Friday, 13 April 2012

Doing The GSE

So, as many folks know, I went to Orlando towards the end of March to attempt the GSE lab. Both before and afterwards, I received several questions about the GSE :) Therefore, instead of destroying my fingers and typing multiple individual responses, I figured I'd write a short blog on my experiences with the lab section, whilst my thoughts on the written section can be found here. Apologies, this post started off short.

Firstly, let me say that once I overcame the initial nerves (I was bricking it on the first morning), I had a great time. @Chris_Mohan and @asho_relaxo both told me that I'd have fun but I didn't believe them (in fairness, they're not trustworthy characters). Most folk enjoy the first day the most, but I loved the second morning, it was a blast, especially when you come back to that problem that you couldn't figure out and then you nail it :)

So how did I prepare - 

1. I found out who previously sat the GSE and chatted with some of the guys that I knew or had a vague connection to. You will find that all the GSE-holders are very approachable and just normal blokes :)

2. I did what I detailed here, which includes reading (several times) some GIAC GSE advice @ 
It's important to check what the requirements are and this goes for the questions that you face in both the written and practical exams (actually maybe add a 're-check' there).

3. I went through each page in the GSEC (I'm not great at Windows, as well as many other things actually), GCIH (I don't do offensive stuff regularly so I also skimmed my GPEN notes) and finally GCIA, which I sadly found awesome (seriously, it's a pleasure reading Judy Novak and Mike Poor's notes).
The topics in GCIA weren't hard for me because I essentially sit in packet captures daily, woot, eh :)

4. I did every lab/exercise in the three primary courses.

5. I set up my own lab, but do it with a 'plan'.....know what you want in your lab and what you're going to do with it.

Some folk go to the extreme on their lab but mine was confined to VM Fusion on my MBP, which had to have its memory increased to 8GB  but given that 4 GB of DRAM is now around $25, that was nothing. I also set up some Windows server VMs on my Xen Server in work, but really 90% of my lab work was performed on my MBP.  

PLEASE NOTE the GSE laptop requirements, I'd recommend turning up with a Windows (XP or 7) laptop with 4GB RAM with either VMware Player or Workstation, you will experience fewer issues and do you really want to be worrying about your laptop instead of bricking it over a GIAC question?????????

6. I became familiar with every offensive and defensive tool that I felt was necessary. Based on my study, I discarded several. I'm not going to tell you what they are, work it out yourself, it's not hard ;-)

7. I live in Wireshark and tcpdump so I didn't have much work to do there.

8. There are some GSE Google Groups but I personally did not find them useful as the people on the list dropped out and seemed to be doing Masters, PhDs and other security exams, which is admirable but didn't help me in doing a GSE.

This might come across as harsh but I find that many folk on those lists 'talk' rather than 'walk' so be careful you don't become an endless resource. I know this happened with previous GSE candidates.

9. Build your lab, attack it, take captures, analyse the captures, lock down your lab, attack it, take captures! Rinse and repeat :) Trust me this works! Use the systems outlined in the GSE requirements for your lab.

Become familiar with the tools described in the 3 courses; you can work out yourself which tools are more important than others. I founded an ethical hacking CTF in Ireland so, for the last three years, I created a lot of challenges and practiced breaking and defending boxes. This was obviously a huge help but it's not feasible for most folk to do this, especially as preparation for the GSE. One thing that I did do was play with Security Onion, Doug Burks' awesome creation, as outlined here. It helped my Snort knowledge without a doubt and is the perfect way to play with Snort whilst you don't have to worry about building or compiling anything because Doug has kindly done it for us.

10. I read quite a few books, some day I'll update my reading list :) Check out Chris's list here.

11. I followed @Chris_Mohan's advice and went in with a smile and determined to have fun (after all I had just paid for myself to travel from Dublin for 3 days in Orlando to do an exam - yep, I got no support from work).

12. Learn to manage your time, the hours go by very quickly, trust me. Not so much the first couple of hours but in the last quarter or so of each session, time simply vanishes.

13. If you don't get something within (what you deem) a reasonable time frame, leave it and move on. Come back later with a fresh mind and you will be surprised what you might see. This happened me several times.

14. Don't be afraid to use the GIAC computer to check something but don't waste time up there.

15. Get your sleep beforehand. I spent the day before the lab reading the 'Hunger Games' :) What's the point studying then, if you don't know 24 hours before, leave it. A fresh brain will do much better. Additionally, if you're coming from outside the US, be aware of the time zones and try to adjust. Thankfully, I was just four hours ahead of Orlando but I was still waking at 04:30, though I did manage to get back to sleep until just before 06:00, when the gym opens!!!! I cannot emphasise how important sleep and rest beforehand are while you will be tempted to study, study, study.

16. Go out for dinner the night before, if possible, and definitely go out on the first night of the lab for some food and maybe a drink. Relaxing with the folks from the lab is a great help, though $75 of sushi for one person might be a bit much even if the waitresses are hot ;-)

17. Bring whatever legal uppers you can, especially if you're not coming from within the US. I was pretty jet-lagged, though it mainly meant I went to bed @ 21:00. I brought Berocca and drank the coffee provided in the room, however, being from Europe both it and the coffee in the Starbucks (in the hotel) were awful and I missed my Nespresso machine :) I eat very healthily in general and play a lot of sport, I made a conscious effort to keep this up around the exam. It's good not to change habits and release those endorphins!!

18. Most importantly, I need to thank Doug Burks, Dennis Distler and Stephen Sims (my awesome GSEC instructor, having Steve teach 401, wuhoo!!) together with Jeff Pike and Jared McLaren, the proctors :)  However, most of all, I must announce my huge appreciation to Ash Deuble and Chris Mohan (even though he kept asking if I liked his 'shiny hair'). The guys answered my many silly questions and  also provided me with hours of amusement with mail threads that went hopelessly off-scope and into crazy tangents!!

I should also thank AIB, yes that's right AIB, for sending me on my first SANS course though I didn't quite get the bug until Arrigo taught me the GCIH course. 

19. Did I say about building a lab, attacking it, analysing it and defending it?

20. A great benefit of the GSE certification is that if you've multiple certs, the GSE renews the others automatically, much cheaper in the long run :)

21. Finally, this challenge is 'tough but fair'!!

To finish it off, we even played a little practical joke on Jeff toward the end of the second day, which helped relax everyone (I think) especially as it went so well - a nice fake lump of turd on the ground :) So go on, give it a shot, it's not that scary and the feeling when you get the email from Jeff Frisk, well it's very nice.....

--

P.S. If you're on the GIAC Alumni mailing list, there are several threads on the GSE written and practical exams with a lot of information!

P.P.S. It'd be great to see a GSE lab exam in London but until there are European-based folk prepared to sit the exam, we'll have to travel to the US.

6 comments:

  1. Fantastic work Mark, nice to see you got Ireland on the GSE country score board finally!

    Good work on showing Jeff some love - it's an important tradition to annoy the person scoring the exam...

  2. Mark,
    Just reading the requirements and process is an ordeal. Congrats and well done.

  3. Thanks Joe.

    Looking back it actually doesn't seem too bad but I'm sure my wife would disagree :)

  4. Mark, is bricking a good or bad thing ? Listening to you on Eurotrash I couldn't tell.

    1. Ha ha, it just means that I was "very nervous" so a mixture of good and bad, depending on how you control the nerves. Thanks for the feedback and listening to the podcast :)
