Phwoar, what an exam. This was simultaneously the most stressful and most fun exam I’ve taken in a long time.
I’ll dive into a bunch of stuff below (that I hope won’t break NDA), but here’s the headline: this exam is FUN! All of the tasks were tasks you could reasonably be expected to do as a cyber security professional in one of a number of disciplines (GRC / IR / engineer etc). None of the tasks felt arbitrary or obscure - no testing one random bit of knowledge with no real world application. There was no arbitrary removing of tools from VMs to make the exam artificially harder. All built-in OS tools were available on every machine (every Windows box had ISE, etc). There were different levels of after-market tools installed (not every machine had nmap or strings, for example), but if it shipped with the OS, it was available.
Pro tip: The strategy I employed here was to read over every question when I hit it, maybe give the VM a quick poke, then if I wasn’t confident I could solve it in less than 10 minutes (25 questions over 4 hours is roughly 9.5 minutes per question) I’d slap that skip button. This meant when I got to the end of the 25 questions and started reviewing the skipped questions, I could divide my remaining time by the number of skipped questions to work out how much longer I could spend on each of these tougher questions. The biggest downside to this approach is that you can’t take a break (as you can’t take a break without answering skipped questions).
There was one question (and, of course, it was the first question) where I was like “I have NFI how to do this thing, and I know for a fact actually doing it isn’t in any of my material”. I immediately skipped this question with the intention of returning and trying, and hoping one of the other questions would give me a hint, but when I got back to it I still had no idea how to even start. I just noped out, randomly guessed, and moved on to the other skipped questions.
I did have a couple of small teething issues with the exam that I didn’t think were just me being a muppet. For example, one question could be summed up as <do this zany technical thing, and provide the resulting hash>. After I’d done the work and flicked through the available answers, I saw the answers looked far more base64-ish than hash-ey (more than just hex characters). Additionally, some parts of the exam are like “do these things, and something on the machine will change to show you the answer to this multi choice question”. Some of those things didn’t change despite me being 100% sure I’d nailed it. I just chucked comments in explaining what I did in detail, hoping that it’d be enough.
I don’t know what the pass mark is, but I blindly guessed on at least 4 of the questions, all of which are multichoice with 8 answers. So the odds of getting even one of them right with that approach are less than ideal.
I think the best part of the prep I did wasn’t just making indexes and notes, but making sure I knew how to find easy answers quickly. For example, from the objectives, Linux Password Cracking > Hashcat (so I’m not spoilies). Assuming they want you to crack passwords in a shadow file, you need to understand how to use hashcat etc. to do so. Now, I’m not going to sit down and memorise the different mode numbers (-m), because that’s hard. Sticking them in an index will take time to dig up and sift through when I need them. The easier way I found is to memorise hashcat --help | grep '\$6' (or whatever $ value I need).
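The shadow-file workflow above, as an added shell example that is not part of the original post: it pulls the crackable entries out of an /etc/shadow-style file, picks the hashcat -m mode from the crypt(3) "$id$" prefix, and falls back to the same `hashcat --help | grep` trick for any prefix it does not know. The mode numbers 500, 7400, 1800 and 3200 are the ones hashcat --help lists for md5crypt, sha256crypt, sha512crypt and bcrypt; the shadow lines, the user names and the wordlist path are constructed sample data, not real credentials or a real system.

```shell
#!/bin/sh
# Added example, not from the original post: given an /etc/shadow-style file,
# keep only the entries that can actually be cracked and pick the hashcat -m
# mode from the crypt(3) "$id$" prefix, so the mode numbers never have to be
# memorised. The shadow lines and the wordlist path are constructed sample
# data, not real credentials.

# Map a "$id$" prefix to a hashcat mode. The numbers are the ones
# `hashcat --help` lists for these formats; anything not in this table
# returns 1 so the caller can fall back to grepping --help itself.
crypt_mode() {
    case "$1" in
        '$1$')  echo 500  ;;   # md5crypt
        '$5$')  echo 7400 ;;   # sha256crypt
        '$6$')  echo 1800 ;;   # sha512crypt
        '$2a$'|'$2b$'|'$2y$') echo 3200 ;;   # bcrypt
        *)      return 1  ;;   # e.g. $y$ (yescrypt): not in this table
    esac
}

# Print "user:hash" for every account in FILE whose password field holds a
# real hash. '*', '!', '!!' and an empty field mean "no usable hash" and are
# dropped; a hash prefixed with '!' (locked account) is dropped too.
crackable_entries() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/ { print $1 ":" $2 }' "$1"
}

# Extract the "$id$" prefix from a full crypt hash: "$6$salt$..." -> "$6$".
crypt_prefix() {
    printf '%s\n' "$1" | sed -E 's/^(\$[0-9a-z]+\$).*/\1/'
}

# For each hash type present in FILE, write the matching entries to
# FILE.<mode> and print the hashcat command line for them. hashcat's
# --username flag tells it to ignore the "user:" part of each line.
# Unknown prefixes get a comment with the --help grep to run instead.
hashcat_cmds() {
    file=$1
    crackable_entries "$file" | cut -d: -f2 |
    while read -r hash; do crypt_prefix "$hash"; done | sort -u |
    while read -r prefix; do
        if mode=$(crypt_mode "$prefix"); then
            crackable_entries "$file" | grep -F ":$prefix" > "$file.$mode"
            echo "hashcat -m $mode -a 0 --username $file.$mode wordlist.txt"
        else
            echo "# unknown prefix $prefix: run  hashcat --help | grep -F '$prefix'"
        fi
    done
}

# Constructed sample shadow file: two sha512crypt users, one md5crypt user,
# one yescrypt user, and three accounts with no crackable hash.
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$saltsalt$notARealHashJustSampleDataAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
sync::19000:0:99999:7:::
alice:$6$abcdefgh$alsoNotARealHashSampleOnlyBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:19000:0:99999:7:::
carol:$1$xyz$sampleMd5cryptHashCCCCC:19000:0:99999:7:::
dave:$y$j9T$salt$sampleYescryptHashDDDDDDDDDDDDD:19000:0:99999:7:::
EOF
    echo "$f"
}

# Usage: build the sample file and print one hashcat command per hash type.
demo_file=$(make_sample_shadow)
hashcat_cmds "$demo_file"
```

Running it prints a `-m 500` command for carol, a `-m 1800` command covering root and alice, and a comment for dave's `$y$` hash telling you which grep to run, which is exactly the moment the index lookup would otherwise eat your time.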
Similarly for Windows: Iām terrible with powershell, so things like get-help *remove* became my go to there (or looking things up in ISE). The key is knowing how to find the answer fast, not memorising every flag and parameter.
When initially reading a question, I understood conceptually pretty much right away what I needed to do; some of the struggle was just remembering where / how / which flags etc. Usually that’s a google jobbie for me, but you can’t do that in the exam, so it was a nice eye opener on how reliant I’d become on the internet to solve my problems.
If you’re uncertain how tough or multi-step the exam is really going to be, the demo questions were very, very representative (at least for me), and showed me I really needed to buckle down and get my study on / notes cleaned up. I don’t think I would have passed if they hadn’t scared me straight.
Through my (roughly) 8 years of experience in cyber security I’ve done most of the things I had to do in the test: fluffing around with snort, tinkering with file system permissions, touching packets on networks, host based shenanigans and forensics, light red team mischief etc.
For context on difficulty: I usually get through SANS exams in about an hour. This one took me right down to the last 8 minutes. Not every question was brutal - some I completed in a couple of minutes - but the hard ones were HARD. I spent an hour on the last 3, stumbling around knowing what I needed to do but working out how to actually get it done.
All in all, I love this exam, and I’m really looking forward to sitting at least three more (GSE here I come!)