Which GIAC certification?

MSP-IT Member Posts: 752 ■■■□□□□□□□
I know I'd like to attempt a GIAC exam sometime this year, but I keep hopping around between which one I'd like to scoop up. At first, I was thinking I'd just go with a GSEC, but I really don't know if a foundations security cert would be of any value, as I have already passed the SSCP, Security+, and CCNA: Sec.

I really would like to find a more medium-level cert that can get me in the direction of red team or blue team. I was thinking that either the GPEN or GCED could be interesting, but it seems that neither have much weight in job postings. GCIA or GCIH could also be beneficial, but I don't know if either of those would be the right choice. I'd really like to start looking to relocate for a fed position starting in Spring 2015 following graduation and a CISSP associate status.

From any of you that have taken these exams, which would you recommend? I'm thinking either GCIA or GCIH for the popularity alone.

Comments

  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Well, which is it for you? Red team or blue team?
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    Lots of choices here, and it'll depend on what interests you and your immediate career goals. I've gone through SANS training and GIAC examinations quite a few times at this point but I'm still dazzled by the number of other courses I could tackle. So much to learn, so little time...
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • MSP-IT Member Posts: 752 ■■■□□□□□□□
    YFZblu wrote: »
    Well, which is it for you? Red team or blue team?

    I think red team is really where I'd like to be, but my skill set would be easier to sell on a blue team, as currently my primary focus is security development.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    The GCIH is actually a good balance when it comes to understanding attacks and the associated defensive countermeasures. It's also a classic, well-known GIAC certification (at least when it comes to infosec certs) so this might be an ideal choice for you. I don't know anyone who took SEC504 and came away disappointed.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • MSP-IT Member Posts: 752 ■■■□□□□□□□
    How would you compare this to the GCIA?

    Also, it's probably important to note that I won't be able to attend any official training. Any test I take will have to be prepared for using self-study methods.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    Instead of talking in GIAC certification terms, I'll use SANS course references. In this case, 503 covers materials related to the GCIA cert while 504 covers GCIH.

    These two are very different with 503 concentrating on packet dissection, protocol behavior awareness, pattern detection, evasion/insertion tricks, and tactics and other logistics related to intrusion detection and finding anomalies. 504 covers the process of incident preparation, methods of identification, containment, eradication, going through recovery steps, and doing a lessons-learned post-mortem. On top of that, it spends a good majority of time looking at the other side of the equation by examining the attack vectors and how it relates to the blue-team incident handling process.

    Are you merely looking to add the certifications to your resume? I think most employers will value the credentials more if you've obtained the training behind it (or at least have proficient hands-on experience in the subjects). SANS course materials tend to be solid, structured packages in themselves and while the knowledge isn't proprietary, it's difficult to find non-SANS material that covers the same thing in one or two books.

    There's a sticky at the top of the forum that lists some recommended non-SANS reading resources that you can check out which will cover a good amount of the same topics, but it'll be spread out over many books. There are some GIAC certs which can probably be obtained by reading a somewhat-equivalent book (like Hacking Exposed: Wireless Second Edition is good for GAWN). Others might not be as straightforward.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • MSP-IT Member Posts: 752 ■■■□□□□□□□
    I am looking for some resume padding, yes.

    Although I do have some valuable security experience, it's not much that could contribute to my next role. I believe I have a very good foundation on which to build, but lack the specialized knowledge required for red team or blue team work. This is why I thought that self-study that aligns with either of these (GCIA, GCIH) courses would be a good direction to head.

    Having reviewed the non-SANS reading material, I think I may head towards the GCIA. Not having direct course-taught experience, it'll probably require more of a firm grasp on the subject matter, but that's something I'm willing to commit to.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    In some ways, I think the GCIA may be more doable for you since the subject matter is relatively narrow. You'll need to start with TCP/IP behavior, understanding headers and the fields within them, reading hex values with the layer 3 and 4 headers (and converting to decimal and vice versa), look for patterns, etc. You should also have some lab-time with Snort. Dissect some PCAPs and see what you can find:

    http://pen-testing.sans.org/holiday-challenge/2013

    Depending on your networking background, there may be a bit of a learning curve. I'm not sure if I would've tackled some of this on my own without the SANS course, but certainly not an impossible thing for you to do.

    Follow the syllabus and you should have a good idea. I think the course got updated recently so I don't know what's new.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
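The hand-dissection docrice describes above (walking the layer 3 and 4 header fields by byte offset, turning hex into decimal, and checking what the bits mean) and the 503-style packet dissection mentioned earlier in the thread, as an added worked example. This is not code from the thread, from SANS, or from any GIAC material; the packet bytes are constructed for the example, the field names are the standard RFC 791 / RFC 793 ones, and the TCP checksum is reported but not verified (that needs the pseudo-header, which is left out here).

```python
"""Dissect the IPv4 and TCP headers of a packet given as a hex dump.

Added example, not from the thread: reads the layer-3 and layer-4 header
fields by byte offset, the way an analyst reads a hex dump by hand.
"""
import struct

# Constructed sample packet (not a real capture): a 20-byte IPv4 header
# followed by a 20-byte TCP SYN to port 80, no payload.
SAMPLE_HEX = (
    "45000028"          # version 4 / IHL 5, TOS 0, total length 40
    "1c464000"          # identification 0x1c46, flags DF, fragment offset 0
    "40069c71"          # TTL 64, protocol 6 (TCP), header checksum
    "c0a80001"          # source 192.168.0.1
    "c0a800c7"          # destination 192.168.0.199
    "c7d30050"          # TCP source port 51155, destination port 80
    "a1b2c3d4"          # sequence number
    "00000000"          # acknowledgement number (none: SYN only)
    "5002ffff"          # data offset 5 (20 bytes), flags SYN, window 65535
    "00000000"          # TCP checksum (zeroed in this sample), urgent pointer
)

# Bit positions of the TCP flags, low bit first (FIN is bit 0).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as RFC 791 specifies.
    The caller zeroes the checksum field before passing the header in."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                     # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data: bytes) -> dict:
    """Return the IPv4 header fields; raise ValueError on a malformed header."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(data) or total_len > len(data):
        raise ValueError("not a well-formed IPv4 header")
    zeroed = data[:10] + b"\x00\x00" + data[12:ihl]   # checksum field at bytes 10-11
    return {
        "version": version,
        "header_len": ihl,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": ".".join(str(b) for b in data[12:16]),
        "dst": ".".join(str(b) for b in data[16:20]),
    }


def parse_tcp(data: bytes) -> dict:
    """Return the TCP header fields. The checksum is reported only: verifying
    it needs the IP pseudo-header, which this example leaves out."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x01FF
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "flags": flags,
        "window": window,
        "checksum": csum,
        "urgent": urg,
    }


def dissect(hex_dump: str) -> dict:
    """Parse a hex dump (spaces allowed) into IP and, for protocol 6, TCP fields."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    ip = parse_ipv4(raw)
    result = {"ip": ip}
    if ip["protocol"] == 6:
        result["tcp"] = parse_tcp(raw[ip["header_len"]:ip["total_len"]])
    return result


if __name__ == "__main__":
    for layer, fields in dissect(SAMPLE_HEX).items():
        print(layer.upper())
        for name, value in fields.items():
            print(f"  {name:14} {value}")
```

Running the block prints each field in decimal next to its name, so the hex-to-decimal step the post mentions (TTL 0x40 is 64, window 0xffff is 65535, port 0xc7d3 is 51155) can be checked against the raw bytes above. Swapping in bytes from your own PCAPs, or hand-edited ones with the DF bit cleared or a bad checksum, is the kind of pattern-spotting exercise the GCIA material is built around.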
  • MSP-IT Member Posts: 752 ■■■□□□□□□□
    Most of my networking experience falls within the bounds of what I learned during my CCNA training. From what I see of the material, the subject matter doesn't look too challenging. It also falls within my interests which will help to keep me motivated. I'll look into the material further.

    This is also open book as well, right? How many books/notes did you take with you to the exam?
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    http://www.giac.org/exams/preparation

    GIAC certification exams are open book format, but not open internet or open computer. Candidates are allowed to bring an armful of hardcopy books and notes into the testing room, leaving all other personal belongings such as wallets, purses, hats (and other head coverings), bags and coats outside of the testing room. Weapons are not allowed on testing center premises. Please leave weapons (guns, knives, etc.) at home or stored securely in your vehicle. An erasable noteboard and pen will be provided for you. Workstation space may be as limited as 4 feet (1.2 meters) wide, so please plan accordingly.

    Electronic devices (laptops, PDAs, thumb drives, software applications, phones, calculators, cameras, etc.) are strictly forbidden. You will be provided with an onscreen calculator, should you need one during the test. Candidates are not able to access anything stored electronically during the exam (.pdf or Word documents, Internet websites, etc.). The testing process only allows one connection out to the GIAC Exam Engine. It will not allow connections to private web pages, so any material posted to private web pages is not accessible during GIAC exams. We recommend that you print any study guide materials and bring them as hard, paper copies.

    I would not consider the CCNA an adequate prep for the GCIA at all. The CCNA course materials I've reviewed hardly get into the subject of TCP/IP at any real depth. I recommend the Wireshark Network Analysis and Nmap books as much better reference sources to study from.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • MSP-IT Member Posts: 752 ■■■□□□□□□□
    Thanks for your help so far. I think this is a good enough starting point. I really wish I could convince my employee to pocket the training...