It’s been so long since I’ve sat down to write a blog post. I’ve conferred with Aninda Chatterjee on my lack of motivation to write, where did it go and if it would ever come back again numerous times with months in between. To be completely honest, the drive to do tutorial type stuff just isn’t there. I’m planning to embark on some Kube learning soon, so maybe that could spark something. Time will tell…
So what have I been up to in the last, say, 10 months since my last post? Well, a lot! I’m deep into trying to be a cyber analyst at work, perhaps trying to get fully onboard at a Cyber Operations Squadron (Air Force). In sharpening my skills at work I’ve also continued to study and take exams in my free time as noted by the title of this post.
In the following, I plan to take you on a round robin discussion of the courses and exams I’ve taken since I’ve last checked in, let you know what I think and cap it all off with what comes next. Always looking with an eye toward the future 🙂
GIAC Network Forensic Analyst (GNFA)
The GNFA is the exam associated with the SANS FOR572 course. I chose to do the ‘On-Demand’ version taught by Phillip Hagen. I really like the On-Demand format. From the content broken into smaller, easy to consume videos, to the digital book associated with lecture side-by-side, to the easy navigation, to the mobile App. It doesn’t miss and it shouldn’t given the course is now garnering an $8k+ price tag.
Before taking SANS FOR572 I completed SANS SEC503, which I’d recommend as a precursor if you are a bit new to the field. SEC503 spent a good amount of time going through how to use a certain tool whereas FOR572 assumed such knowledge and really hit the ground running using the same tools and spent most of its instruction in the actual analysis of the output. So it felt really good to feel like I was building upon a foundation started from a previous course and ‘advance’ into ‘doing the job’ type scenarios.
Scenarios, that’s one word to describe FOR572. Scenario! Everything you do deals with a specific, elaborate scenario. You are called in to a company, given network maps, logs from certain devices and start logging all your findings along the way. Hands on learning from a large data set, allowing you to go far beyond what’s outlined in the lecture or in the lab. This is where SANS shines in my opinion. Not to discount the lecture, as I think that’s top quality as well, but the thought that goes into the scenarios, the lab book and how it’s so nicely put together is something I’ve not seen another vendor come close to (I know, I know, it costs $8k+).
I felt fairly confident going in to take the GNFA on exam day. I began studying networking, built upon what I learned in SEC503, I was ready! This exam turned out to be all multiple choice if I’m remembering correctly, no lab questions. Still, all the questions were paragraphs where you are deciphering log information to come up with conclusions about the data set. My brain was on fire at the end of the 3 hours. I passed the exam with an 80%. Lower than I expected but, like mentioned above, most of the course and this exam was not about knowing and using a specific tool, it was about being able to say things about the output.
Talk about leveling up. I feel as though if I were to relate this to my collegiate learning I’d say I learned as much in 4 months studying FOR572 as I did a whole year in college taking a full load. Furthermore, it’s at this point I think my confidence also begins to show through a bit more in the workplace. I’m beginning to share my opinion more in meetings (and I have a bit of experience to base my opinions on…).
CompTIA CySA+
I’m assuming if you’re reading this, you have an idea of what the Art of Network Engineering community is. If not, they do a podcast but even better, they have a discord. In the discord people talk about coffee, grilling meats and travel (those are the channels I mostly check). Additionally, there are channels for studying/discussing specific technologies, sharing employment advice and simply lifting each other up.
One day I saw a post from someone offering up a CompTIA exam voucher. I reached out and a few minutes later I was signed up for the CompTIA CySA+ exam. This gentleman, who I will not mention by name so he doesn’t get swarmed with free voucher requests, supplies CompTIA with exam questions for certain exams as a side hobby. In return, sometimes CompTIA gives him exam vouchers and he was simply passing this one on.
To study for the exam, I looked quickly at what was available on one of my favorite learning sites: O’Reilly. Each module and topic, after a quick skim, looked familiar. It was at this point I moved my exam up and said to myself “I’m already doing the job, let’s just go take the exam.” So, in short, I didn’t study at all.
The exam itself, I called it fair, insofar as I passed. My logic was that I’m doing the job and in my mind I’m ‘doing the job’ at a fairly high level, pat myself on the back. So, passing the exam would simply validate the skills and knowledge needed and since I passed everything seems to have lined up.
I wish I could give more of an “if you’re just starting out, is this worth it?” type of opinion, but I can’t really view this exam from that perspective, since it isn’t mine. I set out to learn networking, then some networking implementation, then some network design, and then I got into cyber. The culmination of 4 years of studying on my own made this exam a pretty easy endeavor.
Beyond just passing an exam, this opportunity helped me garner all the required CEUs to renew my required Security+ certification for my current employment with the Air Force. So I wasn’t just out here passing an exam for no reason! 🙂
CompTIA Pentest+
So I quickly conveyed my thanks to the person who gave me the previous CompTIA voucher and let him know that I passed the CySA+. He replies back that he has another voucher…
Interesting.
I believe we are now into February 2022. At work, I’m getting ready to start a cyber exercise called Cobra Gold. In this exercise, I was to be a ‘red team’ member and provide cyber effects to teams defending a network and specific devices within their network as if I were an adversary.
This exercise started off with four days of academics, during which I even taught a 90 minute course on ‘Linux Host Hardening’, but I had very little experience in offensive tools or techniques. So I had a bit to learn in a week to be a good adversary! This backdrop, and receiving another voucher, prompted me to study specific topics covered in the Pentest+ exam while I studied, prepared and executed the tasks associated with my part of the Cobra Gold exercise at work.
The main things I implemented and used were Metasploit, nmap and all the impacket tools. Not an exhaustive list by any means, but I had two weeks! One week focused simply on learning and another week implementing my attack. Have to start somewhere!
As mentioned in the exam above, I went back to O’Reilly to fill in the gaps on specific exam topics I wasn’t able to tackle during the work exercise. As far as the Pentest+ exam goes, getting the hands on practice with nmap and Metasploit paid off immensely. Knowing all the nmap options might even be a quarter of the exam, ok, maybe not that much but it’s there for sure!
I would call this exam very entry level as well after taking it. I studied for about two weeks and passed very easily. Again, I do have a lot of other types of experience beyond the two weeks I focused on it, so I’m not saying it’s ‘that’ easy. Now that I think of it, and I’m two CompTIA exams into this post, I haven’t really seen much content on exams from the point of view of a mid to advanced career. I mean people do posts on them that are, but I have to give them more credit on being able to empathize with how it relates to people ‘just starting out’ because that is not as easy as it seems.
GIAC Certified Forensic Analyst (GCFA)
Man. This was a tough one. Just looking at that heading I’m taken aback by the amount of work that went into me barely passing this exam. I just passed this exam a couple of weeks ago, which means I started this course about 4 months ago. The GCFA is associated with the SANS FOR508 course.
For this course I decided to try the ‘Live Online’ format. Quick recap, I don’t like it as much as the On-demand format. One good thing, work allowed me some time away to do the Live-Online format that was not allotted to me when doing the On-demand format. But content wise, not the best for my learning.
First off, the course pace is FAST! I took this course because I’m mostly comfy with networking, including on the cyber side. This course was about learning about host artifacts. Something I knew very little about. By the end of day two my mind had melted and was on the floor. The lecture by day three, while I could hear words coming out of the speakers, they washed over me like a warm shower at the end of a long day. I knew something was happening but my mind was in a completely separate place, unable to make sense of much beyond day 2. I had trouble catching up at night as my dad duties were far too great for the amount of content I needed to grasp before the next day.
The next thing I don’t like in the Live-Online format is how the recordings of your lecture are laid out. They are simply an 8-9 hour video, unedited in your browser, breaks and lunch included. The connection would time out after a couple of hours and I’d have to reload my page and try to skip to where I’d left off. It just wasn’t ideal. I ended up going through the MP3s associated with the course rather than trying to deal with the recordings of my lecture, as the MP3s were edited and in smaller, more manageable chunks.
The labs, like all previous SANS courses, were off the charts. There were some 60+ specific tools discussed in the course and you had so much data, including full images, forensic images etc. to run them on. So many tools and so many different kinds of artifacts. A crash course unlike anything I’ve ever experienced. Like FOR572, the labs for FOR508 use the same org but you have a completely new set of evidence so that you can learn how to analyze hosts. The labs built off each other as well. You are able to take what you learned from one tool as a starting point as you examine evidence from another tool or data set.
After going through the course, going through the course again with the MP3s, going through the course again by reading all the books, going through all the labs a few times I didn’t think I had any chance of passing the associated exam. I NEEDED TO CREATE A VERY GOOD index if I was to get anywhere close to passing.
On a GIAC exam, you are allowed to take any written notes, books, diagrams etc. in with you when you take your exam. Many people make an index, where they have a list of alphabetized key words associated with which book and page number to find it. So if you get a question about shimcache you can quickly find some relevant pages if you are stuck. I went through all the books again, reading each page, summarizing the page, and then adding any key terms to an index. This took about 2 weeks and I had around 900 entries in my index.
And when you go into the exam, there are about 85 questions and you have 5 books that are between 120-180 pages each. So you can’t really look up ‘every’ question. Even so, questions will often be framed with competing tools, viewpoints or ideas so you have to know more than one thing to get to what the answer should be. This exam also included a practical portion, where you get access to a VM and have to use some tools to come up with the correct answer. I much prefer these questions as they seem more straightforward.
I ended up passing the exam with a 76%, 72% was passing. While not impressive by merely looking at the score, just about everything I learned over the last four months was something I didn’t know or have experience with beforehand. Memory analysis was the most fun, most eye opening module to me. Didn’t know how many things you could find out by dumping someone’s RAM. Remarkable.
eLearnSecurity Certified Digital Forensics Professional (eCDFP)
Getting this exam voucher was akin to how I got my CompTIA ones. It’s not what you know, it’s who you know, they say… Here a friend was not going to be able to use his voucher before the deadline due to commitments at work. So here comes me, always willing to try my hand at an exam.
I chose to do the eCDFP over other eLearnSecurity exams due to the overlap with FOR508, and I was coming down to the wire of having to take the exam very soon. I signed up for the 7-day free trial to go through the associated course and I was on my way. Exam in seven days.
To say I had trouble with both the course and the exam would be an understatement. Half the labs for the INE course were ‘under maintenance’ and I wasn’t exactly blown away by having to go through some 1500 slides in seven days. The video lectures were short and didn’t really dive into any additional options with any of the tools discussed, very surface level. To INE and eLearnSecurity’s credit their support team was always there, responding quickly to whenever I needed help, mostly with the exam.
So the exam is a 24 hour timed 30 question test. 15 of the questions are typical multiple choice and 15 questions require you to connect to a lab network, perform tasks, analyze output to come up with the answer. I spent about 6 hours and 3 exam attempts simply trying to get properly connected to the lab environment. To note, I needed to install an OpenVPN client about 3-4 versions old to even connect. Then I had to hope that I was able to connect to the VMs in the exam lab environment. If you couldn’t connect, you’d have to reset the lab environment which took another 30 minutes. Very frustrating.
In any case, come the second restart on my third attempt (I was given another voucher due to my technical difficulties) everything was working perfectly. I correctly answered 28 out of 30 questions in about 4 and a half hours.
While this exam does have a lot of overlap with SANS FOR508, it digs a bit deeper into data acquisition from hard drives. How to decipher an MBR in a hex editor and be able to make out partition tables/sizes and the like. So this wasn’t as simple to study for as the CompTIA exams mentioned above, I really had to dig in on a few modules. What’s more, even though they were trying to get at the same artifacts discussed in SANS FOR508, they were using completely different tools to achieve it. I feel as though I really became more of a pro with FTK Imager in this course.
My main gripe with the exam beyond its lack of proper functionality is that it’s still on version 1. People have passed this exam since at least 2018, the same version. The Linux machine was using Security Onion and I was using Wireshark version 1.12 which came out in 2014. I shouldn’t be using a 2014 version of Wireshark in 2022…
So this exam, while the content is still ok, could use a bit of a refresh if only to fix what’s broken and bring in some new versions of the tools discussed and used. There’s a lot of additional functionality in even the tools discussed that could be of value. I’d like to see eCDFP version 2 come out before I fully endorse this exam and course.
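The MBR partition table exercise mentioned above is a good one to work through by hand, and it is small enough to script. The following is an added example, not code from the post or from the eCDFP course, that does the same decoding a hex editor walk-through does: it reads the four 16-byte partition entries starting at byte 446, checks the 0x55AA signature at bytes 510-511, pulls the little-endian LBA start and sector count out of each entry, and computes partition sizes. It also lists the unallocated sector ranges between partitions, which is where an examiner looks for hidden or residual data. The sample MBR is constructed in the script (not a real disk image) and the partition type table is a short subset of the real one.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446                # partition table begins at byte 446 of the MBR
ENTRY_SIZE = 16                # four 16-byte entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR

# Subset of well-known partition type IDs (the full list is much longer)
PARTITION_TYPES = {
    0x05: "Extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}


def build_sample_mbr(entries):
    """Construct a 512-byte MBR for demonstration (constructed data, not a real disk).
    entries: list of (bootable, type_id, lba_start, sector_count), at most four."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (bootable, type_id, lba_start, sector_count) in enumerate(entries[:4]):
        off = PT_OFFSET + i * ENTRY_SIZE
        mbr[off] = 0x80 if bootable else 0x00          # status byte: 0x80 = active/bootable
        mbr[off + 1:off + 4] = b"\xFE\xFF\xFF"         # CHS start: placeholder, LBA is authoritative
        mbr[off + 4] = type_id                         # partition type ID
        mbr[off + 5:off + 8] = b"\xFE\xFF\xFF"         # CHS end: placeholder
        struct.pack_into("<II", mbr, off + 8, lba_start, sector_count)  # LBA start, sector count (LE)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(data):
    """Decode the partition table of a raw MBR sector into a list of dicts (empty slots skipped).
    Raises ValueError if the data is too short or lacks the 0x55AA signature."""
    if len(data) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes for an MBR")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    partitions = []
    for slot in range(4):
        off = PT_OFFSET + slot * ENTRY_SIZE
        entry = data[off:off + ENTRY_SIZE]
        status, type_id = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if type_id == 0x00 and sector_count == 0:
            continue  # unused slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type_id": type_id,
            "type_name": PARTITION_TYPES.get(type_id, "unknown (0x%02X)" % type_id),
            "lba_start": lba_start,
            "sector_count": sector_count,
            "lba_end": lba_start + sector_count,       # exclusive
            "size_bytes": sector_count * SECTOR_SIZE,
        })
    return partitions


def unallocated_ranges(partitions, total_sectors):
    """Return [(start, end_exclusive), ...] sector ranges covered by no partition.
    Sector 0 (the MBR itself) is excluded; gaps before, between or after partitions
    are the unallocated areas worth carving during an examination."""
    gaps = []
    cursor = 1
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"]))
        cursor = max(cursor, p["lba_end"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def describe(partitions):
    """One human-readable line per partition, like the table you would tabulate by hand."""
    return ["#%d %s type=0x%02X (%s) start=%d sectors=%d size=%.1f MiB" % (
        p["slot"], "boot" if p["bootable"] else "    ", p["type_id"], p["type_name"],
        p["lba_start"], p["sector_count"], p["size_bytes"] / (1024 * 1024))
        for p in partitions]


if __name__ == "__main__":
    # Constructed sample: bootable 200 MiB NTFS partition followed by a 1 GiB Linux partition
    sample = build_sample_mbr([(True, 0x07, 2048, 409600), (False, 0x83, 411648, 2097152)])
    print(sample[PT_OFFSET:PT_OFFSET + 2 * ENTRY_SIZE].hex(" ", 16))  # the bytes a hex editor shows
    parts = parse_mbr(sample)
    for line in describe(parts):
        print(line)
    print("unallocated sector ranges:", unallocated_ranges(parts, total_sectors=4194304))
```

To run it against a real acquisition, replace the constructed sample with the first 512 bytes of the image (`open(path, "rb").read(512)`); if the parser reports a single 0xEE partition, the disk is GPT and the protective MBR tells you nothing about the real layout.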
Planning for the Future 🙂
Well, where do I go from here??? I want to gain a deeper understanding and working knowledge of Kubernetes so I think that might be the next big course I undertake. No associated exam, just in it to learn.
Beyond that, I just applied for a masters program in cyber defense at Dakota State University. Don’t think I can attend awesome SANS courses forever and they have a ‘technical track’ so I hope to be pushed and learn a lot here.
See you around the bend as we continue on this journey, till next time 🙂