GREM Passed - 3 SANS Classes/Certs in 1 year
ramrunner800
Member Posts: 238
in GIAC
Today I took the GREM exam, and passed with 92%. This caps off a monster year of training and testing that has been extremely rewarding, if exhausting. I'm writing this post because I learned a lot about how to prepare for a SANS exam over this year, and hopefully some folks thinking about attempting a GIAC cert will be able to benefit from my experience.
To start with a bit of what my background was going into this, in late 2014 I made a career change into Infosec from a non-tech related field. I started working as a SOC Analyst at a large organization, learning lots about IDS monitoring and PCAP analysis. After about 9 months, in June 2015, I was presented with the opportunity to move to a large household name company as an Incident Response Analyst, which meant learning another new skillset, digital forensics. Thankfully my new company is very generous with training, and I have been afforded the opportunity to attend 3 SANS courses since September of last year. I attended in person training for GCFE in Sep '15, GCFA in April '16, and GREM in June '16. My experience at each of these trainings was awesome. I haven't tried any On Demand courses from SANS, but I can heartily recommend attending in person training if you have the opportunity. I enjoy having a week of solid class, with nothing else to take attention away, and face-to-face interaction with the instructor and peers from other companies.
Studying for these exams has been no small task. I have found marathon study days of 8+ hours to be very effective. I usually take half of my weekend days and dedicate them solely to studying. It is very hard for me to get any meaningful studying done on days where I have work, so I stopped trying. My indexes were between 500 and 700 lines long, printed both in page order and alphabetical order. This made it easy to access the material depending on how the question was phrased or how I happened to remember that particular piece of material. I found that with an index of this size/detail I was able to look up the majority of the answers in the books to verify that the answer I was contemplating was correct.
The practice tests that came with the exam attempts were also very useful. I know some people like to do the first practice exam without their index, but I found that using both exams to get to know my index, and refine it a bit, was most effective for me. For both GCFE and GREM I found that the practice tests were a fair bit easier than the actual exam itself, though on every exam I scored significantly higher on the real exam. I generally scored mid-70's to mid-80's on my practice exams, and got 96 on GCFE, 93 on GCFA, and 92 on GREM. Even though the real exams were harder, the seriousness of the real exam experience was good for a 10-point bump.
Now for a few weeks of relaxation before the next challenge.
Currently Studying For: GXPN
Comments
-
nopx90 Member Posts: 20 ■□□□□□□□□□
Wow. That's not bad at all. Matched my pace. Congrats on the pass! And, you found yourself a great place of employment it seems like.
Was GREM the toughest of the lot? What's next? -
ramrunner800 Member Posts: 238
Was GREM the toughest of the lot? What's next?
GREM was the toughest for me, but I can see GCFA taking that spot for some people. The GCFA is my day-in/day-out bread and butter work, so I got more practice with that than with any of the other material, but it does cover a wide range of reasonably challenging topics. GCFA was also the most fun of them all as well.
Gonna take a stab at OSCP before the end of the year, as I've been feeling itchy to try some offense. GREM also fills in a lot of the blanks on how exploits work at an assembly level. If that goes well, I'll try GXPN with next year's training budget. If it goes poorly, probably the Threat Intel class.
Currently Studying For: GXPN -
zxbane Member Posts: 740 ■■■■□□□□□□Amazing progress, curious what field you came from? You seem to have picked up Cyber very quickly.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
As far as GREM goes, if you don't have a programming background of some kind, did you find you were able to keep up with the class or did it require a lot of extra studying from other sources?
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
5ekurity Member Posts: 346 ■■■□□□□□□□the_Grinch wrote: »As far as GREM goes, if you don't have a programming background of some kind, did you find you were able to keep up with the class or did it require a lot of extra studying from other sources?
Interested to know this as well - before embarking on something like the GREM, do I need something beyond a base level of understanding with assembly / C? -
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
Also congrats! To get so much done in one year is quite a feat!
-
ramrunner800 Member Posts: 238
Amazing progress, curious what field you came from?
I previously worked as a non-cyber intel analyst.
the_Grinch wrote: »As far as GREM goes, if you don't have a programming background of some kind, did you find you were able to keep up with the class or did it require a lot of extra studying from other sources?
I don't have a coding background, besides some basic Bash and Python scripting, and a bit of assembly from learning to exploit buffer overflows and such. The course provides plenty of information on assembly to stand by itself. I didn't need to go to any other resources to supplement the material. A good grasp of coding is definitely required to become a master reverser, but it seems you can perform reasonably competent malware analysis with just a rudimentary understanding.
Currently Studying For: GXPN -
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
Thanks for the info!