GIAC Certified Intrusion Analyst (GCIA) // SANS503 Review

If you’ve been following my feed a bit, you know I’ve been going pretty strong for the last four months into SANS503. More than half the blog posts I’ve had published on this site were dedicated to a tool introduced or covered in this course. Well, I cleared the exam and it’s probably in no small part due to blogging. Not that blogging or studying in public was the only thing that amounted to a successful exam but it surely did help in my opinion. In the following I’m going to reflect a bit on the SANS503 course and GCIA exam.

I know, the major drawback to SANS courses is cost, and I get that. Each 5-6 day course runs on the plus side of seven thousand dollars and a certification attempt is no small pocket change either. That aside, if we are just here to judge content, this was the best cyber related course I’ve taken and the best certification experience I’ve ever had. To put this into a little bit of context, I’ve taken 7 Cisco exams at the associate and professional level, 4 Juniper associate level tests and 3 CompTIA exams. I’ve subscribed to INE, CBT Nuggets, Pluralsight, Linux Academy and O’Reilly Books. This course bests everything I’ve done up to this point. Perhaps this is just a hint that I need to do more focused training and less video on demand type stuff?!

SANS503 (the course)

The number one thing I liked about the course was the Virtual Machine and the Lab Workbook. Each section of the class concluded with lab exercises that we completed on our vm. We created rules, tuned rules, searched pcaps, created packets, created scripts and had a comprehensive capstone exercise to bring everything together. I went through this workbook twice. I probably spent 100 hours in the exercises alone. I went through the first time as I was following along with the course. I needed a lot of hints and had to do a lot of extra research as most of these tools were new to me. The second time through, I did almost all the exercises without using any of the hints. Really felt like I got the foundational understanding of how to use the main tools discussed during the class, namely, snort, tcpdump, tshark, scapy, wireshark and zeek.

I did the self paced version of the course. I got a recorded version of the course that I could watch at my own pace. This was perfect for me. As I mentioned before, this was the first time I’d ever used snort or wrote a snort rule. So I got to take my time with the material and really hone in on the fundamentals of using the tool. The instructor was excellent, clear and engaging even though it was not interactive. Besides just learning some tools the class also dug into major protocols. We went through ethernet, ip, tcp, udp, icmp, dns, smb, http and tls. One of the major themes of the course was being able to parse these different packets in hex. After doing this for a few months it’s not so difficult to pull out the next header field and what have you.

GCIA (the certification)

The certification exam was difficult for me. I had done one practice exam before taking the actual exam and scored an 89%. Not only that, I had more than an hour to spare. This had me feeling very confident. On the actual exam, as opposed to the practice test I took, I didn’t get any feedback per question, whether it was right or wrong. For whatever reason, perhaps just the added pressure of it ‘being an exam’ I was second guessing myself and was looking up more answers and even verifying answers I knew were right (it’s an open book exam). When I submitted the last question I had one minute remaining of my four hour allotted testing time. I scored two points lower than my practice test when all was said and done, an 87%.

What I like most about the exam is that since it is open book, there isn’t any really stump the chump kind of feeling when an obscure question about an IP option comes up. Instead, using documentation you can easily decipher what you need and come up with the answer.

Before going through the examination process I had read in other blog posts or youtube videos of people making an index. People would go through each book and index terms so that when they came across a question they could go to their index and hopefully find the answer in a reasonable amount of time. I did not do this, I used the index provided in the lab book portion of the materials and truth be told I didn’t use it that much. My thought process is that if you put in the time on the material (there are five main books), you will have a pretty good idea of where to start looking for that topic.

Lastly, one of the coolest parts of the exam is that it has a VM portion where you interact with pcaps using the tools and protocol knowledge outlined in the course to pull out answers. This was way more slick than any Cisco simulation I’ve ever done. Overall I think the exam really covered everything in a fair and balanced way and didn’t at all feel like a random trivia question extravaganza.


If you get the chance definitely take the opportunity to do some of their training. I’m hoping to take FOR572, Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response and the associated GNFA next. It will, I’m sure, be covering a lot of the same tools but I’m excited to get the point of view of a different instructor that will hopefully shed light on new things.

Also, I think I’m going to continue to keep blogging a bit here. I started out not knowing whether I would like it or find it useful. I think blogging and ‘studying in public’ is kind of a way to hold myself accountable even when the passion or motivation maybe lacking a bit that day. Hope you will continue this journey with me and I’ll see you on the other side on our next adventure.

Published by Andre Roberge

Packets // ☕️ & 🏀 // BA Philosophy // Sleep

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: