
GX-CS - GIAC Experienced CyberSecurity Specialist

Phwoar, what an exam. I’ll dive into a bunch of stuff (that I hope won’t break NDA) below, but this was simultaneously the most stressful and most fun exam I’ve taken in a long time. This exam is FUN! All of the tasks were tasks you could reasonably be expected to be asked to do as a cyber security professional in one of a number of disciplines (GRC / IR / engineer etc). None of the tasks felt arbitrary or obscure to the point of testing one very random bit of knowledge with no real world application. There was no arbitrary removing of tools from VMs to make the exam artificially harder - all of the built in tools were available on every machine (for example, every Windows machine had ISE, etc). There were different levels of after-market tools installed (not every machine had nmap or strings, for example), but if it shipped with the OS, it was available.

The strategy I employed here was to read over every question when I hit it, maybe give the VM a quick poke, then skip it if I wasn’t confident I could solve it in less than 10 minutes (25 questions over 4 hours is roughly 9.5 minutes per question). This meant that when I got to the end of the 25 questions and started reviewing the skipped questions, I could divide my remaining time by the number of skipped questions to work out how much longer I could spend on each of these tougher questions. The biggest downside to this approach is that you can’t take a break (as you can’t take a break without answering skipped questions).

There was one question (and, of course, it was the first question) where I was like “I have NFI how to do this thing, and I know for a fact actually doing it isn’t in any of my material”. I immediately skipped this question with the intention of returning and trying and hoping one of the other questions would give me a hint, but when I got back to it I still had no idea how to even start. I just noped out, randomly guessed, and moved on to the other skipped questions.

I did have a couple of small teething issues with the exam that I didn’t think were just me being a muppet. For example, one question could be summed up as <do this zany technical thing, and provide the resulting hash>. After I’d done the work and flicked through the available answers, I saw the answers looked far more base64-ish than hash-ey (more than just hex characters). Additionally, some parts of the exam are like “do these things, and something on the machine will change to show you the answer to this multi choice question”. Some of those things didn’t change despite me being 100% sure I’d nailed it. I just chucked comments in explaining what I did in detail, hoping that it’d be enough.

I don’t know what the pass mark is, but I blindly guessed on at least 4 of the questions, all of which are multichoice with 8 answers. So the odds of getting even one of them right with that approach are less than ideal.

I think the best part of the prep I did wasn’t just making indexes and notes, but making sure I knew how to find easy answers quickly. For example, from the objectives, Linux Password Cracking > Hashcat (so I’m not spoilies). Assuming they want you to crack passwords in a shadow file, you need to understand how to use hashcat etc to do so. Now, I’m not going to sit down and memorise the different mode numbers (-m), because that’s hard. Sticking them in an index will take time to dig up and sift through when I need it. The easier way I found is to memorise hashcat --help | grep '\$6' (or whatever $ value I need), since the help output lists each mode next to its example hash prefix.
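As an added example (not from the post, and not part of any GIAC material), here is the same idea turned into a small POSIX shell audit script: it reads shadow-format entries, pulls out the crypt(3) id between the first two `$` signs, reports the matching hashcat mode number, and flags accounts still on md5crypt, which a defender would want migrated before anyone gets to run hashcat against them. The sample entries are constructed placeholders, the mode numbers (500, 7400, 1800, 3200) are hashcat’s documented values for those schemes, and the `lookup_mode_in_help` helper wraps the post’s own `hashcat --help | grep` trick, guarded so it does nothing on a box without hashcat.

```shell
#!/bin/sh
# Added example (not from the post): identify the crypt(3) scheme used by
# each account in shadow-style data and the matching hashcat -m value, plus
# the post's "hashcat --help | grep" lookup as a guarded helper.

# Constructed sample entries in /etc/shadow format; salts and hashes are
# placeholders, not real credentials.
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
legacy:$1$oldsalt$placeholderhash:18000:0:99999:7:::
svc:$5$saltsalt$placeholderhash:18500:0:99999:7:::
dev:$2b$12$placeholdersaltandhash:19000:0:99999:7:::
locked:!:19000:0:99999:7:::
nologin:*:19000:0:99999:7:::'

# Map a crypt(3) id ($1$, $5$, $6$, $2b$ ...) to the hashcat mode number.
# Mode numbers are hashcat's documented values; "unknown" for anything else.
crypt_id_to_mode() {
  case "$1" in
    1)          echo 500  ;;   # md5crypt   - legacy, should be migrated
    5)          echo 7400 ;;   # sha256crypt
    6)          echo 1800 ;;   # sha512crypt
    2a|2b|2y)   echo 3200 ;;   # bcrypt
    *)          echo unknown ;;
  esac
}

# Print one "user crypt_id mode" line per entry. Locked (!, *) and empty
# hash fields carry no crackable hash and are reported as "locked".
audit_shadow() {
  printf '%s\n' "$1" | while IFS=: read -r user hash _rest; do
    case "$hash" in
      ''|'!'*|'*'*)
        echo "$user locked -" ;;
      '$'*)
        id=${hash#\$}; id=${id%%\$*}     # text between the first two '$'
        echo "$user $id $(crypt_id_to_mode "$id")" ;;
      *)
        echo "$user unrecognised -" ;;
    esac
  done
}

# Defender's check: accounts still on md5crypt ($1$), the weakest scheme
# in the table above and the first thing to migrate.
weak_hash_users() {
  audit_shadow "$1" | awk '$2 == "1" { print $1 }'
}

# The post's lookup trick, guarded so it is a no-op where hashcat is absent:
# hashcat --help lists each mode next to its example hash prefix, so grepping
# for the escaped prefix (e.g. '\$6\$') returns the line with the -m number.
lookup_mode_in_help() {
  command -v hashcat >/dev/null 2>&1 || { echo "hashcat not installed"; return 1; }
  hashcat --help | grep "\\\$$1\\\$"
}

audit_shadow "$SAMPLE_SHADOW"
echo "Accounts on md5crypt: $(weak_hash_users "$SAMPLE_SHADOW")"
```

Run it with `sh audit_shadow.sh` against the embedded sample, or swap `SAMPLE_SHADOW` for `$(cat /etc/shadow)` on a system you are authorised to audit; `lookup_mode_in_help 6` reproduces the grep from the post on a machine where hashcat is installed.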

I’m terrible with PowerShell, so things like get-help *remove* became my go-to there (or looking things up in ISE). When initially reading the question, I understood conceptually pretty much right away what I needed to do; some of the struggle was just remembering where / how / which flags etc. Usually that’s a Google jobbie for me, but you can’t do that in the exam, so it was a nice eye opener on how reliant I’d become on the internet to solve my problems.

If you’re uncertain how tough or multi-step the exam is really going to be, the demo questions were very, very representative (at least for me), and showed me I really needed to buckle down and get my study on / notes cleaned up. I don’t think I would have passed if they hadn’t scared me straight.

Through my (roughly) 8 years of experience in cyber security I’ve done most of the things I had to do in the test: fluffing around with Snort, tinkering with file system permissions, touching packets on networks, host based shenanigans and forensics, light red team mischief etc.

For context, I usually get through SANS exams in about an hour, but I went right down to the last 8 minutes or so on this one. Not every question was that hard; some of them I completed in a couple of minutes, and I spent an hour on the last 3, where I was sort of stumbling around knowing what I needed to do and just working out how to get it done.

All in all, I love this exam, and I’m really looking forward to sitting at least three more (GSE here I come!)