Review of the SANS504 (GCIH) Course

Hey guys!

Just finished the SANS504 course today, obtained my SEC504 CTF coin and thought that I might give a little review!

The course is structured really well, with a focus on IR on the first day, followed by hacker techniques and tools (and how to look out for them) on our networks.

It really reinforces that in order to be an efficient incident handler, you really need to know:
1) What you're up against,
2) What's "normal" in your environment

Without the above knowledge, you're just going to be spending a lot of time doing guesswork; which isn't what you want to do during an incident when the spotlight is on you.

My instructors were the combo of Kevin Fiscus and Steve Anson, and they were both really great and engaging instructors.

It's an awesome course, and I personally felt there were 3 things that really helped me understand the course materials better:

1) Material from ElearnSecurity's eJPT, which covered general pentesting tools and concepts
2) Incident Response & Computer Forensics, Third by Jason T. Luttgens Incident Response & Computer Forensics, Third by Jason T. LuttgensThe book: Incident Response & Computer Forensics Third Edition
3) 2-3 years of working experience

Without the above 3, you can still go through the course, but you'll appreciate the material much better, and you'll find the class pretty manageable.

If you're taking up a SANS course for the first time in your life, please note that you really need to prepare yourself mentally and physically, as SANS courses come jam packed with talks and NetWars. You likely will not have time for dinner, and the pre-talk/NetWars snacks that the training location provide may not be very nutritious or filling.

I participated in the Cyber Defense NetWars as well and got up to level 3 (out of 4).

Although it was an individual competition, I teamed up with a classmate and we hit the challenges together.

The key takeaway is that you absolutely need to know a lot. You'll be tested on your Windows knowledge, Linux kung fu and packet reading skills.

Although we were initially leading in the top 10, we eventually dribbled down to the 22nd place as the both of us were really weak in packet reading.

All in all though, it was good fun and we identified our weak areas!

Find more posts tagged with

Comments

johndoee

nebula105 wrote: »

Hey guys!

Just finished the SANS504 course today, obtained my SEC504 CTF coin and thought that I might give a little review!

The course is structured really well, with a focus on IR on the first day, followed by hacker techniques and tools (and how to look out for them) on our networks.

It really reinforces that in order to be an efficient incident handler, you really need to know:
1) What you're up against,
2) What's "normal" in your environment

Without the above knowledge, you're just going to be spending a lot of time doing guesswork; which isn't what you want to do during an incident when the spotlight is on you.

My instructors were the combo of Kevin Fiscus and Steve Anson, and they were both really great and engaging instructors.

It's an awesome course, and I personally felt there were 3 things that really helped me understand the course materials better:

1) Material from ElearnSecurity's eJPT, which covered general pentesting tools and concepts
2) Incident Response & Computer Forensics, Third by Jason T. Luttgens Incident Response & Computer Forensics, Third by Jason T. LuttgensThe book: Incident Response & Computer Forensics Third Edition
3) 2-3 years of working experience

Without the above 3, you can still go through the course, but you'll appreciate the material much better, and you'll find the class pretty manageable.

If you're taking up a SANS course for the first time in your life, please note that you really need to prepare yourself mentally and physically, as SANS courses come jam packed with talks and NetWars. You likely will not have time for dinner, and the pre-talk/NetWars snacks that the training location provide may not be very nutritious or filling.

I participated in the Cyber Defense NetWars as well and got up to level 3 (out of 4).

Although it was an individual competition, I teamed up with a classmate and we hit the challenges together.

The key takeaway is that you absolutely need to know a lot. You'll be tested on your Windows knowledge, Linux kung fu and packet reading skills.

Although we were initially leading in the top 10, we eventually dribbled down to the 22nd place as the both of us were really weak in packet reading.

All in all though, it was good fun and we identified our weak areas!

Congratulations.

The SEC 504 was my first SANS training that I ever attended. I would not necessarily say you need to know a lot. Netwars is a fun and exciting experience that ultimately identifies your strengths and weaknesses.

The caveat to that is, anything after training is not mandatory. Not mandatory whatsoever. So, a big if should be included in the sentence. Such as if you attend NetWars. The only stuff that is semi-mandatory or strongly encouraged after training is with regards to Work Study staff. Even then it's not really mandatory ..

Personally, I feel that you can get the same thing out of Netwars as you could with some other online and VM based challenges and CTF type scenarios.

Any extra material is great, but as has been repeated over and over, everything you need is in the books. If they say everything you need is in the books and they give me 5-6 books I personally don't want to read another book for shets and giggles.

. They produce enough books for me to read. That is just me though.

Any GIAC certifications next on your agenda?

When are you taking the exam?