GCIA

Viewing 34 reply threads
  • Author
    Posts
    • #5964
      knwminus
      Participant

      Has anyone here taken and/or challenged the GCIA certification? There doesn’t seem to be much talk about it here on these boards and I am curious to see if anyone here has done it.

    • #37310
      SephStorm
      Participant

      I would take a look over at techexams.net, I know there was a recent topic from someone who took it.

      So can someone explian the differences between the GCIA, GCIH, and GPEN?

    • #37311
      tturner
      Participant

      I took it via SANS OnDemand and did the cert in spring of 2010. It’s a fantastic course/cert. What do you want to know?

      In a nutshell (I’ve taken all 3 but did not sit for the GCIH exam):

      GCIA – deep dive into packet analysis, hex math, intrusion analysis, yum. This is a blue team course. You will walk away seeing packet dumps in your head and tcpdump switches embedded on the inside of your eyelids.

      GPEN – network pentester skills – this is a red team course. It does cover pentest methodology but differs slightly from GCIH in that things like maintaining access and covering tracks are not covered (typically not part of a pentest). Awesome course, take it with Ed Skoudis if you can.

      GCIH – responding to attacks, understanding black hat mindset, and some nifty tricks for incident detection and response. Incident handling methodology is covered as well. this is a blue team course.

    • #37312
      caissyd
      Participant

      @tturner: What do you mean by “blue team” and “read team”? Is “red” focused on attack and “blue” team on defense?

    • #37313
      tturner
      Participant

      Exactly. SANS has a cyber guardian program that lays out their roadmap for blue team and red team members, obviously using SANS courses since that’s their business.  🙂

      http://www.sans.org/cyber-guardian/

      I haven’t done this program yet as I still require 2 of the baseline skills certs and 1 of the courses but I tend to focus more on red team activities. (took Sec504 but didn’t sit for GCIH, and never took the SEC508 or GCFA exam) The bonus here is that  completion of this program also qualifies you for the GSE exam. I’m determined to get there one day, but if you focus only on red team types of skills I think passing the practical for GSE may be a bit difficult. We have a few GSE’s on the boards who could probably talk more about that if you are interested. I know I am.

    • #37314
      knwminus
      Participant

      @tturner wrote:

      I took it via SANS OnDemand and did the cert in spring of 2010. It’s a fantastic course/cert. What do you want to know?

      I just wanted to know someones thoughts on the difficulty on the cert, ie could you have passed it without specific SANS courses. I plan on challenging 1 SANS exam by the end of the year and I think I want to do GCIA (since I do like networking/TCPIP and security). I will have about 4-5 months to study and compile notes for the exam. I have talked to a few people who have said that GCIA is one of the harder SANS exams. I just want to see if you echo that remark.

      I eventually want to do GPEN GWAPT (possibly) and GCFW as well with GPEN being the next on my list. That’ll probably be 2012 though.

    • #37315
      caissyd
      Participant

      I can’t talk for GCIA, but I did GSEC and GPEN without taking SANS courses.

      However, I took Pentesting With Backtrack (PWB) from Offensive-Security before trying GPEN. It doesn’t cover everything, but it covers a great deal of what you need for GPEN.

      But that being said, if I had the money, I would have taken a SANS course anytime…

      Last thing, the two practice exams helped me a lot get ready for both exams. When I “thought” I was ready, the practice exams help me focus my study and prepare my notes on areas I was a bit weak.

      So it is feasable, but harder…

    • #37316
      knwminus
      Participant

      Yea I read about you experience with GPEN (congrats for that by the way).
      The thing about pen testing certs is that there is a lot more of them and (IMO) it is “sexier” than IDS/IPS (blue team) stuff. There is not nearly as much information about IDS/IPS packet level analysis as there is about pen testing. I have been told the wireshark is a good start of the exam (I own the book) so I will read it and go from there.

      As far as practice exams, you can purchase more for like 99 dollars so I will probably pick up 1-2 in addition to the 2 you get when you register for the challenge. 

    • #37317
      tturner
      Participant

      I really like http://www.packetstan.com/ for packetfu. The authors Mike poor and Judy Novak are also course authors for the GCIA course.

      You could probably self study the GCIA if you used the right materials. I’d probably start with TCP/IP illustrated vol 1 and the Wireshark Network Analysis book by Laura Chappell. Richard Beitlich’s Tao of Network Security Monitoring would be good as well. You will want to get familiar with Snort and also download the TCP/IP cheatsheet at http://www.sans.org/security-resources/tcpip.pdf

      Many many questions will require that cheatsheet so get it for sure.

      The certification objectives are at

      http://www.giac.org/certbulletin/gcia.php

      I also used the following cheatsheets:

      http://packetlife.net/media/library/8/IPv6.pdf

      http://packetlife.net/media/library/12/tcpdump.pdf

      http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf

      http://packetlife.net/media/library/23/common_ports.pdf

      as well as printouts of the manpages for p0f, tcpdump, tshark, tcpreplay, snort, and other related tools

      I also used the http://www.sans.org/security-resources/idfaq/oddports.php list of well-known trojan ports and you may find other good resources at the SANS intrusion detection FAQ http://www.sans.org/security-resources/idfaq/

      There’s also tons of good IDS papers in the SANS reading room and I found some good resources at http://www.whitehats.ca/main/members/Seeker/ which is Guy Bruneau’s page there. he wrote parts of the GCIA course as well. he also wrote this post at SANS on installing SGUIL http://www.sans.org/security-resources/idfaq/slackware.php

      I could probably keep posting various links on barnyard, acid and other topics but this should get you started. Like mentioned before, the poractice exams are a very good indicator. I would personally recommend taking the course though. it’s really good and if you go the volunteer route at SANS you can attend a conference, get 4 months of ondemand and the cert for only 800.00.

    • #37318
      vadnaisk
      Participant

      Terrific links thanks so much for posting.

    • #37319
      knwminus
      Participant

      Excellent links.

      I am even more determined to go for it now!

      Now if someone could just give me $900 dollars.

    • #37320
      nothingelse
      Participant

      I completed the GCIA about 3 years ago (up for renewal soon) and I can say compared to the GWAPT that I recently took it was a bit harder.  It is a great cert to get you up to speed on “Packet Analysis” and identifying traffic patterns.  With that said SANS certs are open notes/books so in my opinion in kind of makes it easier than it should be.  You generally have 3 hours to complete 150 questions so you definitely can’t look up the answer to every question, but you may be able to get by on some of the more difficult questions by looking through the book. 

    • #37321
      rdm
      Participant

      I took the SANS OnDemand Intrusion Detection In-Depth.  I liked the class, learned alot and passed the test earlier this week.

    • #37322
      knwminus
      Participant

      nothingelse and rdm

      Do you mind telling what type of roles you guys are working in? Are you working in IDS/IPS analyst roles?

    • #37323
      rdm
      Participant

      @knwminus wrote:

      nothingelse and rdm

      Do you mind telling what type of roles you guys are working in? Are you working in IDS/IPS analyst roles?

      Right now I am the only sec guy so I do a large amount of different things.  I spend about a quarter of my time doing IDS and log analysis. 

    • #37324
      nothingelse
      Participant

      Yeah I worked as a Intrusion/Security Analyst for about 3 years.  I am now managing/mentoring a team of 17 analysts, but it is still part of my duties.  We actually require the GCIA at my company so all analysts have to obtain it after starting.  If that is the type of role you are looking for I would say that GCIA is a great start.  

    • #37325
      knwminus
      Participant

      I know I want to be a “security analyst” and eventually security engineer but I am not sure if I want to work with firewalls, IDS/IPS, systems, web applications or a mix of all of the above.  The GCIA seems interesting but so does GPEN, GWAPT, and GCFW. At the cost of 900-3500 a pop though, it is a bit out of reach.

    • #37326
      nothingelse
      Participant

      Yeah completely understand.  I honestly think that SANS is overpriced for what they provide.  I got lucky because my employer pays for our certifications since it is a job requirement and they believe in “continuing education”.  I would never pay SANS over out of my own pocket.  I don’t know what you employment status is, but If I were you I would try to find a place that does pay or somehow convince your current employer that it is a benefit to them as much as you  😛

    • #37327
      knwminus
      Participant

      I am gainfully employed but I know they wouldn’t pay 3k+ for a class (and I wouldn’t ask).
      More than likely I might try to challenge a cert or two but even that is starting to sound like a tough pill to swallow. 1k is a good amount of money. The OSCP looks awesome but it is 1k but at least that includes training and stuff. 1K just to challenge a test? Seems a bit pricey lol.

      I might just try to knock out the “cheap stuff”, MCTS, C|EH, SSCP, Elearn, offensive security and possibly learn security online. Then I’ll find an employer who will pay for the big stuff (SANS).

    • #37328
      tturner
      Participant

      I always go the http://www.sans.org/security-training/volunteer.php route. $800 for conference attendance + cert + 4 months of Ondemand + some of the best social networking opportunities at the conference, What it does NOT include is bonus materials like SIFT kit, Wireless hardware etc which you will have to pay extra for. For instance I think the SEC508 Forensics course as a volunteer winds up being around $1100 which is still way cheaper. For most courses though this is a non-issue since only a few tracks utilize these extra materials.

      For the record, when I did GCIA I did it via OnDemand and had never worked in packet analysis outside of troubleshooting network issues with Wireshark and some very basic work with tcpdump when pentesting.

    • #37329
      Methodikal
      Participant

      @tturner wrote:

      I always go the http://www.sans.org/security-training/volunteer.php route. $800 for conference attendance + cert + 4 months of Ondemand + some of the best social networking opportunities at the conference, What it does NOT include is bonus materials like SIFT kit, Wireless hardware etc which you will have to pay extra for. For instance I think the SEC508 Forensics course as a volunteer winds up being around $1100 which is still way cheaper. For most courses though this is a non-issue since only a few tracks utilize these extra materials.

      For the record, when I did GCIA I did it via OnDemand and had never worked in packet analysis outside of troubleshooting network issues with Wireshark and some very basic work with tcpdump when pentesting.

      I did it last year and I agree, it’s awesome! Best part is the networking. I met ALOT of bright people I still keep in contact with.

    • #37330
      knwminus
      Participant

      I might have to check that out  8)

      How do you jump into a analyst position? I mean from what I have seen, the entry bar is set pretty high.

    • #37331
      ziggy_567
      Participant

      I haven’t taken the actual test for the GCIA, but I can tell you that its the only practice test for GIAC exams that I’ve taken that I failed. I guess that either means that the test is harder or I’m pretty crappy at packet analysis. 😛

    • #37332
      knwminus
      Participant

      Hmmm. I have heard the test is a bear. That’s part of the reason why I want the official training and I don’t want to have to throw 1k up to the wind…..

    • #37333
      nothingelse
      Participant

      @knwminus wrote:

      I might have to check that out  8)

      How do you jump into a analyst position? I mean from what I have seen, the entry bar is set pretty high.

      I do a lot of the Technical Screening at my company so i will give you a quick breakdown of what we look for in our analysts.  It likely varies from job to job, but this will give you an idea.  

      Firm Understanding of general Networking  and protocols such as (TCP, UDP, ICMP, HTTP, HTTPS, FTP, SSH, SSL, DNS, SMTP etc..)

      Understanding of IP Addresses and Subnetting.  For example what is an RFC1918 address and what is special about it.

      Comfortable using Linux and various utilities such as (grep, awk, tcpdump, cat, tail, head, etc..)

      Firm Understanding of web attacks such as (SQL Injection, XSS, RFI, CSRF, directory traversal etc..)

      Good Understanding of Regular Expressions

      Good Understanding of how networks devices work such as routers, switches, hubs, bridges, Host Based and Network based IDS/IPS, Firewalls, Web Application Firewalls, Proxies etc..

      Some familiarity with nmap or other scanning tools

      Experience using Databases such as MySQL, SQL, Oracle

      Also as an Analyst you need to be able to pick up minor details.  It really is a job that requires a lot of attention to detail.  This is likely why people say that the test is tough.  SANS has a tendency to formulate the answers to the questions very similar so when you glance over them they all look the same, but there may be 1 minor detail that separates that answer from the rest like 1 octet may be different or the port number.  Stuff like that is what is the biggest hang up.  I hated it at first but after being in the position for 3 years I have learned that it is a necessity for you to be able to pick that kind of stuff out or you will easily miss attacks.

    • #37334
      knwminus
      Participant

      Excellent write up. Maybe I should do the WCNA as a intro to the GCIA topics.

      CEH, WCNA and Elearn as the el cheapo versions of GPEN, GCIA and GWAPT lol. Maybe that’ll fly.

    • #37335
      tturner
      Participant

      I’m doing GWAPT and SANS Metasploit course in April but I’ve been seriously considering WCNA after that. It’s either that or RHCE. I’m still interested in OSCP but Im thinking I’ll wait a bit on that as I’ve been focusing on the pentest stuff lately and need to round out a bit some of my core skills. I have the WCNA book and it’s really good stuff.

    • #37336
      knwminus
      Participant

      I’ve got it as well although I haven’t gotten into it yet. I have so many books on my “to read” list its insane.

    • #37337
      caissyd
      Participant

      @nothingelse: Great write up! Thanks, for your insight!

    • #37338
      kwkanter
      Participant

      I passed the GCIA back in November 2010 and can say it is a very nice certification. The classes will give you the knowledge to look at a network packet and find anomalies within them. The test was not that hard once you have taken the class as it does teach you all you need to work hands on. I took a local mentor session and would highly recommend them to anyone.

    • #37339
      WCNA
      Participant

      Packet analysis is my area of interest so I am looking at the GCIA after I take the CISSP exam. I’d love for an employer to pay for it though instead of me shelling out so much money but that’s unlikely to happen unless I change jobs. One of the reasons I took the WCNA was the cost of the exam was only 175 so for the total cost was quite reasonable.

      I went the Wireshark University route though because I really enjoyed the freebie courses Laura Chappell has. The Core 1 & 2 courses are almost as expensive as the All-Access pass so I went in for the whole shebang. She’s a great teacher and she really drums in the material and makes a somewhat difficult subject easy. Even though the CWNA exam was MUCH harder, I’m probably prouder of the WCNA (hence the forum name I chose) because it put a lot of missing pieces in my knowledge in place.

      The exam is half protocol and half wireshark knowledge. Now that I am reading Art of exploitation and the Malware cookbook, I see how very important knowing your protocols are.

    • #37340
      WCNA
      Participant

      So does anybody know anything about this GCIA book?
      http://www.amazon.com/Certified-Intrusion-Analyst-Certification-Preparation/dp/1742448402/

      What other GCIA material is out there?

    • #37341
      knwminus
      Participant

      Wow I wonder how worth while that book is. I really want to challenge the GCIA and I think the material mentioned in this thread and this book I am really starting to feel like I can do it.

    • #37342
      SephStorm
      Participant

      I haven’t read it, but I assume it does as about as well as the rest of the series. I first saw this one years ago:

      http://www.amazon.com/Security-Essential-Certification-Preparation-Certified/dp/1742442277/ref=sr_1_1?s=books&ie=UTF8&qid=1301706735&sr=1-1

      It looks like they all have low ratings.

    • #37343
      knwminus
      Participant

      AH. Well I am still on board with going for GCIA. I plan to do WCNA as a warm up some time after CEH. As I know you know SS. CEH is going up to 500 so I guess I am trying to stomach doing CEH 6 instead.

Viewing 34 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?