Saturday, October 15, 2011

Drum Roll Please…………

It’s been a couple of weeks since I have updated the blog. I hoped to get a post out about SANS FOR610, but that will have to wait. Thursday evening I received an email from Jeff Frisk about my GSE results!

Naturally my wife had been working late and was on the way home, but she was still a good 30 minutes away. I called her and told her I got the results; she said OPEN IT NOW! Who am I to disagree?

I opened the email and after the greeting I saw the word Congratulations! I immediately began celebrating and realized I would not have to sit the test again. Right then I decided to take the rest of the evening off, relax with my family and celebrate.

After getting the results I started reaching out to others who took the exam with me. Some of them passed, others had to write a paper, and some of them will have to sit for the exam again. Regardless of the outcome, the people who sit for this exam should be proud of themselves! I do want to give a special congratulations to my fellow newly minted GSEs:

• Ahmed Abdel-Aziz
• Skip Duckwall
• Brian Estep

There are a ton of people I would like to thank: co-workers, authors of the books listed in the blog, people I follow on Twitter, and friends. Two people I want to thank personally are Ash (who will be a GSE very soon!) and Chris. Finally, I want to say thank you to my family for their support and understanding during the entire process as well.

With the GSE knocked out, it’s time to start blogging about something other than the GSE! My next blog post will be about SANS FOR 610 Reverse Engineering Malware, then on to more technical posts!

Saturday, October 1, 2011

My thoughts about the GSE lab.

After sitting through the lab, and having some time to reflect on the exam, I thought I would give my thoughts on it. I don’t know if I passed or failed, but I wanted to get this out before I got the results so I had no bias.

There is a lot of mystery surrounding the exam, and I am not going to reveal anything new about the exam itself. I’ll say there was nothing on the exam that wasn’t covered in the GSE objectives. The challenge with this exam is not the range of topics, of which there are plenty, but how deeply you must know these topics.

What did I think of the exam itself? I LOVED IT! Take the nerves out of the exam and it was really an enjoyable exam; in fact I will say it’s the most fun I have ever had taking a certification exam. I told Jeff Pike I would love to do the exam at home. Regardless of whether I pass or fail, I’ll say that if you don’t have a lot of hands-on experience I don’t think you’ll be able to pass.

Hopefully I'll find out in the next couple of weeks if I passed or failed and I can get back to blogging about other things. I plan to give a review of the SANS FOR610 class that I took at SANS Network Security.

Sunday, September 25, 2011

The GSE Lab………Completed!

After months of preparation, I took and completed the GSE Lab on September 17th and 18th at SANS Network Security 2011 in Las Vegas. I took the last 30 days off from blogging to prepare for the exam. Unfortunately most of the time was spent working and not preparing for the lab itself, but I was getting a little burnt out studying.

I flew to Vegas on Friday the 16th and met my fellow tester and friend Ash for dinner. Ash and I discussed what we thought the test was going to be like and decided we should locate where the lab was going to be held. We walked into the room where the lab was being set up and ran into Jeff Pike, who was administering the test. While there Jeff informed us 11 people were sitting for the test, which as far as I know is the largest group to sit for the GSE to date. Ash and I left and agreed to meet for breakfast the next day.

After breakfast on the 17th, Ash and I walked into the testing facility making a bit of a ruckus! Jeff proceeded to cover various items, and the test began. Once the test started I had my usual initial nerves, but after 45 minutes or so I settled into the exam. Once in the exam time flew and before I knew it the morning session was over.

Ash and I took lunch together, and ran into a few other GSE test takers. This was the first time we really met with them. It was an interesting group of people taking this exam: some purely defensive, others purely offensive, and guys like Ash and me who worked both sides.

After lunch we got started on the second part of day 1. This is an area I am not fast with, but I gave it my best! While going through this section I didn’t have the nerves I had in the morning. Once again time seemed to fly; an hour felt like 10 minutes, and the whole section seemed to only last about 20 minutes. I will admit this section is causing me great concern; if I don’t pass, I’m willing to bet it’s because of this section.

After the test, I went to my room and reviewed a couple of things that had not been covered. After a bit of review, I met up with Ash for food and a walk around the hotel just to get out.

The next morning I met Ash for breakfast again and watched several train wrecks of drunk and pissed off people. Between the train wrecks, we talked about what we thought was coming up. We went back to the lab, even starting a bit early, and began the second day. The morning session tested several different areas that I felt good about, except for one area. I flew through most areas, but still needed more time.

After lunch we headed back for the final part of testing. I will admit this part was not for the faint of heart. There was a lot to cover and not nearly enough time to complete it. I answered as much as I could, and if I didn’t know the answer I moved on and came back later. Sometime during the afternoon Eric Conrad showed up to say hi to the test takers. Not long after he left time was up and the test was finished.

After the test I went with Ash, Eric, Seth Misenar and a few other testers and had a few beers to relax!

How did I do? I don’t know but should find out in a few weeks. Later this week I will write up my thoughts about the exam.

Tuesday, August 16, 2011

30 days and counting……

I have not blogged in a while because of various things going on. However, I looked at the calendar today and realized in 30 days I will be on a flight to Vegas for the lab!

My final month is all about lab time and doing the exercises from the GSEC, GCIA and GCIH classes. As I am doing the exercises it’s about doing them fast and right. The clock is ticking during the exam, so I have to be fast and accurate. The tools I am not proficient with are the ones I am spending a lot of time on to make sure I understand them.

So with everything set, this will be my last blog post until after the lab. I will not be able to disclose details about the lab, but I will post when I am back.

Sunday, July 24, 2011

I am alive, GSE prep and SANS Network Security 2011 facilitator…..

My short absence from updating the blog is both sad and funny. I originally planned to skip one week because of a short 3-day holiday with my wife and friends. While on holiday I received a phone call from my father explaining to me how he had just broken his leg 500 miles from home! To complicate matters, my mother had just had knee replacement surgery a few weeks earlier and was home in bed unable to do anything. So after returning from holiday I jumped on the next AA flight to COS to get my dad home to Kansas City. Once in KC I had to get my mom to a follow-up surgery (she reinjured the new knee), and get my dad through his. My sister was a big help during this, but this family emergency threw all kinds of wrenches into my GSE study plan. I returned to DFW earlier this week and started to catch up.

For GSE this week I spent time looking over the Incident Handling domain. I reviewed the incident handling process as defined by SANS:

  • Lessons Learned

Additional areas covered in the IH domain include common attacks, malware and preserving evidence. Fortunately I was able to get those areas covered as well. This week I hope to cover the ITSEC domain, OS security, secure communications, and protocols.

It turns out this week I was also accepted to facilitate FOR 610: Reverse Engineering Malware with Lenny Zeltser at SANS Network Security 2011 in Las Vegas. This is the first time I have facilitated a SANS course, and I will tell you I am very excited about the opportunity.

I should be back to posting once a week again, and after the GSE lab I plan on doing more technical and interesting blog posts!

Sunday, July 3, 2011

Ubuntu, Sguil, InstantNSM and GSE Lab Prep

Last week I discussed Sguil and said I was going to do a post on getting Sguil running on Ubuntu. Like most good plans, mine fell apart. To start with, I changed what I intended to blog about late in the game, then ran out of time.

My plan now is to include using InstantNSM and the Sguil packages to get a Network Security Monitoring (NSM) system up quickly. In order to do this I have to modify InstantNSM to “support” Debian-based systems. This modification will be made and tested over the next month or so. I have contacted the developer of InstantNSM to see about adding support for Ubuntu.

On the GSE Lab front I have spent time building the lab, started to read the Wireshark Network Analysis book, and spent some time reviewing network traffic (outside of my day job, of course). As I spend more time with packet captures, I am becoming more proficient at writing filters in tcpdump and Wireshark.

Next week I am going on a short three-day trip with the wife and friends, so I probably won't get a chance to post anything new, but you never know.

Saturday, June 25, 2011

GSE Lab Prep – The Tao of Network Security Monitoring and Sguil

I spent the past week reading The Tao of Network Security Monitoring by Richard Bejtlich as part of my “study plan” for the GSE Lab. Fortunately, or unfortunately, I take a train to work every day and that gives me 1.5 hours to do whatever I want to. This time allows me to read a 600+ page technical book cover to cover in a little over a week. I also have spent time building/playing with my GSE lab.

Since there are so many reviews of the book I will limit my review to only say Richard did an amazing job with this book, and if you perform any type of Network Security Monitoring (NSM) this is a must-read book. One of the great strengths of this book is that Richard discusses several NSM tools not covered elsewhere other than in passing. I am sure some of these tools will be covered in detail in the GSE lab, so I plan on spending some time with the ones I am not intimately familiar with.

One tool mentioned in the book that I plan on spending time with is Sguil. According to the nsmwiki, Sguil is best described as an aggregation system for network security monitoring tools. Major tools used by Sguil include:
  • Snort/Barnyard
  • Security Analyst Network Connection Profile (SANCP)
  • Passive Asset Detection (PADS)
  • p0f
  • tcpflow
The great thing about studying Sguil for the GSE lab is that all of the tools are discussed in the GSE prerequisite classes. That fact alone makes Sguil a great tool to spend time with in the GSE lab. One thing I do know that is described as a downside to Sguil is its installation. I know a few articles discuss installing Sguil on Ubuntu 10.04 Long-Term Support (LTS), but I plan on writing up a procedure and posting it on the blog within the next week.

Saturday, June 18, 2011

GSE Lab plan……

With the GSE written out of the way it’s time to focus on preparing for the lab. My plan will go to hell over the summer as work and personal stuff take over, but it’s my plan anyway.
The first part of my plan is to go over several books, which I have been trying to do for a long time. Here is the list of books I plan to review:
  • The Tao of Network Security Monitoring
  • Extrusion Detection
  • Counterhack Reloaded
  • Wireshark Network Analysis
  • Hacking Exposed
Although the list is long, I spend almost two hours daily travelling to and from the office on public transportation, so I have plenty of “free time”.

However, the lab is not about book smarts; it’s about the ability to get stuff done. To make sure my skills are up to speed, and to review tools I never use or only occasionally use, I plan on creating a lab. The lab that I plan to build will consist of the following systems:
  • Linux (Ubuntu) – Firewall, IDS, IPS
  • Windows 2008 Server – Domain Controller
  • Windows 2003 Server – Domain Controller
  • Windows 7 Ultimate – Workstation
  • Windows XP SP3 – Workstation
  • Linux (Fedora 12) – Linux Server, www, ftp, smtp
  • BackTrack4 – Attacking System
I plan to record all network traffic in the lab for later analysis. This network traffic will include “normal” and “abnormal” traffic. I will be attacking the various systems to create security incidents, then investigate the incidents. I plan to use only the tools covered in the material.

So there is my plan for preparing for the lab. Will it be enough? I don’t know, but it should cover all of the defined GSE objectives, and if I meet those I will pass.

Sunday, June 12, 2011

Well that was unexpected…….

Seven days ago I posted that I was going to spend that week reviewing SEC 504, then use this week to review the material I needed to work on, and take the GSE written on the 18th. Review of the 504 material went much quicker than I thought and was done Tuesday. I spent time contemplating moving the test date forward, and decided to take the written on Friday the 10th. My thought was, if I didn’t know the material now, I would not know it in a week, and I should go for it!

So, Tuesday night I booked the test and was ready to go for Friday. I spent Wednesday night with family, and contemplating an email I got about going to Game 5 of the NBA finals! After a very tough decision I decided not to go, which in hindsight I am kicking myself for. Thursday I got stuck at the office and didn’t get home until after 8 (normally not a big deal). I watched Game 5 (kicking myself again for not going), and after watching the Mavs’ victory I went to bed.

Friday, test day, I slept in until 6:45 since I was working from home in the morning and testing in the afternoon. At noon, I packed up all my stuff and headed to the testing center. When I got to the testing center I had to wait in the lobby for 15 minutes (which didn’t help me). Finally, I got checked in and started the exam right on time (1:00 pm).

I am not going to cover what was on the written exam other than to say all GSE objectives were covered and nothing was asked that was not listed on the GSE Objectives web site.

After completing the test, I was greeted with a passing score, which means my next steps are to schedule the lab in Vegas at SANS Network Security 2011! Although I am proud of my accomplishment, I have no clue what’s next.

I am going to spend the next week or so coming up with a study plan, although I know I am going to steal some of it from a fellow GSE candidate, Ash! I know each person has a study plan to meet their needs, and I am working on mine. Next week I will give some insights into my study plan and lab for the GSE.

Sunday, June 5, 2011

GSE Written…Studying has begun in earnest!

Since I decided to apply for the GSE I have been reviewing my material from the three classes. My schedule was to have all my reviews done by 6/12 with an eye on taking the written on 6/18. As of today I am on track, just completing my review of SEC 503, and have already completed SEC 401.

This week is all about the last class, SEC 504 (Incident Handling). Looking over the material, I will say this review is the one I am looking forward to the most and one of the reasons why I saved it for last!

After SEC 504, I am going to make a list of things to spend time reviewing next week, such as bit masking (I always mess this up when I do it by hand) and what you use symmetric and asymmetric encryption for (I know what they are for; I occasionally mix them up though), as well as other areas.

As I go through the material, one thing I can say is there is a lot of material. The depth to which I must cover it is where the real challenge in the GSE is, at least for me. For example, when doing packet analysis it’s not just knowing what a particular field represents, but what the field should look like (normal behavior) or should not look like (abnormal behavior). That level of understanding is what makes this a challenge.
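The two review items above, bit masking by hand and knowing what an IPv4 header field should and should not look like, can be practiced together. The following is an added example, not code from the original post: it builds a 32-bit netmask from a CIDR prefix, ANDs it against an address, parses a raw IPv4 header with the standard library, and flags field values that a sane packet never carries (version other than 4, IHL below 5, a total length larger than the bytes on the wire, the reserved flag bit set, a zero TTL, a header checksum that does not verify). The two packets and the internal subnet 10.1.2.0/24 are constructed for the example and are assumptions, not captures from the author's lab.

```python
import struct
from typing import Dict, List

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def prefix_to_mask(prefix_len: int) -> int:
    """Bit masking by hand: /24 -> 0xFFFFFF00, /0 -> 0, /32 -> 0xFFFFFFFF."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def inet(addr: str) -> bytes:
    """Dotted quad -> 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))


def network_of(addr: str, prefix_len: int) -> str:
    """AND the address with the netmask and give the network address back as a dotted quad."""
    packed = struct.unpack("!I", inet(addr))[0]
    net = packed & prefix_to_mask(prefix_len)
    return ".".join(str((net >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def in_subnet(addr: str, cidr: str) -> bool:
    net_addr, prefix = cidr.split("/")
    return network_of(addr, int(prefix)) == network_of(net_addr, int(prefix))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Run over a header that already contains its checksum, the result is 0 when valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, *, ttl: int = 64, flags: int = 0x4000,
               total_len: int = None, bad_checksum: bool = False) -> bytes:
    """Constructed test packet (IHL 5, protocol 6). flags is the 3 flag bits + 13-bit offset."""
    total = total_len if total_len is not None else 20 + len(payload)
    fields = [0x45, 0, total, 0x1234, flags, ttl, 6, 0, inet(src), inet(dst)]
    fields[7] = 0xDEAD if bad_checksum else ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4_header(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 20:
        raise ValueError("truncated: IPv4 header needs at least 20 bytes")
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = ver_ihl & 0x0F
    hdr_len = ihl * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_length": total_len,
        "reserved_flag": (flags_frag >> 15) & 1,   # "evil bit", must be zero
        "dont_fragment": (flags_frag >> 14) & 1,
        "more_fragments": (flags_frag >> 13) & 1,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "wire_length": len(pkt),
        "checksum_ok": 20 <= hdr_len <= len(pkt) and ipv4_checksum(pkt[:hdr_len]) == 0,
    }


def check_header(h: Dict[str, object], internal_net: str = "10.1.2.0/24") -> List[str]:
    """Normal-versus-abnormal checks; returns short finding codes, empty list if all looks sane."""
    findings = []
    if h["version"] != 4:
        findings.append("bad-version")
    if h["ihl"] < 5:
        findings.append("short-ihl")
    # Ethernet padding makes the wire longer than total length, never shorter.
    if h["total_length"] > h["wire_length"]:
        findings.append("length-mismatch")
    if h["reserved_flag"]:
        findings.append("reserved-bit")
    if h["ttl"] == 0:
        findings.append("zero-ttl")
    if not h["checksum_ok"]:
        findings.append("bad-checksum")
    if not in_subnet(h["src"], internal_net):   # assumption: capture is on the internal segment
        findings.append("src-outside-internal")
    return findings


# Constructed sample packets (not real captures).
NORMAL_PKT = build_ipv4("10.1.2.5", "93.184.216.34", b"\x00" * 8)
ABNORMAL_PKT = build_ipv4("192.168.50.9", "10.1.2.7", b"\x00" * 8,
                          flags=0x8000, total_len=40, bad_checksum=True)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PKT), ("abnormal", ABNORMAL_PKT)):
        h = parse_ipv4_header(pkt)
        print(name, h["src"], "->", h["dst"], check_header(h) or "ok")
```

The subnet check is the bit-masking drill: the same AND that you do on paper to find a network address decides whether a source belongs on the segment you captured from. The other checks are the kind of "what should this field look like" knowledge the post describes; they are intentionally strict, and on a real capture the length test should be read with link-layer padding in mind, which is why it only fires when the header claims more bytes than were captured.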

There are two things about studying for the GSE that I have come to appreciate already. First, the level of knowledge a GSE has is truly amazing, and second, regardless of pass/fail I will come away a better security professional.
So for now, off to review SEC 504…

Saturday, May 28, 2011

GIAC GSE.....the beginning

So it’s been a while since I have blogged, but I have decided to try again. This time though I am going to take the reader on a ride. I have spent considerable time contemplating, and I have made the decision to attempt the SANS/GIAC Security Expert (GSE).

If you are unfamiliar with the GSE, it’s SANS’ expert-level certification; check out this link for details, it covers the requirements and the testing process. The certification is a two-part process with a written exam and a hands-on practical lab (very much like the Cisco CCIE). I hold all three required certifications, with a gold GSEC paper, Introduction to Malware Analysis. I am using my GCFW to satisfy the second gold paper (or elective). With the minimum requirements met, I applied for the exam.

This week the application was approved, and I have come up with this study plan and schedule for the written. I already indexed the three classes (SANS SEC 401, 503, and 504) that the written test covers, so my plan is to review the index and then read the books from each class.

After each class, I am debating whether to purchase a set of practice tests for each class to review my strengths and weaknesses. If I don’t purchase them I will spend time reviewing areas I feel I need to work on. If I do purchase practice exams I will take one after each “class”, then take a final consisting of all three “classes” at once.

My planned schedule is to review 3 to 4 modules a night during the week and at least 6 each weekend day (total of at least 12 each weekend). At that rate I hope to have the following schedule for each class:

  • 401 – 5/23 – 5/30
  • 503 – 5/31 – 6/5
  • 504 – 6/6 – 6/12

I will then do a final review the week of 6/13 with an eye on testing 6/18. As I write this it has me thinking about the challenge ahead, and to quote Barney Stinson, “Challenge Accepted”! I will update the blog as I move towards taking the written.