Forensics or Penetration Testing?

globalenjoi Member Posts: 104
Hey all, looking to get some feedback on something. I'm trying to decide which SANS graduate certificate program would be the most beneficial to me. So far, I have the GSEC and GCIH, and I'm currently working on Netwars, so I'd have some credits to carry into either of these programs:

Basically, I don't know which to pursue, because neither carries a short-term benefit in my current role, so I'm looking for feedback on the content of the SANS courses and possibly long-term value of training for a forensics or pentest career. I think I'm more interested in the penetration testing route, but my current role mostly revolves around firewall admin, and both forensics and pentesting seem much more interesting to me. In addition, I already have access to the ELS Penetration Testing Elite course (but haven't really started yet), and I don't know how it compares to the SANS courses in this program. The little bit of forensics stuff covered in the GCIH course was awesome as well, as previously I hadn't ever given it any interest.

Side note: Worked out something with my employer where I'm using VA benefits for the program, and they cover the cost of attending in person, so I don't miss out on the housing allowance or the cool networking experience. Depending on which program I shift to, they may or may not continue this, given my current role. It's something in the back of my mind because if I stick with only the online options, I miss out on roughly $6,200 in housing money per SANS course. That's a decent chunk of money.

TLDR: SANS graduate cert, should I do a lump of penetration testing courses, or a lump of computer forensics courses?


  • xxxkaliboyxxx Member Posts: 466
    You might be asking the wrong questions. Both of those programs are viable in the security field. You should be asking what do you like to do? Red Team, Offensive, Blue Team, Defensive?

    What is your experience in?
    Studying: GPEN
    : SANS SEC560
    Upcoming Exam: GPEN
  • globalenjoi Member Posts: 104
    My experience is limited, I've only been in security for a little over a year. Moved into IT two years ago and landed a spot. I think that I really like the Red Team stuff, based on doing my own stuff at home. I've got a small lab of vulnerable machines set up that I've toyed with over the last 6 months some and it's really fun, lots of trial and error, lots of challenges. But again, I never gave forensics much of a thought, because I always assumed the biggest portion of jobs would be law enforcement related, hunting down child pornography and such. I know that I was definitely wrong now, so it's not something I think I would dislike.

    My current company is only just now fleshing out an IR team. We have some guys that test against a web application full time, but no other internal red team stuff. While it presents a cool opportunity to get trained up and be one of the most qualified (at least on paper..) people for any new red team roles we develop, I do have some concerns that work may not be on board with spending money on me now to train me for a role that may not exist for a year or two.
  • TechGromit Member Posts: 2,156
    While both areas offer lots of growth, my personal opinion is Blue Team related positions will be more secure in the future. While some pen testing knowledge is beneficial for blue team activities, I believe most people gravitate towards the pen testing roles because it's "cool". At the end of the day companies are interested in how you can protect their networks from attacks and intrusions, and that's a blue team role. Might not be as exciting as the rush when you break into a system, but I feel demand will be more in favor of defending and attacking, thus more money and job security.
    Still searching for the corner in a round room.
  • ramrunner800 Member Posts: 238
    I concur with TechGromit. Blue team gives you a larger number of potential employers. Most companies with a reasonably sized IT function will have roles for blue teamers. Red team is going to be a bit more limited. I don't think you can really go wrong though.
    Currently Studying For: GXPN
  • sb97 Member Posts: 109
    Personally, I went the DFIR route. For you, it really just depends on what kinds of things you like to do. In your shoes, I might look at some free or low cost options to kind of test the waters. Check out Security Tube, Cybrary, Youtube, etc. Then you might have a better understanding of which path suits you best.