GIAC Certified Incident Handler (GCIH)
What You Will Learn
The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and who doesn't!), your computer systems will get attacked. From the hundreds to thousands of daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential that we understand these hacking tools and techniques.
This course will enable you to turn the tables on computer attackers by helping you understand their tactics and strategies, providing you with hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process to respond to computer incidents and a detailed description of how attackers undermine systems so you can prevent, detect, and respond to them. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. Applying these skills in your own organization will enable you to discover the flaws in your system before the bad guys do!
The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to thwart attacks.
You will learn:
- How to best prepare for an eventual breach
- The step-by-step approach used by many computer attackers
- Proactive and reactive defenses for each stage of a computer attack
- How to identify active attacks and compromises
- The latest computer attack vectors and how you can stop them
- How to properly contain attacks
- How to ensure that attackers do not return
- How to recover from computer attacks and restore systems for business
- How to understand and use hacking tools and techniques
- Strategies and tools to detect each type of attack
- Application-level vulnerabilities, attacks, and defenses
- How to develop an incident handling process and prepare a team for battle
- Legal issues in incident handling
If you are unfamiliar with Linux, please view this short Intro to Linux video to help get you started.
We are often asked the differences between SEC504 and SEC560, and what is covered in each course. Please see our FAQ to further clarify the course details.
GIAC Certified Incident Handler
The GIAC Incident Handler certification validates a practitioner’s ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills. GCIH certification holders have the knowledge needed to manage security incidents by understanding common attack techniques, vectors and tools, as well as defend against and respond to such attacks when they occur.
- Incident Handling and Computer Crime Investigation
- Computer and Network Hacker Exploits
- Hacker Tools (Nmap, Nessus, Metasploit and Netcat)
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.
- 64-bit Intel i5/i7 2.0+ GHz processor
- Your system’s processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + “I” to open Settings, then click “System”, then “About”. Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click “About this Mac”.
- Enabled “Intel-VT”
- Intel’s VT (VT-x) hardware virtualization technology should be enabled in your system’s BIOS or UEFI settings. You must be able to access your system’s BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.
- 8 GB RAM is highly recommended for the best experience. To verify on Windows 10, press Windows key + “I” to open Settings, then click “System”, then “About”. Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click “About this Mac”.
Hard Drive Free Space
- 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
- Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
Additional Hardware Requirements
The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install VMware virtualization software and meet additional hardware and software requirements as described below.
Network, Wi-Fi Adapter
- A USB Wi-Fi adapter
- A USB Wi-Fi network adapter is required. This USB Wi-Fi network adapter gives the virtual machine direct access to the wireless network. Your internal Wi-Fi adapter will not meet this requirement. We recommend this one.
Additional Software Requirements
VMware Player Install
- VMware Workstation Player 15, VMware Fusion 11, or VMware Workstation 15
- Install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on their website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 – 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact email@example.com.
“When I was 18 I got caught hacking the school card catalog server. Instead of getting expelled, I became a school employee, spending the next 10 years working on improving security while getting better at using hacker tools, writing exploits, developing new techniques, and figuring out how to better respond to the onslaught of attacks. During that time, I came to understand the benefits of truly understanding attacker techniques to evaluate and improve on the defensive capabilities I managed.
In SEC504 we dig into the hacker tools, techniques, and exploits used by modern attackers from the perspective of an incident response analyst. We’ll cover everything from reconnaissance to exploitation, and from scanning to data pillaging. The course lectures, hands-on lab exercises, and an immersive capstone event will arm you with the tools and techniques you need to make smart decisions about network security. Once you learn how hackers operate, you’ll be better prepared to identify attacks and protect your network from sophisticated adversaries.”
“Our instructor Josh was incredible! Engaging, enthusiastic, extremely knowledgeable (especially vim, WOW). His enthusiasm is contagious and really motivating to the material. Keep up the great work Josh!” – Jen F., US Federal Agency