Passed GCIA (SEC503)

MalwareMike

Disclaimer: I'm enrolled in the SANS master program and now have completed GSEC, GCIH. GWAPT, and GCIA.

I have to say I really enjoyed this course after I started to actually absorb the information. Going through book 1 and 2 the first time was mentally draining but after the 3rd go around, everything started to come together. So for anyone taking this class in the future, don't get overwhelmed with the first two books, give it time and you'll start absorbing the concepts. Once you grasp the information in the first two books, I believe books 3,4, and 5 are cake...just understand how to use tcpdump, tshark, wireshark, snort, and bro (run through the labs 2-3 times and you'll be a good spot).

Tips for the exam:
**Bring the following with you**
1) A chart that shows you the conversion between decimal/hex/binary (very useful, you dont' want to be converting hex during the exam if you don't have to)
2) Print out a few IP and TCP headers in hex format and label each field...doing this alone helped me solve 8-10 problems
3) Print out all of the ICMP codes (I used this: erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html)
4) Print out a list of examples for: tcpdump commands, wireshark commands, tshark commands, snort rules, bro scripts, silk commands
SANS provides a book with tcpdump and wireshark commands but I found my personal list to help more
5) The practice exams will tell you where you stand...I received a 87% on my second practice exam and received an 87% on my actual test
6) Great website to test your skills during and after the class: www.malware-traffic-analysis.net/

DJVeritas

Thanks for the tips!  Congrats on your pass!

chrisone

Thanks man! I just finished all 5 books. I need to go over the books a second time and listen to the class mp3s. I hope to take the test at the end of Feb. 

MalwareMike

@chrisone how did you like the FOR508 course?

chrisone

MalwareMike said:

@chrisone how did you like the FOR508 course?

I am not taking it until SANS Network Security in Vegas in Sept 2019. My signature displays 2019 goals (courses and certs), as you can see I have a lot on my plate. I just finished AppSec Cali Red Team Attacks and next will be SANS West in San Diego May 2019. I will be taking the SEC660 course and hopefully pass the GXPN sometime in the summer. Before May/SANS WEST I want to knock out GCIA and GCIH. I was hoping to pass GCIA at the end of Feb and GCIH at the end of April.  

MalwareMike

@chrisone I found GCIH to be super easy, I think I passed the exam in a month. I just started the SANS SEC573 (Automating security with Python) yesterday, just patiently waiting for the books and labs to come in.

chrisone

Good deal! you are giving me lots of motivation and hope that I can finish GCIA and GCIH by May  

The SEC573 looks like a very good course. I am sure the labs will be loads of fun! Id like to eventually take SEC573 and SEC505 Powershell courses but that will be sometime in 2020. 

E Double U

I found GCIA to be a beast so congratulations to anyone that passes and good luck to anyone pursuing it. 

chrisone

E Double U said:

I found GCIA to be a beast so congratulations to anyone that passes and good luck to anyone pursuing it. 

what is your assessment on GCIH? was it as easy as Malware Mike mentions it to be?

Blucodex

I just passed (challenged) GCIH two weeks ago after a couple weeks of self-study--so I did not take the 6 day course.

Difficulty is going to depend on your experience/knowledge level.  I didn't find it particularly difficult but you really need to know attacks/tools/defenses to make things easier.  

Having passed both, for me personally....  If GCIA is a 9 for difficulty I would give the GCIH a 7.

E Double U

chrisone said:

E Double U said:

I found GCIA to be a beast so congratulations to anyone that passes and good luck to anyone pursuing it. 

what is your assessment on GCIH? was it as easy as Malware Mike mentions it to be?

Malware Mike described it as super easy, but that was not the case for me (my official score was 76%). But our differences in opinion is not relevant. Like Blucodex said, the level of difficulty depends on your experience/knowledge going in to it. At the time of taking that exam, my day-to-day job focused more on firewalls, vpn, ids, web filters, etc. All of those exploits covered during the course were things I had only read about, but never actually tried. I had not used most of those tools I learned about in the SANS course (including nmap) and some I never heard of. 

MalwareMike

E Double U/Blucodex/Chrisone,

I don't mean to make the certifications sound easy because they aren't. Having taken 4 of the SANS certs, I understand the way they ask questions so when Im going through the books I can now highlight things I think will be on the test and I'm pretty accurate. Mix that in with a damn good index and knowing exactly where to go when you see a question...for example: when I see a DNS question that I didnt know or wanted to double check, I already know to look at Book 3/page 64 (and that was from memory). But everyone correlates info differently, so I just wanted to throw that out there.

chrisone

No worries Mike, I understood what you and the others were saying. In the end these are just peoples personal experiences. I take all this input and formulate a guess as to how I may experience the exam. Everyone is correct that each persons level of experience will influence their own personal level of difficulty for any exam. I feel I may take a month and a half for the GCIH, well see


Thanks guys!

E Double U

MalwareMike said:

E Double U/Blucodex/Chrisone,

I don't mean to make the certifications sound easy because they aren't. Having taken 4 of the SANS certs, I understand the way they ask questions so when Im going through the books I can now highlight things I think will be on the test and I'm pretty accurate. Mix that in with a damn good index and knowing exactly where to go when you see a question.

I have gotten to that point as well. It took me several months to prepare for my first two GIAC certs (GCIH/GCIA), but I passed GPEN a few weeks after completing the course. 

Randy_Randerson

Easily the hardest one I took -- Thank you for the insight! I need to tackle the beast again soon! 

unrealskillz06

Great job! I'll be sitting for this one later this week

MalwareMike

unrealskillz06 said:

Great job! I'll be sitting for this one later this week

Make sure you know DNS in detail or at the very least, you know where to go to review the information

eng11m

how ware the lab questions.?

 was the time limit enough ?

tboe

Congratz and welcome to the club!

SATart

I am curious about how time intensive the labs/hands-on portion is as well. SiLK was covered only briefly in book 5, yet the practice test lab on it was quite intensive and required a lot of time (IMO/for me). Also, the labs appear to be weighted more heavily in score than the multiple choice questions. The practice test suggest they are at least.

MalwareMike

If I recall correctly, there were 11 lab questions on the practice exam and the real exam follows that rubric. The lab questions are very similar from the practice exams to the real exam, so if they asked you to use SiLK, it will probably be on the exam. But I dont recall it taking a long time, you just have to understand the syntax

SATart

MalwareMike said:

If I recall correctly, there were 11 lab questions on the practice exam and the real exam follows that rubric. The lab questions are very similar from the practice exams to the real exam, so if they asked you to use SiLK, it will probably be on the exam. But I dont recall it taking a long time, you just have to understand the syntax

Thanks for the feedback. 

charismaticx

@MalwareMike would you say indexing the lab book help for reference? I’m debating on what I can do to tackle the vm questions better. 

Randy_Randerson

charismaticx said:

@MalwareMike would you say indexing the lab book help for reference? I’m debating on what I can do to tackle the vm questions better. 

I would. Especially things like specific commands with their options for quick reference. Nothing is really tricky, but it'll speed things up a bit if you know how to correctly open Snort conf file and edit it. I found the lab books much quicker for that information than the actual books themselves since its over a few slides.

charismaticx

I’ve tabbed out my lab book for quick reference. I think I have an idea of what to expect. I’m not sure what kind of questions they’ll ask so I guess I’ll just be prepared.  

quogue66

There are a few things in the lab book that aren't anywhere else in the material.  For the GSE multiple choice test I actually took apart the lab book and added sections to each of the 5 books.  The time is so short for GSE that I didn't look at it very often but it made it easier to study with.  I also didn't have to carry the lab book with me all the time.

charismaticx

I just passed the GCIA a little while ago. I have to admit it was significantly harder than both practice exams. The lab book definitely helps but you have to be creative on the labs.  

Chris200712

I am taking mine next week. How was the admissions process for the Masters program?

quogue66

It's pretty easy.  You send your transcripts, write two papers and make a video of yourself giving a talk on one of the papers.