SANS SEC504 (GCIH) Review

There was one problem with this class…I didn’t want it to end. Six days long and two months of supplemental studying only whetted my appetite for what SANS has to offer. SANS SEC504 (GCIH) was the perfect sequel to the SANS SEC401 (GSEC) course I took over a year ago. In similar fashion you cover one book per day, but the books are only “yay” thick (a welcome reduction compared to 401):

picture of book thickness compared to pencil

Let me give you 5 reasons why this course is a must-do for any security professional.

1) John Strand: He took over authorship of this class from Ed Skoudis (his virtual big brother), and to say John has done the class justice is an understatement. He shares many firsthand experiences and even some tools in this course that were built by his own company, Black Hills Information Security (BHIS). For instance, on day 5 you get to “infect” yourself with a command and control bot that calls home using a common HTTP parameter. It’s amazing to see things from the perspective of a “bot herder” and to leave the course with a way to test your NGFW, IDS and maybe even your MSSP. Plus, he throws in a bunch of little tidbits that are not part of the actual curriculum. Thanks, John.

2) MP3s of the course: John was not the in-person instructor when I took this course; Kevin Fiscus was. Fortunately, Kevin understood the material about as well as anyone in the world, aside from the actual authors. However, the beautiful thing about every SANS course is that a week after it concludes, you’re provided MP3 audio files of a previous class. In this case, it was a session that John Strand taught. A quick download allowed me to listen to the course during my daily commute. In other words…two instructors for the price of one!

3) Incident Response Phases: Day 1 was our foundational day, which set the table for the following 5 days of intense instruction. By the conclusion of the course, you will be uttering the 6 stages of Incident Response in your sleep…Preparation, Identification, zzzzzz, Containment, Eradication, Recovery, Lessons Learned…zzzzzzzzzzzzz. The ZZZ’s are not there because it’s boring, but because after each and every threat you review during the week, you then review how to identify such an attack, prepare for it, contain it and eradicate it. Over and over again that formula is followed. Really awesome approach and a great way to learn.

4) Netcat Relays, Buffer Overflows and Format String Attacks: Day 3 was the most technically intense day of all and filled in a lot of gaps for me, and created some new ones. You will go to bed this night with a headache and wake up with a newfound respect for the tools that make complex attacks trivial to carry out today.

5) Day 6 Capture The Flag (CTF): If you’ve never participated in a capture the flag competition, this is the perfect way to start. You break up into teams and use many of the skills you have acquired throughout the week. So not only do you spend most of the week thinking like a bad guy, you then get to BE a bad guy and break into actual systems in a lab environment. As Kevin Fiscus said, “Don’t overhack this, guys!” Throughout the week you are given many “hints” and even if you are used to CTF competitions, you will learn a lot and realize that sometimes the easiest way in is through the front door…no backdoors required. But you’ll know how to create those too if you so choose.

I don’t want to make days 2 and 4 feel bad, those are great too. The bottom line is that offense should inform the defense and this course helps you to take a close look at the offense. This is not a penetration testing course, but you do walk the line throughout it with the goal of identifying and defending against common practices used by hackers today. Yes, you also look at some tools that they use, but understanding why they use such tools and how they work is more important. The course has a defensive theme woven throughout.

A pass on the exam is very achievable. Like every SANS course, it is open book. The questions are mostly straightforward, but a few of them were kind of sneaky. Others make you interpret screenshots and identify the type of attack you are dealing with. There were quite a few on my exam about the actual IR process and what steps should be taken within each phase. If you prepare well, you don’t have to worry about passing or failing. It’s more a matter of how well you will do. If you’re not in the GIAC Advisory Board, make it a goal to get 90 or better on this exam so you can join the party. It is worth the effort. This was my second SANS course and my equation for success was the same: 1) Attend the course (online or in-person) and do all the labs while you’re there. 2) Listen to the MP3s in your car. 3) Read each book, highlight key phrases and create a detailed index.

For this course, my index was 18 pages long and 821 lines. It is essentially an Excel spreadsheet with 4 columns: Keyword/Subject, Book, Page, Summary/Info. I added several SANS cheat sheets to the back for reference and had the whole thing spiral bound at Staples for $5. Here’s a picture of mine, mostly blurred, so please don’t ask me to send you a copy:

GCIH Index Picture

One change I would suggest to SANS is to spend a little bit more time on identifying intrusion remnants on Linux computers. It is covered, but not to the extent I would have preferred. Don’t get me wrong, the 6 days were jam packed, so I’m sure the authors had to make some decisions along the way in terms of content. For instance, there was a lab on day one that walked you through looking for signs of intrusion on a Windows box. The equivalent steps were covered for Linux in the appendix, so I was able to go through that, but on my own time. Memory analysis is covered in two different labs, both of which focused on the memory dump from a Windows machine. This is clearly the most common scenario most students will face, but in my environment there are a large number of Linux computers to deal with too. Fortunately, the skills I learned can be extended to Linux with a couple of quick Google searches.

Major Takeaways: Defend your user accounts because when the bad guys have valid credentials on your network, YOU ARE IN TROUBLE. If you can’t detect an insider, you can’t detect stolen credentials. Stop trying to be a hacker. Be a security professional. Treat your internal network like it’s hostile…because it is.

Oh, one more thing…YOU’RE WELCOME.

Did you take this course or another SANS course? Tell us about it in the comments below.

Thanks for reading and don’t forget to subscribe.

Breach Irony: Experian

Another breach, you say? Yawn.

How many this time? 10,000 records? 20,000? 1 Million?

No, those numbers are small potatoes. How about 15 million? Caught your attention yet? Probably not. But stay tuned for some breach irony!

Experian was breached. They are a large credit check company. Perhaps you’ve used one of their websites before, namely freecreditreport.com, an Experian company. Have no fear if you did! You are likely unaffected by the breach, unless of course you are also a T-Mobile customer. You see, T-Mobile used them to credit check their potential customers, and those individuals make up the list of victims this time around.

GREAT NEWS THOUGH! If you are one of those poor saps, you have qualified for TWO COMPLETELY FREE YEARS OF CREDIT MONITORING by…ahem…am I reading this right??? Ahh, I love the irony…

Screen Shot 2015-10-01 at 11.34.09 PM


How many free years of credit monitoring have you accumulated? Share some details in the comments below.

Thanks for reading and don’t forget to subscribe.