Passed GCIA

monkykap Member Posts: 24
Hi Everyone,

Been combing through this forum ever since I decided to take a SANS course. I am new to the profession so I wasn't sure if I should take GSEC because I was so new to IT, but after much deliberation, I finally settled on GCIA because I wanted to learn more about networking (I considered GWAPT but it wasn't rated as highly as this course and I have good introductory knowledge of web technology and vulnerabilities already). My background is on the application side from school, but I really wanted to understand the network protocols deeper; and this course gives you a great sampling of RFCs for the most important protocols (mind you, it will by no means make you an expert; but you will definitely be very proficient). Anyway, really thankful to this forum for helping me decide to pursue GCIA; I really enjoyed the course and learned A LOT. While not as sexy as Red Team stuff, I came away with a deep appreciation for the challenge of detecting signs of an intrusion. I'm actually leaning towards more Blue Team stuff as a career path now just because of how interesting this course was, and at the end of the day our goal as Security Professionals is to prevent and detect security incidents and it's more for me (that being said, I still want to learn the Red Team stuff haha).

So as far as the test goes for future test takers, here are stats/advice. (Please note: everyone learns better using different methods and this is just a reference of what worked for me.)

Passed my first GIAC exam, and professional certification for that matter, today, and what a relief. I finally feel like I'm part of this community now. So, I scored a 92% (better than I expected). Just for reference, I got an 82% and 91% on the practice tests respectively. I took the first one two nights before the test and the other the night before. I think the practice tests are really accurate of what you will encounter. The second has a lot of repeat questions from the first, so it's not as helpful but still good practice. For those of you concerned about the gap between the practice tests and the real thing, don't be. There are maybe a handful more questions of the difficult variety on the real test. Some of the answer choices are less egregious and aren't as obvious, but this really shouldn't matter; you can still eliminate bad answers.

Pacing wise, I finished the first practice test with like 30 minutes left and the 2nd (a lot of repeat questions) with about an hour left. The real thing I finished with about 20 minutes left. I think this is because I didn't reference the materials that much for this exam. I recommend the packet header stuff (the SANS pamphlet one or the one provided in the VM or from outside; doesn't matter), list of common ports and what services run on them, tools and command switches not covered in the appendix, and the index is really optional. I poored (pun intended/Mike dishes it so he gets it back) a ton of time into making an index and didn't use it like at all (you should however tab your books for all major topics [anywhere from 2-5ish tabs depending on the book]). That being said, I think creating the index did help a little with retention while studying -> or at least staying the course while studying lol. It gives you an objective to cover everything in the book because you rarely take open book exams and you want to take the fullest advantage of it; thus you end up studying everything; funny how they get you to study harder for an open book test. Full disclosure: I didn't do the day 6 CTF yet; I'll probably start it tomorrow. I just didn't get to it in time. I finished the material about 4 days prior to the exam (I took it On Demand style) and still had maybe a 3rd of the workbook left. The workbook doesn't take that much time though; I would have done it as I was going along but I needed to make sure I got. I started studying about 8 weeks before the exam; I had a family trip and trips with some friends planned, work stuff, and general procrastination (I was studying other material for some reason). I also went to check out the RSA expo (just vendor expo pass) for two days (first time, Moscone Center was huge! It was a really fun experience; I even got to do a free SANS Netwars :D); that kinda killed two days but was totally worth.

So anyway, the point is you need about 4 days to go through each day when learning the course. I think it can be done shorter if you avoid the audio and listen to it during your commute the days right after the material (sometimes can be done before); only watch the demo related audio/video stuff. As I got more fatigued and concentration waned I would end up listening to a 10 minute Mike Poor like 3 times to catch every point. It's much easier to listen to it a few times while you're driving... (this is legal). He offers TONS of amazing industry experience that is invaluable, but he's not going into the material like the book does (there are a few areas that are exceptions); he is mostly covering the content on the slides and giving his experience. I started using this technique towards the end and it was more efficient. Once I got to the final four days I spent one day each deeply going through the first three books and creating my index at the same time; I found myself picking up a lot of subtle things easier this second time around that I would research (aka google); things were clicking and I was seeing things I didn't see the first go around. The last two books I covered in maybe a couple of hours since they mostly cover methodology and tools that you should learn. The workbook is really important, make sure you spend some time there. I constantly reference the demo-pcaps or even the exercises every time I think (why, where, ohh, I wonder...). Anytime you ask one of these questions, go look at a pcap!

Side note if you are challenging: I think it's doable, but you should have solid prior network and industry experience. Network Intrusion Detection - Stephen Northcutt is your friend - I have it on my Kindle and it's been a great read so far; it is really condensed well, straight to the point/traffic, and a great supplement (it will cover a lot of major topics covered in SANS material but mostly lighter, but in some small segments better). It is nowhere near enough for the exam but it is a very good base. The main challenge will be finding pcaps and other file types that contain anomalous behavior that you can dive into (honeynet project is one source). I'm sure it's out there but you will have to do some digging (there are a lot of Wireshark and packet filtering books that come with or link to sites that have pcaps for reference with the material). There are many books/references for major tools covered (can be found on exam cert info page) and obviously all the protocol stuff is all over the intertubes - RFC/TCP/IP guides/books. (phrase I learned from Mike).

Before taking the course I had watched online lectures for a networking course delivered by University of Washington (UDUB, they say it a lot and it's catchy); it covered TCP/IP stack routing algorithms, BGP, data-center TCP, and some more topics on the theory side. I really recommend MOOC courses online offered by universities (it's really good content that they make available to promote learning for those who may not have access to university content the standard way; it's really awesome of the staff/unis doing this). But anyway, in my opinion, if you've been in the security industry for about a year and have taken some sort of networking course or cert, or you are coming from a networking background, you are ready for the GCIA; skip the GSEC. The material you learn in this course can really ramp up your security knowledge very quickly.

Anyway, my next goal is to challenge the GSEC and learn Python scripting for pen testing on the side; I know there are a lot of suggestions on the forum, but if anyone has any advice I'm all ears.


  • TechGromit Member Posts: 2,156
    Congratulations on the pass.

    As for skipping the GSEC, I believe there was a mini-test on the SANS website where it would gauge where you should start your SANS training. When I took my test, I scored higher than SANS 301 "Introduction to Information Security", but right in the middle of SANS 401. I thought it was a good gauge to see where I stood in my security knowledge. I guess if you scored high enough to get into SANS 501, you can safely skip the GSEC.
    Still searching for the corner in a round room.
  • EngRob Member Posts: 247
    Congrats! I believe the GSEC is valuable to have, even if you only challenge it.
  • UnixGuy Mod Posts: 4,564
    Excellent write up, congrats!!
