
My SANS GCIH experience


alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Oct 26, 2012 10:28 am

My SANS GCIH experience

Hello friends  ;),

I want to share my experience with the SANS 504 course and exam. This spring I applied for a few work/study opportunities with SANS. Among them was a local one, community SANS Ottawa – SEC504 Certified Incident Handler.
When I got the approval from SANS I was no longer a permanent employee, I was a contractor. I hesitated for a couple of hours about whether I should go or not, and the drawback was the loss of $$$ caused by the absence from work. Finally, I decided that the experience of a live SANS course was worth more than the lost bucks.

The course was between 11 – 16 June, in Gatineau, a suburb of Ottawa (different province, but still Ottawa’s suburb  ::)). The instructor was Adrien de Beaupre. Adrien is an old fox, if I may say so. He has been in the security industry for a long time, he is an incident handler with SANS, and he has seen a lot during his career. He has tons of experience in incident handling and penetration testing.
I can say that the fact that he was the teacher contributed 10% to my decision to go to the course, and I was right about it.

So, on a hot Sunday afternoon we prepared the classroom and all the material for the course. Monday morning I put on my red apron and distributed the books to the students. I can say that the whole administrative process went without problems.

Being a local event, the class was very small, circa 22 students. Most of them were from different governmental agencies – army, blue eyes, the government itself… (the last time I saw so many skinheads in one room was when I was in the navy  :) ). The advantage of this crowd was that they were disciplined, no smart-asses, no trouble during the course. Their problem is that their patrons don’t pay for the exam, so they’ll only do the course. In my opinion, this is very bad, because there is a lot more to learn after the six days of the live course. Not doing the cert will not motivate/force them to continue studying.

Here are some notes I made during the class:

Day 1
Very interesting topics and most of the students participate in the discussions. Now I convinced myself that Adrien really knows how to teach and to make things interesting.

Day 2
I am very familiar with the scanning tools like Nmap and Nessus, so this day wasn’t so impressive for me.
On the other hand, I had colleagues that were really, really excited, and one even told me “This course perfectly fits my needs. Now I can defend against my CIO different portscans, because I run Nmap and I know how it works.” This really impressed me.

Day 3

Things are becoming interesting. Now I can see the difference between GPEN and GCIH. GCIH talks a lot about how to prepare against incidents and how to detect some of them.
All the students are excited about the course. Most of them are overwhelmed by material, but are happy about it.

Day 4

Things are really interesting. I like that they don’t insist so much on the offensive part, but there is a lot of defensive content.

Day 5
For me this is the most complicated/interesting day. Rootkits… (I will study deeper in this subject after this class.)
Nice and interesting exercises.
Most of the other students are lost. They are browsing the internet, have tunnel vision…  8)

Day 6
Capture the Flag
I teamed up with three other guys. Our backgrounds were very different, from the novice in offensive stuff (but very motivated) to the more experienced ones. The challenge was interesting, and we had to apply what we had learned during the class. Of course my team won  :P

After this wonderful experience I continued studying on my own. Because of home renovations I didn’t have too much time to study at home. I listened to the mp3s, and I watched some videos for the more complicated subjects. Luckily, I wasn’t that busy at work, and I did find some time to study and to go through the OnDemand questions.

As I previously said about these questions, after my GWAPT experience, they really help someone to study harder. If you are able to pass all the OnDemand questions without the aid of the books, you are ready for the exam. Many of the OnDemand questions are very tool oriented, but this is not a bad thing; it will make you study more.

I learned a lot, even for the subjects where I was more knowledgeable (like Nmap or Nessus). Every time you listen to the mp3s you discover something new. Ed Skoudis is also an excellent teacher, with a lot of experience, and with wonderful teaching skills. He knows how to hook a class.


This course was a beautiful experience, and, more importantly, it motivated me to become an even better defender. It is my opinion that it is incomparably easier to be a pentester than to be a defender. Worse, it is very hard to take real proactive measures in an enterprise. The exception will be some shiny useless boxes that a vendor sold your boss as “the next thing”  :o . In the next year I’ll concentrate more on defensive studies, before going back to pentesting.



After I passed all the OnDemand questions without the use of the books, and after I put post-its on my books, I was ready to sit for the exam. I did the two practice exams the day before the exam, without the aid of the books, and I did pretty well on them.

I scheduled the exam for a Saturday. Sitting for the exam on a Saturday afternoon was an excellent choice for me because I was able to have a good sleep, and there is no rush. The test center was all right, and there weren’t too many takers.

I can say that I really liked the exam. The questions were common sense; I didn’t see many tool-related questions, like the ones on the OnDemand. The questions on the exam tested the knowledge relative to the subject itself. There were many questions where you could use the books to get the answer, if you really wanted to be sure that you don’t make stupid mistakes.
But you don’t need the books to pass the exam. Probably you need them to get a very high grade. My favourite questions were the ones where they gave you a real situation and asked about your reaction to this problem. You’ll see some of these on the practice exams. As an example, you’ll have a dump of traffic and you’ll have to recognize the type of event and propose the countermeasure. Those were really interesting, and very pertinent to the subject tested itself.

So, after 3 hours of intense concentration I finished the exam with a score of 96%, which made me really happy  ;D .

All this experience left me with a warm feeling, and I can barely wait to sit for my next exam.

Thank you SANS for this opportunity!
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Oct 26, 2012 10:33 am

Re: My SANS GCIH experience

Congrats on your pass, and thanks for the writeup!

Haven't looked much into GCIH (time, money, etc, have kept it lower on my list of things to look into, along with most other SANS courses...)

But nice to get a perspective on it.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Fri Oct 26, 2012 10:42 am

Re: My SANS GCIH experience

Great job!
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Oct 26, 2012 1:14 pm

Re: My SANS GCIH experience

Congratulations alucian! SANS courses are so addictive...
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Oct 26, 2012 1:28 pm

Re: My SANS GCIH experience

tturner wrote:Congratulations alucian! SANS courses are so addictive...


I can see from your signature  :)

Thanks!
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Oct 26, 2012 3:00 pm

Re: My SANS GCIH experience

alucian wrote:
tturner wrote:Congratulations alucian! SANS courses are so addictive...


I can see from your signature  :)

Thanks!


Congrats alucian... I think certs in general are addictive :)
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
azmatt

Full Member

Posts: 103

Joined: Sun Jul 29, 2012 2:11 pm

Post Fri Oct 26, 2012 7:58 pm

Re: My SANS GCIH experience

Congrats!!! I take my GCIH test in 10 days.
GCFA, GCIH, GCIA, GWAPT, CISSP, CEH, GSEC
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Oct 26, 2012 10:35 pm

Re: My SANS GCIH experience

I agree that the certs are addictive, but I also like that they bring you material benefit$$$  ::)

That's an extra reason to keep studying.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Sat Oct 27, 2012 12:14 am

Re: My SANS GCIH experience

Congrats, good job.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Sat Oct 27, 2012 11:54 am

Re: My SANS GCIH experience

Good review! Maybe I'll eye the GCIH after the current course I'm taking in a few weeks.
sectestanalysis.blogspot.com/
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Oct 29, 2012 12:28 am

Re: My SANS GCIH experience

Hey, congratulations! That's a great score.

Back to the OSCP now?
The day you stop learning is the day you start becoming obsolete.
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Mon Oct 29, 2012 6:35 pm

Re: My SANS GCIH experience

ajohnson wrote:Hey, congratulations! That's a great score.

Back to the OSCP now?


I do not know if I'll go back to the OSCP for the moment. I'll probably try GCIA, as it will help me in my current contract. Also, I'll have to finish studying for SEC575.

I'll go back to OSCP next year, for sure. I am wondering if they'll have a new version.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
