Just Finished For578 Course and Coinslayer Netwars

sb97sb97 Member Posts: 109
JCundiff gave a great summary of the course here:
http://www.techexams.net/forums/sans-institute-giac-certifications/131868-sans-578-cyber-threat-intelligence-course-reivew.html

My experience was different than his but still very good. To start with, my background is SOC Analyst/IR but am moving towards the CTI space. I would also say the makeup of my class was more heavily weighted with people that were already working in well established CTI functions. There were a lot of former gov't and military in my class. My instructor was Rob M. Lee. In my class there was a pretty wide range of people that were willing to engage and talk. Maybe 50-60% of the people were willing to talk. There were times when Rob would almost stop the class to get some of the folks in the back to engage a bit.

This class itself focused on analytic techniques. The labs were not super technical. They all built on a scenario and each lab showed how different techniques could contribute to the CTI process. Rob kept reminding people that not every technique would be relevant to everyone. People just needed to find what works for them. The point was to expose them to different ways of working through issues and helping them identify bias. I came away with a few things I wanted to bring back to my organization pretty much right away. The focus on this class is the discussions rather than the labs. After taking it, I am glad I did it in person rather than on demand. The discussions with your classmates really contribute to the overall experience. My team won a challenge coin during the capstone which really made my day.

Coin Slayer Netwars was an interesting beast. There were some technical difficulties to start with so we got a bit of a late start. This is a different style of Netwars. There were no hints. Questions were broken up by DFIR discipline. There were four levels of questions with five questions at each level for each discipline. You could start at any level and with any discipline. If you answered all questions correctly for a single discipline you earned the class coin. I was taking public transportation so I couldn't stay until the end on either night but I did see a couple of coins for Malware Reverse Engineering and Mobile Forensics get awarded. This was my first netwars experience. I was able to answer questions at all of the levels but I struggled a bit with getting the exact format they were looking for. I bounced around between the questions for For500 (formerly 408), For508 and For572 disciplines. Initially, I was going to try and earn the 508 coin but I got interested to see what kinds of things they were asking for the other disciplines.

Comments

  • sb97sb97 Member Posts: 109
    One nice little bonus is that the books are relatively short and have a lot of case studies. Should make indexing a bit easier.
  • sb97sb97 Member Posts: 109
    I have slowly been working through building my index. Going back through the day 2 material has been a bit of an eye opener. There is a section in there with a sample intrusion where they demonstrate the Kill Chain in action (More information available in the course description). This section ties together a lot of other SANS courses. You walk through an intrusion and look for pivot points based off of Kill chain analysis. Along the way, you talk about how to tie things like host forensics, network forensics, memory analysis, and malware analysis to get a more complete threat-centric view of the intrusion.
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    If you were in Austin, I think a couple of my teammates went through with you. I am still working on my index from April, so down under 60 days to test and still on book two
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • sb97sb97 Member Posts: 109
    jcundiff wrote: »
    If you were in Austin, I think a couple of my teammates went through with you. I am still working on my index from April, so down under 60 days to test and still on book two
    My index ended up being quite a bit shorter than I expected. Getting ready for a practice test now. Hopefully, I won't need to go back and add a lot more.
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    sb97 wrote: »
    My index ended up being quite a bit shorter than I expected. Getting ready for a practice test now. Hopefully, I won't need to go back and add a lot more.

    I took the first practice exam cold without books, and pulled a 64 or 66, so now working on the index, through 1 and a half books, I am over 300 line entries on my index.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke