GCIH passed...

docricedocrice Member Posts: 1,706 ■■■■■■■■■■
After a slight false start concerning a registration mix-up at the test center, I got through the GCIH exam in two hours and a quarter and passed with a 96, which apparently is a lucky number or something because that's what I got on my last two GIAC exams. In any case, the questions were mostly straight-forward, but unlike my previous GCFW and GCIA exams, I had to reference printed materials much more frequently. I believe this is due to the sheer number of tools (bots, rootkits, etc.) which are covered in SEC504.

http://www.youtube.com/watch?v=erK0d8ZkZrk

This is my fourth SANS course / GIAC exam within a year (along with all the other certification studies), and quite frankly I'm burning out. A little rest period might be in order, especially with other things going on in life. SANS SEC504 is definitely a fun course and a solid introduction to the different phases of hacking attacks, their respective tools, and methods to prepare / identify them, all taught from the perspective of the corporate incident handler who must assess the situation and contain / eradicate appropriately. It's actually taught in a balanced manner from both the attacker's and defender's point-of-view.

Given the broad coverage range of the material, one should not expect to see a deep-dive into each of these tools. Some are given more attention than others. The instructor (Ed Skoudis) brings a lot of stories from the trenches to keep the topics in applicable context. You can tell he's been doing this kind of work for a long time.

On the final day of the course, there's a workshop to use the techniques you've learned over the previous days to break into box(es) and capture the flag(s). If you're doing this via OnDemand, you get an OpenVPN config to log into a remote lab and do the exercises.

I felt the GCIH exam was overall easier than the GCIA, but for me maybe a little tougher than the GCFW simply because I'm not as familiar with all these tools. Although concepts like alternate data streams, password cracking, and steganography aren't new to me, there was a particular area which I didn't comprehend easily due to the lack of a programming background: format string attacks. I think I'm still kind of hazy on this and I need to review it again.

When I first signed up for the course, I was thinking it would be more incident-handling focused. While the course arches over that process in course framework, the formal incident response process is mainly focused on in the first day. The rest of the week is dedicated towards the attack phases and the tools / methods / mindset (and how to defend against them).

I don't do incident response at work, but after taking this course I'm realizing that maybe I might enjoy this kind of work in the future. Like infosec in general, you need to be able to pull in skills from a lot of disciplines to accomplish the handling procedure appropriately. I feel I still have a long way to go in my career to up my skills in some key areas.

Summary: a solid introduction to understanding the general approach when dealing with security fires at work. I think the big takeaway is that you need to ensure you have the necessary policies, procedures, contacts, and management buy-in before you even get to the part where you can look for signs of issues on the network. Everything flows from there, and if it's the right kind of incident, you as a handler might end up in court testifying to help prove the case.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • rogue2shadowrogue2shadow Member Posts: 1,501 ■■■■■■■■□□
    Congrats man! Good review. When do you think you'll be taking the GSE :P
  • Dakinggamer87Dakinggamer87 Member Posts: 4,016 ■■■■■■■■□□
    Congrats on pass!! icon_thumright.gif
    *Associate's of Applied Sciences degree in Information Technology-Network Systems Administration
    *Bachelor's of Science: Information Technology - Security, Master's of Science: Information Technology - Management
    Matthew 6:33 - "Seek the Kingdom of God above all else, and live righteously, and he will give you everything you need."

    Certs/Business Licenses In Progress: AWS Solutions Architect, Series 6, Series 63
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Wow. Good job! You are really killing SANS certs icon_thumright.gif
  • SephStormSephStorm Member Posts: 1,731 ■■■■■■■□□□
    Very nice! It sounds like you went to one of the conferences is that correct?
  • jmu200jmu200 Member Posts: 11 ■□□□□□□□□□
    Dude, you are a machine! Congrats on passing! icon_cheers.gif Sound like you may have built up enough points with SANS for a free exam/training... What's next for you?
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    Congratulations on passing the GCIH exam and thanks for the excellent review! icon_thumright.gif
  • ipchainipchain Member Posts: 297
    Congrats on the pass docrice, 96 does seem to be a lucky number for you! Thanks for the excellent review as well, I am sure it will be useful to those who would like to pursue this certification.

    Like you, I ended up referencing quite a bit of printed material, but it was mostly laws. You are correct though, the sheer volume of tools we are exposed to in 504 is breathtaking. So, now for the million dollar question - What is next for you?

    Are you going to take a break or go for your 5th SANS certification?
    Every day hurts, the last one kills.
  • cybrwarriorcybrwarrior Registered Users Posts: 3 ■□□□□□□□□□
    Congratulations!
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    When do you think you'll be taking the GSE

    Realistically, maybe two years or further down the line, but who knows. The GSE would be a monster to prepare for.
    SephStorm wrote: »
    It sounds like you went to one of the conferences is that correct?

    I've taken all my SANS courses via OnDemand. While going to one of their conferences sounds really exciting and packed with all kinds of additional experiences, it also adds the travel expense as well as the need to take time off from work. Plus, I don't want to wait for a conference to happen. Better to just go through the course from the comfort of home whenever time permits. I miss out on the interaction with other students / instructors, however.
    jmu200 wrote: »
    Sound like you may have built up enough points with SANS for a free exam/training... What's next for you?

    I need to take a 2-day short course and then ...
    ipchain wrote: »
    So, now for the million dollar question - What is next for you?

    Are you going to take a break or go for your 5th SANS certification?

    ... I'd have enough points to do either the SEC617 for the GAWN or SEC542 for the GWAPT. That said though, I feel a bit burned out at the moment, so I might have to take some time off from cert studying. I've gone through 12 exams in the last year and a half, and that's a lot of material to naturally absorb, and the dust inside my head still hasn't settled yet.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ipchainipchain Member Posts: 297
    docrice wrote: »
    ... I'd have enough points to do either the SEC617 for the GAWN or SEC542 for the GWAPT. That said though, I feel a bit burned out at the moment, so I might have to take some time off from cert studying. I've gone through 12 exams in the last year and a half, and that's a lot of material to naturally absorb, and the dust inside my head still hasn't settled yet.

    I hear you, 12 exams in 18 months ? That's crazy. It's indeed a lot of material to absorb, especially in only 18 months. Either way, good luck on future certification attempts.
    Every day hurts, the last one kills.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I almost forgot about this... I have an unused GCIH practice exam (expires 10/18/11) that I can give away. Like my other thread (http://www.techexams.net/forums/security-certifications/65080-gcia-passed.html), perhaps a quiz related to the type of material covered by the GCIH might be a good way to run this.

    For all the other GCIH holders here, I'm open to suggestions. It'd be a waste to randomly give it away as that in itself wouldn't benefit the forum. Inbox me or just reply to the thread with ideas.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ipchainipchain Member Posts: 297
    docrice wrote: »
    I almost forgot about this... I have an unused GCIH practice exam (expires 10/18/11) that I can give away. Like my other thread (http://www.techexams.net/forums/security-certifications/65080-gcia-passed.html), perhaps a quiz related to the type of material covered by the GCIH might be a good way to run this.

    For all the other GCIH holders here, I'm open to suggestions. It'd be a waste to randomly give it away as that in itself wouldn't benefit the forum. Inbox me or just reply to the thread with ideas.

    Interesting...we may have to do some brainstorming here. Now that I think about it, I believe I have a GCFW practice exam I can give away.

    /me puts on thinking cap.
    Every day hurts, the last one kills.
  • Psyco32Psyco32 Member Posts: 104 ■■■□□□□□□□
    Does your company pay for the training or are you doing an out of pocket?
    2014 GOALS
    > GMOB [MAR_2014] OSCP [MAY_2014] GREM [OCT_2014]
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    In my case, I do most of my training out-of-pocket. It gets expensive for sure, but I can compensate by removing luxuries from my life such as ... movies, cable, food, and water.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Paul BozPaul Boz Member Posts: 2,620 ■■■■■■■■□□
    Well done again, buddy.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I'd like to give away my remaining GCIH practice exam via public quiz which reflects the SEC504 material. Unlike the GCIA quiz I did in the other thread, this time I propose a different approach. Hopefully this will benefit the forum in seeing how different people tackle the same problem. It's just an idea that I hope works out.

    This is an open-ended question and interested candidates will submit a written process (by inboxing me) of how they will evaluate and investigate the scenario below. There is no "correct" answer. What I'm looking for is the reasoning behind your decisions and the resulting action within the incident handling process. Therefore, this won't be a "multiple choice" or "figure out the one right solution" type of quiz.

    ACME Corporation runs a typical e-commerce business with a farm of web servers behind a load balancer for their home site. They are all located in the DMZ facing the Internet. The database servers which they talk to are located in another segment protected by the firewall.

    Today your Operations team reports to you that they've noticed the website seems defaced and the daily reports of database access errors for the last couple of days indicate some unusual signs.

    In addition, your IDS reports unusual outbound activity over port 80 from within your internal network where all the user workstations are located. Alert logs indicate this peculiar traffic is originating from three specific hosts.

    Describe your steps and decision logic in handling these incident(s).


    You get to tell a story and take creative liberties to some extent, but everything must be grounded in reality. No parallel universes or inversions of the space-time continuum.

    After submissions are received (maybe a week or two after we start this), I'll post all entries up without the author reference to keep it anonymous (unless you want me to include it). Then we as a forum can collectively review the answers, sort of. I guess I'll reserve the final judgement. Grammar counts as the reporting phase of an incident requires proper presentation for the key stakeholders.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Chris:/*Chris:/* Member Posts: 658 ■■■■■■■■□□
    Congrats on all your accomplishments.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • stardotstarstardotstar Registered Users Posts: 2 ■□□□□□□□□□
    I just finished the GSEC and am prepping for the GCIH now. Congrats on getting so many certs done.

    I'm confused by this whole quiz thing... why not just give the practice exam to the first person who asks nicely and has a valid GIAC portal account?
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I've given away GIAC practice exams in the past, but it's a little more fun to stir the pot, so to speak, and make it so folks can see what the material is really about. As someone who didn't have much exposure to SANS and GIAC some years ago, I had no way of gauging what the expectations would be like aside from what's described on the SANS website. In the end, it's about providing additional insight into the particular SANS experience.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I've totally forgotten about this, and since no one has submitted a quiz attempt, I'm just going to give it away. First one to PM me gets it (be sure to have a SANS portal account to transfer to). If I don't hear from anyone within a few days, I'll give it away on another forum.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    ...and it's gone. Those with eBay sniper skills gets the worm.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • idr0pidr0p Member Posts: 104
    Damn, i already passed my GCIH last month ^_^ i totally woulda had this though lol
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Congratulations on your GCIH and GCIA. Two very distinguished accomplishments indeed.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • idr0pidr0p Member Posts: 104
    Thanks!,

    I am currently studying for my GPEN and then going into GWAPT, CISA then OSCP. Long road to venture.
  • qdog007qdog007 Banned Posts: 16 ■□□□□□□□□□
    Congrats on passing the GCIH. And thanks for the detailed review. I'll be taking this test later on this year.
Sign In or Register to comment.