SEC504 and the GCIH Exam: Insights and Preparation

In my last certification review post back in November 2024, found here: https://www.thesocspot.com/post/how-i-passed-the-giac-certified-forensic-examiner-gcfe-exam
I indicated that I was about to begin studies for the GIAC Certified Incident Handler (GCIH) certification. I took the SEC504 Hacker Tools, Techniques, and Incident Handling on-demand course by Joshua Wright - an amazing instructor, by the way! Yesterday, I took the exam after about 9 weeks of prep and got 98% on it.
I was having a discussion with someone about the experience with the exam and they wanted to know if I had a systematic way of preparing for GIAC exams that allowed me to ace them. After reflecting on that question, I decided to share my experience here so that someone else can also benefit.
I will do this blog post in the form of FAQs (frequently asked questions) that I have seen about the GCIH and about prep for these certs in general.
Q1. I'm a cyber defender; isn't the GCIH all about offensive security?
The course is red team heavy, but I don't think it is enough to prepare someone to be a penetration tester. If anything, it's an okay base. That is why the instructor states in the course that it isn't a penetration testing course; rather, it's a course that teaches defenders the mindset, techniques, and tools of an attacker and how to defend against them. In CompTIA Security+ you learn about these attacks in theory. In this course you learn how they are used to gain initial access, exploit, persist, and move laterally. You also learn how to detect such techniques after executing those steps yourself.
It's honestly a solid defensive course, and it has so much offensive security content that it may spark a defender's interest in going down the red teaming path.
Q2. How do you prepare for GCIH?
I reused the same indexing method that I used when preparing for the GCFE, that is, the long-form index, and had about 800 entries in my index. I also applied the recommendation by many to create an index of the labs, all of the labs. It seems like overkill, but the difference between passing and acing is usually the difference of just a few questions.
After making a complete round of the material (excluding the CTF), I did all the labs again, ensuring that I understood the material for the lab I was about to do, so that each step I completed in the lab I was completing intentionally. This is important, and it is also in one's best interest to do the bonus section. The labs are long and draining, exciting at times but also draining. However, saying that doing the labs more than once is essential would still be an understatement if you want to ace this exam. My prep flow looked like this:
1st round - Completed the on-demand course, quizzes, lightning labs, and workbook labs.
2nd round - Reviewed the material relevant to each lab and completed the labs again. This time you should, as I was, have an idea of what commands come next as you work through. I also did the quizzes again, since I strongly believe that you get different questions in the quizzes on your second go. These quizzes are a preliminary test of the strength of your index before Practice Test 1.
CTF (Capstone) - After my second go-around, I was comfortable with the tools, so working through the challenges in the CTF became significantly easier. The CTF is crafted so well, too, that it packages all the techniques and tools that you learned in the course in a very hands-on, applicable way; it ends up being like an additional review of the labs you did.
Additional CTF event - Fortunately, I also had the opportunity to participate, doing both offensive and defensive work, in an Incident Response and Containment cyber range workshop where I again got to use tools such as Metasploit and other attack techniques.
Practice Exam 1 (P1) - Finally, it was time for P1, and I used this to test the strength of my index, and so should you. The answers to the multiple-choice questions in the practice test come straight out of the book, and the labs are similar to the labs on the exam and the labs completed in the course. I scored 96% on P1 and decided to skip the second practice exam and register for the final.
GCIH exam - Honestly, at this point, a lot of the material is in your memory and you have applied it extensively. The labs are a walk in the park, especially if you have your lab index for the event that you stumble on a question. It also helps to create a tool index. I had created one for P1 and forgot it for the actual GCIH exam. It caused me to spend more time going through my books for the answer to one or two questions.
In the end, I truly believe that the secret to passing this certification is to practice the labs extensively and have a reliable index for those one or two challenging questions.
Q3. It's a ton of material and the labs are long; how much of it do you really need to know?
Ideally you would want to complete everything. I asked the same question initially; it felt never-ending. I think it feels that way especially on the first go at the entire course (building the index, completing labs, and completing quizzes); it's a lot. After that, it becomes more enjoyable because you've done the majority of the work!
Now, I have noticed this based on the GIAC exams I have completed: they are not a 'try harder' organization. Yes, everything is fair game, but the questions asked on the exam don't often go to the deepest nooks and crannies of the material in the book. The questions often revolve around the key concepts from any section as well as practical application. The questions that cover material you don't recall are what your index is for.
Q4. What certs should I have done before taking this?
You would want to have a solid understanding of computer, networking, and security fundamentals. That could be obtained from anywhere, for example, CompTIA A+, Net+, or Sec+. It does not need to be a GIAC foundational cert such as GFACT. However, I think this is a good course to complete within the first year of being a security analyst. One additional thing to note is that the GCFE and the GCIH did not have much overlap.
Q5. What's next?
I plan to get my hands on the GCFA, as my goal from the outset was to obtain the GCFE, GCIH, and GCFA. Also, I feel really comfortable with the tools covered in this course and the attack techniques, so I'm contemplating the GX-IH, but we'll see.
Final words
That's all for now, folks! Feel free to reach out for additional information. I'm pretty exhausted, but as I said, do the labs a lot. Oh, and don't frustrate yourself by doing the Linux and PowerShell Olympics more than you have to. I never completed them in their entirety, so I am of the opinion that the Linux you learn in all of the labs outside of the Olympics is adequate for passing the course. Disclaimer: I am at an intermediate level in PowerShell and have had fair exposure to the Linux CLI.
Thanks for stopping by! I should be dropping a new cybersecurity blog post about a lab that I am going to be working on soon, so stay tuned!
Thank you! Most likely in the SANS dashboard.
This is very inspiring. Where can I get access to labs & practice exams? I'm just starting out on the 401.