SANS challengers group

Bl8ckr0uter

Besides myself, there is at least two other people here who want to challenge a SANS cert in the coming months. I want to know if anyone is interesting in starting a group for those challenging certain certs. My main focuses would be GCIA and GCFW but GWAPT and GPEN also look very tempting. I basically think it would be a cool area for people to keep track of their study materials and suggest study material, like which books they are mapping to what objectives and etc. Possibly even swap notes (not ****, notes they created for the test) and suggest websites and etc. Just a thought. What do you guys think?

Bl8ckr0uter

Here is what I have so far:

Amazon.com: The Tao of Network Security Monitoring: Beyond Intrusion Detection (9780321246776): Richard Bejtlich: Books


Amazon.com: Extrusion Detection: Security Monitoring for Internal Intrusions (9780321349965): Richard Bejtlich: Books

Amazon.com: Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks (9780596518165): Chris Fry, Martin Nystrom: Books

Amazon.com: Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide (978189393999: Laura Chappell, Gerald Combs: Books

Amazon.com: The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference (0689145704709): Charles M. Kozierok: Books

Download details: TCP/IP Fundamentals for Microsoft Windows

Amazon.com: IPv6 Essentials (9780596100582): Silvia Hagen: Books

Snort :: Docs
Manpage of TCPDUMP

The material for the SCNS also looked promising but it would seem that a person here said that it was crap. There are also a bunch of old books on snort out there but I think that it would be better to just read the user guides and such. Realistically I think 300-400 hours of labbing and reading would be required to challenge one of these certs. I was thinking of labbing up at least 3-4 snort/ids boxes and searching the internet for interesting pcaps.

I am going to try to see if the people from SNORT will let me review some of their training materials for the snortcp.

ibcritn

Awesome! I am in and I will contribute information soon.

GIAC GPEN is my goal, but I am also interested in GCFW

Bl8ckr0uter

ibcritn wrote: »

Awesome! I am in and I will contribute information soon.

GIAC GPEN is my goal, but I am also interested in GCFW

Awesome! I am glad to see someone is on board. Hopefully we can get a few more people and this group can really take off.

docrice

I might be game for the GCIA. It seems to be a very "core" GIAC cert. If my employer won't be willing to support me for the 503 course, I'll have to consider challenging it since doing it out-of-pocket might not be feasible. I think swapping study notes would be great for cross-reinforcement. Since the GCIA is a bit more narrowly-focused than other GIAC certs (like say the GCFW), it's probably more feasible to challenge it.

Bl8ckr0uter

docrice wrote: »

I might be game for the GCIA. It seems to be a very "core" GIAC cert. If my employer won't be willing to support me for the 503 course, I'll have to consider challenging it since doing it out-of-pocket might not be feasible. I think swapping study notes would be great for cross-reinforcement. Since the GCIA is a bit more narrowly-focused than other GIAC certs (like say the GCFW), it's probably more feasible to challenge it.

Awesome. How much IDS/IPS experience do you have?

I do see what you mean about the narrow focus. Some of the certs seem pretty all inclusive (like GCED). The WCNA should help you towards that goal (that's one of the reasons why I'm going for it).

docrice

Oddly enough, I have almost no real experience with intrusion detection even though I've worked with firewalls and VPNs for years. Part of the challenge for me regarding the GCIA is to learn my header offsets and hex so it's second nature. I have a practice test for it in my SANS portal queue that I'm going try my hand on to see how badly I'm able to fail it right now.

The GAWN is also a big consideration for me. I took a practice test for it a few weeks ago and got a little under 70% so I know where some of my weak spots are. I might challenge that one as well. If anyone's also interested in the GAWN, it'd be great to share notes.

Bl8ckr0uter

docrice wrote: »

Oddly enough, I have almost no real experience with intrusion detection even though I've worked with firewalls and VPNs for years. Part of the challenge for me regarding the GCIA is to learn my header offsets and hex so it's second nature. I have a practice test for it in my SANS portal queue that I'm going try my hand on to see how badly I'm able to fail it right now.

The GAWN is also a big consideration for me. I took a practice test for it a few weeks ago and got a little under 70% so I know where some of my weak spots are. I might challenge that one as well. If anyone's also interested in the GAWN, it'd be great to share notes.

Why would you go after GCFW if you have so much experience with firewalls?

GAWN looks pretty hardcore

docrice

I may have some experience with firewalls and VPNs, but that doesn't make me well-versed with the tricks involved in attacking them. I've gone through most of the OnDemand GCFW course so far, and I have to admit it's not as heavy as I expected it to be. It did, however, provide me a lot of additional insight on some areas. That by itself makes it valuable and there are some things I will immediately apply in my work environment after the holidays. In the end, the GCFW would be nice to at least validate my existing knowledge.

The GAWN (based on my practice exam) isn't so bad if you have existing wireless experience. For example, if you know 802.1X pretty well, that should help greatly.

Bl8ckr0uter

Interesting. I hope you do go for the GCIA. It would be great to have a different perspective on the objectives.

Chris:/*

I will be doing the G7799 and hopefully solidify my subject for my GSEC Gold paper.

Bl8ckr0uter

Chris:/* wrote: »

I will be doing the G7799 and hopefully solidify my subject for my GSEC Gold paper.

The g7799 looks like CISSP. You should do very well. I also look forward to seeing your GSEC gold paper.

Chris:/*

Bl8ckr0uter wrote: »

The g7799 looks like CISSP. You should do very well. I also look forward to seeing your GSEC gold paper.

Thanks, yeah G7799 covers the same information just from an auditing perspective. I am currently researching "Production Honeypots and Honeynets" for my GSEC Gold Paper. Thanks for the support.

Bl8ckr0uter

Chris:/* wrote: »

Thanks, yeah G7799 covers the same information just from an auditing perspective. I am currently researching "Production Honeypots and Honeynets" for my GSEC Gold Paper. Thanks for the support.

Honeypots and Honeynets oohh sexy

I have always been curious about who actually deploys honeypots on production networks. Probably only the big, big boys and the government.

Chris:/*

A lot of ISPs do as well as you pointed out the big boys. Only the big boys can afford the lawyers that are the added expense when dealing with them.

Bl8ckr0uter

Chris:/* wrote: »

A lot of ISPs do as well as you pointed out the big boys. Only the big boys can afford the lawyers that are the added expense when dealing with them.

Now I am really curious....

Why would you require extra lawyers for a honeynet? I mean to me it seems like a proactive measure for making learning about and (eventually) defending yourself against attacks. Maybe I am missing something. Guess I'll have to wait for the paper lol. Has your thesis been approved yet?

Chris:/*

No my thesis has not been approved yet I am doing the pre-research into the domain so I can speed up the actual research for the specific topic.

Honeypots can be configured to be intelligence gathering, IDS/IPS or even aggressive. In addition they can be considered a form of entrapment if not configured properly. There are a large number of very dynamic problems to consider before an organization ever implements one. This is why many groups just avoid them because they could even create an avenue for hackers to launch attacks from or a major legal hassle.

L0gicB0mb508

I'll throw my hat in the ring. I hope to challenge GPEN sometime in the near future.

Bl8ckr0uter

L0gicB0mb508 wrote: »

I'll throw my hat in the ring. I hope to challenge GPEN sometime in the near future.

Awesome lol. I wondered when you where going to show up.

L0gicB0mb508

Bl8ckr0uter wrote: »

Awesome lol. I wondered when you where going to show up.

lol don't I always?

Bl8ckr0uter

L0gicB0mb508 wrote: »

lol don't I always?

Yes unfortunately.


Do you have a target date in mind? Also do you know what material you are going to use? The OSCP class should have given you a head start.

L0gicB0mb508

Bl8ckr0uter wrote: »

Yes unfortunately.


Do you have a target date in mind? Also do you know what material you are going to use? The OSCP class should have given you a head start.

I don't have a target date in mind at this moment. I'm kind of playing it by ear. I may actually put in my training form today since I'm just sitting around. I will use the SANS self study material. I don't think I'm going to do OnDemand just due to cost. I have some other stuff I want to do with my training budget as well.

Bl8ckr0uter

L0gicB0mb508 wrote: »

I don't have a target date in mind at this moment. I'm kind of playing it by ear. I may actually put in my training form today since I'm just sitting around. I will use the SANS self study material. I don't think I'm going to do OnDemand just due to cost. I have some other stuff I want to do with my training budget as well.

Isn't the self study stuff like 3k?

L0gicB0mb508

Bl8ckr0uter wrote: »

Isn't the self study stuff like 3k?

Yeah after running the numbers I may as well do OnDemand. It's only like $400 more. I should still have enough left over to do my CISSP and maybe CEH.

ipchain

Good luck guys. A friend of mine is also doing the GPEN, in fact his exam is next month. I've asked him how does it like it and he is loving it so far.

GPEN is something I would definitely look at in the near future.

Bl8ckr0uter

L0gicB0mb508 wrote: »

Yeah after running the numbers I may as well do OnDemand. It's only like $400 more. I should still have enough left over to do my CISSP and maybe CEH.

I keep forgetting you are a baller, there is no way I am paying 3k for a class right now

I might justify taking the oscp and elearn courses but even the oscp is pretty high.

L0gicB0mb508

Bl8ckr0uter wrote: »

I keep forgetting you are a baller, there is no way I am paying 3k for a class right now

I might justify taking the oscp and elearn courses but even the oscp is pretty high.

I'm not baller. I would never pay that much money for a course. My company will throw down the cash for it, that's the difference. I paid for the OSCP course out of my pocket and that was a bit steep for my personal budget lol.

Bl8ckr0uter

L0gicB0mb508 wrote: »

I'm not baller. I would never pay that much money for a course. My company will throw down the cash for it, that's the difference. I paid for the OSCP course out of my pocket and that was a bit steep for my personal budget lol.

Oh. Well I just need an employer who would do that lol

ibcritn

L0gicB0mb508 wrote: »

I'm not baller. I would never pay that much money for a course. My company will throw down the cash for it, that's the difference. I paid for the OSCP course out of my pocket and that was a bit steep for my personal budget lol.

How much is the OnDemand? I was unsure if I was going to push for it as I have a 6k limit and I have already eaten up about 2.5k between CEH/CISSP.

I have the GPEN class from 2009, but not sure if I should grab the more updated Ondemand stuff.... sadly, it will be out of my pocket as my 1 graduate level class is eating up 4k

docrice

The cost of the SelfStudy courses and OnDemand bundles are here:

https://www.sans.org/registration/register.php?conferenceid=208

Bl8ckr0uter

Does anyone know exactly what the online bundles and assessment gives you (for 399)?