In late September of 2022, I began my journey towards becoming a SANS Certified Incident Handler. The entire point of the certification is:
The GIAC Incident Handler certification validates a practitioner’s ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills. GCIH certification holders have the knowledge needed to manage security incidents by understanding common attack techniques, vectors and tools, as well as defend against and respond to such attacks when they occur.
It covers a wide range of topics, although it mainly focuses on red team actions and how to mitigate those actions. For those who may not know – the SANS certifications are notoriously hard (and expensive). It’s important that you prepare extremely well for the exam, especially since you can bring any printed material into the exam with you (including the textbooks)!
For those that may be looking for help with this exam, there are 2 items that you need to do while you study – Create an index, and create flashcards with Anki.
Creating an index is crucial when it comes to SANS certifications. An index typically consists of an Excel sheet with 4 separate columns: Term, Definition, Book #, Page #. Without these 4 items, you aren’t going to do very well. As you go through your course, you want to write down all possible terms and definitions in the books, highlighting them as well as writing them down somewhere. Then, either after your class if you opted to take one, or after you read through all the books, you’ll put your handwritten notes into the Excel sheet. Once you’re done writing your index, go ahead and take your first practice exam without your notes. This will help you gain a better understanding of what you picked up on while you studied, and what you didn’t. You should get a star rating on the different sections within the exam, and each section will correlate to a section in the books. Anything below 3 stars is worth a second pass to ensure you learned all the possible terms within that section.
All of what I just stated above should be completed within ~2 weeks of starting, whether you choose to include the course or just the books. However, once you complete that, you really want to take your time, ensuring that you’re learning as much as possible. This is really where Anki comes into play. SANS has a webcast on the best way to use Anki that I highly recommend you watch (it’s how I set it up), but here are the essentials of Anki. You are meant to study Anki every day, and as you study it introduces different cards based on how you answered previously. There are 4 options for cards: again, hard, good, and easy. Again is for when you get it wrong, but when you get it right, you then answer with the ease with which you could recall the answer. This then schedules that card so it shows up in another day’s session. I highly recommend using this in addition to your index, as it’s something that you can do in the morning (I always did it with my first cup of coffee), and it really does make an impact. As you build your index, build your Anki deck as well, and it will help you to recognize terms that are in your index, along with allowing you to answer quicker and give yourself more time for harder questions.
Before you take your second exam, I would recommend that you’ve done the following:
- Read through all books a minimum of 3 times
- Built an index of at least 150 terms
- Built an Anki deck
- Added to both the Anki deck and index after 1st practice test
Once you’ve done that, it’s time to take the second practice exam! For this, I recommend that you do use all resources that you plan to use in the exam. Note that you cannot use any digital material during the real exam, so you will need to print out your index. Before you print it out, be sure to sort your index alphabetically, and either add shading to rows or cell borders to make it easier to read printed out. Both should make it easier to find terms and definitions, allowing you to move faster in the exam.
For your second exam, you should be hoping to get a minimum of your passing score. A rule of thumb that I heard from friends in the SANS offensive operations Discord is to try and achieve a score about 5% higher than your passing score. This helps to ensure that you are on the right track, and that with just a little more work you should be able to pass! If you aren’t able to achieve this, you may want to look at postponing your exam so you can have more time to study, or purchasing a third practice exam.
If you did pass that, congrats! It’s time for the final exam! Just note that it’ll basically be the same exam, so don’t fret the format. Just bring your index and your books, and study your Anki cards, and it should be ok!
For myself, I was able to achieve a 91% on my exam, passing so well that I earned a spot in the GIAC advisory board (small pat on back). And I will say, I use pretty much everything from my certification in my job, daily. It was such a fun certification to complete, and with it being my first one, I can’t wait to continue on and collect more.
I hope this may help those looking to get into a SANS certification! If you have any additional questions, please put them below in the comments and I’ll try to answer as many as I can. Hopefully this inspired you to start your certification journey! If so, then it’s time to…