular book or combo of books to cover the stuff demanded by the exam?
Also the exam seems to be quite short, only 50 questions with a passing score of 60%. I'd have a few questions about the exam:
1. Which tools are the most demanded?
2. Are any investigative scenarios asked?
3. Are there any theoretical concepts tested in the exam? Which?
Thank you.

LionelTeo Member Posts: 526
This book seems to be the closest in terms of the content: Network Forensics: Tracking Hackers through Cyberspace, by Sherri Davidoff and Jonathan Ham (ISBN 9780132564717).
For the tools-related question, purchase a 139 USD practice test and you should get a better idea. Google them up and bring those tools' manuals into the exam.

alexsta Registered Users Posts: 3
Thank you. I'm using just that plus three others:
[2014] Applied Network Security Monitoring - Collection, Detection and Analysis
[2014] Network Security Through Data Analysis
[2013] The Practice of Network Security Monitoring
I'm complementing these with some papers from the SANS Reading Room.
About the 139 USD test, do you recommend any vendors? I know the GIAC exam comes with 2 practice tests, but with GCFA for example I found the practice tests were significantly easier compared to the actual exam.

LionelTeo Member Posts: 526
Just buy the practice test from GIAC itself; this will give a good insight into the topics those books miss. Google them up while you are doing the practice so you can find additional materials to print later. If you pass the GIAC practice test, then proceed to buy the actual exam with practice tests.

alexsta Registered Users Posts: 3
Right, I didn't realize one can buy those independent of a certification attempt. I had the impression the availability of more/other practice tests was conditioned on purchasing the certification attempt (which has 2 practice tests included already).
The questions normally give you a very good idea of the exam scope (how wide and deep it goes). $129 each attempt... these don't play around when it comes to money.

LionelTeo Member Posts: 526
> Right, I didn't realize one can buy those independent of a certification attempt. I had the impression the availability of more/other practice tests was conditioned on purchasing the certification attempt (which has 2 practice tests included already).
> The questions normally give you a very good idea of the exam scope (how wide and deep it goes). $129 each attempt... these don't play around when it comes to money.
After you go for the exam, do share your experience here. You can literally challenge almost every GIAC exam without the official course material. It is difficult, but it is possible.
> I think it depends on your background. I felt the class could use more advanced materials, but at the same time a lot of people aren't trained to think in terms of investigations, but rather troubleshooting. A 600-level course for this subject would be interesting.
Talking about 600-level network analysis: our team came across a lengthy obfuscated JavaScript in a pcap recently that had several of my team members trying to de-obfuscate it for the past few days. A malware analyst on my team loaded the script to debug it in Internet Explorer and stepped through the code until one of the variables turned out to be an iframe injection attempt. Something like this would certainly be useful in network forensics and should be in this course, or maybe in a 600+ pcap analysis course.
Just fun thoughts about network analysis going to the next level; a few topics I can think of that would be 600-level (or high-end 500) material:
- intro to the cyber kill chain and how it helps in network analysis
- Wireshark overview
- analysing pcaps with CLI tools: tshark, tcpick, tcpflow, tcpdump
- extracting pcap objects with CLI tools: tcpflow, tcpxtract?
- utilizing Python to examine pcaps, resolving geo locations
- pyshark (haven't figured out how to use this yet)
- HTTP requests and responses commonly used by malware and exploit kits
- examining malware/attacker shell state of connection using frequency analysis
- examining clear-text shells using tcpick
- examining malware bytes outbound and bytes in per connection
- profiling malware/exploit kits
- identifying vulnerability scans via push packets and user-agents
- regex overview and PCRE rules with Snort
- overview of Splunk and useful advanced Splunk commands for reports/alerts
- tips for rule creation with fewer false positives
- using pcaps with tcpprep, tcprewrite, tcpreplay to test rules
- editing pcaps with a hex editor for public release
- using a debugger to deobfuscate JavaScript
- decrypting encryption (like the Fiesta Flash payload)
Even so, it doesn't seem to be able to make up a total of 5 days of workbook content. I think it covers about 3.5 days at most. I believe there are still some areas regarding network analysis that are not discovered yet; really looking forward to community research regarding it.

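Two of the items in the list above, "utilizing Python to examine pcaps" and "examining malware bytes outbound and bytes in per connection", as an added example that is not part of LionelTeo's post or of any course: a dependency-free reader for the classic pcap format that walks Ethernet/IPv4/TCP frames and totals payload bytes and packets per connection in each direction. The capture is constructed inside the script (documentation-range addresses, zeroed MACs), so it runs offline; treating the first packet seen on a 4-tuple as coming from the initiator is a simplifying assumption, and the helper names are mine.

```python
"""Minimal pcap reader: per-connection bytes out / bytes in without scapy or pyshark."""
import socket
import struct

LINKTYPE_ETHERNET = 1


def tcp_record(ts, src, sport, dst, dport, payload, flags=0x18):
    """Build one pcap record (Ethernet/IPv4/TCP) for the constructed capture below."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip       # zeroed MACs, EtherType IPv4
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def pcap_bytes(records):
    """Classic little-endian pcap: 24-byte global header followed by the records."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join(records)


def iter_packets(data):
    """Yield (timestamp, frame) from a classic pcap; both byte orders and ns magic handled."""
    magics = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
              b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}
    if data[:4] not in magics:
        raise ValueError("not a classic pcap file")
    order, divisor = magics[data[:4]]
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break                                   # truncated capture: stop, don't misparse
        off += 16 + incl
        yield sec + frac / divisor, frame


def parse_tcp(frame):
    """Return (src, sport, dst, dport, payload_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport,
            len(tcp) - data_off)


def connection_stats(data):
    """Per TCP connection: packets and payload bytes out (initiator->responder) and in."""
    stats = {}
    for ts, frame in iter_packets(data):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, plen = pkt
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in stats:
            key, way = rev, "in"
        else:
            # Assumption: the first packet seen on a 4-tuple comes from the initiator.
            key, way = fwd, "out"
            stats.setdefault(key, {"first": ts, "last": ts, "pkts_out": 0, "pkts_in": 0,
                                   "bytes_out": 0, "bytes_in": 0})
        s = stats[key]
        s["last"] = ts
        s["pkts_" + way] += 1
        s["bytes_" + way] += plen
    return stats


def constructed_capture():
    """Constructed traffic, not a real capture: one HTTPS-like fetch, one chatty small-packet session."""
    a = ("10.0.0.5", 51000, "203.0.113.10", 443)
    b = ("10.0.0.5", 51001, "198.51.100.7", 4444)
    recs = [tcp_record(1.0, *a, b"x" * 300),
            tcp_record(1.1, a[2], a[3], a[0], a[1], b"y" * 1200),
            tcp_record(1.2, a[2], a[3], a[0], a[1], b"y" * 1200)]
    for i in range(3):                              # 20 bytes out, 5 bytes back, once a second
        recs.append(tcp_record(2.0 + i, *b, b"c" * 20))
        recs.append(tcp_record(2.5 + i, b[2], b[3], b[0], b[1], b"r" * 5))
    return pcap_bytes(recs)


if __name__ == "__main__":
    for key, s in connection_stats(constructed_capture()).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  out={s['bytes_out']}B/{s['pkts_out']}pkts  "
              f"in={s['bytes_in']}B/{s['pkts_in']}pkts  span={s['last'] - s['first']:.1f}s")
```

Run it and the two connections look very different in the summary line alone: one request with a large response, versus many tiny packets in both directions spread over seconds. That per-connection byte and packet profile is the raw material for the "bytes out versus bytes in" and frequency-style checks in the list; on a real capture the same functions apply unchanged, with the caveat that the first-packet-is-initiator rule is wrong for connections whose opening packets were not captured, where checking for a SYN without ACK is the sturdier test.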
Balantine Member Posts: 77
The Network Forensics book is superior. Also written by a certified SANS instructor, Jonathan Ham.
dulce bellum inexpertis

matt18e Member Posts: 28
> I'm surprised they are hitting NetFlow so hard, not much Wireshark/tcpdump, is there?
> Hoping to attend this class somewhere next year or the year after.
Just took the test last week. Passed with 84%. Yes, NetFlow gets hit hard (nfdump, nfsen). So does Wireshark/tshark and tcpdump. The fact is that storage is at a premium, and at the end of the day you get more bang for the buck using NetFlow than full packet captures. If you are planning on taking the cert, I also highly recommend you brush off your sed/awk/grep skills and work on your "command line kung fu"...

docrice Member Posts: 1,706
I'm getting dangerously close to my certification attempt deadline and I haven't even started studying. I might pay up for an extension or just not take the exam at all. Way too busy at work.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

JoJoCal19 Mod Posts: 2,835
> I'm getting dangerously close to my certification attempt deadline and I haven't even started studying. I might pay up for an extension or just not take the exam at all. Way too busy at work.
Same with my GCIA. A little less than one month away from my deadline and have one book read.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework

Pupil Member Posts: 168
Thanks for providing feedback on this course. I was thinking of taking it next year, but if it's that simple, I don't think I'll benefit much.
2015 Certification Goals: CCNA: Routing & Switching, CCNA: Security, Security+

docrice Member Posts: 1,706
I have a very strong feeling I'll likely have to either file for an extension to take the exam, or skip out on it entirely. I haven't had a day off since I took the class in September. It's starting to look like this will be the first GIAC exam I'll "fail" by default.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

TBRAYS Member Posts: 267
> I have a very strong feeling I'll likely have to either file for an extension to take the exam, or skip out on it entirely. I haven't had a day off since I took the class in September. It's starting to look like this will be the first GIAC exam I'll "fail" by default.
I'm with you. I took the class back in April and I've done 3 extensions, so I understand your frustration. But this is my last; I have to get it out of the way. I'm pursuing the GREM next.
Bachelors of Science in Technical Management - Devry University
Masters of Information Systems Management with Enterprise Information Security - Walden University
Masters of Science in Information Assurance - Western Governors University
Masters of Science Cyber Security/Digital Forensics - University of South Florida

JoJoCal19 Mod Posts: 2,835
Isn't it better to just use your initial attempt rather than skip out on it entirely or do multiple extensions at over $300 a pop? At a minimum, can't you just make a good index and try to look up any answer you don't know off the top of your head? I'm feeling woefully under-prepared for the GCIA but will still take the exam on the 11th.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework

TBRAYS Member Posts: 267
> Isn't it better to just use your initial attempt rather than skip out on it entirely or do multiple extensions at over $300 a pop? At a minimum, can't you just make a good index and try to look up any answer you don't know off the top of your head? I'm feeling woefully under-prepared for the GCIA but will still take the exam on the 11th.
From what everyone has told me, this exam is not like the traditional SANS exam where you can reference an index and find the answer. You actually have to know it, and which tools to use and when.
Bachelors of Science in Technical Management - Devry University
Masters of Information Systems Management with Enterprise Information Security - Walden University
Masters of Science in Information Assurance - Western Governors University
Masters of Science Cyber Security/Digital Forensics - University of South Florida

matt18e Member Posts: 28
> From what everyone has told me, this exam is not like the traditional SANS exam where you can reference an index and find the answer. You actually have to know it, and which tools to use and when.
I can only speak from my limited experience with having taken only 2 GIAC exams. My first was the GNFA. I attended the SANS 572 course. I read all the books twice, did all of the labs twice, and brushed up on my awk and sed skills, which I already had prior experience with from a few UNIX classes I took working on my C.S. degree. I then built a very detailed index, and used both of my practice attempts. Ultimately, I spent about 2 months prepping after taking the course, and I scored an 84%. The only other GIAC cert I have is the GCIH. I had the OnDemand, but didn't use it. Basically, I read the books once, did about half of the labs, built a decent index, used 1 of my 2 practice attempts, and then took the test and scored a 96%. The GNFA was far more difficult than the GCIH. A good index will get you through GCIH. A good index will not get you through GNFA if you don't understand the material, do the labs, and practice, practice, practice!

matt18e Member Posts: 28
> @Matt18e: did you have prior experience with packet analysis / protocol analysis prior to taking the course? How much of a background did you have? Do you do network forensics as part of your job? I wanted to take this but I wasn't sure if I had enough background...
First off, sorry for the delayed response. I've been busy studying for my CCNP ROUTE exam and also prepping for my CISM. I did have a decent amount of prior packet/protocol analysis experience and training prior to taking FOR572 and my GNFA cert. I was very comfortable with Wireshark, and my background is in CS and telecommunications engineering. I don't do network forensics as a part of my job, as I am a Cyber Defense Manager. That being said, I do have a strong background in networking, and I found it was extremely helpful for this course. I have on occasion taken the opportunity to jump back on the keyboard and contribute to the team effort when network forensics skills were required. As a matter of fact, just a few weeks ago we were doing some training and didn't have any available techs on the team that were strong with network forensics, so I took the opportunity to dive in and do some NetFlow analysis with SiLK. If you have the opportunity to take 572, I say go for it. It is some of the best bang-for-the-buck training I have ever had, and I've had a lot. Good luck!