I attended the SANS SEC 503 ‘Intrusion Detection In-Depth’ course at SANS Network Security two months ago and just took the GCIA certification exam yesterday, so I thought I’d post a few thoughts on the class and the exam. It’s not a full review, but if you have questions feel free to ask and I’ll do my best to answer them.

In the past, people I respect greatly have told me that I should be able to look at raw tcpdump output and decipher what was going on. I thought this class would help me out quite a bit in this area, and I was 100% correct. In fact, late in the exam yesterday I caught myself smiling as I worked through a somewhat complicated problem which presented me with a bunch of hex and asked me what was going on. I assure you that I would not have been smiling if I had to answer that question two months ago.

I may very well have been the only student in class who had never held a networking job, so in addition to learning low-level packet skills I picked up a lot of knowledge about filters, improved my familiarity with Wireshark quite a bit and got a more in-depth look at a lot of correlation and analysis topics that I learned about in SEC 401.

I had a harder time studying for this exam than for any of the previous GIAC exams I’ve taken, as I often felt mentally exhausted. It’s tough for me to know what percentage of that was from the material itself and what percentage was the 17-certifications-in-under-two-years pace I’ve been on, but I still wanted to mention it.

I had heard that the GCIA was one of the more difficult SANS exams, saw that the passing score was only 67% and was honestly a little worried about the test. The practice exams drained me mentally, but my scores were well above passing so I scheduled my test. I started the exam with a good score but at a slower than acceptable pace. My pace got quicker and quicker, and I ended up finishing with a score of 92 and an hour left.

A few tips for anyone taking the GCIA exam:

  • I know I’m Mr. Index and I had a good one for this exam too, but I used my index less on this test than I ever have before. You still absolutely need to make one (and make sure you include the packet header spreadsheet included on the course VM and a common port cheat sheet), but a lot of the questions required you to understand and apply concepts and analyze hex in addition to the normal syntax questions. Use lots of tabs on the books for this one, my friends.
  • On the cover of my index I put what question I should be on at the one-hour mark, two-hour mark and three-hour mark. I would recommend you do the same if you’re at all worried about time, but don’t overreact if you’re behind pace early. I was 5 or 6 questions off the pace at the one-hour mark, but like I said earlier I ended up having an hour left at the end. You’ll end up performing the same sort of packet analysis repeatedly and will likely speed up quite a bit.

The 503 doesn’t have the sexiness of the hacking courses or the forensics courses, but I enjoyed the class and it was a very important one for me, as I really needed to work on my packet analysis skills. Next up on my to-do list is assembly language for reverse engineering and exploit development.
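The hex-walking skill the post keeps coming back to, as an added example that is not part of the original post: a small parser that steps through a constructed Ethernet/IPv4/TCP frame layer by layer, using each header’s own length field to find where the next protocol starts. The sample frame and its addresses are made up for illustration.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II carrying an
# IPv4/TCP SYN from 192.168.1.10:54321 to 10.0.0.5:80, written as raw hex.
SAMPLE_HEX = (
    "00 11 22 33 44 55 66 77 88 99 aa bb 08 00"           # Ethernet dst, src, type
    "45 00 00 28 1c 46 40 00 40 06 00 00 c0 a8 01 0a"    # IPv4 header, bytes 0-15
    "0a 00 00 05"                                         # IPv4 dst address
    "d4 31 00 50 00 00 00 01 00 00 00 00 50 02 20 00"    # TCP header, bytes 0-15
    "00 00 00 00"                                         # TCP checksum, urgent ptr
)

TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def parse_frame(hex_text):
    """Walk the hex Ethernet -> IPv4 -> TCP; each layer's length field
    (EtherType, IHL, data offset) tells you where the next one begins."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    out = {}
    # Ethernet II: 6-byte dst, 6-byte src, 2-byte EtherType (0x0800 = IPv4).
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    out["ethertype"] = ethertype
    if ethertype != 0x0800:
        return out                       # only IPv4 is decoded in this example
    ip = raw[14:]
    # IPv4: first byte packs version (high nibble) and IHL in 32-bit words.
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, sip, dip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (20 with no options)
    out.update(version=ver_ihl >> 4, ihl=ihl, total_len=total_len, ttl=ttl,
               proto=proto, src=".".join(map(str, sip)), dst=".".join(map(str, dip)))
    if proto != 6:
        return out                       # not TCP; stop at the IP layer
    tcp = ip[ihl:total_len]              # IP options, if any, are skipped via IHL
    # TCP: ports, seq, ack, then a 16-bit field holding data offset and flags.
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4     # TCP header length in bytes
    out.update(sport=sport, dport=dport, seq=seq, ack=ack, window=win,
               flags=[n for n, b in TCP_FLAG_BITS if off_flags & b],
               payload_len=len(tcp) - data_off)
    return out


if __name__ == "__main__":
    for k, v in parse_frame(SAMPLE_HEX).items():
        print(f"{k:>12}: {v}")
```

Swap in hex from your own practice captures to drill the same walk: if the decoded ports, TTL and flags match what Wireshark shows, you read the headers correctly.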

15 thoughts on "SANS 503 and GCIA Thoughts"

  1. Great write-up on the SANS 503 course and the GCIA exam. Your evaluation of the course / test was exactly what I was looking for. I also enjoyed reading your perspective on the other courses you took. Do you typically attend any security conferences that you recommend?

    • Thank you for the kind words 🙂

      Most of my trainings have been with SANS through the work study program due to the immense cost savings. I’d like to attend some of the other conferences like Blackhat and Derbycon but I’m not sure I’ll be able to this year.

      Once I’m done with my GPEN I think my next class will be an online exploit development class with Joe McCray.

      • I would highly recommend checking out the Corelan stuff for exploit development. I took this class at DerbyCon in 2013, and it was the BEST exploit dev class I have taken.

        I noticed you were doing GPEN. OSCP has started showing up in job requirements / preferences in infosec postings on Monster... for what it’s worth.

        • I was actually all signed up and ready to go to Corelan at Derbycon last year and had to cancel at the last minute. It all worked out ok but it would have been awesome.

          I enjoyed the SEC560 and got my GPEN, but the OSCP is high on my to-do list. The only thing that’s stopped me so far is time. I really would rather not sign up until I can devote a few hours each evening to it, but I may just have to bite the bullet one of these days.

  2. Thanks for posting this, Matt. I just completed the SEC 503 course yesterday and loved the course overall. I am now studying to write the exam, hopefully within the next few weeks (thus, lots of studying ahead). Your insight has been very helpful and appreciated.

    • Awesome! Even though I don’t look at packets on a daily basis that was still one of the most useful classes I’ve ever taken.

      Good luck on the exam! Understand the concepts and get very comfortable with dissecting a packet (be able to step through them, recognize when one protocol is wrapped around another etc.) and you’ll be in great shape.

  3. Holy smokes! 17 certifications in 2 years?!?!?! Thats amazing. I just finished the bootcamp and am about to tab, take the practice exams, then go ahead and knock out the exam. Congrats, and I’d be super happy if i’m even able to get 10 in the next couple of years.

    • I never once said that my pace was smart 😉 It was very grueling, but it definitely helped me reach my self-imposed goal to be well rounded.

      I hope you got as much from the class as I did. I’ve recommended the course quite a few times, as it really helped me develop my low-level packet analysis skills. The skills have also come in handy in just about every other area of infosec I’ve dabbled in as well.

      Check out Jon Turner ( @z4ns4tsu ) on Twitter. About a month back he posted a link to some packet header worksheets he made to prep for his GSE test that I wish I would have had for my GCIA.

      Good luck!!!

  4. I just took the class and loved it, but I need access to a more streamlined study guide if one exists. Anyone know of any?

    • Not really. Make sure you have a solid index and are VERY comfortable walking through a packet’s hex bit by bit.

      One thing that’s always helped me was taking screenshots of my practice tests when I’m not 100% sure of an answer. I’ll paste them into a Word doc and they become good little study aids for improving my areas of focus.

  5. Nice writeup! I am taking the exam in 3 weeks and am a little behind the pace in my studies so far. Was wondering if you would be willing to share your cheatsheet/index with those of us that are always looking to see how others did their indexing 🙂

    • As an update 🙂
      I passed my GCIA as well. The chief support tool I used was doing an index of the current books. And you were correct... If you know the packet header structures and can look at the hex of the packets, you are most of the way there. I found it VERY interesting that in my version of the GCIA the tools that were specifically called out were SNORT and BRO. There were a few questions on those, but for the most part this was strongly leaning towards the basic understanding.

  6. I enjoyed your post on your SEC503 experience. I too am an index believer. Just curious if you’d be willing to post yours. We all learn differently and probably create these things very differently, so I’m always looking for a better way; if yours is better, or if I can even pick up tips and/or techniques from you, that would be awesome too.
    Thanks for the consideration.

  7. Can you give more insight as to the wording of the questions on the exam? Also what tools were emphasized the most?

