Silicon Shecky

Infosec Practitioner


Passing the Cert – SANS Notes and thoughts

October 15, 2020 By Michael Kavka 1 Comment

After years of trying to convince employers to send me to a SANS class, I was all set to take SEC504 in St. Louis back in March. It was all paid for and I had the hotel booked. Then COVID-19 hit and, a week before the class, my office cancelled all work travel. Luckily SANS was adjusting for this and gave me a voucher, good for a year, to take the course.

I had planned on waiting until things settled down to take SEC504, which is the course for the GCIH cert, in person, even though SANS had started offering Live Online versions. I have always learned better when sitting in a class, especially since my focus can get pulled away at home. I love my family, but even with an office to disappear into, I can hear the 4 year old yelling, my wife yelling back, you know, the life of having a youngling around. Still, as the summer wore on, I started to realize that I might just have to do it through an online version, and the Live Online format intrigued me. As luck would have it, an instructor of the course whom I knew was teaching it near the end of July. I had taken a beginners PowerShell scripting class from Mick Douglas through the Brakeing Down Security Slack a few years before, so I knew his style and that I could learn from him. I had also kept in touch with him through social media, so before signing up I figured I would ask him some questions about Live Online. Mick is a great guy and loves helping others out. Through our conversations I found out that not only was he teaching through the Live Online platform and loved it, but he had also taken a class through it. On his recommendation, I applied my voucher and set myself up for the class with a certification exam voucher included. I also ordered a noise-reducing headset with a mic that did not break the bank, so I could cut down as much noise as possible.

The experience of the class was awesome. Mick had told me that it was easier to get questions asked and answered with Live Online, since it was not just the teacher with a GoToMeeting session open, but also a Slack channel where we could ask questions as we went along without hurting the pace of the class. I was also part of the newest version of the class. The new version had about 70% of the class rewritten and updated. The Incident Handling part on day 1, which is the longest day of the course, was not just a look at blue team ideas, but laid the foundation for the rest of the class. They also added a section at the end called the Linux Olympics to get people who might not be as familiar with Linux more familiar with its commands. Everything was self-contained in the materials and VMs that you get as part of your class materials.

Throughout the course I took notes on a pad of paper. The next morning I would type those notes back out into a OneNote notebook I set up, to help me remember the items I thought needed to be noted. This method helped me remember the material the next day, committing it to memory by first writing it, then going over it again and typing it up before the next day's section.

The final day of the course is a CTF, where you divide up into teams to compete for a SANS SEC504 challenge coin. Normally, with an in-person class, you hang out for dinner and maybe a drink after class each day, get to know one another, and through that pick out who you want to team with. That is the shortcoming of Live Online: many of us didn't really talk with each other or get to know each other much over the course of the week. That said, I wound up on the one team of three against the other teams of four people. That did not faze us. We divided up sections, talked over our Zoom connection constantly, made sure to help each other as needed, and blew away the other teams using this method.

SANS SEC504 Challenge Coin

Things from here get a little squirrely due to the revamp of the class and exam. The GCIH exam attached to the class at this point was still considered Beta, and was being publicly released in October (October 10th, to be exact). I got an e-mail saying I would not be able to take the exam until October, and my practice exams would not be available until then either. This was not acceptable to me, as I would have no way of testing my index for two months, and it scared me that, with the way my mind works, I would have too much time to forget things. A couple of e-mails later it turned out they had made a mistake and I was in fact on the Beta Exam list. No harm, no foul, except I now had 4 weeks to prep for and take the exam (it took about a week or so to get put into the Beta Exam). I had been studying during that time, but not at the hard pace that I would need for a short turnaround.

I highly recommend reading Lesley Carhart's Better GIAC Testing with Pancakes blog post, as this was the basis for the indexing system I used. I found that the color coding of tabs made going through things fast and efficient overall. Changes I made to the system included large tabs for the books themselves and smaller tabs for the sections. I did not tab individual commands or items, as that would have caused the following issues for me. First, there would have been too many tabs. Tabbing just the main sections cut down on how hard it was to see where I needed to start, and the index itself gave me the exact page number inside the section. Second, there are only so many colors of tabs, so with too many tabs you start tripling and quadrupling colors, which gets confusing.

Tab package I bought for indexing

Armed with this, I set about indexing, using a highlighter to mark key things in each section of each book so they would pop out at me when I got to that page. The nice thing about indexing in this fashion is that I read every line of every book again, helping me retain and relearn portions. I used Excel with an individual tab for each chapter's index, copied those into a separate tab in the workbook to make the master index, then copied that into a two-column format in a Word document, as recommended by Lesley. I ended up with an index just over 6 pages long. At this point I spent the next week using the VMs I got as part of the class materials to do the labs again. As in the class, I did one book's labs per day in the evening. Then I took my first practice exam.
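The per-book-to-master-index step described above, as an added example in Python. This is not the author's spreadsheet workflow or any SANS material; the terms, book numbers and page numbers are constructed sample data, and the merge and sort rules (case-insensitive term merging, references ordered by book then page) are assumptions about how a practitioner would want duplicate terms handled.

```python
"""Merge per-book GIAC-style index entries into one sorted master index.

Added example, not the author's own workflow.  The entries below are
constructed sample data and do not come from any course book.
"""
from collections import defaultdict
import re

# Constructed sample entries: one list per book, each item (term, book, page).
# The author kept one Excel tab per chapter; this mirrors that layout.
BOOK_ENTRIES = {
    1: [("Incident handling process", 1, 12), ("Chain of custody", 1, 88),
        ("netstat", 1, 140), ("Linux Olympics", 1, 210)],
    2: [("Nmap", 2, 33), ("netstat", 2, 71), ("Metasploit", 2, 102)],
    3: [("Hydra", 3, 15), ("Metasploit", 3, 60), ("Chain of custody", 3, 201)],
}


def merge_indexes(book_entries):
    """Combine per-book lists into {term: [(book, page), ...]}.

    Terms are merged case-insensitively, so "Netstat" in one book and
    "netstat" in another become a single entry; the first spelling seen is
    kept for display.  References are sorted by book, then page.
    """
    refs = defaultdict(set)
    display = {}
    for entries in book_entries.values():
        for term, book, page in entries:
            key = term.strip().lower()
            display.setdefault(key, term.strip())
            refs[key].add((int(book), int(page)))
    return {display[k]: sorted(v) for k, v in refs.items()}


def sort_key(term):
    # Ignore case and leading punctuation so a flag like "-sV" files under S.
    return re.sub(r"^[^a-z0-9]+", "", term.lower())


def format_index(index):
    """Return (term, 'book:page, book:page') rows, alphabetised by term."""
    rows = []
    for term in sorted(index, key=sort_key):
        refs = ", ".join(f"{b}:{p}" for b, p in index[term])
        rows.append((term, refs))
    return rows


def render(rows):
    """Lay the rows out as two aligned text columns, ready to paste."""
    width = max(len(term) for term, _ in rows) + 2
    return "\n".join(term.ljust(width) + refs for term, refs in rows)


if __name__ == "__main__":
    print(render(format_index(merge_indexes(BOOK_ENTRIES))))
```

Running it prints the merged index with each term once and its page references grouped, which is the form that makes a printed index usable under exam time pressure: one lookup per term rather than one per book.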

That first practice exam was a mess for me. I was nervous and rushing at the start, forgetting to use my index. By the time I calmed down and finished I felt better, but I found out that I would not get a score because of the Beta status of the exam. I figure I scored somewhere between 60 and 70%, although I cannot give a real number on that and I tend to judge myself harshly. That being said, I did learn my weak points and set about correcting them. One of the biggest takeaways, besides slowing down and using the index I built, was that I was missing command context at points. Lesley's method says not to index the lab book, but going back over it, I realized many of the answers I could not find were sitting in there, so I set about indexing it and adding it to my master index for practice exam two.

I was much calmer for the second practice exam, as I was familiar with what was coming, from both the lab questions they now had and the multiple-choice ones. I also made sure to keep a running tally of how many questions I got wrong so I could figure out my score at the end. Taking 3 of the 4 hours on it, I tallied up a score of 85% on this attempt. Since the Beta is used to determine the passing score of the exam, I did not have complete confirmation that this would pass, but going by the prior version's passing score of 73% I figured I was pretty good to go. Before I took this practice exam I had also set up the actual exam date in person at a testing center.

Going through all this, I still had to wait a few weeks before I found out what my score was. The waiting was driving me crazy even though I felt like I had easily passed. When I received my score, the day before the exam went public, I was pleased to find I got a 93% and was also invited to the GIAC Advisory Board because I scored so high. That meant my personal goal of getting that invite was met and I had accomplished everything I wanted to with the course and exam. What I learned in the class I was able to use within days of finishing the course back at the end of July, and I still use it now.

The question people, including myself, ask is whether these classes are worth the cost. Much of the material I learned in the class could be learned through other means, but the connections between the different topics might not be there. If you can afford it, or can get your employer to pay for it, then yes, I feel it is. If you cannot, then go through the syllabus on the SANS site and do some research on each day's topics; you should find materials that cover the tools used. I found that having access to the instructor, TA and other classmates in the class setting worked fantastically. Would I take another SANS course? Most definitely, if monetarily possible.

Filed Under: General, Security

Comments

  1. Sara Khan says

    October 27, 2020 at 13:26

    My course is SANS OnDemand, so there is no one to teach; I just listen to the videos.
    I am struggling even though I have the index, done in so much detail. My labs are the ones that are giving me nightmares.
