GCIA Relevancy Question

lostsol Member Posts: 18
I work on the networking team and deal with firewalls, SSL VPN gateways, DNS, NMS, and work mostly with open source solutions, and I'm defining my own role as a Network Security Specialist. I also work on the MDR team and I'm expected to jump in whenever an issue goes beyond inspecting local machines and/or mail, like DoS prevention, DNS RPZ, etc. I'd like to learn how to further harden/segment/defend my network.

I've taken FOR572 and thought it was great. I thought 503 would be a great next course, but I've read a few posts questioning its relevancy because of the increasing amount of traffic being forced over SSL. Decrypting the SSL or flow inspection would be ways to inspect the encrypted traffic. So I'm wondering if there are any other SANS course suggestions that I may benefit more from, like the SEC555 SIEM course. Thanks.

Comments

  • UnixGuy Mod Posts: 4,564 Mod
    It's really hard to tell. I think knowing how to analyze packet captures is an important skill, and it might come in handy... will you be doing this on a day-to-day basis? Really hard to predict.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube channel: https://youtu.be/DRJic8vCodE 


  • lostsol Member Posts: 18
    I agree that it is a vital skill, but I don't do packet analysis every day.
  • FillAwful Member Posts: 119
    One thing that has translated very well for me in a Security Analyst role is the IDS/IPS piece. Specifically, using pcap to write a Snort rule, and then testing that Snort rule against pcap (pcap with normal baseline traffic and the malicious pcap the rule was based on). This is something I do often, and GCIA really helped with learning the tools and advanced packet analysis necessary to write a good Snort rule.

    The other knowledge was good to have but above is what was most valuable for me in my role.
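The workflow FillAwful describes (write a rule from the malicious pcap, then run it against both that pcap and a baseline capture to catch false positives) is normally done with Snort itself, e.g. `snort -c local.rules -r capture.pcap`. As an added illustration that is not part of the thread and does not use Snort, the block below parses the content/nocase/depth/offset/distance options of a Snort-style rule and applies them to constructed HTTP payloads standing in for the two pcaps. The rule text, SIDs, hosts and payloads are all made up for the example; the point is that the tight rule fires only on the malicious payload while a loose rule also fires on a legitimate legacy client in the baseline.

```python
import re

# Constructed example rule (not from the thread): an HTTP POST to /gate.php
# carrying an old MSIE 6.0 User-Agent. |3a| and |3b| are Snort hex escapes
# for ':' and ';' so the option value contains no literal semicolon.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"Constructed example C2 checkin"; flow:to_server,established; '
    'content:"POST /gate.php"; depth:14; '
    'content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; nocase; '
    'sid:1000001; rev:1;)'
)

# A deliberately loose rule that keys only on the User-Agent fragment.
LOOSE_RULE = (
    'alert tcp any any -> any any '
    '(msg:"Constructed loose example"; content:"MSIE 6.0"; nocase; sid:1000002; rev:1;)'
)

HEX_BLOCK = re.compile(r'\|([0-9a-fA-F\s]+)\|')
# option name, optional ':' value (quoted string or up to next ';'), then ';'
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(text):
    """Turn Snort content syntax with |hex| blocks into raw bytes."""
    out, pos = b'', 0
    for m in HEX_BLOCK.finditer(text):
        out += text[pos:m.start()].encode('latin-1')
        out += bytes.fromhex(m.group(1).replace(' ', ''))
        pos = m.end()
    return out + text[pos:].encode('latin-1')


def parse_rule(rule):
    """Return the ordered content matches of a rule with their modifiers."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    contents = []
    for name, val in OPTION.findall(body):
        if name == 'content':
            contents.append({'bytes': decode_content(val.strip('"')), 'nocase': False,
                             'depth': None, 'offset': 0, 'distance': None})
        elif contents and name == 'nocase':
            contents[-1]['nocase'] = True
        elif contents and name in ('depth', 'offset', 'distance'):
            contents[-1][name] = int(val)
    return contents


def rule_matches(contents, payload):
    """Apply content matches in order; each must be found inside its window."""
    cursor = 0  # end of the previous match, used by 'distance'
    for c in contents:
        hay, needle = payload, c['bytes']
        if c['nocase']:
            hay, needle = hay.lower(), needle.lower()
        start = cursor + c['distance'] if c['distance'] is not None else c['offset']
        end = len(hay) if c['depth'] is None else start + c['depth']
        idx = hay.find(needle, start, end)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


# Constructed payloads standing in for the malicious pcap and a baseline pcap.
MALICIOUS = (b'POST /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n'
             b'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\nid=1')
BASELINE = [
    b'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n',
    b'POST /login HTTP/1.1\r\nHost: intranet.example.com\r\n'
    b'User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\nu=a',
    # a legitimate legacy updater that still sends the old MSIE 6.0 UA string
    b'GET /update.xml HTTP/1.1\r\nHost: updates.example.com\r\n'
    b'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n',
]


def evaluate(rule, malicious=MALICIOUS, baseline=BASELINE):
    """Return (fires on malicious payload, number of baseline false positives)."""
    contents = parse_rule(rule)
    hit = rule_matches(contents, malicious)
    false_positives = sum(1 for p in baseline if rule_matches(contents, p))
    return hit, false_positives


if __name__ == '__main__':
    print('tight rule:', evaluate(RULE))        # (True, 0)
    print('loose rule:', evaluate(LOOSE_RULE))  # (True, 1)
```

The matcher covers only the handful of content modifiers shown and none of Snort's flow, PCRE or HTTP buffer keywords, so it is a teaching aid for the test-against-baseline habit, not a substitute for running the real engine over the real captures.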
  • UnixGuy Mod Posts: 4,564 Mod
    @FillAwful: see, I use Palo Alto IDS/IPS, and I don't really write Snort rules... it's just a GUI.

    So you use Snort open source?

    I'm going to use Cisco Firepower soon-ish; not sure if it's best practice to write Snort rules?


  • lostsol Member Posts: 18
    @FillAwful: Thank you for the feedback. I don't plan to write Snort rules anytime soon, but I do agree you can't go wrong learning advanced packet analysis.
    I keep reading that IDS/IPS are old technology. So what about some type of hunt teaming course?
    A "how do I look for beaconing activity" type of course. Choke points at the edge of the network... DNS, HTTP headers, X.509 certs... look at choke points and find anomalous behavior.
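The hunt described above (watch a choke point and look for connections that recur on a fixed period) is the classic beacon check, and it is usually run over Zeek/Bro conn logs rather than raw pcap, which matters because it works on encrypted traffic too. As an added example that is not from the thread or from any SANS material, the block below builds a few constructed conn.log-style lines and flags (orig, resp, port) pairs whose inter-connection gaps are regular: enough events and a low coefficient of variation (standard deviation divided by mean gap). The hosts, timestamps, thresholds and the five-column layout are all assumptions for the example; a real Zeek conn.log has many more columns and a header.

```python
import statistics
from collections import defaultdict


def make_sample_log():
    """Constructed conn.log-style lines: ts, id.orig_h, id.resp_h, id.resp_p, proto."""
    lines = []
    base = 1_600_000_000.0
    # implant on 10.0.0.23 checking in every ~60 s with a little jitter (constructed)
    jitter = [0.0, 1.3, -0.8, 0.4, 2.1, -1.5, 0.9, -0.2, 1.7, -1.1]
    for i, j in enumerate(jitter):
        lines.append(f"{base + 60 * i + j}\t10.0.0.23\t203.0.113.45\t443\ttcp")
    # a workstation browsing one site normally: bursty, irregular gaps
    for g in (0, 3, 4.5, 40, 41, 300, 302, 303.5, 900, 1800):
        lines.append(f"{base + g}\t10.0.0.31\t198.51.100.7\t443\ttcp")
    # a pair with too few connections to say anything about
    for g in (0, 60, 120):
        lines.append(f"{base + g}\t10.0.0.40\t198.51.100.9\t443\ttcp")
    return lines


def parse_conn(lines):
    """Group connection start times by (orig, resp, resp_port)."""
    flows = defaultdict(list)
    for line in lines:
        if not line or line.startswith('#'):  # skip Zeek header/comment lines
            continue
        ts, orig, resp, port, _proto = line.split('\t')[:5]
        flows[(orig, resp, int(port))].append(float(ts))
    return flows


def find_beacons(lines, min_events=8, max_cv=0.1):
    """Flag pairs whose gaps between connections are suspiciously regular.

    min_events: need enough samples for the statistic to mean anything.
    max_cv:     coefficient of variation of the gaps; 0 is a perfect clock,
                real implants add jitter, so the threshold is a tuning knob.
    """
    findings = []
    for key, times in parse_conn(lines).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({'flow': key, 'count': len(times),
                             'period_s': round(mean, 1), 'cv': round(cv, 3)})
    return findings


if __name__ == '__main__':
    for f in find_beacons(make_sample_log()):
        print(f)  # only the 10.0.0.23 -> 203.0.113.45:443 pair is reported
```

Periodicity alone is noisy on a real network: NTP, update checks and monitoring agents all beacon, so the next step is to pivot on the other choke-point data the post mentions (the SNI or certificate for that destination, the DNS name that resolved to it, the User-Agent if it is plain HTTP) before calling it malicious.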
  • FillAwful Member Posts: 119
    UnixGuy wrote: »
    @FillAwful: see, I use Palo Alto IDS/IPS, and I don't really write Snort rules... it's just a GUI.

    So you use Snort open source?

    I'm going to use Cisco Firepower soon-ish; not sure if it's best practice to write Snort rules?

    We definitely write Snort rules for Cisco Firepower, and some networks are indeed custom Snort builds (large mixed environment). Vendor sigs are great, but sometimes we want to get ahead or need something more specific depending on the network environment.

    GCIA also covers some Bro usage. I've never worked with it myself, but it was good knowledge to have.

    After GCIA, I rarely see things in pcap where I don't know exactly what I'm looking at. It's really helpful not only for identifying false positive and true positive alerts, but also because knowing how common protocols work on a fine-grained level really helps me analyze when these protocols are not behaving like they should, and whether that's due to network misconfiguration or a malicious actor. It's made me a far better analyst.
  • supasecuritybro Member Posts: 206
    My co-worker has his GCIA, and every time we have an issue he is the go-to guy since he is able to analyze the traffic. He was able to do some serious analysis before the course, so he said that helped a great deal. As far as SSL goes, a lot of internal traffic is still unencrypted, and there are decryption tools companies will invest in just to have the visibility. I would highly encourage anyone who is interested in packets to do this course.
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan: AWS-SAA, OSCP, CISM
    Book/CBT/Study Material: Max Power
  • E Double U Member Posts: 2,227
    I went for the GCIA because my team took ownership of the company's Cisco Sourcefire, and that has been the primary benefit for me. That NIDS knowledge really comes in handy during hunting and when someone needs a Snort rule created.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • UnixGuy Mod Posts: 4,564 Mod
    Agreed that knowledge of how protocols work from GCIA is priceless!

    Thanks guys


  • lostsol Member Posts: 18
    Thanks everyone.