Katie Nickels’ CTI Self-Study Plan

Courses, Current Projects, Learning Path

A colleague sent me this study plan, and I was so excited to dive in!

Here’s Katie’s intro to her plan:

There are many ways to learn. While some people prefer to have a live instructor in a course, others are great at doing self-study. I teach SANS FOR578: Cyber Threat Intelligence, which is a great course if you want to learn about cyber threat intelligence (CTI), but I realize not everyone can afford it.

Here’s the good news: if you are committed, you can learn a lot of the same concepts that paid courses teach, but on your own. It won’t be the same, but you can still learn a ton if this learning style works for you. I wanted to share a self-study plan to help out anyone who wants to take the initiative to learn about CTI. There are lots of great resources out there, but I realize as you’re starting out that someone saying “go look at all the things!” isn’t that helpful because you’re not sure where to look. My goal is to bring together free resources I’d recommend studying and provide a minimal framework and question to help tackle them.

Katie Nickels, https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a

She has the plan divided into five sections:

  • Intelligence
  • Cyber Threat Intelligence
  • Requirements
  • The CTI Community
  • Frameworks and Models

And within each section there are

  • books and articles to read and/or videos to watch
  • things to do
  • questions to think about
  • optional paid resources that can supplement the free learning that just took place!

This plan is very thorough and will take quite a while! My plan is to take it step-by-step and work my way through from beginning to end. I created a study notebook, and it’s already filling up with the nuggets I’m learning.

I considered publishing my study notebook here, either as I go through each resource or at the end, but quickly thought better of it. There’s a lot of value in going through the resources and I don’t want to take that opportunity away from anyone! I will, however, post updates on how my study is going and post any extra helpful nuggets I learn along the way.

Today I started reading Psychology of Intelligence Analysis by Richards Heuer, and it’s fascinating!

If you’re interested in Cyber Threat Intelligence, this study plan is a great resource that I’d definitely recommend!

Image showing course workbooks with index tabs

GSEC Exam Prep

Courses, Current Projects, Learning Path

A few notes before I get started:

  • GIAC Exams are open book.
    • “Easy!” you may think. Nope, not easy! There are two factors at play here. One is time, and the other is the amount of content covered. The GSEC exam is 180 questions with a 5-hour time limit. That’s roughly a minute and a half per question. After reading the question and answer choices, that doesn’t leave a lot of time to choose or find your answer! There is so much content in the books that finding the answers in the books is not easy. This is where a good index comes in! But if you look up every question, you will run out of time, so you really do have to know the information well even though it’s open book.
  • The GSEC just got a facelift, and I think I was part of the last group that had the old version of this exam.
    • The books I have are dated 2020. If your books are dated after 2020, then you probably have the newer version of the exam, in which case your prep might be a little different. That said, I think I would have prepared pretty much the same way for the updated exam. The main difference I’ve heard is there may be some hands-on (performance-based) questions on the new exam, while the one I took was all multiple-choice.
  • There are already so many great posts out there describing how to create an index and prepare for the exam. Here are a couple of my favorites:

OK, now on to how I prepared!

Have I mentioned the family motto of the family I grew up in? My brother-in-law pointed it out and it is so true it’s scary. “If it’s worth doing, it’s worth overdoing.” To which my mom replied, “If it’s worth doing, it’s worth doing right.” Haha so my family tends to go a little over the top! That may or may not apply to my index…

After I finished the week-long SANS SEC401 course, it was time to study. I started by reading all of the books cover to cover, with an Excel spreadsheet open as I went that would eventually become my index.

Index Creation

The Excel file for my index started out very simple. Three columns:

  • Book.Page – I chose to have this info in one column, but you could easily do a column for the book and a column for the page.
  • Term/Keyword/Command – This is where I may have gone a little overkill (see family motto above!). Instead of one entry for each topic, I thought of all the ways I might want to look it up and made a separate entry for each. Since I knew I’d be sorting the index alphabetically, I wanted as many options as possible to find the details I was looking for.
    • For example, under Threat Agent they talked about Nation State Actors, so I added one entry for “Threat Agent – Nation State Actor” and another entry for “Nation State Actor (type of Threat Agent).” You get the idea. There were a few things for which I had more than two entries, when I saw more than two ways I might be looking for the same content. It didn’t take much extra time, as I copied and pasted the page and description, and I felt like it was useful come exam time.
  • Description – some people leave this out, but I wanted details in the index so in this column I added the related definition or description.

Book Prep

When I started each book, I prepped the book first:

  • Since the books all look so similar, I used a Sharpie to write the book number on the front cover, and that ended up really helping as I was moving from book to book during the exam.
  • I flipped through the book and made a Table of Contents (TOC), noting each section and the page number it started on. I don’t know why these books don’t already have a TOC, but that stuck out to me during the course so I knew I wanted one to reference. In the end, I printed the TOC and appended it to the back of my Index. Here’s an example of what my TOC looked like:
Image is the first part of a Workbook Table of Contents, listing out each Module and its Objectives with their respective page numbers
  • I also wrote the Modules and their starting page number on a sticky note to put on the front of the book as a quick reference.
  • Finally, I used little post-it tabs and an extra-fine point Sharpie to create tabs for each module in the index.
Image is a photo of post-it tabs marking the sections of the SANS books
  • I marked each Lab’s start page in the Workbook with a sticky note as well!
Image is a photo of the lab workbook with sticky note contents on the front and post-it tabs marking the page of each lab.

So Much Reading

Then I started reading. As I read, I highlighted important terms or definitions/concepts on the pages and added any terms or info I felt might be notable to my index.

Example of index entries:

As I mentioned above, I duplicated entries with every different way I thought of that I might want to look up each topic. I also put everything that seemed notable in the index, so it ended up being so long! More on that later…

As I went through each book, every time I came to a lab I went to the lab workbook and worked through that lab. I also highlighted and indexed the lab workbook, and I’m glad I did because I definitely used it during the exam!

It took me about the equivalent of a full day to work through each book—a little more for the longer books. The instructor suggested one week for each book after the course, then another week for practice exams, and I think that was great advice on the timing.

Index

Once I’d gone through all the books, it was time to format my index.

First I ran a spell check—lots of typos when I was typing quickly! Then I alphabetized by topic and added a row before each new letter to mark the transition.

Then I did a print preview and it was SO many pages! I didn’t want to pay too much for the printing, so I adjusted the font size, etc., until I felt like it was manageable for my eyes but also made the most of each page.

Image is a section of one page with a small font and an alphabet heading for the letter A.

I also printed out the SANS cheat-sheets that were included in the course, as well as all the book TOCs, to add to the back of the Index.

Pretty much all of the posts I read about creating a SANS index recommended using the index for a practice test before finalizing it, so I printed my Index to PDF so I could use it for a practice exam.
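As an added example (not part of the original post), here is a small Python script that automates the index steps described above: one row per alternate keyword, case-insensitive alphabetizing, a separator row before each new letter, CSV output for printing, and a quick lookup for practice-exam use. The sample entries are constructed for illustration, not taken from any course book.

```python
import csv
import io

# Constructed sample entries (not from any course book): (book.page, alternate
# keywords the entry should be findable under, description).
SAMPLE_ENTRIES = [
    ("1.45", ["Threat Agent - Nation State Actor",
              "Nation State Actor (type of Threat Agent)"],
     "Government-backed adversary running long-term, targeted campaigns."),
    ("3.12", ["CIA Triad", "Confidentiality (CIA Triad)",
              "Integrity (CIA Triad)", "Availability (CIA Triad)"],
     "The three core security properties that controls are meant to protect."),
    ("2.88", ["nmap -sS", "SYN scan (nmap -sS)"],
     "Half-open TCP scan; never completes the three-way handshake."),
    ("1.7", ["Access Control"],
     "Mechanisms that restrict which subjects may use which resources."),
]

FIELDS = ["Book.Page", "Term", "Description"]


def page_key(page):
    """'2.88' -> (2, 88) so book 2 sorts before book 3 and page 7 before 45."""
    return tuple(int(part) for part in page.split("."))


def normalize(term):
    """Case-insensitive sort text, ignoring leading quotes, dashes and spaces."""
    return term.lower().lstrip(" \"'-")


def expand_rows(entries):
    """One row per keyword, so the same page is findable under every alias."""
    return [{"Book.Page": page, "Term": kw.strip(), "Description": desc}
            for page, keywords, desc in entries for kw in keywords]


def letter_of(term):
    text = normalize(term)
    return text[0].upper() if text and text[0].isalpha() else "#"


def build_index(entries):
    """Expand aliases, alphabetize, and add a marker row before each letter."""
    rows = sorted(expand_rows(entries),
                  key=lambda r: (normalize(r["Term"]), page_key(r["Book.Page"])))
    out, current = [], None
    for row in rows:
        letter = letter_of(row["Term"])
        if letter != current:
            out.append({"Book.Page": "", "Term": f"=== {letter} ===", "Description": ""})
            current = letter
        out.append(row)
    return out


def to_csv(rows):
    """CSV text ready to open in a spreadsheet for font/layout tweaks and printing."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def lookup(index_rows, query):
    """Practice-exam search: book.page values whose term or description mention the query."""
    q = query.lower()
    hits = {r["Book.Page"] for r in index_rows if r["Book.Page"]
            and (q in r["Term"].lower() or q in r["Description"].lower())}
    return sorted(hits, key=page_key)


if __name__ == "__main__":
    index = build_index(SAMPLE_ENTRIES)
    print(to_csv(index))
    print("nation state ->", lookup(index, "nation state"))
```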

Practice Exams

I felt like the practice exams were so helpful in preparing for the actual exam!

Since it’s a long exam, make sure to block out the full 5 hours for the practice exam. I would recommend replicating the exam environment as much as possible. There are 15 minutes of break time built into the exam, so you can use the restroom or grab a drink of water, but you do have to finish any questions you skipped before you can start the break. If you skip quite a few questions to come back to later, keep that extra time in mind as you plan your breaks!

I kept a little notepad nearby as I took the practice exams, and made a note of two things.

  • How many questions I looked up—I just made a tic mark for each question I looked up, and at the end I could assess what ratio of the questions I looked up vs just answering on my own. I thought knowing this in relation to how long it took me to take the practice exam would help me with timing on the actual exam.
  • Any topics I didn’t feel confident in—I made a note of the topic of each question I had to look up, and any question I answered on my own that I wasn’t 100% sure I had the right answer.

After the practice exam, I used this info to review the material and revise my index.

At this point, you have a choice. Take the second practice test, or go straight for the actual exam. My goal was to score over 90% on the exam, so I opted to use the second practice test. (If you don’t use it, please consider gifting it to someone who is prepping for the same exam!)

Final Index (aka Your SANS Masterpiece)

After the second practice exam, I finalized and printed my Index. I printed mine on my home printer then assembled it as follows:

  • A simple cover page
  • Printed Index (this ended up being 80 pages, and I printed it front and back so it used 40 pieces of paper)
  • SANS handouts from the course as well as a few other relevant SANS cheatsheets I found on their website
  • The course book TOCs that I made

Once it was assembled, I took it to Office Depot and paid about $5 to have it spiral bound with a clear cover. Then I used more post-it tabs to mark where each letter of the alphabet started, and the handouts and TOCs. Isn’t it beautiful?!

I may be a little biased because of all the time and brainpower that went into its creation! 😉

The Exam

My SANS class was in May. I originally scheduled my exam for the first week of July, but when I only had a week until the exam I pushed it back one more week because I wanted a little more time. I was so nervous that my prep wouldn’t be good enough!

I ended up taking it the second week of July, and the day before my family left on a 3-week road trip across the country. (100% would not recommend, packing last minute to drive from Texas to California with stops in Utah, Washington state, and Oregon was a tiny bit stressful! Did I mention I have 6 kids? I’m sure I could create a whole nother post with details on the logistics of road trip prep if this were a different kind of blog!)

Anyway, the testing center was great and it went as smoothly as it could be. I did take almost the full 5 hours, and ended up looking up about 1/3 of the answers, but I scored a 94% and couldn’t be happier with that outcome!

I was really glad I had such a thorough index, and I feel like the detail I put into it helped really internalize the concepts in the course—which is the point of the whole exercise, right? I ended up referencing some part of everything I included in my index—the SANS handouts, info I’d indexed from the labs, etc—during the exam.

Have you taken a GIAC exam? What would you recommend or not recommend from your prep experiences?

Holiday Hack Write-up

Current Projects, Reports and Write-ups

I finally finished my write-up for the SANS Holiday Hack 2020. I learned a lot through the process of writing this up!

If you’re interested, check out my full write-up on GitHub. Here are my key takeaways though, pulled straight from my write-up:

Personal Takeaways

Favorites

These are my favorite challenges and experiences of this challenge:

Linux Primer

I love the Linux command line. It’s fun. Not to mention if my kids walk through the room and see me in Linux they’re always like, “Mom’s hacking again!” which of course makes me laugh, and also makes me feel like a pretty cool mom.

The lights and the vending machine in the UnPreparedness Room

I enjoy cryptography, even though I haven’t done much of it yet. It’s probably my math background; I have taken a lot of math classes and really enjoy math. And the problem solving involved in these was just fun!

Soundtrack

Have I mentioned I loved the soundtrack for this challenge? My favorite song though was Ninjula’s You’re a Mean One, Mr. Grinch. So much energy!

Cool tools from this challenge

Bucket Finder

https://digi.ninja/projects/bucket_finder.php

Cyberchef

https://gchq.github.io/CyberChef/

Atomic Red Team

atomic red team

HID / Proxmark

I’m fascinated by the idea that through a little device you can manipulate ID cards. The Proxmark3 seems like an awesome tool. This HID/ProxCard Cheat Sheet could come in handy some day.

Scapy

Really any specific way to change a packet is new and fascinating to me! I knew it was possible but to see it in action was pretty cool.

Things in this challenge that were mostly or completely new to me

S3 Buckets

I don’t know a whole lot about how Amazon Web Services works. I’ve just started learning about EC2 instances, but haven’t gotten very far yet. I love learning about how everything works together in the cloud and look forward to learning more about S3 storage buckets and ways to secure them.

Tmux

The idea of multiple terminal sessions being accessible in one window kind of blows my mind, not gonna lie.

Regex

Regular expressions are a concept I’ve come across before but never in this much detail. I was actually working on a script the other day where I ended up using regex and it was so helpful! I’m still a baby when it comes to using it, but I learned a lot through the process in this challenge!

Redis

I still feel unsure of what exactly Redis is used for, but at least now I’ve had a little exposure to build on next time I come across it!

Lookup Tables

I have to say I’m proud that my natural way to fix the vending machine was basically a lookup table. I’ll have to look into methods for lookup tables in more detail next time I come across a polyalphabetic cipher. I’m sure there was a way to automate this, or at least I’d like to think python could have saved a lot of time here, I just don’t know enough about it yet to make it happen!

Things I learned about hacks and challenges during this challenge

Taking Notes

I took notes right from the start, but as I progressed through the challenges I realized my note taking was definitely lacking. I tweaked my notes along the way, but still as I wrote this up I found there was so much missing from my notes and had to revisit the challenge and walk through it quite a bit a second time to get the details I missed. In the end, here are the things I learned about taking notes:

  • Take all the screenshots. I took quite a few screenshots along the way, but I wished I had taken more… or differently. What I would change for next time? Take a screenshot of the full badge at the beginning. Take a screenshot of each room before interacting with it.
  • Track the dialogue better. I started just making notes of the gist of what the elves said. Then I realized their specific words were probably more important, so I started typing their comments word for word, but quickly decided there had to be a better way. After looking through a little more closely, I realized their dialogue was in the chat window! Wish I had paid attention to that from the start. Copy and paste is so much easier than copy typing!
  • Take notes in a way that will support a write-up. This write-up took forever because I didn’t do a great job of typing up all my thoughts along the way. Most of my notes were in the form of screenshot or short phrases, which was good but I definitely could have done better.

Stop and Smell the Roses

I have a feeling I missed a lot. I was so focused on the specific objectives and didn’t notice as much as I could have about the environment, the narrative, storyline, etc. I heard people mention a few Easter Eggs and man I want to see what I was missing!

I guess what I’m trying to say is I learned that challenges like this are more than just about the objectives. They can be so much fun too!

SANS Holiday Hack Challenge & KringleCon3

Current Projects

Where has this been all my life?!

For real though. KringleCon3 and the Holiday Hack Challenge, I can’t even tell you how awesome. It’s the perfect combination of geeking out, having fun, listening to a great soundtrack, watching short talks to give me tips, stalking discord, taking notes, and learning by doing.

I didn’t get a chance to start on this until later in December, but it’s been SO much fun and I’ve gotten a little over halfway through so far. (Still a few more days before I need to stop and write it all up…)

And it looks like they do it every year, so it’s definitely going on my calendar for every December because I’ve loved it so much.

It’s on my list to look at the write-ups from last year too. I’m new to the write-up thing so it will be such a good resource!

CompTIA Security+ Studies

Current Projects, Learning Path

Time to complete the trifecta! I started studying for this one as soon as the holidays were over, and I’m excited to really dig in. Here are the resources I’m planning on using:

  1. CompTIA exam objectives – this is a must for any CompTIA exam, they’re so detailed!
  2. CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide by Darril Gibson
  3. Professor Messer’s Security+ course videos on YouTube
  4. Jason Dion’s Security+ course and practice exams on Udemy
  5. Professor Messer’s practice exam book (I really liked his A+ one)

Professor Messer and Jason Dion both have great material, and in my opinion they complement each other well. I like the depth that Professor Messer goes into, and how closely his videos follow the course objectives. And I like how simply Jason Dion explains the concepts. My strategy for this one will be to listen to the Udemy videos in the car or other times when I want something to listen to, and watch Professor Messer’s videos at the computer while taking notes (because I’m very much a visual learner and taking notes helps my comprehension a ton).

I’ll let you know how the exam goes!

CompTIA Network+ complete!

Learning Path

Woohoo, I passed the Network+ exam!

I wanted to finish by the end of the year, and when December came I realized I would need to take the exam before the kids finished school–because once they’re home all day every day, and with my husband planning on being home most of the days during the break as well, I want to be able to be present for the festivities! So I scheduled the exam for the day before their last day of school.

Then life got unpredictable, of course, and I ended up having way more work to do for my husband’s business (I’m his admin and tech support for all the business things). Test week crept up on me and I didn’t feel ready! So I added Jason Dion’s Udemy course and extra practice exams (The courses were on sale for $10 each and for me it was so worth it!) to my list of resources, doubled down on all the practice tests–going through them afterwards to see what I missed, which helped me learn a ton–and went through the exam objectives to make a good list of the things I was weak on.

I was kind of surprised how helpful it was to read the sections in the textbook on the things I struggled with. Subnetting was hard to really get down with the videos, but going through that chapter in the book brought it home for me! I was still consistently failing the practice tests the first time through, so on test day I was super nervous.

But guys, as I went through the test I was surprised at how many answers I just knew. And a few I worked through carefully, and one or two I ended up guessing. And it felt so good to get the Congratulations message!

Then I celebrated with some In-N-Out on the way to get the kids from school. ‘Cause what’s an achievement without a little celebration after?!

Capture the Flag Noob

Current Projects

I’ve been seeing teasers about SANS Community CTF for a while, and the idea of a free CTF is intriguing. I have loved the tiny exposure I’ve had to Hack the Box, but really besides that this is all new to me.

They had a free community CTF in October, but I chickened out on that one. Well, I saw the registration for this one go live and decided I would just try it. I almost didn’t because I felt like I would bomb 100%. Well, I’m so glad I pushed through that and just signed up anyway!

I really liked the format. It was a bunch of Challenges, categorized as Easy, Medium, or Hard. (There might have been an Extreme category too?) They were also named with a convention that kind of told you if it was a networking challenge, or binary files, or cryptography, etc. You were awarded a certain amount of points for each challenge (based on difficulty) and could track your progress on the dashboard.

Beyond that, I got the impression that SANS doesn’t want people to publish write-ups for these challenges, so I’ll keep my notes on it private. But I’m working on a GitHub repo to keep useful tools all in one place, so check it out! I’m very open to feedback on the format for that one; it’s a work in progress for sure!

There were a few challenges that were fairly easy to figure out, but for the most part I was learning new things as I went and lots of trial and error! I got about halfway through the challenges, which I was pretty proud of as a total beginner. Also, I didn’t finish last so go me! 😉

If you’re ever looking for a fun CTF keep your eyes open for these! I’m hoping they’ll continue them in 2021.

CompTIA Network+ Studies

Current Projects, Learning Path

Getting ready for the Network+ exam next! I have to say, I’m glad that I started with A+. I feel like it was broad and foundational, making it easier to jump into the more specialized network topics.

Here are the study resources I’m using:

  1. Professor Messer’s N10-007 Network+ Training Videos on YouTube
  2. CompTIA Network+ Deluxe Study Guide Fourth Edition by Todd Lammle
  3. Professor Messer’s Study Groups – I listened to the podcast while driving, but these would be pretty cool live!
  4. Oh, and of course the exam objectives from CompTIA!

I’ll let you know how the exam goes!

Google Apps Script

Current Projects

Have you ever used macros or scripts in Microsoft Excel? I recently learned there is similar functionality in Google Apps, using Google Apps Script.

I recently had someone tell me she wanted to populate a Google Doc template with the submission from a Google Form, using an Add-on. However, she was restricted from installing Add-ons to her Google account based on HIPAA requirements. As I researched a workaround, I stumbled on Google Apps Script and dove in to find a solution for her specific problem. As I learned, I saw the potential for so many applications and projects for someone who uses Google tools heavily and wants automated solutions.

Overview of Google Apps Script on Google’s developer site, including learning tools and library documentation

It’s a work in progress, but check out my Apps Script projects.

In the Cloud

Learning Path, Project Ideas

I’m fascinated by the idea of Virtual Machines in the cloud.

Amazon Web Services has a free training course for their entry-level cert, so that’s on my list for sure! I’ve gone through the first module already and have played around with an EC2 instance (Linux!) and it’s pretty cool. But there’s so much I don’t know about how it works and all the things you can do with it!