My SEC504 & GCIH Experience

12/11/2020

How it all started

I'm lucky enough to be one of the many participants in the Cyber Discovery program run by the SANS Institute, and funded by the UK Government. Through this program I have had the opportunity to complete many interesting and engaging cyber security challenges, and even participate in exciting and informative face-to-face events. Although, due to the COVID-19 pandemic, the final 'Elite' portion of the program was online this year, I still had the chance to complete a SANS course free of charge due to my performance in the earlier stages.

A difficult choice

Two options were presented as to which SANS course I could pick - SEC504 or FOR500. I enjoy many aspects of cyber security, so this was a difficult choice for me; both exciting incident handling and complex forensic analysis seemed like great skills to develop. However, after much deliberation, I chose to take the SEC504 course and thus the GIAC Certified Incident Handler exam. This is because I felt it had a wider breadth of content, and that it would introduce me to more topics within the cyber security world.

SEC504

Watching the SEC504 webinars through SANS' "Live Online" program was a great experience. It was extremely engaging, and there were always teaching assistants on hand to help with any questions or queries we had. Our instructor, Steve Anson, did a superb job of delivering such a large amount of knowledge in the short space of time we had.

This course taught me so many new things about cyber security incident handling, from how to deal with the first sign of a security incident to performing analysis of what the attacker might have done. It was full of interactive, hands-on labs which were quite challenging and allowed you to explore the tools at your disposal. We covered a mix of red team and blue team tools/methods, and so whilst one day might've covered memory and network forensics, another was crafting payloads to exploit vulnerabilities in the provided Docker containers. Another great feature was that you can do the labs time and time again - in the new SEC504 course, they don't require a VPN connection and are all local. They also get constant updates from the creators, which improves the experience massively.

The exam - GCIH

Whilst certainly the most nerve-racking part of the process, the exam offered me an opportunity to show what I had learnt from the great course that I had taken only a month beforehand. Thankfully, we were provided with two practice tests in order to better understand the types of questions that would be asked. These were really useful, and allowed me to focus my preparation on the topics that I found more challenging.

In order to prepare for this exam, I created an index of the content covered in the SEC504 class books. I found this to be a useful way to recap all the different topics and re-read the information. I placed index flags at the start of each topic and numbered them for easy access. Also, printing my index in both alphabetical order and by topic seemed to help quite a bit. Doing this helped me to feel far more confident and prepared about taking the exam and greatly helped me to retain the knowledge I had learnt.

Because of the COVID-19 pandemic, I chose to do my exam online through ProctorU. I was very nervous about this, especially with how invasive the procedure seemed. However, my proctor was really nice and guided me through the process well. It was smooth and quite enjoyable. Also, it meant that I had more space to spread out my collection of books than I might've done at a Pearson VUE test centre. I highly recommend this option to anyone taking a GIAC exam in the future.

Results

Because I took the course only shortly after it was updated, I was enrolled in the beta examination. This meant that I didn't know the passing score or how well I'd done until about a month after taking the exam. However, it did mean that if I failed I could've taken the 'released' version of the exam at no additional charge. Normally, you would get your results immediately after finishing the exam as well as a breakdown of which areas you did better on. I was very anxious about what score I would get for that month.

On the evening of the 9th of October, I was relieved to receive emails stating that I had passed, but moreover that I had achieved a score eligible for the GIAC Advisory Board! The GIAC Advisory Board is an invite-only email forum for those who receive 90% or more in a GIAC examination. I achieved 93% in GCIH - a score that I am certainly proud of.

Afterthoughts

The Cyber Discovery program has brought me so much, and this year's iteration of CyberStart Elite has been inspirational. I am so grateful for the opportunity and hope to continue to participate in years to come. Being able to take such a highly valued course and achieve an industry-leading certification is wonderful, and I hope that I will be able to take more of such courses in the future.