GCIA Preparation and attempt log
Well, with the GSEC, GCFW, and GCIH out of the way, I only need the GCIA and one gold paper to satisfy the requirement to attempt the GSE. I can't start on the gold paper until I get a response from SANS regarding whether a gold paper for the GCFW would count for the GSE so I'm going to start self-studying for the GCIA.
I compared the curriculum between the GCFW and the GCIA and don't see a huge difference. It looks like 85% of the material is shared. I suspect that certain topics are covered more in depth than on the GCFW but I can certainly fill in the gaps. I imagine I'm going to have to go a bit harder on signature and traffic analysis, Snort, and TCP ****. That shouldn't be a problem though because I've recently purchased some excellent books on intrusion analysis and have a strong background in TCP/IP as a whole.
My resources so far include:
SANS GCFW books
Routing TCP/IP Vol 1/2
The new Wireshark U book
Dynamik recommended the following, which are the books he's using for his attempt:
The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century
Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks
Intrusion Signatures and Analysis
Extrusion Detection: Security Monitoring for Internal Intrusions (this one is particularly interesting to me)
The Tao of Network Security Monitoring: Beyond Intrusion Detection (probably the best book of them all)
My first order of business is going to be sitting down with the GCIA's curriculum and mapping each focus area to specific training resources. I should be able to complete that task in a day or two. From there I can really drill down to the specifics of the material. I'm going to need a steady supply of interesting traffic flows so I'm going to be generating some pcap files for analysis and hopefully I can find some good ones on the internet as well. The curriculum calls for analysis of attack patterns so I'm sure I'll have to be able to spot specific attacks from packet analysis.
I'll be sure to keep this updated as I progress further through this journey.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
[email protected]
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
Comments
All of those subjects were well covered on the GCFW and I did relatively decently on the test. I would probably have a pretty tough time with the test if I took it tomorrow, but with a few months of prep I can get back to where I need to be.
Definitely check that out if you're interested. We're going to be posting tons of cool GCIA/GSE stuff.
Honestly I'm worrying about the GCIA less and less the more I look at how much the material directly maps to the GCFW. The GCFW's book 1 was almost a DIRECT copy of the material covered on the GCIA day 1 overview almost down to the headings. I'm 100% sure that I can use my GCFW book 1 with zero problems on the IA. I'm sure I'll need quite a bit more TCPDump and Snort reference but there was strong coverage of both of those on the FW as well. I'm starting to think that the FW experience is going to make the GCIA pretty easy.
When I did the GCFW I didn't know what the exam would be like or how direct the material in the books would map to the test. As a result I made a huge reference guide with sections for TCP **** and Snort amongst others. I'm sure this will be a valuable resource as well.
InfoSiege
Only if you come equipped with enough cash to pay for the training course and exam too
SE Notebook
+1!!! Shame the place I work for doesn't believe in training their technical employees. I'll have to save my pennies and see what I can do out of pocket after the start of the new year.
Looks like there are a lot of recommendations on Amazon about this book too. I am going to add this to the list of books I am going to buy.
So far Part III is proving to be invaluable. The explanation of assessment, protection, detection, and response falls in line with the information security circle flow chart as well as incident handling. My favorite thing about this book by far is that the author takes the time to explain how NSM ties into network incident handling. I should be through chapter 12 later. That one looks very interesting, as its all about case studies.
One minor caveat that I've found is that because the book is over half a decade old now, many of the tool references aren't applicable any more. You can also disregard some of the more outdated installation tips, since the author uses a version of BSD from 2004 (when the book was launched).
I've heard from several folks that this book was what the current GCIA was loosely based on. I've also heard that the book is a bit over-kill in certain areas. Overkill = better chance of passing so that's great.
So far the book hasn't gone into a ton of super-deep detail but I'm sure that will come eventually. I'll be sure to keep my review updated as I progress through the book. I also picked up a copy of "Extrusion Detection: Security Monitoring for Internal Intrusions" also by Richard Bejtlich (who authored the Tao book). His website Tao Security explains that "Extrusion Detection" is a follow-up sequel to the Tao book. It should be a nice follow-up read.
Call me a noob but I have tried getting through one of the hackers challenge books and they are very difficult. Awesome read, but will really pick apart your brain.
SE Notebook
There's no need to call names
It all comes with experience. You'll probably look back a year from now and laugh at what you got hung up on.
I do pretty well, but I certainly don't get every little thing. Honestly, I'd rather struggle and learn a ton than just breeze through them.
Haha well thanks for the vote of confidence, hopefully it will be true by next year.
@Paul Boz: This book is also a pretty good read on the same topic as the other two.
Amazon.com: Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks
SE Notebook
That came in yesterday. Thanks Amazon Prime!
I'm self-admittedly weak on Linux so I'm starting to use CentOS 5 more and more. Just about all of the security work I'm doing now is in Linux and I'm going through the introductory RHCE material. The GSE is big on Linux so I need to be.
Sounds like you are making good progress. Good job. So is an LPI/RH cert in your future?
No, I just prefer to use a structured learning environment and redhat is fun to learn. Perhaps if I achieve the GSE I will look into the SANS Linux certification.
I cannot believe I completely forgot about this: Linux Professional Institute (LPI) exam prep : Overview I'll definitely be getting the new O'Reilly book in a couple of months too: http://oreilly.com/catalog/9780596005283
Also, here's another book that arrived on my desk today: Amazon.com: The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols…
I have a feeling that's going to be one I make use of for quite awhile.
GCUX?
I really want that certification. The low number of takers (and even fewer golds) really draw me to that one. The GCFW looks pretty cool as well. If I ever get some money I would like to do GSEC GCFW and GCUX. Possibly a few others if I had the time/money/will.
Hells yea on the new O'Reilly book. As soon as it comes out, I will pick it up.
Well you should be shot for saying that
I do like Red Hat, although going through the RHCE study material at the moment is not fun in the slightest. Their exam is awesome with the hands-on approach, but all the study guides are huge and all over the place because of all the topics they entail.
@dynamik - I have that LPI book and although good, it is dated. If you just are using it for learning then you are right it's a great resource, however from an exam perspective there are better resources out there.
SE Notebook
New version is coming out in June. Although, it looks to be about half the size and only cover the first two exams
The best LPIC-2 (both exams) reference, that is actually updated, that I have found is:
The LPIC-2 Exam Prep
It covers like 85% of the material on the exam, and the rest you should be able to look up or figure out at that level.
SE Notebook