My GCIH Experience
An overview of my SANS learning journey, GCIH certification prep, and exam experience

Years ago, I was hired into the IT Leadership Development Program for a multinational manufacturing corporation. These kinds of programs are not uncommon for larger organizations, serving as a means to bring in fresh talent and expose them to different functional areas over time, all while fostering the growth of skills and business acumen. My program, just like others that exist in corporate America, was a 2-year commitment where you, as the enterprising college graduate, rotate across four functions within an IT department. The aim of such programs is that new hires gain experience across technical areas they wouldn’t have encountered otherwise, eventually settling into a role that fits their skillset and meets a business need. Specifically for the one I went through, a parallel focus was placed on mentorship, where a senior people leader in IT would help shepherd you through your first couple of years.
I underwent four rotations during my time in that development program: (1) networking, which was what I enjoyed most, (2) SAP development, (3) security, and (4) business intelligence/analytics. Networking was something I had studied and practiced in my college classes, but I had never been involved in much security work or business analytics in my internship, let alone ever seen something as monstrous as a global SAP deployment. The networking toil of troubleshooting, hands-on pulling of cable and racking-and-stacking equipment was something I enjoyed. I had some fantastic mentors on that networking team who were also incredibly generous with their time and, fortunately for me, very understanding when it came to working with rookie network admins like myself. But that six-month rotation onto the Security Team was when I caught the security bug and started looking into security-related trainings.
The security world boasts a cornucopia of certifications on top of a seemingly endless number of trainings, ranging from free or low-cost to full undergraduate degrees. Among that sea of available training courses, the SANS Institute stands out. I’ve been eyeing an opportunity to jump into a SANS course ever since.
So, when I had the chance to sign up for one, you can bet I jumped right to the front of the line!
Here, I’ll share insight into my SANS training, my study efforts, and my experience with taking the GCIH exam.
Important: What this post is *not* about
Anyone and everyone aiming to earn a certification of any kind hops into Google and types the phrase, “how to pass gcih exam” (lowercase and everything, amirite?). I know I’ve done this for every certification I’ve earned, plus the ones I’ve never even attempted. For me, I’m either looking for tips ‘n tricks or simply doing some research into what the materials and exam entail.
But, there are some people out there who are looking for the easy way out.
This blog post, my friends, is not an easy way out. Nothing in this article you’re about to read will disclose anything that I’m not authorized to share.
The SANS Institute, just like any other legitimate certification body, has a strict zero-tolerance policy for the sharing of course materials or questions/answers from exams.
Any information I share about SANS training or the GCIH exam will all tie back to publicly available information, albeit dappled with insights formed through my own experience. Hopefully you’re not reading this looking for an easy way out, but, just in case it needs to be said, you won’t find anything like that here. This SANS course was wonderful and I only wish to help future students learn from my experiences.
Now, on to the fun stuff, I say! Huzzah!
Why I pursued the GCIH
Selecting the right SANS course for me
In my current work as a security engineer, I find myself bouncing constantly from one thing to another, just like most other security professionals I know. Most of my day-to-day fun involves running security operations, so you never know what you’re going to run into (which is both really cool and really terrifying at the same time). I’ve come to realize that the typical work tasks are the easy part, but, for security pros, incidents demand that you’re ready to execute at your highest level of excellence.
I’ve long been fascinated by incident response, asking myself such questions as:
What is incident response best practice? Or, is there more than one way to handle an incident in the best way?
How do high-functioning teams tackle incident response efforts?
Why is incident response something that most organizations struggle with?
What skills are required to be a top-notch incident response professional?
When I got the chance to take my first SANS training, the SEC504 course, Hacker Tools, Techniques, and Incident Handling, I was drawn to it right away. The syllabus, detailed here on the same page, outlines a strong mix of the theoretical and the practical.
Even before signing up for anything or putting money down, you can see exactly what you will be learning when you take the SEC504 course. Under the “Course Syllabus”, each “section” shows you a full day’s instruction or focus, including whether or not there are hands-on labs involved.
I love and appreciate this level of transparency. When you are requesting that your employer pay for your training, you need to bring receipts (literally). Anyone who has requested training from an employer knows that the more information you have, the better. SANS does a fabulous job of arming you with well-articulated reasonings to help you justify why your employer should invest in you by purchasing this course.1
For me, as someone with some security and IT experience with an interest in incident response preparedness, this seemed like a great way for me to jump into something I’m interested in while exploring things I wasn’t too proficient at, like attack techniques.2
The GCIH certification
Most SANS courses have a certification based directly on that course’s material. Whenever this is the case, SANS tells you so at the top of the main information page, like here for SEC504:
“Why isn’t it called the, ‘GIAC Certified Incident Handler Certification (GCIH)’ course instead?” I thought the same thing! I mean, does the class itself boost your resume, or the certification? The certification. I remember wondering why the class doesn’t focus on the certification, like most of the security training world does for things like Security+, CISSP, etc.
However, I came to realize that the separation between the course and the associated certification is much, much better. When you take a SANS course, the entirety of that course is focused on the material.
The material of any given training should focus primarily on theory, concepts, context, and giving you hands-on practice, not on just passing the exam.3
And SANS did a great job of that based on my SEC504 experience.
Joshua Wright, course author of SEC504 and the instructor who taught my class at SANS Boston, rarely mentioned the exam and I loved this. I’ve taken other week-long trainings before that were geared more towards something like, “Alright, so here’s how you’ll pass the exam… Remember these tips ‘n tricks for the exam,” while my SEC504 experience was more akin to, “We’re more concerned with helping you learn these concepts and making sure you understand how to apply them.”
The result? I was a more confident student because I felt like I was gaining knowledge and skills, not just a paltry toolbox for passing a test.
By separating out the course from the associated credential, every SANS student, whether they are pursuing a certification or not, stands to gain equally from the material presented.
To be in-person or not to be in-person… that is the question
Should “in-person” be hyphenated? I have no clue. Hyphenate the planet!4
There are both in-person and virtual (“OnDemand” as listed by SANS—they don’t include a space, so don’t judge me) options when selecting a course. I chose to learn in a physical classroom with the instructor and other learners.
I chose in-person because:
I wanted to minimize distractions
Traveling to new places, even if you’re spending 99% of your time in a classroom, is really fun.
When learning, I like being in the same room as the teacher.
I’ve done live trainings where I’m a remote learner but there’s an in-person group, too. It seemed as if the in-person crowd was much more intimate, which I prefer.
Being able to interact with a teacher in the flesh, eye contact and all, is so much of a difference in my experience when learning.
I get energized by those learning around me!
All walks of life will likely be in your classes (management, executives, foreign government workers, tech company employees, security people, non-security people, etc.)
It’s motivating to me when I’m around other serious students. You can ask each other questions and meet/get to know new faces.
While I chose that option for myself, the SEC504 course did have a remote cohort learning at the same time. Here are some things to be aware of with SANS’ live, virtual class:
The instructor teaching the class has a camera and microphone setup, so all students can see them, the slides/screenshare, and hear them clearly.
Designated chat apps, set up by SANS for students, are available to all for discussion and live asking of questions.
In SEC504, there was a designated Teaching Assistant. This person was highly qualified and able to help answer technical questions, assist with labs, etc.
Students attending remotely means that they can experience the live course from anywhere in the world.
SANS OnDemand
No, you eagle-eyed reader, “OnDemand” is not missing a space! That’s how SANS has branded their online learning option.5
After completing the six-day SEC504 class I had the OnDemand course made available to me as part of my learning package. Just like the experience of in-person learning with SANS, this was my first time taking in their virtual material.
I was quite surprised by the quality of the OnDemand instruction! Particularly:
Zero difference in the amount of content or caliber of content!
I was in class for every minute of instruction while in-person and also watched the entirety of the OnDemand course. If anything, the OnDemand content held more detail than what I experienced live.
It gave me confidence that the virtual SANS experience could be just as powerful as the in-person one.
High quality sound and video. The instructor is mic’d up at all times and, at least to me, understandable and clear.
Screen sharing is also clear, as are presentation slides.
Studying & Procrastination
Studying has long been my nemesis. I’d like to assume, or, rather, choose to believe, that everyone else is like me and has difficulty studying on most days.6 Not being good at studying has less to do with being a good or bad student and more to do with motivation. If you don’t feel compelled to study or aren’t driven to study, then what’s the point? Why pretend to study if you’re not really getting anything done?
I have never been the best student. Go back in time and ask my 4th grade teacher and she’ll tell you the same.
Where I find success in learning new things is by separating out the motivation requirement and replacing it with discipline. I then couple discipline with the thing that I do best in this world: procrastinate.
Next I’ll break down how I studied and why I feel that procrastination is something to embrace.
Studying
Study Materials
For the GCIH exam I relied solely on the official study materials provided by SANS as part of the SEC504 course. These materials included:
Printed course books
For SEC504, I believe they totaled over 1,000 pages.
Digital copies are also made available to students.
OnDemand course videos
You may access course videos through the browser or through the phone app.
I found the phone app incredibly helpful as you can listen to just the audio or watch the videos like normal.
Virtual machine (VM) files
These were compressed, yet still quite sizeable. SANS gives you a heads up that you’ll need over 100 GB of hard drive space and they’re not kidding.
There were supplemental materials included, too, but the vast majority of what you download and install is VMs.
That was it! I didn’t see the need to purchase or look up additional materials not produced by SANS.
To be honest, I’ve had great luck with the official course materials for certifications. If the certification body (SANS, Cisco, CompTIA, etc.) publishes an official study guide (almost all of them do, by the way), then you know that you hold all of the information that could be found on the exam itself.
Study Approach
Watch or listen to the entire course via OnDemand.
I did this while shooting hoops, vacuuming, working out at the gym, and raking leaves. If you’re able to learn something from a podcast while performing another activity, then this could be a great fit for you, too.
The virtual course was incredibly rich with detail. It felt as if I was back in the in-person class.
The videos helped me realize what topics I was familiar with and, more importantly, which ones I was not familiar with. I’d be mowing grass or something, listening, only to stop midway through Joshua Wright speaking through my headphones. “Alright, so I definitely have no clue about pivoting…”. Those kinds of mental notes were so helpful.
Practice the hands-on labs.
I personally didn’t have to get the GCIH certification. I was more concerned with actually being able to do what’s covered in the material. The labs were my favorite part!
In Joshua Wright’s SEC504, he’s prepared a variety of labs ranging from bite-sized labs all the way to lengthy, meaty labs that involve multiple systems. In this case, there was bonus material included with each lab as well as additional tips ‘n tricks in the labs themselves.
I cannot emphasize enough how important it is for you to gain familiarity with the material through hands-on work.
Create an “index” for use during the exam.
GIAC exams are notoriously open book. However, if you believe that you can waltz into an exam unprepared, believing you will be able to lookup every answer, you are dreadfully wrong. Those 4 hours go by faster than you may think. There’s simply too much material for you to not prepare at all. Do you think, without studying, that you can find a given answer amidst 1,000 pages or more?
If you’ve never heard of an “index” in this way, here, an index refers to a document you create that tells you where a particular topic, keyword, tool, or command is discussed within the SEC504 books. This is the trick to helping guide you as you thumb through materials come exam time. You can print this out and take it into the exam with you.
This took several hours. I didn’t do a marathon session of index creation. I chiseled away at it, bit by bit, thumbing through every page of the course material.
Take a practice exam *WITHOUT* an index. Yes, that is my advice!
Why you should try the practice exam without an index:
You’ll quickly get a taste for how prepared you actually are. When you hit questions you don’t know how to answer, how do you react? Do you get frustrated or anxious or anything like that? It’s critical to train your mind and body for how to handle situations where you’re uncomfortable (not knowing something) and are under pressure (time constraints + many more questions, possibly).
You may be familiar with a topic or tool, but how much can you execute from memory? It’s like being on stage in an acting rehearsal and going off-book for the first time. There’s a massive gap between having your next line on the tip of your tongue versus knowing the lines and being able to perform when the time comes.
I took the first practice exam without an index, knowing I wasn’t fully prepared at all. I’m not kidding when I say that those 4 hours went by faster than I could count while also being extraordinarily difficult to fight through.
I did excellently on the written portion by looking everything up, yet I chewed up tons of exam time, leaving no time at all for the several hands-on questions (aka CyberLive in GIAC parlance).
What was funny was how the hands-on portion felt like my most confident section, but I ran out of time leaving some questions unanswered. This was a valuable lesson in both preparedness and time management.
Unless you’re just wicked smart (“wicked smaht” for my New England friends),7 you want to be well aware of your strengths and weaknesses. There’s no need to fool yourself into preparedness. Just take the time to prep and be willing to learn where your weaknesses lie, knowing you can then improve those areas.
Seriously, this is perhaps the best thing that I did and I learned so much.
I passed by the skin of my teeth and that was without completing a handful of CyberLive questions at the end. This showed me how much more I needed to study and how unprepared I truly was.
Take the 2nd practice exam a few days before the exam, this time *with* your freshly minted index.
Don’t take a practice exam the day before and definitely not on the same day. Even if you don’t take advantage of the full 4-hour time period, completing an entire practice exam requires lots of mental exertion. You’ll be tired, both mentally and physically.
Taking it close to the exam allows you to treat it as a dress rehearsal for the real deal, while also giving yourself time to rest before the big test.
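The index step above is a small data-wrangling job: you keep a running list of “book:page, term, short note” as you read, then merge and sort it into something you can thumb through in seconds. Here is an added example of one way to do that merge, written for this post rather than anything SANS or the author provides. The note format, the sample notes and the `book:page` reference style are all my own assumptions; the sample notes are constructed placeholders and not course content.

```python
"""Build a printable exam index from plain-text study notes.

Assumed note format (one note per line, constructed for this example):
    <book>:<page> <term> | <optional short note>
e.g.
    1:45 nmap -n | disable reverse DNS resolution during scans
Terms are merged case-insensitively, page references are grouped per book,
and consecutive pages are collapsed into ranges so the printed index stays
short enough to scan under exam time pressure.
"""
from collections import defaultdict
import re

# Constructed sample notes for illustration only; not course material.
SAMPLE_NOTES = """\
1:45 nmap -n | disable reverse DNS resolution during scans
1:46 nmap -n | example scan output
1:47 Nmap -n | timing templates alongside -n
2:12 pivoting | SSH port forwarding for lateral movement
2:30 pivoting | Metasploit route through a compromised host
3:8 hashcat | mode selection and wordlist attacks
1:120 SQL injection | UNION-based extraction
1:121 sql injection | blind/boolean-based technique
"""

# book:page, then the term, then an optional "| note" tail.
NOTE_RE = re.compile(r"^\s*(\d+):(\d+)\s+([^|]+?)\s*(?:\|\s*(.*))?$")


def parse_notes(text):
    """Return {term_lower: {"display": str, "pages": {book: set(pages)}, "notes": [str]}}."""
    index = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = NOTE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        book, page, term, note = m.groups()
        key = term.strip().lower()  # "SQL injection" and "sql injection" merge
        entry = index.setdefault(
            key, {"display": term.strip(), "pages": defaultdict(set), "notes": []}
        )
        entry["pages"][int(book)].add(int(page))
        if note:
            entry["notes"].append(note.strip())
    return index


def collapse_ranges(pages):
    """Collapse sorted page numbers: [45, 46, 47, 120] -> '45-47, 120'."""
    pages = sorted(set(pages))
    if not pages:
        return ""
    out, start, prev = [], pages[0], pages[0]
    for p in pages[1:]:
        if p == prev + 1:
            prev = p
            continue
        out.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = p
    out.append(f"{start}-{prev}" if start != prev else str(start))
    return ", ".join(out)


def render_index(index):
    """Alphabetical lines like 'nmap -n   1:45-47  (note; note)' ready to print."""
    lines = []
    for key in sorted(index):
        entry = index[key]
        refs = "  ".join(
            f"{book}:{collapse_ranges(pages)}"
            for book, pages in sorted(entry["pages"].items())
        )
        notes = "; ".join(entry["notes"])
        lines.append(f"{entry['display']:<20} {refs}" + (f"  ({notes})" if notes else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(render_index(parse_notes(SAMPLE_NOTES))))
```

Keep the notes file growing as you read, re-run it before each practice exam, and print the result; the case-insensitive merge is what stops “SQL injection” and “sql injection” from ending up as two separate entries on the page.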
Procrastination
“You can't just turn on creativity like a faucet. You have to be in the right mood.
What mood is that? Last-minute panic.”
-Bill Watterson
If you somehow are magical and do not procrastinate, (1) I don’t know how on Earth you do it, and (2) I know you’re most definitely not me. Growing up, I’d always heard mention of procrastination as a negative thing. I know I interject humor throughout these posts8, but there are potential positives to procrastinating! I love Psychology Today’s articles, including this one where they explore how procrastination can be a good thing.
Now that I’ve sold procrastination as an important skill, let me complain about why I hate it sometimes. Motivation is not permanent and we humans are biologically engineered to take the easy way out.
The couch and a Playstation sound like a lot more fun than reading those boring course books. Yes, of course you simply must rewatch all prior seasons of “Stranger Things” on Netflix prior to the series finale. Throwing back a brewski while watching the football players do football things is a heck of a lot more attractive than realizing you don’t know how to prevent name resolution in Nmap scans.
In my armchair-psychologist of an opinion, it’s about balance.
You should replace motivation in your studies with discipline instead. That way, it’s not about listening to your heart for when it’s time to get to work. No! You know that taking 20-30 minutes to practice labs or watch/listen to the course will help you more than doing nothing.
You’re not a machine, so you do require time to take your mind away from work, studying, or whatever else. Do non-security, non-study things: take a walk, play video games, lift weights, lie on the floor and count the ceiling tiles, soak in the glory that is The Great British Baking Show. Just like your body requires sleep, your brain requires rest, too. Procrastination can sometimes help steer you towards non-work activities as a means of balancing out your more brain-intensive activities.
Discipline is not easy, don’t get me wrong. And procrastination is something I struggle with, most definitely. As a tl;dr here:
If studying is hard for you, chunk out your study efforts in small increments. This has been huge for me! Work to do something related to your studies for 15, 20, or 30 minutes, then walk away.
Make time to do things for yourself, don’t try to force your efforts. Garden, bake a cake, hang out with friends and family, hang out away from friends and family, just do something that recharges your brain batteries. Treat yo’ self and refresh yo’ self.
Reframe “procrastination” away from something that’s purely negative and into something that, in moderation, can help you achieve greater success within your studies.
Procrastination is my best, natural talent, so let me know if you want any tips. :)
Taking the GCIH Exam
I chose to take my GCIH exam at a local testing center. It’s the same one that I went to for my Cisco CCNA years ago, so I was familiar with the location.
There are plenty of YouTube videos and Google results for choosing the best location for your exam, so I won’t go into that here. Personally, I wouldn’t spend too much energy worrying about what location to pick. Regardless of where you decide to go, you’ll be in a larger room with multiple people and be using a PC with a standard keyboard/mouse at a tiny cubicle.
Exam Tips & Advice
Based on my experience with this exam and others in the past, here are my recommendations:
Take off time from work for the test
If you’re able to, take the day off of work. The exam is 4 hours long and you’ll need to travel to/from the testing center. That alone is a full day!
Select a time that works best for your daily routine
Seems obvious, I know, but it’s important.
Consider: when you go to bed, what time you normally wake up, when/if you can take off work, and how to accommodate the schedules of your partner or dependents.
For the GCIH, I selected a time that was an hour-ish before my normal lunchtime. I knew that an appointment late in the morning would give me time to sleep, time to eat a breakfast, and time for my coffee to kick in and give me magical, caffeine-powered intellectual energy (not a thing).
Schedule the exam far out enough for you to be sufficiently prepared
While you have permanent access to downloadable course materials and all of your printed materials, you have to take your exam within four months!
Some people prefer to take such exams very soon after the course, while some (like me) prefer the flexibility of scheduling it out into the future.
A word of caution: Be UN-like me and don’t set aside the material for a long time after the class (which I did, unfortunately). Give yourself time, but keep the momentum with the material by picking an exam time that’s not too far out. If I had to do it again, I’d pick an exam like 1-2 months out from completion of the course.
You can—and should—take breaks!
GIAC affords you 15 minutes of break time. This can be taken all at once or across a maximum of two breaks for a total of 15 minutes.
Honestly, I didn’t think I’d need them, but when I took a quick bathroom break about two hours in it felt amazing to stretch my legs.
General advice
Practice the material—Practice. Practice. Practice.
Practice can be reading. Practice can be creating/memorizing flashcards. Practice can be running a lab. Practice can be creating colorful tabs to attach to your books. There’s endless room for you to be creative and figure out what works best.
The point, though, is that you’re doing something with the material. Doing something is always better than nothing, right? So, do it!
I didn’t use flashcards for this test, but I know that many find them highly effective.
Strengthen areas of weakness, maintain areas of strength9
After you complete the course, immediately take note of where you’re weakest. This will be helpful as you’ll know what you need to work on more and what you may already be confident with.
For me, this was basically everything offensive: Hashcat, vulnerability exploitation (SQLi, SSRF, XSS, etc.).10
My main takeaways from this experience
The SEC504 course and the GCIH exam placed a glaring spotlight on my knowledge and skills as a security pro.
What I realized most was how much weight I had placed on theoretical knowledge versus practical knowledge. I knew what SQL injection was, in theory, but I hadn’t tried exploiting it before. I was familiar with the broader concepts of the incident response steps recommended by NIST, but I hadn’t considered how an organization could work to move away from a purely linear process to introduce greater flexibility. I knew what Metasploit was, yet I’d never really fired it up and used it before.
I’ve long been fascinated by hacking, so getting my hands dirty with some of the basic tools of the trade was just so, so fun. I loved it! I realized that the hands-on, practical portions of the course were my absolute favorite.
Overall, this experience was a blast.
Not only did I build some technical chops, I did so using offensive tools in a way that has bolstered my confidence as a security professional focused on defending others from harm. SEC504 doesn’t cover everything, not at all, but for me it was a big step in the right direction. I built upon existing theoretical knowledge and gained much more theory in new ways, all while solidifying a skillset I didn’t have before.
Budget constraints are one thing, but you should never be denied training because you failed to provide enough justification. SANS holds your hand in this regard and gives you this info freely. Take advantage! It’s a cool offering, so take advantage.
Defense has always been my specialty, even back in my elementary school basketball days (my basketball career was short-lived, okay?).
I know these text blocks are for quotes and I’m not really quoting myself, I just think it makes the text look pretty.
I’m working hard to incorporate more nerdy humor. How am I doing? Please rate my humorous-ness on a scale of 5 to 5. Thank you. https://www.imdb.com/title/tt0113243/quotes/?item=qt0448615
I guess they must’ve “spaced out”, eh? Get it? Because they removed a space. I’ll be here all week.
If this is not you and you’re just super fantastic at studying all the time, thank you for not correcting me.
I love Good Will Hunting! And while I’m kinda joking here, there are a lot of security pros out there who really know their stuff. Posturing like you know what you’re talking about, when you don’t, whether during exam time or IRL, will get you nowhere, because many people out there know enough to call your bluff. This clip is an awesome one:
or, at least I try to 😭
This could be another point of advice where you say, “Duh, dude!” But, I never had anyone explain this to me. Back in my music days, this was a given, otherwise, what are you practicing?
Why, yes, this does mean that almost everything in SEC504 was new to me.





