Ics515 (grid)

Hey all,

I recently enrolled in ICS515 on demand. I had been searching for a review of the course online and there is literally nothing. Also nothing on the GRID exam (probably because only 81 people have passed it according to GIAC). I know I can't be the only one interested in the course given that there is so much emphasis on Industrial Cybersecurity and Critical Infrastructure Protection so I decided to start this thread and will update it periodically as I progress thru the class.

I received access to the course lectures and audio files almost immediately after enrolling. For those who haven't taken a SANS course online, the course material is presented as a series of slides with occasional videos of how to do the labs thrown in. They don't video an actual class and put it up for you to watch (although maybe that is how vLive works). The course booklets are printed on screen but no page numbers and you can't cut and paste. The audio lectures are audio from an actual class. There are slight differences between the two so sometimes you get a little more coverage of an area.

Besides the online material you also get physical copies of the course books and a usb key with any virtual machines or lab material you may need. In this course you also get a CybatiWorks plc training kit. The instructor for the OnDemand course is Robert M. Lee, president of Dragos, so the material is being presented by a real subject matter expert. He is also the presenter on the audio.

So far I a about 4 modules into day 1 and the material is good. I am about to start my first lab. This seems like it might be a repeat of a lab I did at DefCon but that's OK I am not a Controls Engineer so all the practice I can get helps. I have a pretty good familiarity with ICS/SCADA systems but they are one of those things where you never know enough because there are so many variations.

Find more posts tagged with

Comments

636-555-3226

Thanks for the post! I'm actually thinking of taking this next year, and there's zero info out there outside of SANS/GIAC (the GIAC cert is new, so that's why there aren't many people with it). I'm well-versed with the SANS approach, but I greatly appreciate any feedback regarding the actual course contents!!!!!

cshkuru

I am slowly grinding away at this. The class is interesting but not as fast paced as ICS410, also I have to keep stopping because I am trying to bust out time at work and that is hard somedays.

spiderjericho

cshkuru wrote: »

I am slowly grinding away at this. The class is interesting but not as fast paced as ICS410, also I have to keep stopping because I am trying to bust out time at work and that is hard somedays.

Any updates? Wanted to know the quality of the material and if you took the exam?

cshkuru

Update - I finished the course. I am currently indexing and reviewing. My exam is scheduled for mid Feb, which was the first Saturday I could get at the testing center.

I have to say that this course was not exactly what I expected, but it was a good course. It is very much a threat intelligence course with an ICS focus rather than an ICS course with a threat intelligence focus, if that distinction makes sense. The emphasis is on the threat intelligence and monitoring not on the ICS systems themselves. I am not complaining mind you it was just a little different that what I was expecting going in.

aw_rana

Hey,

I attended ICS515 back in November and still have to write my exam before last week of March.

I am very much in agreement that this course is more focused an IT threat and forensic management with ICS slant. I actually gave this feedback at the end of our course. Still, it was very valuable information taught in the course.

How are you preparing for the exam? Please do share your exam experience, once completed. I am planning to write mine by Mid March.

cshkuru

Update - I had to reschedule my exam. I just was not ready so I pushed it back to the end of the month. I am thinking about buying another practice exam. we'll see next week.

cshkuru

Just took the eaxm- I really did not feel ready for it but this was the last day I could schedule before my 4 months was up (I actually have until the 3rd but couldn't find a workable slot). I passed, but I don't know how I just felt completely unprepared as I was taking the exam. Here is what I can tell you without breaking NDA - know the phases of the Intelligence Life Cycle by heart. Also know how to read and write YARA rules and the phases of the Active Cyber Defense Cycle. It was a tough test, far tougher, in my opinion, than the CISSP, even taking into account the difference in time and number of questions, or the GICSP which is the other GIAC cert i have.

clubyte

cshkuru wrote: »

Just took the eaxm- I really did not feel ready for it but this was the last day I could schedule before my 4 months was up (I actually have until the 3rd but couldn't find a workable slot). I passed, but I don't know how I just felt completely unprepared as I was taking the exam. Here is what I can tell you without breaking NDA - know the phases of the Intelligence Life Cycle by heart. Also know how to read and write YARA rules and the phases of the Active Cyber Defense Cycle. It was a tough test, far tougher, in my opinion, than the CISSP, even taking into account the difference in time and number of questions, or the GICSP which is the other GIAC cert i have.

Thanks for the update. I just finished this class last week and am currently preparing for the cert. Did you create and index or anything, or did you just study the books/labs?

cshkuru

I did the course materials and labs, then read the books again as I indexed. I probably should have done the labs again. My index was done in the following format. I also listened to the audio repeatedly as I drove to and from work, probably 4 complete times thru.

Subj: Book: Page: Tool: Protocol: Comments:

After I indexed I sorted on the tools and protocols and gave them each their own section. In the comments I either put in a short description or common command formats. I also put in the index, a copy of the purdue model, a copy of the diamond model, a copy of the acdc cycle and a short write up of various ics protocols and common function codes etc. All told my bound index was about 28 pages (14 front and back).

jachockey012

cshkuru said:

I did the course materials and labs, then read the books again as I indexed. I probably should have done the labs again. My index was done in the following format. I also listened to the audio repeatedly as I drove to and from work, probably 4 complete times thru.

Subj: Book: Page: Tool: Protocol: Comments:

After I indexed I sorted on the tools and protocols and gave them each their own section. In the comments I either put in a short description or common command formats. I also put in the index, a copy of the purdue model, a copy of the diamond model, a copy of the acdc cycle and a short write up of various ics protocols and common function codes etc. All told my bound index was about 28 pages (14 front and back).

Would you be breaking NDA if you shared your index? I am not trying to use it on the test I am building mine right now and would like to opportunity to see a different style because what you described is not how I am doing it.

I understand that a major portion of sans courses is the ability to index, so if you dont want to share publicly thats fine.

cshkuru

jachockey012 said:

Would you be breaking NDA if you shared your index? I am not trying to use it on the test I am building mine right now and would like to opportunity to see a different style because what you described is not how I am doing it.

I understand that a major portion of sans courses is the ability to index, so if you dont want to share publicly thats fine.

I am not against sharing indexes, but unfortunately I don't have mine any more. I don't generally keep the index after the exam is over.

Ptey07

A bit of a long shot, and i know many are against but im currently studying the grid now, is there anyone willing to share an index so i could add to mine, i know its the part of sans however i always struggle with it and did so with my last sans