Katie Nickels’ CTI Self-Study Plan

Courses, Current Projects, Learning Path

A colleague sent me this study plan, and I was so excited to dive in!

Here’s Katie’s intro to her plan:

There are many ways to learn. While some people prefer to have a live instructor in a course, others are great at doing self-study. I teach SANS FOR578: Cyber Threat Intelligence, which is a great course if you want to learn about cyber threat intelligence (CTI), but I realize not everyone can afford it.

Here’s the good news: if you are committed, you can learn a lot of the same concepts that paid courses teach, but on your own. It won’t be the same, but you can still learn a ton if this learning style works for you. I wanted to share a self-study plan to help out anyone who wants to take the initiative to learn about CTI. There are lots of great resources out there, but I realize as you’re starting out that someone saying “go look at all the things!” isn’t that helpful because you’re not sure where to look. My goal is to bring together free resources I’d recommend studying and provide a minimal framework and question to help tackle them.

Katie Nickels, https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a

She has the plan divided into five sections:

  • Intelligence
  • Cyber Threat Intelligence
  • Requirements
  • The CTI Community
  • Frameworks and Models

And within each section there are

  • books and articles to read and/or videos to watch
  • things to do
  • questions to think about
  • optional paid resources that can supplement the free learning that just took place!

This plan is very thorough and will take quite a while! My plan is to take it step-by-step and work my way through from beginning to end. I created a study notebook, and it’s already filling up with the nuggets I’m learning.

I considered publishing my study notebook here, either as I go through each resource or at the end, but quickly thought better of it. There’s a lot of value in going through the resources and I don’t want to take that opportunity away from anyone! I will, however, post updates on how my study is going and post any extra helpful nuggets I learn along the way.

Today I started reading Psychology of Intelligence Analysis by Richards Heuer, and it’s fascinating!

If you’re interested in Cyber Threat Intelligence, this study plan is a great resource that I’d definitely recommend!

image showing course workbooks with index tabs

GSEC Exam Prep

Courses, Current Projects, Learning Path

A few notes before I get started:

  • GIAC Exams are open book.
    • “Easy!” you may think. Nope, not easy! There are two factors at play here. One is time, and the other is the amount of content covered. The GSEC exam is 180 questions with a 5-hour time limit. That’s about a minute and forty seconds per question. After reading the question and answer choices, that doesn’t leave a lot of time to choose or find your answer! There is so much content in the books that finding the answers in the books is not easy. This is where a good index comes in! But if you look up every question, you will run out of time, so you really do have to know the information well even though it’s open book.
  • The GSEC just got a facelift, and I think I was part of the last group that had the old version of this exam.
    • The books I have are dated 2020. If your books are dated after 2020 then you probably have the newer version of the exam, in which case your prep might be a little different. That said, I think I would have prepared pretty much the same way for the updated exam. The main difference I’ve heard is there may be some hands on (performance-based) questions on the new exam while the one I took was all multiple-choice.
  • There are already so many great posts out there describing how to create an index and prepare for the exam. Here are a couple of my favorites:

OK, now on to how I prepared!

Have I mentioned the family motto of the family I grew up in? My brother-in-law pointed it out and it is so true it’s scary. “If it’s worth doing, it’s worth overdoing.” To which my mom replied, “If it’s worth doing, it’s worth doing right.” Haha so my family tends to go a little over the top! That may or may not apply to my index…

After I finished the week-long SANS SEC401 course, it was time to study. I started by reading all of the books cover to cover, with an Excel spreadsheet open as I went that would eventually become my index.

Index Creation

The Excel file for my index started out very simple. Three columns:

  • Book.Page – I chose to have this info in one column, but you could easily do a column for the book and a column for the page.
  • Term/Keyword/Command – This is where I may have gone a little overkill (see family motto above!). Instead of one entry for each topic, I thought of all the ways I might want to look it up and made a separate entry for each. Since I knew I’d be sorting the index alphabetically, I wanted as many options as possible to find the details I was looking for.
    • For example, under Threat Agent they talked about Nation State Actors, so I added one entry for “Threat Agent – Nation State Actor” and another entry for “Nation State Actor (type of Threat Agent).” You get the idea. There were a few things for which I had more than two entries, when I saw more than two ways I might be looking for the same content. It didn’t take much extra time, as I copied and pasted the page and description, and I felt like it was useful come exam time.
  • Description – some people leave this out, but I wanted details in the index so in this column I added the related definition or description.

Book Prep

When I started each book, I prepped the book first:

  • Since the books all look so similar, I used a sharpie to write the book number on the front cover, and that ended up really helping as I was moving from book to book during the exam.
  • I flipped through the book and made a Table of Contents (TOC), noting each section and the page number it started on. I don’t know why these books don’t already have a TOC, but that stuck out to me during the course so I knew I wanted one to reference. In the end, I printed the TOC and appended it to the back of my Index. Here’s an example of what my TOC looked like:
Image is the first part of a Workbook Table of Contents, listing out each Module and its Objectives with their respective page numbers
  • I also wrote the Modules and their starting page number on a sticky note to put on the front of the book as a quick reference.
  • Finally, I used little post-it tabs and an extra-fine point sharpie to create tabs for each module in the index.
Image is a photo of post-it tabs marking the sections of the SANS books
  • I marked each Lab’s start page in the Workbook with a sticky note as well!
Image is a photo of the lab workbook with sticky note contents on the front and post-it tabs marking the page of each lab.

So Much Reading

Then I started reading. As I read, I highlighted important terms or definitions/concepts on the pages and added any terms or info I felt might be notable to my index.

Example of index entries:

As I mentioned above, I duplicated entries with every different way I thought of that I might want to look up each topic. I also put everything that seemed notable in the index, so it ended up being so long! More on that later…

As I went through each book, every time I came to a lab I went to the lab workbook and worked through that lab. I also highlighted and indexed the lab workbook, and I’m glad I did because I definitely used it during the exam!

It took me about the equivalent of a full day to work through each book—a little more for the longer books. The instructor suggested one week for each book after the course, then another week for practice exams, and I think that was great advice on the timing.

Index

Once I’d gone through all the books, it was time to format my index.

First I ran a spell check—lots of typos when I was typing quickly! Then I alphabetized by topic and added a row before each new letter to mark the transition.

Then I did a print preview and it was SO many pages! I didn’t want to pay too much for the printing, so I adjusted the font size etc until I felt like it was manageable for my eyes but also made the most of each page.

Image is a section of one page with a small font and an alphabet heading for the letter A.
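The spreadsheet steps above (one row per phrasing you might search for, an alphabetical sort, and a divider row before each new letter) are easy to automate once the raw entries exist. The script below is an added example written for this post, not the author’s actual index or anything from SANS; the CSV layout (book.page, term, aliases, description) and the sample entries are constructed for illustration.

```python
"""Build an alphabetized, printable exam index from a flat list of entries.

Added example, not the original author's spreadsheet. The CSV column layout
and every sample entry below are assumptions constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample input (not real SANS book content). "aliases" holds the
# other phrasings you might search for, separated by "|"; each becomes its own
# index row pointing at the same page and description.
SAMPLE_CSV = """book.page,term,aliases,description
3.45,Threat Agent - Nation State Actor,Nation State Actor (type of Threat Agent),"Government-backed attacker; well resourced and persistent"
1.112,netstat -an,"Command: netstat|Listening ports - netstat",Lists all sockets and listening ports in numeric form
2.8,Defense in Depth,Layered security (Defense in Depth),Multiple independent controls so one failure is not fatal
4.201,tcpdump -i eth0,"Command: tcpdump|Packet capture - tcpdump",Capture packets on interface eth0
3.46,Threat Agent - Insider,Insider (type of Threat Agent),Employee or contractor with legitimate access
"""


@dataclass(frozen=True)
class IndexRow:
    key: str          # the phrasing this row is filed under
    page: str         # "book.page" as written on the physical books
    description: str  # definition copied in, so you rarely have to open the book


def expand_entries(csv_text: str) -> list[IndexRow]:
    """One CSV record becomes one IndexRow per lookup phrasing (term + aliases)."""
    rows: list[IndexRow] = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        phrasings = [rec["term"]] + [a for a in rec["aliases"].split("|") if a.strip()]
        for key in phrasings:
            rows.append(IndexRow(key.strip(), rec["book.page"].strip(), rec["description"].strip()))
    return rows


def sort_key(row: IndexRow) -> str:
    # Case-insensitive; leading punctuation such as "-" or "/" is ignored so
    # that command-flag entries still land under a letter, not at the top.
    return row.key.lstrip(" -/\\.").casefold()


def first_letter(row: IndexRow) -> str:
    k = sort_key(row)
    return k[0].upper() if k and k[0].isalpha() else "#"


def build_index(csv_text: str) -> list[tuple[str, str, str]]:
    """Return printable rows, with a ('== A ==', '', '') divider before each new letter."""
    rows = sorted(expand_entries(csv_text), key=sort_key)
    out: list[tuple[str, str, str]] = []
    current = None
    for r in rows:
        letter = first_letter(r)
        if letter != current:
            out.append((f"== {letter} ==", "", ""))
            current = letter
        out.append((r.key, r.page, r.description))
    return out


def render(rows: list[tuple[str, str, str]], key_width: int = 42, page_width: int = 8) -> str:
    """Fixed-width text layout suitable for a small-font, double-sided printout."""
    lines = []
    for key, page, desc in rows:
        if not page:            # divider row
            lines.append(key)
        else:
            lines.append(f"{key:<{key_width}} {page:<{page_width}} {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_index(SAMPLE_CSV)))
```

Export the spreadsheet as CSV, run the script, and paste the result into a document for the final font-size tweaking; because every alias row carries the same page and description, the duplicate-entry trick from the post costs nothing extra at print time beyond the added rows.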

I also printed out the SANS cheat-sheets that were included in the course, as well as all the book TOCs, to add to the back of the Index.

Pretty much all of the posts I read about creating a SANS index recommended using the index for a practice test before finalizing it, so I printed my Index to PDF so I could use it for a practice exam.

Practice Exams

I felt like the practice exams were so helpful in preparing for the actual exam!

Since it’s a long exam, make sure to block out the full 5 hours for the practice exam. I would recommend replicating the exam environment as much as possible. There are 15 minutes of break time built into the exam, so you can use the restroom or grab a drink of water, but you do have to finish any questions you skipped before you can start the break. If you skip quite a few questions to come back to later, keep that extra time in mind as you plan your breaks!

I kept a little notepad nearby as I took the practice exams, and made a note of two things.

  • How many questions I looked up—I just made a tick mark for each question I looked up, and at the end I could assess what ratio of the questions I looked up vs just answering on my own. I thought knowing this in relation to how long it took me to take the practice exam would help me with timing on the actual exam.
  • Any topics I didn’t feel confident in—I made a note of the topic of each question I had to look up, and any question I answered on my own that I wasn’t 100% sure I had the right answer.

After the practice exam, I used this info to review the material and revise my index.

At this point, you have a choice. Take the second practice test, or go straight for the actual exam. My goal was to score over a 90% on the exam, so I opted to use the second practice test. (If you don’t use it, please consider gifting it to someone who is prepping for the same exam!)

Final Index (aka Your SANS Masterpiece)

After the second practice exam, I finalized and printed my Index. I printed mine on my home printer then assembled it as follows:

  • A simple cover page
  • Printed Index (this ended up being 80 pages, and I printed it front and back so it used 40 pieces of paper)
  • SANS handouts from the course as well as a few other relevant SANS cheatsheets I found on their web site
  • The course book TOCs that I made

Once it was assembled, I took it to Office Depot and paid about $5 to have it spiral bound with a clear cover. Then I used more post-it tabs to mark where each letter of the alphabet started, and the handouts and TOCs. Isn’t it beautiful?!

I may be a little biased because of all the time and brainpower that went into its creation! 😉

The Exam

My SANS class was in May. I originally scheduled my exam for the first week of July, but when I only had a week until the exam I pushed it back one more week because I wanted a little more time. I was so nervous that my prep wouldn’t be good enough!

I ended up taking it the second week of July, and the day before my family left on a 3-week road trip across the country. (100% would not recommend, packing last minute to drive from Texas to California with stops in Utah, Washington state, and Oregon was a tiny bit stressful! Did I mention I have 6 kids? I’m sure I could create a whole other post with details on the logistics of road trip prep if this were a different kind of blog!)

Anyway, the testing center was great and it went as smoothly as it could be. I did take almost the full 5 hours, and ended up looking up about 1/3 of the answers, but I scored a 94% and couldn’t be happier with that outcome!

I was really glad I had such a thorough index, and I feel like the detail I put into it helped really internalize the concepts in the course—which is the point of the whole exercise, right? I ended up referencing some part of everything I included in my index—the SANS handouts, info I’d indexed from the labs, etc—during the exam.

Have you taken a GIAC exam? What would you recommend or not recommend from your prep experiences?

Wireshark, Part 2

Courses

In the fall I discovered Wireshark and honestly it’s been an amazing tool!

The following courses on LinkedIn Learning were awesome! Check your local library for access to LinkedIn Learning courses, it’s a great way to get amazing content for free!

I’ve learned that there’s a lot of detail in each packet, and a tool like Wireshark can help unlock the magic! If you haven’t tried it out, I’d definitely recommend it.