GCIH passed...

After a slight false start concerning a registration mix-up at the test center, I got through the GCIH exam in two hours and a quarter and passed with a 96, which apparently is a lucky number or something because that's what I got on my last two GIAC exams. In any case, the questions were mostly straight-forward, but unlike my previous GCFW and GCIA exams, I had to reference printed materials much more frequently. I believe this is due to the sheer number of tools (bots, rootkits, etc.) which are covered in SEC504.

http://www.youtube.com/watch?v=erK0d8ZkZrk

This is my fourth SANS course / GIAC exam within a year (along with all the other certification studies), and quite frankly I'm burning out. A little rest period might be in order, especially with other things going on in life. SANS SEC504 is definitely a fun course and a solid introduction to the different phases of hacking attacks, their respective tools, and methods to prepare / identify them, all taught from the perspective of the corporate incident handler who must assess the situation and contain / eradicate appropriately. It's actually taught in a balanced manner from both the attacker's and defender's point-of-view.

Given the broad coverage range of the material, one should not expect to see a deep-dive into each of these tools. Some are given more attention than others. The instructor (Ed Skoudis) brings a lot of stories from the trenches to keep the topics in applicable context. You can tell he's been doing this kind of work for a long time.

On the final day of the course, there's a workshop to use the techniques you've learned over the previous days to break into box(es) and capture the flag(s). If you're doing this via OnDemand, you get an OpenVPN config to log into a remote lab and do the exercises.

I felt the GCIH exam was overall easier than the GCIA, but for me maybe a little tougher than the GCFW simply because I'm not as familiar with all these tools. Although concepts like alternate data streams, password cracking, and steganography aren't new to me, there was a particular area which I didn't comprehend easily due to the lack of a programming background: format string attacks. I think I'm still kind of hazy on this and I need to review it again.

When I first signed up for the course, I was thinking it would be more incident-handling focused. While the course arches over that process in course framework, the formal incident response process is mainly focused on in the first day. The rest of the week is dedicated towards the attack phases and the tools / methods / mindset (and how to defend against them).

I don't do incident response at work, but after taking this course I'm realizing that maybe I might enjoy this kind of work in the future. Like infosec in general, you need to be able to pull in skills from a lot of disciplines to accomplish the handling procedure appropriately. I feel I still have a long way to go in my career to up my skills in some key areas.

Summary: a solid introduction to understanding the general approach when dealing with security fires at work. I think the big takeaway is that you need to ensure you have the necessary policies, procedures, contacts, and management buy-in before you even get to the part where you can look for signs of issues on the network. Everything flows from there, and if it's the right kind of incident, you as a handler might end up in court testifying to help prove the case.

Find more posts tagged with

Comments

rogue2shadow

Congrats man! Good review. When do you think you'll be taking the GSE :P

Dakinggamer87

Congrats on pass!!

Bl8ckr0uter

Wow. Good job! You are really killing SANS certs

SephStorm

Very nice! It sounds like you went to one of the conferences is that correct?

jmu200

Dude, you are a machine! Congrats on passing!

Sound like you may have built up enough points with SANS for a free exam/training... What's next for you?

JDMurray

Congratulations on passing the GCIH exam and thanks for the excellent review!

ipchain

Congrats on the pass docrice, 96 does seem to be a lucky number for you! Thanks for the excellent review as well, I am sure it will be useful to those who would like to pursue this certification.

Like you, I ended up referencing quite a bit of printed material, but it was mostly laws. You are correct though, the sheer volume of tools we are exposed to in 504 is breathtaking. So, now for the million dollar question - What is next for you?

Are you going to take a break or go for your 5th SANS certification?

cybrwarrior

Congratulations!

docrice

rogue2shadow wrote: »

When do you think you'll be taking the GSE

Realistically, maybe two years or further down the line, but who knows. The GSE would be a monster to prepare for.

SephStorm wrote: »

It sounds like you went to one of the conferences is that correct?

I've taken all my SANS courses via OnDemand. While going to one of their conferences sounds really exciting and packed with all kinds of additional experiences, it also adds the travel expense as well as the need to take time off from work. Plus, I don't want to wait for a conference to happen. Better to just go through the course from the comfort of home whenever time permits. I miss out on the interaction with other students / instructors, however.

jmu200 wrote: »

Sound like you may have built up enough points with SANS for a free exam/training... What's next for you?

I need to take a 2-day short course and then ...

ipchain wrote: »

So, now for the million dollar question - What is next for you?

Are you going to take a break or go for your 5th SANS certification?

... I'd have enough points to do either the SEC617 for the GAWN or SEC542 for the GWAPT. That said though, I feel a bit burned out at the moment, so I might have to take some time off from cert studying. I've gone through 12 exams in the last year and a half, and that's a lot of material to naturally absorb, and the dust inside my head still hasn't settled yet.

ipchain

docrice wrote: »

... I'd have enough points to do either the SEC617 for the GAWN or SEC542 for the GWAPT. That said though, I feel a bit burned out at the moment, so I might have to take some time off from cert studying. I've gone through 12 exams in the last year and a half, and that's a lot of material to naturally absorb, and the dust inside my head still hasn't settled yet.

I hear you, 12 exams in 18 months ? That's crazy. It's indeed a lot of material to absorb, especially in only 18 months. Either way, good luck on future certification attempts.

docrice

I almost forgot about this... I have an unused GCIH practice exam (expires 10/18/11) that I can give away. Like my other thread (http://www.techexams.net/forums/security-certifications/65080-gcia-passed.html), perhaps a quiz related to the type of material covered by the GCIH might be a good way to run this.

For all the other GCIH holders here, I'm open to suggestions. It'd be a waste to randomly give it away as that in itself wouldn't benefit the forum. Inbox me or just reply to the thread with ideas.

ipchain

docrice wrote: »

I almost forgot about this... I have an unused GCIH practice exam (expires 10/18/11) that I can give away. Like my other thread (http://www.techexams.net/forums/security-certifications/65080-gcia-passed.html), perhaps a quiz related to the type of material covered by the GCIH might be a good way to run this.

For all the other GCIH holders here, I'm open to suggestions. It'd be a waste to randomly give it away as that in itself wouldn't benefit the forum. Inbox me or just reply to the thread with ideas.

Interesting...we may have to do some brainstorming here. Now that I think about it, I believe I have a GCFW practice exam I can give away.

/me puts on thinking cap.

Psyco32

Does your company pay for the training or are you doing an out of pocket?

docrice

In my case, I do most of my training out-of-pocket. It gets expensive for sure, but I can compensate by removing luxuries from my life such as ... movies, cable, food, and water.

Paul Boz

Well done again, buddy.

docrice

I'd like to give away my remaining GCIH practice exam via public quiz which reflects the SEC504 material. Unlike the GCIA quiz I did in the other thread, this time I propose a different approach. Hopefully this will benefit the forum in seeing how different people tackle the same problem. It's just an idea that I hope works out.

This is an open-ended question and interested candidates will submit a written process (by inboxing me) of how they will evaluate and investigate the scenario below. There is no "correct" answer. What I'm looking for is the reasoning behind your decisions and the resulting action within the incident handling process. Therefore, this won't be a "multiple choice" or "figure out the one right solution" type of quiz.

ACME Corporation runs a typical e-commerce business with a farm of web servers behind a load balancer for their home site. They are all located in the DMZ facing the Internet. The database servers which they talk to are located in another segment protected by the firewall.

Today your Operations team reports to you that they've noticed the website seems defaced and the daily reports of database access errors for the last couple of days indicate some unusual signs.

In addition, your IDS reports unusual outbound activity over port 80 from within your internal network where all the user workstations are located. Alert logs indicate this peculiar traffic is originating from three specific hosts.

Describe your steps and decision logic in handling these incident(s).

You get to tell a story and take creative liberties to some extent, but everything must be grounded in reality. No parallel universes or inversions of the space-time continuum.

After submissions are received (maybe a week or two after we start this), I'll post all entries up without the author reference to keep it anonymous (unless you want me to include it). Then we as a forum can collectively review the answers, sort of. I guess I'll reserve the final judgement. Grammar counts as the reporting phase of an incident requires proper presentation for the key stakeholders.

Chris:/*

Congrats on all your accomplishments.

stardotstar

I just finished the GSEC and am prepping for the GCIH now. Congrats on getting so many certs done.

I'm confused by this whole quiz thing... why not just give the practice exam to the first person who asks nicely and has a valid GIAC portal account?

docrice

I've given away GIAC practice exams in the past, but it's a little more fun to stir the pot, so to speak, and make it so folks can see what the material is really about. As someone who didn't have much exposure to SANS and GIAC some years ago, I had no way of gauging what the expectations would be like aside from what's described on the SANS website. In the end, it's about providing additional insight into the particular SANS experience.

docrice

I've totally forgotten about this, and since no one has submitted a quiz attempt, I'm just going to give it away. First one to PM me gets it (be sure to have a SANS portal account to transfer to). If I don't hear from anyone within a few days, I'll give it away on another forum.

docrice

...and it's gone. Those with eBay sniper skills gets the worm.

idr0p

Damn, i already passed my GCIH last month ^_^ i totally woulda had this though lol

docrice

Congratulations on your GCIH and GCIA. Two very distinguished accomplishments indeed.

idr0p

Thanks!,

I am currently studying for my GPEN and then going into GWAPT, CISA then OSCP. Long road to venture.

qdog007

Congrats on passing the GCIH. And thanks for the detailed review. I'll be taking this test later on this year.