SANS GIAC Certified Incident Handler (GCIH) Course Review

by Otakun
Categories: Network Forensics, News
Tags: ,
Comments: 2 Comments

Hey Guys and Gals,

So, fairly recently (April 2014), I’ve passed the SANS GIAC Certified Incident Handler (GCIH) exam, and I wanted to write a quick review of the course. If you are thinking about taking the course, hopefully this will help a bit. This was my first SANS course, and even though I was fairly familiar with SANS I never took any courses because they are rather expensive, and not something I could pay for out-of-pocket. I have heard from others that the training is high quality, and worthwhile, but was skeptical because that was a lot of money to spend on a training course, so how can it really be worth it? So late last year, through my current job, I’ve got a chance to take the GCIH, so finally I would find out first hand. I chose the GCIH, because the topics interested me and my job is essentially Incident Handling, so it made sense to start here.  So, did I think it was worth the money, after it was all said and done? Absolutely, and here is why.

Topics Covered

First, there is a lot of information covered in this course, and I mean A LOT. Even though I was familiar with a lot of the concepts covered, due to my day to day work, this expanded on them quite a bit. I expected them to cover a lot of topics, but not in any sort of decent depth. Instead, not only was the amount of material covered huge, it went into quite a lot of detail on each topic. At the very least, it was deep enough to provide a foundation on the topic, so that I can use it as a jumping off point to go even more in depth on my own, and not be completely lost. I could build on what they have taught me. Some of the topics covered included the ones listed below, and is by no means a complete list. Also, keep in mind each of these are basically sections, that have a large number of sub-sections to them. I just didn’t want to list all of them here.

  • Incident Handling Process
  • Six Steps of Incident Response
  • Reconnaissance
  • Scanning
  • Gaining Access
  • Password Cracking
  • Web App Attacks
  • DoS/DDoS Attacks
  • User and Kernel Mode Rootkits
  • Covering Tracks in Unix and Windows
  • Steganography

Course Structure

Next, I wanted to mention the course structure. Sure, the material itself is good, but that doesn’t get you far if it’s not presented well. This, to me, was one of the most impressive things about the course. It was structured really, really well. Course is broken down into several major sections (5 in this case), and each of those has a number of smaller sub-sections. Most of those sub-sections also included section quizzes as well, that allowed you to review and test your understanding of the topic.  Topics flowed naturally from one another, and built onto what you had learned already by that point. This freed you to focus entirely on learning the material, instead of having to fight with the way the information is being conveyed.


Finally, I wanted to talk about the instructor for this course, Ed Skoudis (@EdSkoudis), and of http://www.counterhack.net. Ed was an absolutely fantastic instructor. I enjoyed his lecture so much, that I am almost a bit worried that he set my expectations for other SANS courses a bit too high, and that they might not live up to the standard he has set with the GCIH.  I mentioned earlier how important course structure is, and having a quality instructor is just as important, if not more so. This was made even more clear, due to the fact that I’ve worked, and still work with some extremely knowledgeable people that are just not very good at actually teaching others what they know. Make no mistake, being able to teach complicated subject matter, like this, is a massively important skill in itself. Ed was able to do just that, and do it in a way that is entertaining. His clever use of metaphors, and ability to relate the subject to a real world example, from incidents he has worked really helped the material stick.  Comparing Neo, from the Matrix, to a kernel-mode rootkit means I will never look at the Matrix movies the same way again! Brilliant, I tell you! I really want to take some of the other courses he teaches, in the future, as I’ve thoroughly enjoyed the GCIH.

Final Thoughts

Hopefully, this provided a bit of insight into the GCIH, and SANS courses in general, and helps you make the right decision if you are thinking of taking a course. If it wasn’t evident from the above, I very much enjoyed the course, and feel like the money was well spent. To anyone considering taking the GCIH, I highly recommend it.

– Otakun



  1. Tej says:

    Hello Sir,

    I am also planning to appear for GIAC

    I am preparing from this book:http://www.amazon.com/Certified-Incident-Handler-Certification-Preparation/dp/1742448399
    Will this be adequate to clear the examination.
    I already have my CISSP certification.
    Any other training at a good price if you can recommend?

    Tej Gandhi

    • Otakun Otakun says:


      I took the class when preparing to take the GCIH, and from what I can tell this book isn’t reviewed too well. It’s also from 2011, which means a fair bit of it is outdated information at this point. SANS updates the materials and the questions on a regular basis, so quite a bit would have changed at this point. I would look at the list of tools and concepts covered by the current GCIH (all of this is available on their website) and play around in a lab with the tools. Make sure you understand what they do, how they work, etc. The best way to remember a lot of this stuff is to just get your hands on it and play around. Also, having an index for any SANS test is a must. There is simply too much information covered to remember it all. Some of it is also very specific things like exact commands, switches, etc. so having those somewhere easy to reference is key.

      As far as other training, honestly I personally at this point am focusing purely on SANS as they offer the best training out there, but I know it can be fairly cost prohibitive. There are some very good, more affordable certifications out there depending on what you are looking to specialize in. For example, for Pen testing the Offensive Security certifications are excellent. https://www.offensive-security.com/information-security-certifications/

Leave a Reply

Your email address will not be published. Required fields are marked *

Today is Friday