Review: GCIH (GIAC Certified Incident Handler)

LoganFlook
10 min read · Jan 30, 2021

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling was the third course in my undergraduate certificate program at SANS Technology Institute. I was lucky enough to pass the final exam this past week on Jan 24th, and can now focus ahead on my fourth and final course of this program — which will be “SEC560: Network Penetration Testing and Ethical Hacking” starting Feb 8th. Like my previous certifications I thought I’d write up my thoughts on this course, but before I do that, like always, I have a few disclaimers. First, again, these are going to be my opinions and should be taken as such; I don’t know why reviews over certifications garner such strong responses, both by those who hold the cert and those who do not, but boy they sure do. Secondly, I did not pay for this course as the GI Bill took care of that, so I didn’t feel the sting of a $5,500 class and can’t really comment too much on that side of the course. Lastly, I took this course via the On-Demand version, which can be drastically different than in-person courses depending on how a student approaches it.

Oh! Additionally, from here on out I will be referring to this course holistically by its certification, GCIH, because it’s easier to type and I think most people who take a SANS course do so for the certification, which seems more appropriate. Also, I have had this review cleared by members of the SANS Institute following specific rules that I have outlined at the very end of this review.

Course Delivery

Like I mentioned, I took GCIH online via the On-Demand option. So for me the course was broken down into three different groups of materials: the on-demand videos, the physical books, and the labs. The videos and labs became instantly available when the course started and the books were shipped priority mail. For me personally, I do not mind On-Demand style training. It allows me to do the training whenever I can/want and I don’t feel too disconnected with videos. The videos were of good quality, all of which played in 720p, and I never had an issue with buffering. To run the labs students must download either VirtualBox or VMware images of a Windows and a Linux VM. Once downloaded, everything can be done entirely from those two machines. If I remember correctly the VMs were about ~50 GB at the end of the day. There was not too much of a difference between the videos and the books; the videos did have a few clips of the instructor demonstrating a tool/technique that were not included in the hard-copy books, but nothing was shown that wasn’t included in a lab down the road. I understand that there are many people who prefer in-person rather than online and that’s fair, but for me it was good enough to understand and pass.

*The below picture is of the free, publicly available SEC504 Course Preview that anyone can access from SANS Institute; you will have to create a SANS account, but this shows the On-Demand Platform setup*

On-Demand platform; left — the slides, right — the different books/sections, bottom — the play options

Course Content

Six books (and workbook) come with GCIH. I’ll give a brief synopsis of them as well as their accompanying labs.

Book 1: Incident Response and Computer Crime Investigations. This book covered the vast majority of the DFIR topics in this course. It hit on the incident response process as a whole first, prepping students to think like a responder with much more theory than anything else, then covered hands-on tactics like investigating possible threats in real time, collecting evidence, and multiple forms of investigations (network, memory, malware, etc.). Its labs focused on key skills like investigating open ports and connections, finding IoCs, and looking at how malware affected a machine. For me, with absolutely zero experience in these topics, I really enjoyed this book. I found the labs to be interesting, and exposure to brand new skillsets is always fun. This book also had an incredibly fun “Linux Olympics” lab which puts students up against the clock to complete many different tasks in a Linux system. It ranges from something as simple as running key commands against files (grep, ls, cp/mv…) to creating and changing cronjobs and finding hidden files across the file system(s). Someone with decent experience in Linux would probably get a “gold” (completing all challenges quickly) fairly easily, but for someone with little-to-no Linux experience this would be a fun way to build up skills! A pretty enjoyable book overall.

Book 2: Recon, Scanning, and Enumeration Attacks. With the DFIR topics out of the way, book 2 moved onto the Red side of the house. GCIH approaches Red topics from the viewpoint of a defender; it doesn’t really want to teach students the hacker methodology in order to improve their skills, rather it teaches students the hacker methodology so they can identify it in the future (at least that’s the impression I got). Book 2 hits on the first few steps most hackers take with OSINT, scanning, and service enumeration. Students use different tools to conduct passive information gathering on IPs, websites, and organizations, and then more direct active techniques. There were only a couple of labs here, which ranged from using general steps like WHOIS searches to a couple of specific tools for website and DNS enumeration.

Book 3: Password and Access Attacks. This was a really cool book for me because I was/am pretty new to password cracking in CTFs and challenges like that. It walks students through common password security setups modern-day organizations use, and the techniques hackers use to bypass said setups. Of course the labs here featured tools like John and Hashcat, but further than that there were some cool blue-team tools that can be used to help identify an organization’s password compliance.

Book 4: Public-Facing and Drive-By Attacks. Moving past the immediate attack vector of passwords, book 4 opens up the topics of common exploitation frameworks and web application attack methods. Here students are mainly focused on what could be described as ‘low hanging fruit’ attack vectors: one-step Metasploit payloads, simple OWASP Top 10 injections, etc. There were many labs in this book as this was the real ‘exploitation’ section of the course; nothing too crazy in terms of the difficulty of an exploit, but still informative.

Book 5: Evasive and Post-Exploitation Attacks. Obviously, following the initial exploitation phase, this book was all about what hackers do once they get in. I actually found this to be really enjoyable because it hit on some topics that CTFs don’t typically cover, mainly pivoting and covering tracks on the network. It was fairly high-level, but students do get exposed to pivoting mechanics like socks4proxy and netcat pivoting, as well as clearing/editing/manipulating logs in different places on networks (both on Windows and Linux). There weren’t as many labs involving privilege escalation as I had hoped (mainly due to my constant struggle there in CTFs), but the labs they did have were enjoyable.

Book 6: Capture the Flag Event. Book 6 was just the course’s capstone CTF material. The capstone was a lot of fun and did a great job encompassing most/all of the course material in one big challenge.

Throughout the course I created an Index of terms which showed the term itself, a brief description, and the book/page where that information was found. This was the same thing I did on GSEC prior to this. Once done, I used the Voltaire tool to automatically turn my spreadsheet into a Word document, and had it printed out from my local Staples store. This strategy was recommended to me when I very first started the program by prior successful students. Specifically, you can find this strategy in these two resources: https://www.youtube.com/watch?v=bHpkTArlXWc ; https://tisiphone.net/2015/08/18/giac-testing/

All six books (plus the workbook) and my Index

The Exam

The GCIH, like almost all GIAC exams, is an open-book, 100+ question multiple-choice exam with a fairly long time limit; GCIH’s being four hours. Like GSEC, the questions were more than the basic regurgitation of information found in many certification exams; instead they required an actual understanding of the material past just skin- (or paper-) deep. However, unlike GSEC, GCIH did have some hands-on questions. GCIH is one of five GIAC certifications that include what they call ‘CyberLive’ in the exam, which is a fancy way of saying it includes built-in VMs in the exam environment that students must open and accomplish tasks within in order to find the correct answer. In my opinion the CyberLive questions were really well done; I didn’t run into any issues with the VMs, and the tasks required to find the correct answer did require a good understanding (or at least a good Index) of the material to complete. Below is my scorecard from the exam; it’s hard to make out, but ironically the sections I missed the most multiple-choice questions on were the same sections I missed zero CyberLive questions on.

My GCIH Exam scorecard

Career Outlook

Having held this certification for only one week, there’s no real way I could have an idea of what impact GCIH will have on my career, but there are a couple of things I can speak about from basic OSINT. SANS identifies SEC504 as the second (and last) course in the “Baseline Skills: Core Techniques” section of their cyber security skills roadmap. As in, completing GCIH theoretically preps you to enter one of the three primary domains that SANS provides training for: Blue Team, Red Team, and DFIR.

https://www.sans.org/cyber-security-skills-roadmap

This means that, at least in the circle of GIAC certified people, they should recognize at least the basic implications of what this certification requires professionals to know/demonstrate. Further than that, for better or worse, GIAC certifications remain in high demand in the job market. Looking on LinkedIn, a basic search of ‘GCIH’ in the United States spits out over 2,200 job postings:

https://www.linkedin.com/ Search on 1/30/2021

I think that, like with many other organizations, simply having a GIAC certification can improve one’s resume and get your foot that much further into a job interview. That being said, at the end of this article I will include resources that I believe can cover much of the content found in SEC504 for people who are not able to foot the crazy SANS prices!

Summary

All in all, I really enjoyed GCIH. The incident response techniques were all brand new to me and so I learned a lot there, and the hacking material did a pretty good job covering the methodology that hackers use to attack and exploit a network while keeping it at a low enough level for brand new students to understand. I do wish the hacking techniques went a little more in depth, because if this course really is made to set someone up to potentially go into SEC560/GPEN (like myself), I think there is going to be a heavy learning curve. Like I said in my prior post concerning GSEC, SANS courses are of the utmost quality and are well respected, but their prices are way higher than the average person can/could ever afford. If you are able to get funding for GCIH it’s definitely a good course, but perhaps just jumping straight into one of the more focused SANS courses (like GCIA for blue, GPEN for red, or GCFE for DFIR) would have a higher return on investment.

Resources you can use to mimic a GCIH level of knowledge

Here I will list some resources that I believe if taken would put someone at the same (or higher) level of knowledge of a GCIH certified individual:

For the incident response portion, here are two websites that have a tremendous amount of entry-level DFIR information/resources that someone could easily utilize to match (and even surpass) the amount of incident response material found in GCIH: https://dfirdiva.com/ ; https://aboutdfir.com/ . On top of that, I believe both of these sites have dedicated DFIR Discords to hook up with other DFIR professionals — unfortunately I don’t have their links, but I do think they’re out there. You could also look at the training on https://securityblue.team/training/ for some blue-team style experience!

For the hacker techniques portion I highly recommend looking at the FREE starter pass from INE: https://ine.com/pages/cybersecurity#trynow . This path preps students for the eJPT certification (the exam voucher still costs money though) and in that path you would learn most of the techniques found in GCIH. There are a couple things missing, specifically some of the lateral movement/pivoting topics in GCIH, but for FREE you’d be pretty dang close.

As far as impacting your resume with a cert goes, grabbing eJPT to showcase the hacking skillsets would easily show you’re at the same level of hacking as GCIH, and look at the SBT Level 1 certification for the other side of the house. SBT Level 1 isn’t necessarily a DFIR cert from what I understand, but I’ve heard some great things about their exam. I am not very knowledgeable on SBT and even less knowledgeable on DFIR certifications as a whole, so my apologies there.

But that is my review, thank you for giving it a read!

Authorization for this Review

As I said at the beginning, I have had this review vetted by members of the SANS Institute. I am in accordance with five specific guidance points that were provided to me:

  1. Screenshots/Pictures of the inside of any SANS books is prohibited — I have not included any of said pictures.
  2. Information about specific exam questions or specific knowledge points to know, i.e. “There was a question about setting up ____, so make sure to know that,” is strictly prohibited — I have only touched on over-arching topics of the course, which are freely available online via the DEMO course previously mentioned.
  3. Sharing Non-public parts of the SANS website(s) is prohibited — no information was shared.
  4. Refrain from anything that would violate a non-disclosure agreement — I have not violated any NDA stipulations.
  5. Refrain from the misuse of SANS/GIAC trademarks or copyrights — from my limited knowledge of the legalities of trademarks/copyrights, I have not infringed on any trademarks/copyrights.
