GIAC Certified Incident Handler (GCIH)

August 14, 2016

Back in July, I had the privilege of participating in my first SANS course and I would like to share some of that experience and my journey to certification which is a direct result.

As I prepared for SEC504, I have to admit that I wasn’t sure what to expect. Anyone worth their salt in InfoSec knows that SANS is the highest and most respected and far-reaching security education outfit anywhere, hands down.

I was lucky enough to have Mr. Jonathan Ham as an instructor who is both incredibly intelligent and equally seasoned in our industry. The class itself was an awesome experience complete with lab work and an amazing amount of information.

On the advice of everyone who has ever taken this exam, I’m painstakingly going back over ALL of the course material (6 books, 6 days…not kidding) and manually indexing all of it.

Some of my indexing so far has included the stages of Incident Response which I have forced into my memory, PICERL…

P – Preparation, making sure that policies, procedures, tooling and people are in place before anything happens, and that all expectations are set.

I – Identification, taking appropriate steps to detect and confirm incidents while reducing false positives; this is where triage happens.

C – Containment, once an incident is confirmed, stopping it from spreading (isolate the host, preserve evidence, then apply longer-term fixes) in a timely manner and in a way that does not needlessly affect production or other lines of business.

E – Eradication, as cool as it sounds. Find the root cause, remove it (malware, attacker accounts, the weakness that was exploited) and generally bounce back.

R – Recovery, per your contingency plan, should the asset be restored from backup, wiped, or just re-provisioned etc…? The main goal here is to minimize the production impact, return affected computers to service and watch them closely for a repeat.

L – Lessons Learned…write it up, fix what let it happen, and don’t let it happen again!

Hope everyone enjoys this little insight, I’ll try to keep current with this as I’m studying.

-Paul


September 13, 2016

So, my plan was to use this blog to help keep me honest and committed to getting this certification under my belt. I’m not kidding, it’s tough. Sometimes things like this don’t always “fit” into real life. I’m doing my best and slowly crawling through the information so I thought I would share a little piece. This time, my studying is really harping on DNS issues so I thought I would touch on what I’m working on this week…

What is DNS? Lame you say? How else would I open this… -_-

DNS, or Domain Name System, is something that we all use every single day, often without realizing it. Basic networking teaches us that every network node has a unique address, much like your home address. In computer land, however, that address is a series of numbers (an IP address) used to identify you as a stop on the “map”. DNS does for us what our memories will not. We can ask DNS to find Google, for example, and it is nice enough to look through the “phone book” and report that Google is reachable at one of its addresses, 172.217.1.132. I don’t know about you, but if I had to remember that, I would never make it. DNS listens on port 53, normally UDP for everyday lookups and TCP for large responses and for zone transfers, and it politely does all this for us while asking for little in return.

Why am I rambling about this? To explain something called DNS zone transfers and why they exist. In many organizations there is a need for internal DNS servers to map application servers, mail servers, etc.… DNS does a great job of telling everyone where they need to go. Now any company worth its salt is going to care about disaster recovery and availability, so what if we throw another DNS server in there so the first one isn’t lonely or overworked? Now we have two independent DNS servers serving the same domain, but how do we know that they are reading from the same “phonebook”? This is where zone transfers become necessary. A DNS zone transfer is how a secondary server synchronizes with the primary: the secondary connects to the primary over TCP port 53 and asks for the entire zone (an AXFR, query type 252) or, on later refreshes, only the records that changed since the serial number it already holds (an IXFR). The secondary decides when to ask based on the refresh, retry and expire timers in the zone’s SOA record; the capture below shows those timers, and the serial (labelled “Version number” in the decode). This is completely normal and allows fluid operation regardless of which DNS server you may be querying. Ok, so this is pretty weak so far, nothing exciting. Now put your black hat on. How sweet would it be if the company you are attacking let you connect from the internet, ask their DNS server for all of this information…and hand it over? A zone transfer is a single query, so checking for this is trivial: run dig axfr domain.com @ns1.domain.com from an untrusted network. It should fail with a transfer-refused error; if it prints the zone instead, anyone can have it. It is essential that companies restrict transfers to known, trusted secondaries only (BIND’s allow-transfer statement, or the zone’s Zone Transfers settings on a Windows DNS server, ideally combined with TSIG-signed requests) and never allow internet entities to ask for or receive this info. We are talking about “keys to the kingdom” stuff here, people: a full profile of every named host on your network walking right out the door. Food for thought, good study topic. See below for Microsoft’s example decode of a zone transfer response (only the first five of its sixteen records are reproduced here).

This is wickedly useful in both the wrong hands and the right hands. Our thinking around things like this has to include the fact that, while we may be cognizant of our own operations, are we sure that normal maintenance tasks are being carried out the way we think they are? For example, if you are used to seeing zone transfer chatter on the network, is a recon mission that originated from some basement in Asia going to look weird enough to notice? Ok, maybe…hacker.cn is milking your DNS…I pray that it would be detected immediately; but what about the remote worker who is running drive-by malware and just did a zone transfer from an IP range that you trust? Are you still going to see the hacker on the other end? Are you even going to notice? -_- ……?
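The question just raised, whether a transfer from a trusted range would even be noticed, can be answered from the name server’s own logs rather than from packet captures. The following is an added example written for this page, not code from the original post, from SANS or from any DNS vendor. It assumes a BIND-style xfer-out and security log format, a hypothetical network with one configured secondary (10.0.10.151) and two trusted ranges (10.0.0.0/8 and a VPN pool at 192.168.100.0/24), and runs over constructed sample lines. It flags every transfer served to anything other than the configured secondary, grades a trusted-but-unexpected source (the remote worker) separately from an outright internet source, and treats a refused attempt as a recon indicator rather than as nothing.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical environment, constructed for this example: the one secondary that is
# supposed to pull the zone, and the ranges we consider "ours" (VPN pool included).
KNOWN_SECONDARIES = {ipaddress.ip_address("10.0.10.151")}
TRUSTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.100.0/24")]   # remote-worker VPN pool

# Constructed sample log, modelled on the lines BIND's xfer-out and security
# categories write. Timestamps and addresses are made up; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for "the internet".
SAMPLE_LOG = """\
12-Sep-2016 22:14:03.512 xfer-out: info: client 10.0.10.151#51234 (domain.com): transfer of 'domain.com/IN': AXFR started
12-Sep-2016 22:14:03.640 xfer-out: info: client 10.0.10.151#51234 (domain.com): transfer of 'domain.com/IN': AXFR ended
12-Sep-2016 23:02:11.004 queries: info: client 10.0.5.5#40211 (www.domain.com): query: www.domain.com IN A + (10.0.10.150)
13-Sep-2016 01:17:45.221 xfer-out: info: client 192.168.100.23#60012 (domain.com): transfer of 'domain.com/IN': AXFR started
13-Sep-2016 03:40:09.873 xfer-out: info: client 203.0.113.45#44122 (domain.com): transfer of 'domain.com/IN': AXFR started
13-Sep-2016 03:41:30.118 security: error: client 198.51.100.9#33875 (domain.com): zone transfer 'domain.com/IN' denied
"""

# Matches either a served transfer ("transfer of '<zone>': AXFR started/ended")
# or a refused one ("zone transfer '<zone>' denied"). Ordinary query lines do not match.
XFER_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:transfer of '(?P<zone>[^']+)': (?P<kind>AXFR|IXFR) (?P<status>started|ended)"
    r"|zone transfer '(?P<dzone>[^']+)' denied)"
)


@dataclass
class Finding:
    ip: str
    zone: str
    kind: str
    severity: str
    reason: str


def classify(ip, known_secondaries, trusted_ranges):
    """Grade a transfer the server actually served to `ip`. None means expected."""
    if ip in known_secondaries:
        return None
    if any(ip in net for net in trusted_ranges):
        return ("high", "zone served to a trusted address that is not a configured secondary")
    return ("critical", "zone served to an address outside every trusted range")


def analyze(log_text, known_secondaries=KNOWN_SECONDARIES, trusted_ranges=TRUSTED_RANGES):
    """Return a Finding for every transfer that should not have been served or was attempted."""
    findings = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue                                  # ordinary query logging, ignore
        ip = ipaddress.ip_address(m["ip"])
        if m["dzone"]:                                # refused: server did its job, but someone asked
            findings.append(Finding(str(ip), m["dzone"], "denied", "medium",
                                    "zone transfer attempted and refused (recon indicator)"))
            continue
        if m["status"] != "started":
            continue                                  # count each served transfer once
        verdict = classify(ip, known_secondaries, trusted_ranges)
        if verdict:
            findings.append(Finding(str(ip), m["zone"], m["kind"], *verdict))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity.upper():8} {f.ip:16} {f.kind:6} {f.zone:14} {f.reason}")
```

The point of the two-level allowlist is that “inside a range I trust” is not the same as “is one of my secondaries”: only the configured secondary is silent, while the VPN address that pulled the zone is reported as high even though a simple trusted-range check would have waved it through.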

DNS: TCP Length = 445 (0x1BD)
 DNS: Query Identifier = 0 (0x0)
 DNS: DNS Flags = Response, OpCode - Std Qry, RA Bits Set, RCode - No error
  DNS: 1............... = Response
  DNS: .0000........... = Standard Query
  DNS: .....0.......... = Server not authority for domain
  DNS: ......0......... = Message complete
  DNS: .......0........ = Iterative query desired
  DNS: ........1....... = Recursive queries supported by server
  DNS: .........000.... = Reserved
  DNS: ............0000 = No error
 DNS: Question Entry Count = 1 (0x1)
 DNS: Answer Entry Count = 16 (0x10)
 DNS: Name Server Count = 0 (0x0)
 DNS: Additional Records Count = 0 (0x0)
 DNS: Question Section: domain.com. of type Req. for zn Xfer on class INET addr.
  DNS: Question Name: domain.com.
  DNS: Question Type = Request for zone transfer
  DNS: Question Class = Internet address class
 DNS: Answer section: . of type SOA on class INET addr.(16 records present)
  DNS: Resource Record: domain.com. of type SOA on class INET addr.
   DNS: Resource Name: domain.com.
   DNS: Resource Type = Start of zone of authority
   DNS: Resource Class = Internet address class
   DNS: Time To Live = 86400 (0x15180)
   DNS: Resource Data Length = 41 (0x29)
   DNS: Primary Name Server: server.domain.com.
   DNS: Responsible Authorative Mailbox: administrator.domain.com.
   DNS: Version number = 26 (0x1A)
   DNS: Refresh Interval = 300 (0x12C)
   DNS: Retry interval = 120 (0x78)
   DNS: Expiration Limit = 600 (0x258)
   DNS: Minimum TTL = 86400 (0x15180)
  DNS: Resource Record: domain.com. of type Host Addr on class INET addr.
   DNS: Resource Name: domain.com.
   DNS: Resource Type = Host Address
   DNS: Resource Class = Internet address class
   DNS: Time To Live = 86400 (0x15180)
   DNS: Resource Data Length = 4 (0x4)
   DNS: IP address = 130.0.10.150
  DNS: Resource Record: domain.com. of type Auth. NS on class INET addr.
   DNS: Resource Name: domain.com.
   DNS: Resource Type = Authoritative Name Server
   DNS: Resource Class = Internet address class
   DNS: Time To Live = 86400 (0x15180)
   DNS: Resource Data Length = 10 (0xA)
   DNS: Authoritative Name Server: server.domain.com.
  DNS: Resource Record: Dell.domain.com. of type Host Addr on class INET addr.
   DNS: Resource Name: Dell.domain.com.
   DNS: Resource Type = Host Address
   DNS: Resource Class = Internet address class
   DNS: Time To Live = 86400 (0x15180)
   DNS: Resource Data Length = 4 (0x4)
   DNS: IP address = 130.0.10.30
  DNS: Resource Record: JH40PS.domain.com. of type Host Addr on class INET addr.
   DNS: Resource Name: JH40PS.domain.com.
   DNS: Resource Type = Host Address
   DNS: Resource Class = Internet address class
   DNS: Time To Live = 86400 (0x15180)
   DNS: Resource Data Length = 4 (0x4)
   DNS: IP address = 130.0.10.155
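To make the decode above concrete, here is an added example (written for this page; not Microsoft’s code and not the post author’s) that builds the AXFR request a secondary sends and parses the TCP length prefix, header and question section of a DNS message back into the same fields the decode lists: transaction ID, the flag bits (Response, opcode, AA, TC, RD, RA, reserved, RCODE), the four counts and the question. The sample response frame is constructed: it reproduces the capture’s header (ID 0, flags Response + RA, one question, sixteen answers) and its question, but not the sixteen records themselves, so its length prefix is not 445.

```python
import struct

QTYPE_AXFR = 252   # "Request for zone transfer" in the decode above
QTYPE_IXFR = 251   # incremental zone transfer
QCLASS_IN = 1      # "Internet address class"


def encode_name(name: str) -> bytes:
    """Encode 'domain.com.' as DNS labels: b'\\x06domain\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # caller resumes after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def decode_flags(flags: int) -> dict:
    """Split the 16-bit flags word into the fields the decode above lists."""
    return {
        "qr": (flags >> 15) & 1,        # 1 = Response
        "opcode": (flags >> 11) & 0xF,  # 0 = Standard Query
        "aa": (flags >> 10) & 1,        # authoritative answer ("Server not authority" when 0)
        "tc": (flags >> 9) & 1,         # truncated ("Message complete" when 0)
        "rd": (flags >> 8) & 1,         # recursion desired ("Iterative query desired" when 0)
        "ra": (flags >> 7) & 1,         # recursion available
        "z": (flags >> 4) & 0x7,        # reserved
        "rcode": flags & 0xF,           # 0 = No error
    }


def build_axfr_request(zone: str, txid: int = 0) -> bytes:
    """Build the TCP-framed AXFR query a secondary (or an attacker) sends."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # all flags clear, QDCOUNT=1
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    body = header + question
    return struct.pack("!H", len(body)) + body                  # DNS over TCP needs a 2-byte length prefix


def parse_tcp_message(frame: bytes) -> dict:
    """Parse the length prefix, header and question section of a TCP DNS message."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) != length:
        raise ValueError("truncated TCP DNS frame")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "qtype": qtype, "qclass": qclass})
    return {"length": length, "id": txid, "flags": decode_flags(flags),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "questions": questions}


def is_zone_transfer(parsed: dict) -> bool:
    """True if any question asks for AXFR or IXFR, i.e. for the whole zone."""
    return any(q["qtype"] in (QTYPE_AXFR, QTYPE_IXFR) for q in parsed["questions"])


def sample_response_frame() -> bytes:
    """Constructed for this example: header and question of the response decoded above
    (ID 0, flags 0x8080 = Response + RA, QDCOUNT 1, ANCOUNT 16). The sixteen answer
    records are not reproduced, so the length prefix here is not 445."""
    body = struct.pack("!HHHHHH", 0, 0x8080, 1, 16, 0, 0)
    body += encode_name("domain.com.") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    req = build_axfr_request("domain.com.")
    print(req.hex())
    print(parse_tcp_message(req))
    print(parse_tcp_message(sample_response_frame()))
```

Two things worth noticing when you run it: the request is only 30 bytes on the wire (2-byte prefix, 12-byte header, 12-byte name, 4 bytes of type and class), and the response’s flags word of 0x8080 is exactly the “Response, RA Bits Set, RCode - No error” line in the decode, with the AA bit clear just as the decode’s “Server not authority for domain” says. A sensor that sees QTYPE 252 or 251 in a question going to TCP/53 from anywhere other than a configured secondary has all it needs to alert.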


September 14, 2016 (Part 2)

Ok, so I really had intentions of updating this like a diary as I study for my GCIH certification.  Unfortunately, the real world has caught up to me much like a speeding freight train, as it often does, and I received this lovely note from the GIAC folks advising me that I only have 60 days left to sit for my exam.  Needless to say, now I’m scrambling around like an idiot trying to prepare and yeah…lame.

In any event, let me get this done and I will be back to write a huge post outlining all of my adventures!

November 12, 2016

Hey Everyone,

I apologize for my brief absence, but so many things have happened!  After my last post, I stopped to take a deep breath and re-evaluate why I wanted this certification.

After those two seconds had passed, I decided it was time to get serious.  With JHam’s advice, I tried to stick to 60-75 minutes a night of studying and note taking before forcing myself to do something else.  Take a walk, hang out with the family, whatever it took to let my mind cool off.  (“netlocksecurity” if you’re an Xbox Live-er 🙂)

I used several different resources, which I’ve listed below, to help with ideas for my index.  I can’t tell you how important this process was.  Due to the sheer amount of knowledge that you’re digesting, the process of going through the material, line by line, forced me to retain so much!

Ben Knowles’ SANS Indexing

Kevin’s SANS Indexing Guide

Matt Edmondson’s SANS Indexing Tips

Hacks4Pancakes SANS Guide

November 30, 2016

Alright.  What do you say we put this ridiculously long and superfluous rant to bed?  After creating my index and stressing terribly over both the length of time that it took me to complete my practice exam and the amount of information that I wasn’t 100% clear on, I went through once more.  I made sure that I understood buffer overflows correctly and I practiced my own format string attacks to cement these things into my mind.  I have a good friend who is a CIS major and we had several discussions about the application stack and memory allocation.  As grueling as this all sounds, I’m happy to report that on test day, I shook off my nervousness.  I convinced myself that I had learned the information and that at the end of the day, I really did “know what I’m doing”.  I came into the test center and, to my utter shock, I was the ONLY person scheduled for the entire day.  If you’ve ever taken a certification exam in one of the cramped little “centers”, then I’m sure that you can imagine how beautiful this truly is.  In addition to the pressures associated with any difficult exam, being crammed into a broom closet with a room full of seemingly asthmatic, fidgety, and equally nervous adults does not do much for your state of mind.   I’ve said all this to say that you truly never know what to expect when you walk into one of these exams, so you must be prepared for the experience as well as the actual exam.

In mid-October, I completed this exam with a 90% and, given the work that I put into it, I don’t mind revealing my score publicly.  This was, by no means, an easy test, nor was it an easy class as boot-camps go. Now, here is the best part.  If an exam taker passes any of the GIAC tests with a 90%+, there may be a couple of interesting fringe benefits that present themselves.  The SANS Mentor program is a great way to get started as a SANS instructor.  You may also receive an invitation to the GIAC Advisory Board, where you can exchange ideas, logic, and so on, with other information security professionals.

Would I take another SANS course?

Absolutely, I can’t wait.  The detail of the material and the depth of the instructor’s personal knowledge goes well beyond what I expected.

Would I sit for another GIAC exam? 

I thought the format was great, the information was relevant and their certification portfolio is respected worldwide.  Again, I can’t wait for my next adventure with GIAC.

Thank you for taking the time to visit this post.  I hope the information that I’ve shared here is helpful and I would love to hear what you think!  Please feel free to leave a comment below.


2 thoughts on “GIAC Certified Incident Handler (GCIH)”

  1. Congrats. I got my first cert (GCFE) this week and, like you, with 90%. I just want to ask you how it is to be on the Advisory Board. How many mails do you get over a week? What activity is required, etc.?

    1. As the invitation suggests, the closed board is very light. I think I’ve had two or three since October. The open list, on the other hand can be pretty chatty. My problem is that the information is really great and I want to read it all 🙂

      Congrats on your exam!
