Strategy for Passing the SANS GCTI FOR578
Hello cyber family! It's been a long-awaited goal of mine to pass my first SANS cert and this last week I crossed that finish line. I wanted to share with you my experience and some study methods that helped me pass FOR578. What this article will cover is a high-level view on who the GCTI is good for, strategy for preparation, study methods, and making a solid index. What this article will not be covering is any specifics from the materials or information that was on the test itself.
What is SANS?

Let's start by addressing some basic questions like, what is SANS, and furthermore what is the GCTI and who is it good for?
SANS (SysAdmin, Audit, Network and Security) is arguably the world's largest cybersecurity research and training organization. Their mission is to "empower cybersecurity professionals with practical skills and knowledge they need to make our world a safer place." SANS employs some of the world's leading educators in the tech and cyber space who generate industry-relevant, up-to-date and real-world "apply now" knowledge through courses and testing. There are so many different SANS classes that touch all areas of cybersecurity; for this I'll be specifically focusing on the GIAC Cyber Threat Intelligence (GCTI), though some of these study strategies may help you with other SANS exams.
Who is the GCTI FOR578 good for?
"All security practitioners should attend FOR578: Cyber Threat Intelligence to sharpen their analytical skills. This course is unlike any other technical training you have ever experienced. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills." (For578.1: Capstone)
✅Incident Response Team Members
✅Threat Hunters
✅Security Operations Center Personnel and Information Security Practitioners
✅Digital Forensic Analysts and Malware Analysts
✅Federal Agents and Law Enforcement Officials
✅Technical Managers

5 key focus areas:
1: Cyber Threat Intelligence Requirements
2: The Fundamental Skillset: Intrusion Analysis
3: Collection Sources
4: Analysis and Production of Intelligence
5: Dissemination and Attribution
Though I won't be going into specific details from this course, I've got to give a big shoutout to the author Robert M. Lee. Robert did an amazing job at turning technical and potentially dry information into consumable and thought-provoking training. You can read more about what SANS has to say about GCTI on their website listed below in sources, but for now let's get into the study strategy!

What to expect...
At the time of writing this, students had the option to attend SANS classes via LIVE in person, LIVE ONLINE virtually, or LIVE ON DEMAND where students could self pace off of a pre recorded class. I like interaction but did not have the flexibility to travel so I opted in for the LIVE ONLINE.
Materials
After registering for the course, SANS shipped out the necessary materials (books) a few weeks before the class start date. These books were extremely important through the learning and testing process. All other digital materials were provided on the day of class by the instructor. There were 2 practice tests included, use them wisely! I did use the practice tests a little too soon trying to gauge materials when really they would have been better used to practice looking up keywords in the books quickly.

The Course
The LIVE ONLINE course lasted for 6 full days and was a TON of information to take in. How you consume knowledge will be up to you and your best study methods. Some people jump right into making their index (we will talk about the index in a bit) or reading the books. I don't do well trying to split brain study so for the 6 days LIVE ONLINE I sat with the books and took notes. Knowing what I know now I would have put more focus on reading the books and less on notes. It was an exciting but long 6 days, it was important for me to remember to take care of myself and take breaks. Every hour or two I made sure to go on a walk or stretch. These courses are long and it's a little too easy to become consumed and forget to move. If your body stops moving your brain will lag. No one needs that trying to learn a whole new concept in 6 days.
Aftermath
After the 6 days of material I was definitely at information saturation. I took a week off after the class, then picked up the books and started reading from the beginning. At this time I could go slow and make a solid index of keywords. Keywords were any words or phrases in the course that stood out as a need to know. As I mentioned before, I took the practice tests way too early. What I would have done now, hindsight being 20/20, is wait until after rereading the books, finish my round 1 index and then take the first practice test. With the results of that first practice test I would have gone back and studied missed areas/strengthened my index. For me the real value of the practice exams was not so much the material learned but in practicing using the index and scanning the books quickly.

The Exam
Not everyone opts in to take the exam; some are happy just doing the course. The course by itself is a wealth of invaluable information, but for those who are considering going after the certificate, you'll want to know about making a solid index, so keep reading!
SANS is one of the few organizations that offer open book testing...you read that right...OPEN BOOK TESTING! Super easy right? Not so fast...depending on the exam you'll have 1.5 to 3 minutes per question and there is a ton of material to get through. For a lot of people, one of the most important pieces of passing a SANS exam will be making a solid INDEX to navigate the material, along with time management.
I made my index in Excel with 4 different columns reading left to right: "Keyword, Book, Page, and Comments". In each "Keyword" cell I placed the keywords found through the books; sometimes there were multiple of the same keyword that referenced different key points or information locations. The next column, "Book", housed the book number where I could find the information, and its corresponding column "Page" indicated the page location of the information within the indicated book. The final column reads "Comments"; this is where I see people's indexes differ wildly. Some people put nothing, or just a few keywords; others like myself put full descriptions for all of the keywords. I found that putting more information in the comments section helped my time in the testing environment. Some of the answers were even in the index and I could save time not shuffling through the books to find the answer.
During the exam you will have the opportunity to take breaks. I recommend you TAKE THEM! As much as I wanted to just get it done and over with, I felt taking a short break to get up and move around helped my overall focus.
You can see some of my tips and a sample below on how I did my index layout. For NDA purposes I will not be able to share any of the actual information but hope you get the point.


Here you can see how I tabbed the side of the index A-Z.
The key was really to find any way possible to save time.
What worked for me: Quickly picking the keyword in the question, finding it in the index, getting to the book/page and starting to scan. There were times I had not picked the right keyword, so it was important to move fast to be able to reroute.
Choosing Your Test Environment
At the time of writing this there were two options for testing, one being at home proctored online and the other was at an approved exam center. I have taken tests in both environments and have a few thoughts on both.
Online at home:
Pros:
✅You control your immediate environment.
✅You can shuffle your SANS books without disturbing other test takers.
✅Creature comforts such as water and snacks for your break.
✅Ensure you have enough space to lay out your SANS material.
✅You don't necessarily have to wear pants.
Cons:
💀You are responsible for internet availability and system configuration. Though the proctor will help you troubleshoot to a point, you will still need to provide the needed peripherals like microphone, speakers, and proper specs.
💀It may be harder to focus depending on your home environment.
Test Center
Pros:
✅Quiet test environment.
✅They are responsible for equipment and internet.
✅You may have better focus away from your home environment.
Cons:
💀You may be subject to the space available; ample room to spread out your SANS material could be a challenge.
💀They do their best to keep the environment quiet however it doesn't always happen. I have been to test centers with distracting events going on outside and rustling around from other test takers. (I'm a big old noise sensitive baby...)
💀Pants required.
Thanks for stopping by and taking the time to read the strategy for passing GCTI. For future topic suggestions leave me a comment or send an email! Until next time, stay geeky friends. <3

Other Resources
LADIES! SANS has an Immersion program. If you apply and are selected it is a wonderful opportunity to become SANS certified and get a leg up in your cybersecurity career. Follow this link to check out the scholarship offered.
SANS also puts out a TON of free training through the year, check out their website to keep up to date with what's up and coming for the year. I highly recommend any summits they put on.
Sources
For578.1: Capstone. Cyber Threat Intelligence Training | SANS FOR578. (n.d.). Retrieved February 25, 2023, from https://www.sans.org/cyber-security-courses/cyber-threat-intelligence/
Art- purchased stock or Mid Journey AI generated.