
SANS GIAC Certified Incident Handler

This is my personal blog on the SANS GIAC Certified Incident Handler certification exam!

What is the exam?

The GIAC Incident Handler certification validates a practitioner’s ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills. GCIH certification holders have the knowledge needed to manage security incidents by understanding common attack techniques, vectors and tools, as well as defend against and respond to such attacks when they occur.

The certification is mainly for those looking to or are working on the defensive (or blue) side of cybersecurity. All in all, I highly recommend it as it exposes you to the many tools there are for defensive/incident response while also giving you insight on what bad actors may be trying to do on your network and how to detect it.

  • 106 questions
  • 11 Labs (Cyber Live)
  • 4 hours to take the exam
  • Min passing score of 70%

Course:

My process studying for the exam:

With SANS Live Online courses, you take the course over 5 or 6 days and then have 2 weeks until you are able to schedule your exam. The class itself is very lecture-based, and for me (with 2 years as a student security analyst and being President of the Texas A&M Cybersecurity Club), I decided to spend the lecture time working on the labs. My Lead at work had told me that the trick to the SANS certification exams is to know the labs inside and out, so I took that to heart and focused on them. I don't mean to sound like a know-it-all, but I personally cannot learn by just watching lectures for 8 hours a day for 5 days, and a lot of what was talked about was introductory incident response material, which I have already done a lot of in past roles and in my current position.

Then of course, as anyone who has taken a SANS course before knows, indexing is the most important part. ALL SANS certification exams are OPEN BOOK, but if you think you can take the exam without having made an index, or even by copying one from someone else, you will most likely fail. For GCIH, there are 5 main books and another book about the CTF (the Capture the Flag competition at the end of the course, where you can win a pin if you are on the top team!). I decided to take a proactive step with my index by building it as I listened to the lecture and did the labs.

The most helpful tips when creating an index?

  • Do it during the lecture and labs (or at least write some notes down on terms or commands you don’t know)
  • Reference the cheatsheets provided and extract the commands or info you saw during the course and put into your index
  • Make sure there is a clear distinction between referencing the books and the lab books (and labs)
  • I like having a short description per term, but that is personal opinion

Once I made my index, I took my first practice exam mostly without my index (I caved as I stumbled on a question or two during the practice exam). I did pass the practice exam with a 76% (need a 70% to pass), so I felt pretty good about taking the real one.

I did, however, go back and re-read the books as well as look at the extra resources within the course materials ISO for another 2 weeks then went and took my exam on Sept 6.

I ended up passing with an 83%, and I can say that there are things on the exam that were not talked about in much depth in any of the books. That being said, my biggest takeaway from GCIH, and maybe from SANS certs in general (this is my first SANS exam), is that you should be doing some extra research on topics, especially if, while you are studying, you get to a point where you think "oh, I don't think it'll be on the test": just look it up and put it in your index in case.

For me, I felt like the exam focused a lot more on commands, and specifically commands within cloud environments. This topic was only briefly explained in the books and labs, let alone commands for a specific cloud service provider. It is on the cheatsheets, however, and of course the cloud cheatsheet is the one I forgot to print. Just don't make the same mistake I did!

All in all though, the certification is a great resume booster, and the tools that are mentioned in the course were current to today's world, some of which I was not familiar with. So for someone trying to get into the defense/blue team cyber industry who is willing to spend a ton of money on a certification, this certification is a great one to have.

After you pass:

  • Get your certificate mailed to you (optional $50 frame; I highly recommend getting the frame, it is really nice!)
  • GCIH Badge
  • Maintain your cert!
    • GCIH is good for 4 years
    • Continuing Professional Education (CPE) credits in order to renew – 36 credits needed
    • Renewal fee