GSE Written conquered, on to GSE Lab!

WilliamK99 Senior Member Posts: 278
After about 2 1/2 years of taking a ton of SANS classes and holding 7 GIAC certifications, I decided it would be best for me to attempt the GSE, as it would save me thousands in having to recert. Took the GSE written today and scored an 89%, which is lower than I would have liked, but I coasted at the end once I realized I was going to pass. The test was tough but manageable; if you master the GSEC, GCIA, and GCIH material, you will do great on the GSE Written.

For the lab, I am nervous as I feel my hands-on skills need work. Planning on taking the Lab in April; hopefully when they announce the dates it will work out with work. To prepare for the lab I am currently enrolled in OSCP and will be working on that the next 60 to 90 days before I take some time to dive deep into Nmap, Wireshark, Snort, traffic analysis and my other weak areas. Work will also allow me to hone my skills. If anyone has any other suggestions, would be glad to hear them. Thanks!

Comments

  • docrice Random Member Posts: 1,706
    Was the written sort of a re-hash of the GSEC, GCIA, and GCIH material (that is, did they just re-use a lot of the same questions or similar) or did the questions combine the concepts from all three and make it more scenario-focused?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • LionelTeo Senior Member Posts: 526
    Malware-Traffic-Analysis.net may be a good start for pcap analysis and even incident handling training.

    Try exploring using tcpick, tshark and tcpflow for pcap analysis. Wireshark is good but not the best. Learn to carve executable and Flash files from the TCP streams. There are many Flash files and executables contained in the pcaps available in the blog posts for carving.

    The malware is also available to infect your machine; you can get your own small laptop and run the malware to infect yourself. dd the infected host's hard drive and collect the memory using FTK or something similar, and analyze it.

    The malware can melt and move to another file system. Once you carve the downloaded executable from the pcap, compute the MD5 and SHA hashes. Figure out a way to get a list of hashes of all the files in the duplicated drive and search for the same hash as the executable; from there you will be able to find the directory the executable is in. There is a possibility of the keylogged files being in the same directory.

    Based on the malware's outbound traffic, write a Snort rule to capture it; you can use regexe.com to train your regex skills.

    PGP is likely used to sign the email report that you will be submitting as the answers.
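
The hash-matching step described in the post above (hash the carved executable, then search the duplicated drive for a file with the same hash and look at what else sits in that directory), as an added example that is not part of the original post. It assumes the drive copy is mounted read-only at a directory and uses SHA-256 as the SHA variant; all file names, paths and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def file_hashes(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def find_copies(carved_path, mount_root):
    """Map each directory holding a byte-identical copy to (copy names, other entries)."""
    target_size = os.path.getsize(carved_path)
    target = file_hashes(carved_path)
    hits = {}
    for dirpath, _dirs, files in os.walk(mount_root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                # Skip symlinks and anything of a different size before hashing.
                if os.path.islink(full) or os.path.getsize(full) != target_size:
                    continue
                if file_hashes(full) == target:
                    hits.setdefault(dirpath, []).append(name)
            except OSError:
                continue  # unreadable entry on the image; keep walking
    return {d: (sorted(n), sorted(set(os.listdir(d)) - set(n))) for d, n in hits.items()}

def demo():
    """Constructed sample: a fake carved payload and a fake mounted image tree."""
    work = tempfile.mkdtemp()
    carved = os.path.join(work, "carved.bin")
    payload = b"MZ" + b"constructed sample payload" * 64
    with open(carved, "wb") as fh:
        fh.write(payload)
    mount = os.path.join(work, "mnt")
    hidden = os.path.join(mount, "Users", "victim", "AppData", "Roaming", "xyz")
    os.makedirs(hidden)
    os.makedirs(os.path.join(mount, "Windows"))
    for path, data in [(os.path.join(hidden, "svch0st.exe"), payload),  # renamed copy
                       (os.path.join(hidden, "keys.log"), b"typed text"),
                       (os.path.join(mount, "Windows", "notepad.exe"), b"X" * len(payload))]:
        with open(path, "wb") as fh:
            fh.write(data)
    return hidden, find_copies(carved, mount)

if __name__ == "__main__":
    print(demo())
```

The size comparison before hashing keeps the walk fast on a full drive copy, and matching on content rather than name finds the executable even after it has been renamed or moved.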
  • darkuser Senior Member Posts: 620
    this is one of my biggest gray areas
    SANS has tons of training
    and mentoring for gold papers
    but how do you prepare for GSE?
    rm -rf /
  • NovaHax Senior Member Posts: 502
    darkuser wrote:
    this is one of my biggest gray areas
    SANS has tons of training
    and mentoring for gold papers
    but how do you prepare for GSE?

    As OP mentioned...being polished in all areas covered by GCIH, GCIA and GSEC is the best way to prepare.