Hey Guys and Gals,
So, fairly recently (April 2014), I passed the SANS GIAC Certified Incident Handler (GCIH) exam, and I wanted to write a quick review of the course. If you are thinking about taking the course, hopefully this will help a bit. This was my first SANS course, and even though I was fairly familiar with SANS, I never took any courses because they are rather expensive, and not something I could pay for out of pocket. I had heard from others that the training is high quality and worthwhile, but was skeptical, because that was a lot of money to spend on a training course, so how could it really be worth it? Late last year, through my current job, I got a chance to take the GCIH, so finally I would find out first-hand. I chose the GCIH because the topics interested me and my job is essentially incident handling, so it made sense to start here. So, did I think it was worth the money, after it was all said and done? Absolutely, and here is why.
First, there is a lot of information covered in this course, and I mean A LOT. Even though I was familiar with a lot of the concepts covered, due to my day-to-day work, this expanded on them quite a bit. I expected them to cover a lot of topics, but not in any sort of decent depth. Instead, not only was the amount of material covered huge, it went into quite a lot of detail on each topic. At the very least, it was deep enough to provide a foundation on the topic, so that I can use it as a jumping-off point to go even more in depth on my own and not be completely lost. I could build on what they have taught me. Some of the topics covered are listed below; this is by no means a complete list. Also, keep in mind that each of these is basically a section with a large number of sub-sections. I just didn’t want to list all of them here.
- Incident Handling Process
- Six Steps of Incident Response
- Gaining Access
- Password Cracking
- Web App Attacks
- DoS/DDoS Attacks
- User and Kernel Mode Rootkits
- Covering Tracks in Unix and Windows
Next, I wanted to mention the course structure. Sure, the material itself is good, but that doesn’t get you far if it’s not presented well. This, to me, was one of the most impressive things about the course. It was structured really, really well. The course is broken down into several major sections (5 in this case), and each of those has a number of smaller sub-sections. Most of those sub-sections also included section quizzes that allowed you to review and test your understanding of the topic. Topics flowed naturally from one another, and built on what you had learned already by that point. This freed you to focus entirely on learning the material, instead of having to fight with the way the information is being conveyed.
Finally, I wanted to talk about the instructor for this course, Ed Skoudis (@EdSkoudis) of http://www.counterhack.net. Ed was an absolutely fantastic instructor. I enjoyed his lectures so much that I am almost a bit worried he set my expectations for other SANS courses too high, and that they might not live up to the standard he has set with the GCIH. I mentioned earlier how important course structure is, and having a quality instructor is just as important, if not more so. This was made even more clear by the fact that I’ve worked, and still work, with some extremely knowledgeable people who are just not very good at actually teaching others what they know. Make no mistake, being able to teach complicated subject matter like this is a massively important skill in itself. Ed was able to do just that, and do it in a way that is entertaining. His clever use of metaphors, and his ability to relate the subject to real-world examples from incidents he has worked, really helped the material stick. Comparing Neo, from The Matrix, to a kernel-mode rootkit means I will never look at the Matrix movies the same way again! Brilliant, I tell you! I really want to take some of the other courses he teaches in the future, as I’ve thoroughly enjoyed the GCIH.
Hopefully, this provided a bit of insight into the GCIH, and SANS courses in general, and helps you make the right decision if you are thinking of taking a course. If it wasn’t evident from the above, I very much enjoyed the course and feel the money was well spent. To anyone considering taking the GCIH, I highly recommend it.