SANS SEC504 - Hacker Tools, Techniques, and Incident Handling ABC Including Course, CTF and Exam Review. - LinkedIn


SANS SEC504: Hacker Tools, Techniques, and Incident Handling ABC Including Course, CTF and Exam Review.

Marcin G.
24/7 Cyber Security Analyst | GIAC Certified Incident Handler

March 12, 2023

$ /usr/bin/cat index.txt

I. My feedback:
1. Course
2. CTF
3. Exam
II. Preparation:
1. Course
2. CTF
3. Exam
4. In-person class
III. Last but not least

$ _

I. My feedback:
1. Course

Back in September 2022 I participated in the SANS SEC504: Hacker Tools, Techniques, and Incident Handling in-person class conducted by Kevin Fiscus in Amsterdam.

The in-person class was great. The knowledge and energy Kevin shared with us were amazing. He pushed himself hard, so we could gain as much as possible from the class. For people who took online classes there was a moving camera. The amount of knowledge and the course pace make it really difficult to truly keep up with everything. At some point, you can understand everything the instructor is saying. Still, if you have little or no experience with the course material, then your brain will simply be overloaded with new information. You will be there just listening, trying things but later simply forgetting them.

It's good to go there with the right mindset. This is not a one-week course. Depending on your previous knowledge and experience it's up to even a few weeks of great fun.

2. CTF

I think it would be great if SANS let us practice more with the CTF lab after the course. Those are really great labs and one can practice all the course material in that lab. I saw that some people got really frustrated about those Coin achievements after all. It's a nice thing to have but, personally, I don't care as much. I was not there for the coin. I thought about it and I sent my feedback to SANS asking them to change the coin achievement.

Instead of gaining the Coin for accomplishing 1st place with your team (or the right one), make it something students gain for, for example:

- attention,
- providing extra value content,
- feedback.

Or at least let people in the class decide how they wanna play it. I think this could make people more engaged, rather than joining the class, sitting there, being quiet, playing with their phones, and then going, trying to get the Coin and saying bye. I've heard some rumors of one guy acting like that while taking SEC504.

CTF scoreboard

The CTF lasts about 4h. I scored 66pts. x13x37 was very, very fast at gaining most of the flags xD. We all worked together up to 1st place. Yep, I teamed up with the right person there. He's got 7 years of experience as a PT.

3. Exam

I passed my first test exam with a score of 93% (Firefox), and the second test with a score of 92% (Guardian). I finished the final exam with a lower score though (Guardian). Exam questions were harder for me than those from the tests. I spent more time with the books searching for the right answer or just making sure about the right answer.

With the Guardian browser, my labs had huge lags. It happened to me while taking the second test and I was worried that this might also happen later on the exam. Everything else was the same: me, my place, network connection. Working with the terminal command line was much harder. Writing commands into the terminal took a while to load. Correcting command line typos was insane and very stressful for me. Time pressure made it even harder for me. So I did not fully accomplish the labs, even though I knew how to finish them. I remember I was really frustrated at that moment. I even started thinking that I would have to buy another attempt but for sure not with the Guardian browser. Turns out I didn't have to.

While taking the tests, if you choose the wrong answer they will give you an immediate response and explanation. After the whole test, you see something like this. This can help you find out which topic you need to focus on more.

Test results

II. PREPARATION:

If you are interested in taking the class, this might be valuable for you.
1. Course

Make sure to be prepared and begin the course a week before. Start as soon as they give you access to the online books and labs. This way you will slowly get on with the materials, and then you are more likely to get more from the in-person class. This worked very well for me. On your last day of the class, the SANS instructor will share with you a method on how to get back to the knowledge and remember more of the course and its content. The method they share with students worked well for me.

To get the needed practice and understanding I worked later with some materials. I got my hands on them again (second and third reading, indexing, playing Linux and PowerShell Olympics).

Linux Olympics final score

Secret menu

The more work I've done with the materials, the better the possibility of greater results. The same will work for you:

- as soon as you get your books, read them for the first time. Call it the first reading. See what's in them. Familiarize yourself with the content. See what you are already familiar with. See what is new for you. Take your first notes. Later you will want to go through the books three to four times more.

- set up your VMware labs.

- get some tools for making your notes.

- you may want to take one extra monitor to work with. One for virtual machine labs and the second for note-taking.

2. Class

- make yourself fresh and ready, because the course pace is quite a ride :D

- be active, ask questions, make notes, talk and meet new people, and have a good time as I had.

- play with the labs also after the class, or at least with the ones you are not familiar with. Take your time with them.

- every lab is well prepared and described within your virtual machine browser, but make sure to also take your notes in the books.

- write your feedback. They care about your thoughts. They really care.

3. CTF

You're gonna use techniques that you've learned in this class. That includes network and services discovery, domain & web enumeration, password cracking, gaining initial access, pivoting, privilege escalation, and credential stuffing.

- meet up with your team, ask who is good at what, and set up your roles.

- prepare your notes from class and use the books and materials.

- start some private Pastebin or Riseup to keep up with all services, username:password creds, etc.

- send your feedback about the CTF. Mine is in section B.


4. Exam

After the class I took my time and prepared myself for the GCIH certification exam, which I took in early 2023:

- schedule your exam as soon as possible. Do not schedule your exam on the last day. If possible, do the exam with your own browser and the ProctorU add-on, not the Guardian browser. (More on that in section B).

- go back to your books, make an index and tabs. I recommend doing two indexes: one for words, the second for command lines.

- work your way through the books as you're gonna need them for the exam.

- join the SANS Official Operations Discord server, and read what others recommend.

- make sure to do the Linux and PowerShell Olympics. I really enjoyed them.

- take the first test exam. See what you are missing. Take notes. Improve your index, and go back to the labs. The same goes for the second test.

Exam questions are a bit more difficult than those from the tests, so get yourself ready and steady.

Have fun!

- write your feedback (yes again).

I wrote a few words about my experience with SEC504. #SANS #storytime #review
#tipsforsuccess

Comments

George Daniliuc (Director EMEA at SANS Institute) • 3mo

Very insightful, Marcin! Thanks for documenting your journey! Useful for anyone that is still on the fence about #SEC504!


Marcin G. (24/7 Cyber Security Analyst | GIAC Certified Incident Handler) • 3mo

Thanks George.


root access ("With great power comes great responsibility" / RED Team / OSCP) • 3mo

Nice article bro
