How I passed: GIAC Certified Incident Handler (GCIH) and SANS SEC504
Today I’ll be reviewing SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and its accompanying certification, the GIAC Certified Incident Handler (GCIH). SEC504 is a 6-day course that teaches step-by-step processes for incident response, how attackers undermine systems, detection and response strategies, and how to discover holes in computer systems and networks before the bad guys do.
The course leads up to the GCIH exam, which tests the knowledge needed to manage security incidents by understanding attack techniques, vectors, and tools, and how to defend against and respond to such attacks when they occur.
The GCIH covers a wide variety of topics, such as:
- Covering Tracks on Hosts and Networks
- Domain Attacks
- Drive-By Attacks
- Endpoint Attacks and Pivoting
- Incident Handling and Digital Investigations
- Memory and Malware Investigations
- Network Investigations
- Password Attacks
- Physical Access Attacks
- Reconnaissance and Open-Source Intelligence
- Scanning and Mapping
- Web Application Attacks
The exam has a range of 100–150 questions (with some lab-based) and is four hours long, with one 15-minute break allowed whenever the candidate chooses to take it. The minimum passing score is 70%, and the exam can be taken in-person at a Pearson VUE test center or (temporarily, due to the pandemic) virtually via ProctorU. The most significant difference I noticed between GIAC exams and the exams from other certification programs that I have attempted is that GIAC exams allow open books and hand-written notes.
The SEC504 course (GCIH), along with SEC401 (GSEC), makes up SANS’s Core Techniques curriculum. I accepted the opportunity to take SEC504 before receiving an invitation to take SEC401. I plan to go back and obtain GSEC later, though, since the GSE (one of my long-term goals) requires both certifications anyway.
The SEC504 course is six days long, and each day covers roughly one of the six provided books. Each day focuses on a general component of hacker techniques and incident response:
- The incident response process
- OSINT, reconnaissance, and scanning
- Vulnerabilities and exploitation
- Detection, defenses, and recovery
- A Capture-the-Flag (CTF) challenge
Mike Murr held our course on September 14th–19th through SANS Live Online instruction. While all of the SANS instructors are very knowledgeable, Mike is one of the authors of this course, so his experiences and stories directly related to the topic made classes very enjoyable. Classes ran each day from around 8 AM to 5 PM.
The final day was the CTF challenge, where students were divided into teams and directed to attack a vulnerable infrastructure containing a flag scattered into many pieces. The first team to assemble the flag and message it to the instructor won the course challenge coin, a fun and unique feature of all SANS courses. My team didn’t win the CTF, but there are always more to come!
How did I pay for the exam?
I discovered SANS courses and GIAC exams a year and a half ago while being introduced to the SIFT Workstation in my computer system forensics class. The price for a SANS course and its accompanying GIAC certification is around $7,000, which can seem overpriced. However, it seems more reasonable after you account for the many very qualified faculty that SANS has hired and the cost to fly these instructors worldwide for classes held almost every week (pre-pandemic, anyway). Their reputation and inclusion on the DoD 8140 certification list also ensure that they can charge such amounts for these classes and still have a high demand.
Fortunately, for students like myself and others who might not work for a company with a budget for such training, SANS provides a way to make the experience significantly more affordable. The (fantastic, in my experience) Work Study program can reduce the price by $5,000 for most week-long courses. The discount is essentially in exchange for assisting with the set-up, room monitoring, and tear-down of in-person events or the moderation of online events. Since I took my class during the pandemic, this was an online event that required me to be present in the virtual room about an hour before the course started, ensure audio and video quality, and answer common course administration questions. It isn’t a difficult job and is definitely worth the discount, in my opinion. I also had a bit of downtime to converse with Mike, who is a fascinating person and someone I’d like to meet in person someday. I might make a new post about applying to the Work Study program soon.
Although better than the regular cost of the exam, $2,000 is still not a small expense. Fortunately, RIT CyberCorps was willing to cover the remaining charges as part of my training and certification allowance. I understand this path is not available to everyone, but it is essential to realize these certifications are generally paid for by companies to train their employees. The Work Study program is already a considerable discount, and it is fantastic that SANS has chosen to offer it. I suggest asking if your company provides training funds and (if applicable) if they allow interns to take advantage of them. Outside scholarship programs might be willing to apply funds to training programs as well.
While researching ways to make the exam more affordable, I discovered that SANS has a (presumably paid) Teaching Assistant position. The TA answers course questions alongside the instructor and helps students with the labs throughout the class. I think this would be an exciting position to look into in the future.
Testing with ProctorU
If you are testing at a Pearson VUE test center, I wrote about my previous experience with them when I took the CompTIA A+ exam. With GIAC, though, I strongly caution you to visit the test center before testing or take the exam from home so that you can ensure adequate desk space for your references. Desk space would be a problem in most of the test centers I have attended.
GIAC’s exam scheduling process starts on their website, rather than directly on the proctor’s website like other programs. After confirming some necessary contact information, GIAC will pass you through to Pearson VUE or ProctorU (whichever one you selected) to select an appointment time. The appointment needs to be made at least three days in advance because GIAC needs time to configure the virtual machines used for the session.
ProctorU uses webcam monitoring, microphone monitoring, and a browser extension for Chrome and Firefox that records desktop activity. A ProctorU employee will use LogMeIn Rescue to remotely connect to your PC and run a shell script to check for forbidden hardware and applications before releasing the exam. The employee will continue monitoring during the exam, and most normal browser operations (printing, copy/paste, etc.) will be disabled.
How I studied
Excluding the full-day classes that I took from September 14th to the 19th, I spent eight weeks studying and reviewing the material in each of the seven books provided with the course and taking the two practice exams. Since I was on an internship program, this was usually while going to or from work and during lunch.
Since GIAC will only test your knowledge of the course contents, the only resource you will need are the provided books. Any supplemental materials come on a USB drive for in-person classes, whereas virtual classes download these resources from SANS’s website. The resources include a PDF (and therefore searchable!) copy of the book, virtual machine files for the labs and CTF, and a few handy legal-size cheat-sheets that I highly recommend printing for the exam. I am aware of other books sold by third parties for GIAC exams, but I can’t speak to their accuracy and recommend against purchasing additional resources.
The books showed up on the second day of the course after being overnighted from GIAC’s publisher in Texas. They are simple, spiral-bound books of varying thickness, the biggest of which will be the lab book since GIAC feels the need to print out the entire virtual lab wiki. The biggest annoyance I had with the books (other than that of deforestation) is that SANS didn’t hook the spiral bindings at the ends, so I spent a bit of time re-binding a few books after their bindings came off in transit.
The GIAC Index
I spent most of my study time reading and categorizing each page of the books into what the internet refers to as “the GIAC index.” Using an index is a surefire way to pass a GIAC exam — remember, it is open-book, which means minute details are testable. Like an index in a traditional book, a GIAC index lets you keep track of each page's main concepts and quickly reference them for any challenging questions on the exam. There are many strategies available online for how to create an index; I ended up modifying one particular approach that I liked.
Staples can print and bind small books like this with same-day pickup or standard shipping (extra). I’m sure there are alternatives such as Office Depot or online bookbinders that can provide similar services. The cost to bind my index (30 pages, about half in color because I included some diagrams our instructor drew) at Staples was about $12. Printing and binding my index was incredibly convenient both in terms of time on exam day and because I didn’t have a university computer lab with free printing readily available like I usually do.
How I scored
I am a fourth-year computing security student at RIT in upstate New York, so I already had a significant amount of exposure to most GCIH topics from classes, clubs, red/blue competitions, CTFs, internships, and other certifications. This amalgamation of experiences is what I believed aided me the most, as GIAC’s scenario-based questions cover a broad scope of needs and use cases.
I spent 3.5 of the allotted 4 hours on the exam. GIAC runs its exams like Cisco and most other certification programs (except CompTIA), in which each answer is final and cannot be changed or reviewed after submission. I have always believed this strategy is to provide versatility to the exam authors, who therefore don’t have to worry about potentially giving away the answer to one question in another’s text.
Unlike Cisco, however, GIAC allows candidates to skip unanswered questions. You can return to these skipped questions any time, but you won’t be allowed to take the provided 15-minute break until you answer them. There is also a limit to the number of questions you can skip.
The lab-based questions are at the end of the exam. GIAC once again uses a strategy similar to Cisco in which candidates are presented with an actual virtual machine that they use to answer multiple-choice questions. I prefer this to CompTIA’s somewhat-finicky simulations, which restrict features, grade the actions taken, and generally seem unrealistic from a usability standpoint (to me, at least). While I can’t discuss the questions’ actual content, I found most of the questions straightforward.
I scored much higher on the actual exam than I did the two practice exams that GIAC provided through the SEC504 course, at about 98% instead of 91% and 92% for each practice exam, respectively. However, since I was finishing the practice exams with about an hour and a half to spare, I decided to take more time on each question during the actual exam and always check a reference if I had one in my index (more on that later).
Whereas Cisco provides score percentages for each section of the exam and CompTIA lists the exam objectives where you incorrectly answered questions, GIAC uses a five-star rating system. On the practice exams, I reviewed any sections for which I scored three stars or less. While my high score on the actual exam surprised and delighted me, I still only scored three of five stars in the network attacks and reconnaissance sections, which indicates that I should have studied those sections more.
The practice exams display any incorrect answers along with their explanations. Oddly, reading these explanations still counts as part of the overall time to complete the practice exam, and the practice exams can’t be reviewed or re-taken after they are closed. However, GIAC does sell additional practice exams for around $170 apiece if you find these necessary.
Good luck with your studies!
GCIH is one of GIAC’s core certifications, which means it validates foundational security knowledge on detecting, responding to, and resolving computer security incidents. It is one of the three (at minimum) certifications required before attempting GIAC Security Expert, a very well-regarded credential in the security industry and one of my future goals.
Since this was my first GIAC certification, I didn’t have the opportunity to get GSEC first, another GSE-required exam. Unfortunately, I won’t have time to pursue it while back at school this spring (not to mention that SANS/GIAC is still expensive for CyberCorps even with the discount, so it’s unlikely they will approve another course for quite some time). I hope to convince my co-op employer to cover the training costs for me next summer.
I intended for this post to help other college students who would like to take SANS courses and obtain GIAC certifications understand the time and financial commitments and how to ease both of them. Good luck with your exam, and please reach out if you have further questions!
I do not use affiliate links, nor do I earn compensation for any products I endorse in this post. These are the resources I used to pass this exam and my honest reviews of them.