Monday, July 13, 2015

Tackling the GIAC GCIA!

Well, it’s that time again.  Time to tackle yet another certification.  The last certification I took was the GIAC GSEC which was chronicled in depth in a previous journal.  In that post, I went over briefly on the idea of are certifications worth it to someone.  After the GIAC experience I had last year, I couldn’t wait to get back into the saddle and conquer another GIAC class.  This time, a co-worker and I were approved to take on the GIAC GCIA training and exam.  What follows is another adventure into the wonderful world of SANS.

You mean I get to travel?!

The last time I was able to go to a SANS event, it was held locally.  By locally, I mean in my state of residence, Texas.  Roughly translated, a little over 250 miles.  This time I was approved for some major travel expenses, which made me feel all warm and fuzzy.  This year I was able to go to the SANS conference in Reston, VA.  One hassle free Virgin Airlines ride and we got on our way!  This was my first time in Virginia.  My trusty co-worker and I made our way to the hotel and checked into our rooms ready to wake up, get badged up, and submit our lives to the one and only Mike Poor.

I blame Mike Poor!

Upon entering the classroom, our awesome facilitator handed us our bag of books, which was different from my first time at a SANS conference where we received our books at check-in, and made our way to our seats.  We picked them strategically… you know, not at the very back, but not first row.  Others made their way in and filled the seats.  You could just feel the aura of nerd permeating through the rows of tables.  Finally the class started and we were introduced to the man, the myth, the legend, Mike Poor.  Many have said Red Bull runs through this man’s veins.  I’m not sure if that’s true, but the energy drink company may sponsor this guy due to the amount of cans he went through during the week.  Although he may not have visual wings, this man is high-powered octane and will keep you engaged. 

Like the GSEC and, I assume, any other SANS class, we went one book a day.  This material was very new to me.  Day one I kept up and understood the majority since it was a lot of TCP/IP concepts and also included IPv6.  Day two was slightly different but I held on.  It wasn’t so much of lack of understanding, more so than lack of sleep which kicked in the last hour or so of class.  Day three is where I started getting “deer-in-headlight” face when the topic of IDS/IPS evasion and other traffic analysis topics came up towards the latter half of the day.  The workbook definitely filled in the gaps and solidified the concepts covered in class. Day four… what can I say about day four?  It was the best of times.  It was the worst of times.  We were introduced to Snort and Bro.  In the past, I was introduced to these two tools, but never got to play with them in their full capacity.  Each package went over their own operational lifecycle, so by the time you got to the end of Snort, it was like Mike hit the repeat button but it was all for Bro.  That was morale crushing.  Necessary in the grand scheme of things, but my mind just did not want to get back in the game after half time.

But wait! Didn’t you say it was the best of times?  Sure, but let’s take a step back for a moment and go over a topic I find unbelievably valuable at these conferences; SANS@Night.  These are bonus sessions in which the instructors give an hour long talk about a certain topic.  When I did the GSEC class, I found myself at these talks every night.  Up until day four, I was in the room as well.  What stopped me from going on night four?  Mike Poor.  He invited my co-worker and me to go eat at a Korean BBQ place somewhere in the area.  Let me be the first to say, when you are invited to go to dinner with a minimum of five SANS instructors, you go.  The evening was an epic event that will not soon be forgotten.  However, co-worker and I had to cut our invite short since it was getting way too late.  The rest of the party were out until sometime the following morning.  I can only speak for myself, but I was destroyed and had to depend on sugar and caffeine to get me through the next day.  For this, I blame Mike Poor.  What is most impressive, Poor came to the class and didn’t skip a beat.  He taught the class with the same intensity he had the past few days.  That man is a beast or part cyborg! 

The last couple of days went off without a hitch.  I must say I was confused on a lot of the material but picked it up with the included workbook exercises.  The final day came forcing all of us to utilize the skills we all gathered throughout the week to recount the steps a nefarious hacker took within a honeypot.  This was a very exciting exercise as we were split up in teams and divided the tasks among individuals.  I was not expecting much in the area of results from my area since everyone else seemed way more experienced than me, but surprisingly enough I nailed my portion of the investigation including finding a photo of the perpetrator with some Google-fu.

Ugh… Indexing… Again

Indexing? Do I really have to? In short, yes.  Much like the GSEC experience, you get a ton of pages with no way of knowing where anything is which necessitates the need for an index.  However the biggest difference between GSEC and GCIA is the amount of topics covered.  Whereas GSEC is a broad spectrum of information security knowledge, GCIA is more focused on a specific set of concepts, tools, and commands.  Because of this, your index will be significantly smaller than GSEC. 
My previous experience in indexing really helped out. But I deviated in my study method.  I went through each book and took meticulous notes by hand in a spiral first.  That’s right. I went through the books twice.  In hindsight, I feel I could have done this study portion without this first step.  But I can’t say it hurt.  I am able to maintain knowledge better if I write stuff out by hand rather than blindly typing stuff into a Word or Excel document.  It’s just the way I work. 
Round two of hitting the books included indexing which was not as detailed as my first phase notes, nor my GSEC index.  But I did get the main sections I included in my GSEC version (Book Index, Tools, Commands, References).  I added header charts I found over at and a hex, dec, bin chart that definitely helps making quick work of conversions found in those practice exams.

Am I Ready?

GIAC gives you two practice exams to see if you are on target.  My first practice exam emulated my GSEC experience.  The biggest difference was how often I used material to double check my work.  I hardly found myself reaching for the index or books.  This can be a very good thing.  For the first half, I was hitting a solid 90+% score.  But something happened.  Mental fatigue and wanting to figure out what I was going to do later that evening.  The increase of bone head mistakes and just wanting this to be done dropped my score.  I passed, but I learned a ton about the necessity of maintaining concentration.  I also found areas I needed more work in such as DNS and strangely Wireshark fundamentals (I think this is due to the aforementioned distractions).  The second practice exam was better, as you’d expect.  But that damn DNS category still got me.  I did get five stars on Wireshark (At least the embarrassment of that went away).  Other than that one aspect, I pretty much got it.  I’ll go ahead and schedule the exam and let you know how it goes in the next section.

It’s Time

So in the last section, I left off with two practice exams down and this feeling of just wanting to get this over with.  I scheduled a week out at my testing facility of choice.  DNS was a weak spot for both practice exams so I had that nagging me all week and I really concentrated on trying to that sorted.  Two days before the exam I felt I was ready and didn’t want to study any more.  I just couldn’t force myself to get those books out again.  I took the days off despite my wife’s words of wisdom.  Something about locking me out of the house if I failed the exam because I didn’t study those two days.  The night before I went through the books again and firmed up the loose ends I had.  Before I went to sleep, I made sure I put all the material I was to bring in the bag from the SANS convention I got back in Reston, VA.  I had dreams of the exam.  Yes, I was the paranoid about it.  Oddly enough, it wasn’t about taking the exam, it was about missing my scheduled time and not even getting to sit for the thing!  I woke up the next morning groggy.  In addition to the horrible dream, my dog found her way on to my pillow and a canine tail was laying on my face.  Looking at the clock, I realized I had overslept but only by about 30 minutes.  Definitely enough time to get to the testing facility.
So with all the worry about waking up late and the traffic due to construction, I get to the facility 2 hours early.  The people there know me and consider me an expert tester (mainly due to the certs you obtain through WGU).  They were nice enough to just put me in the hot seat immediately.  The first few questions did not phase me.  Then the DNSish questions came…. I plowed through them.  Around a quarter into the exam, I was hitting 90+ on the accumulated score.  I think I’m going to be able to get this thing done without issue!  Or at least that is what I thought.  Half way, I’m down to 83%.  I wouldn’t say panic hit me, more than disappointment.  I took my break and regrouped.  Went outside with one of the proctors and walked around a bit.  Warmed up too; it’s cold in that room!  Getting back to the test, I fought through that thing and stayed pretty consistent.  In the end I ended up with an 84%.  Not too bad keeping that score and not dipping below the lowest checkpoint score of 83. 

Your Thoughts?

I’ll be the first to say, this exam is a definite challenge.  The practice exams provided seem to be exam preps for the Sec503, not the actual exam.  What do I mean by that?  I feel the actual exam seemed to be more targeted/focused instead of the “relaxed” content of the practice exams.  I can’t get into too much detail due to NDA, but details matter in this exam.  Overall, this was a great experience and welcome anyone who is willing to give it a shot.