SANS SEC504 – GCIH – Class and Work Study Review

I haven’t updated in a while, but I wanted to focus on knocking out the GCIH after the course and had a ton of other things going on, so, here you go. I’ll try to make up for it with an annoying amount of detail.

The SANS SEC504 – Hacker Tools, Techniques, Exploits, and Incident Handling (https://www.sans.org/course/hacker-techniques-exploits-incident-handling) is the most recent SANS course I’ve taken, and the first time I’ve taken one in person. Drinking from the firehose in person is very different from watching the OnDemand at home. Overall, a great experience.

I’m in no way a stranger to different types of education. I’ve done a bunch of classes in different topics, have a BS, a few classes into an MS, have done a pile of self-study certifications, and nothing compared to the experience of a 6-day on-site SANS course. Let’s just say I slept well that week!

Taking a few steps back, I work in infosec and my department is not exactly what I would consider well-staffed. Because of that, I (along with many others in my field, I’m sure) have to wear many different hats. Incident response is just one of the tasks that is on my plate, and what I’ve done so far has been just what seemed like a logical process. I’ve heard John Strand mention the PICERL model many times on podcasts but didn’t spend a lot of time digging into it otherwise. Most of my experience is on the blue team side, so this class was right up my alley!

My current workplace is pretty free with training time, but training funds… not so much. Because of that I’ve been applying to the SANS Work Study program (https://www.sans.org/work-study/), and this was the first time the event date, class and location all worked together, so I was all in. For those not familiar with the program, you essentially agree to work the live event as a facilitator in exchange for a huge discount on the training and exam. You show up a day or so early, do a bunch of setup, bundle together training materials, and get promotional stuff ready. But overall, it was nice just hanging out with people in the field, talking about nerdy infosec stuff, and everyone understands you! I work in a small department, so that’s a big deal to me; one of the other facilitators called it a free therapy session, which was funny but pretty accurate. You gopher whatever the instructor needs during the day and help students with some issues, but I had a smaller class so there weren’t too many technical issues.

I really enjoyed the behind-the-scenes aspect of doing Work Study. One interesting thing that I realized: the surveys are taken very seriously. For anyone who has been to an event, you know you get them for every day of class, every SANS@Night talk, etc., and I just sort of assumed they were all tossed in a box for some later date. Nope, the quality control on those is serious. The facilitators take every one, sort them by scores, run them through a spreadsheet, and scan every one. Then, every comment is given directly to the instructors after every class, and they all go straight to SANS corporate as well. I’ve never seen a company take them so seriously. But, as someone else at the event mentioned, “when you pay this much for the training, you want to feel like you are getting the best experience.” So yes, SANS training isn’t cheap, at all, but if you can swing it, or are lucky enough to get picked for Work Study, the quality of the whole event is fantastic.

My 504 class was taught by Kevin Fiscus (https://www.sans.org/instructors/kevin-fiscus), and he was a great instructor. It was refreshing to be able to walk up after class and ask about nearly anything security related and to get a useful answer. It shows that the instructors don’t only know how to teach their one course but have a well-rounded background and also work in the field. I’ve taken vendor product training (I’m looking at you, Cisco!) where the instructor is teaching only to the lab, and even questions like “well, I want to set it up like X” or “What if I use the other option on the dashboard instead?” were usually met with answers telling you to just stick to the lab and it’ll go fine. As an added bonus for doing Work Study, I also had the OnDemand access included, which was taught by John Strand, the course creator, and it was very helpful to not only get two perspectives on certain topics but also be able to refresh on certain topics while creating my test index at home later.

The first day we covered incident response. It seems like a small portion of the class, but the phases of IR are covered as part of each of the other days through the week by learning how to recognize the tools that attackers will use when you’re doing IR. This portion of the course covers many areas that many people likely forget in the preparation phase: other departments that you need to involve, and even interfacing with law enforcement. One thing they really hit home is the need for management support. This might sound obvious, but from a tech side, we see things and might think “shut it down!” but in a big corp, that’s an awesome way to get fired, whether you made the right call or not.

Each day had a number of different labs. Mixed feedback from “not enough labs!” to “labs are awesome!” came back, so I guess it was somewhere right around the correct amount of labs. All the full labs come on a USB stick, so even if you really break your local environment, you can just extract them again and start fresh. The later labs don’t rely on the earlier ones either, so restoring is no big deal. I think we’ve all played around in labs and broken something and then realized we had to rebuild half an AD infrastructure just to run the next command. Pointing out the quality control again, but all the labs just work. I know they’re supposed to work, but too many times labs aren’t perfect. I imagine most people in this field have followed different tutorials; it always seems like the tool has updated, or you’re missing a dependency, or an exploit doesn’t have the same options as the screenshots you’re looking at. None of that going on here. Turns out that’s why they don’t use Kali Linux in the image but instead build their own Linux VM loaded with the specific tools and versions that are used in the labs. Kali might update and suddenly you have 30% of the class with an essentially broken lab, and now the class is behind.

The one lab we had as part of day 1, but got to on the morning of day 2, wasn’t what we typically think of as a lab. It was a table top exercise. The timing was perfect, as I was tasked with doing a table top exercise at work and had already been researching something different for the exercise this year. I had come across the idea a few weeks before the class (https://www.blackhillsinfosec.com/dungeons-dragons-meet-cubicles-compromises/) and thought it sounded fun and different but didn’t imagine doing it in my workplace. So, we did a mock table top in class using that exact same methodology with a bunch of mostly strangers. We didn’t have a 20-sided die, but we used a phone app to do a pseudo-random roll for 1-20. Turns out it was really fun! The idea is that in reality, not everything works perfectly every time without a hiccup, because that’s how real life works.

After that exercise I changed my own table top plan at work and picked up a 55mm die (nothing for scale) that was nice and big so everyone in the room could see it. We had a ransomware exercise and it was great to answer, “nope, I rolled, you tried to pay it, and failed, so what do we do next?” I’m not a D&D guy so I discounted the idea a bit at first, but in actual practice it’s a great way to inject some reality and force people to find workarounds in real time.

The remaining four days covered attacker tools and techniques specifically. Tons of tools, some I’ve used, some I’ve never even heard of, but all were very cool to see. We followed the whole attack lifecycle from OSINT, recon, and scanning all the way to exploitation and covering your tracks. Again, the labs are really helpful here; you get copies of all of them, including video walkthroughs, so doing them again at home helps to learn the tools and for test prep.

Day 6, the CTF, was really a lot of fun. I’ve done some simple vulnerable VMs before and other labs, but never really against someone else in real time. No, I won’t give tips outside of what I was told, which was “don’t try to overhack,” aka don’t ignore the simple things and try to over-engineer something crazy when there are far faster and easier ways to go about it. Also, bring food; don’t be the teammate who decides to go out to lunch in the middle of the competition. And, SANS will email and remind you, but if you don’t have an Ethernet port, bring an adapter with you, or you can’t participate.

Days 7-8, as our instructor suggested, go home and unplug. Depending on your past experience level, you just took in a ton of information and have earned a few days of being lazy!

Now, for the test prep itself. Everyone talks about the index, and its importance is not something you want to ignore. Sure, you are supposed to actually know the material going in, but the depth of some of the questions is definitely something you could be looking up as part of your regular job, and the same holds true for the index. I followed Leslie Carhart’s guide (https://tisiphone.net/2015/08/18/giac-testing/) for index creation; this is just one of many great resources on her blog. The tabs in my books weren’t such a mess before or during the exam, but after passing I stuffed them all back into my bag, happily ate entirely too much, and didn’t unpack them for a few days!

I often see people online asking how long the index is supposed to be; that’s 100% up to what you need on there and totally personal to your learning style. I saw some people say theirs was 80 pages, others said they had five. Figure out what you need to reference, and the practice tests will help iron out how well your plan works.

I took the first practice exam and made a ton of changes to my index afterwards. I had a feeling when I was creating it that I’d be looking up terms in different ways, and it was confirmed as soon as I started trying to use it. I made a few more tweaks after the second exam. After all the colors and tabs, I didn’t end up really referring to them at all; I’d just grab the right book, then go to the page, but everyone has a different method. The testing center was at a local community college and they gave me a big corner cube with a wrap-around desk where I could spread out the books and whiteboard. I couldn’t have been happier with the setup.

Overall it was a really positive experience. Lots of work but totally worthwhile; if your workplace is understanding (they should be, you’re getting training to do a better job!) and you have the time and the funds, totally recommended.