Self-Study SANS SEC503 GCIA

Gary Hoffman
PortUnreachable
Oct 11, 2017 · 4 min read

So, I’ve recently passed the GIAC Intrusion Analyst (GCIA) exam after 7 months of hard self-study, as I was unable to attend a SANS SEC503 training course. I’m writing this blog to explain my study methods, as there isn’t much information out there for people who wish to self-study. I do, however, thoroughly recommend attending an official SANS course if you can, as the experience you receive is second to none. If, like me, you can’t, then hopefully this blog will help you achieve GCIA certification.

Training material

By far the most useful book I found was Network Intrusion Detection, 3rd Edition, by Judy Novak and Stephen Northcutt. It contains invaluable information, and every single chapter covers an exam topic in detail. No joke, I must have read this book possibly 6 times cover to cover.

https://www.amazon.co.uk/Network-Intrusion-Detection-Voices-Riders/dp/0735712654/ref=sr_1_1?ie=UTF8&qid=1496415743&sr=8-1&keywords=network+intrusion+detection

Applied Network Security Monitoring by Chris Sanders and Jason Smith is another book full of useful content. The sections I specifically targeted were those on flow analysis with SiLK, signature-based detection using Snort and Suricata, and the concepts behind Bro.

https://www.amazon.co.uk/dp/B01N3MEO80/ref=sr_1_1?ie=UTF8&qid=1496416056&sr=8-1&keywords=applied+network+security+monitoring

Practical Packet Analysis, again by Chris Sanders, offers some excellent reading. Specifically, I used it for in-depth working knowledge of Wireshark and for understanding packet captures. It also contains some excellent content on protocol analysis and real-world scenarios. Chris really knows how to engage his readers and explains things really well; follow him on Twitter @chrissanders88.

https://www.nostarch.com/packetanalysis3

TCP/IP Illustrated is a great choice if you don’t have in-depth knowledge of the networking protocol suite. Personally, I didn’t read this book as I had previous Cisco-based knowledge, but lots of other people have recommended it.

https://www.amazon.co.uk/TCP-IP-Illustrated-Transactions-Protocols/dp/0134457102/ref=sr_1_1?ie=UTF8&qid=1496416477&sr=8-1&keywords=tcp+ip+illustrated

All of the above are not only excellent training material for the GCIA exam, but they also cover many other InfoSec topics which will serve you well as a Cyber Security Analyst or in similar roles. Read these books over and over again until you thoroughly understand the content and have deep knowledge of it. I eventually signed up to Safari Books, which I found to be a cost-effective way of having immediate access to some great content.

https://www.safaribooksonline.com

Hands-on Experience

If you’re lucky enough to be currently working in a Cyber Security role then you’re already onto a winner, with real-world scenarios and hands-on experience daily. If not, then you need to look at building a home lab environment, which I won’t go into in this blog. Get used to operating Snort, Suricata and Bro; create your own signatures and test them using Scapy. You’ll need to be comfortable with this and have the ability to craft packets and identify errors in signatures. Transfer data between your VMs, generate lots of packets and capture them using Wireshark and tcpdump. You can then deep dive into the analysis using Wireshark, SiLK and Bro. Practise extracting files from the PCAP and get very good at pulling statistical data and identifying anomalies. Make sure you practise identifying protocol-related information from IP headers and deep dive into the other headers, specifically TCP, UDP and ICMP.
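As an added example, not code from the original post, here is the kind of header decoding the paragraph above asks you to practise, done by hand with Python’s struct module rather than Scapy, over a constructed IPv4/TCP SYN packet (not a real capture). It pulls out the fields an analyst reads first (version, IHL, fragment flags, TTL, protocol, addresses, ports, TCP flags), verifies the IP header checksum, and prints a tcpdump-style one-line summary. The function names and the sample addresses and ports are my own choices, not anything from the exam or the books.

```python
import struct
from ipaddress import IPv4Address

# Protocol numbers and TCP flag bits used when summarising a decoded packet.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, inverted.
    The caller passes the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed sample (not a real capture): IPv4 header carrying a TCP SYN
    from 192.168.1.10:40000 to 10.0.0.5:80, no options, no payload."""
    ip_fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                            IPv4Address("192.168.1.10").packed,
                            IPv4Address("10.0.0.5").packed)
    ip_hdr = ip_fields[:10] + struct.pack("!H", ip_checksum(ip_fields)) + ip_fields[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def decode_ipv4(pkt: bytes) -> dict:
    """Pull the fields an analyst reads first out of an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = pkt[:ihl]
    expected = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": version, "ihl": ihl, "total_length": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, "proto-%d" % proto),
        "checksum_ok": expected == cksum,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "payload": pkt[ihl:total_len],
    }


def decode_tcp(seg: bytes) -> dict:
    """Ports, sequence numbers, flags and data offset from a TCP header."""
    sport, dport, seq, ack, off_res, flags, window, _cksum, _urg = \
        struct.unpack("!HHIIBBHHH", seg[:20])
    data_offset = (off_res >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit],
            "window": window, "data_offset": data_offset,
            "payload": seg[data_offset:]}


def decode_udp(seg: bytes) -> dict:
    sport, dport, length, _cksum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "length": length, "payload": seg[8:]}


def decode_icmp(seg: bytes) -> dict:
    icmp_type, code, _cksum = struct.unpack("!BBH", seg[:4])
    return {"type": icmp_type, "code": code, "payload": seg[4:]}


def summarise(pkt: bytes) -> str:
    """One-line, tcpdump-style summary of a raw IPv4 packet."""
    ip = decode_ipv4(pkt)
    note = "" if ip["checksum_ok"] else " [bad ip cksum]"
    if ip["protocol"] == 6:
        tcp = decode_tcp(ip["payload"])
        flag_str = "".join(f[0] for f in tcp["flags"]) or "."
        return "%s.%d > %s.%d: Flags [%s], seq %d, win %d, length %d%s" % (
            ip["src"], tcp["sport"], ip["dst"], tcp["dport"], flag_str,
            tcp["seq"], tcp["window"], len(tcp["payload"]), note)
    if ip["protocol"] == 17:
        udp = decode_udp(ip["payload"])
        return "%s.%d > %s.%d: UDP, length %d%s" % (
            ip["src"], udp["sport"], ip["dst"], udp["dport"], len(udp["payload"]), note)
    if ip["protocol"] == 1:
        icmp = decode_icmp(ip["payload"])
        return "%s > %s: ICMP type %d code %d%s" % (
            ip["src"], ip["dst"], icmp["type"], icmp["code"], note)
    return "%s > %s: %s, ttl %d%s" % (ip["src"], ip["dst"], ip["protocol_name"], ip["ttl"], note)


if __name__ == "__main__":
    sample = build_sample_packet()
    print(summarise(sample))
    damaged = bytearray(sample)
    damaged[8] = 63                    # alter the TTL without fixing the checksum
    print(summarise(bytes(damaged)))
```

Compare the summary line against what tcpdump prints for the same packet and against the header diagrams you take into the exam; the checksum recomputation is the quickest way to spot a header you (or a tool) have edited but not corrected, which is exactly the sort of error the exam expects you to notice.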

Stuff to take into the exam

The single most important thing to remember is that the exam is open book. Take as much content in with you as you can, but make sure you have lots of protocol information sheets to hand. Here is a handy list of what I took in with me:

  1. Network Intrusion Detection 3rd Edition book
  2. IP Header Diagram
  3. IPv6 Header Diagram
  4. TCP Header Diagram
  5. UDP Header Diagram
  6. ICMP Header Diagram
  7. DNS Header Diagram
  8. Common tcpdump commands
  9. Common Wireshark commands
  10. SiLK cheat sheet
  11. Useful commands for Snort, Suricata and Bro
  12. A list of common protocols and ports

Some excellent sites for reference material that I used are:

https://www.securitywizardry.com/index.php/tools/packet-headers.html

http://packetlife.net/library/cheat-sheets/

The official SANS practice exams are fantastic and without a doubt an invaluable training tool. You should receive 2 free practice tests once you book your exam, so don’t waste them. Treat them like the real test: lock yourself away in a room for 4 hours and try them in the open-book format. I tried the first test immediately after booking the exam, and it highlighted a number of topics that required additional study time. Make it count: use the feedback to see where your knowledge is weakest and hit those study books again. I then did the final practice test a few days before the exam, which got me in the right frame of mind.

Hopefully this blog has provided some useful information which you can use to self-study and get that GCIA certification. Go for it, give it a try, study study study, practise practise practise. If you need any help or advice, don’t be afraid to tap me up on Twitter @portunreachable.

Good luck!
