If you are interested in an information security career, the GIAC GCIA certification program will be your most important course. The GCIA certification course is considered the most challenging but also the most rewarding course.
There's no better course to take if you want to learn how to perform effective threat hunting to detect zero-day activity on your network before it becomes public. The GCIA certification is not aimed at people who only want to understand the alerts an out-of-the-box network monitoring tool generates.
It is for those who want deep insight into what is actually happening on their networks and who suspect there are serious issues their tools are not reporting.
What is the GIAC Certified Intrusion Analyst (GCIA) certification?
The GIAC Certified Intrusion Analyst (GCIA) certification is a vendor-neutral credential designed to validate the practitioner's knowledge and skills in intrusion detection and analysis. With the GIAC GCIA certification, you will be able to configure and monitor intrusion detection systems, read, interpret, and analyze network traffic and log files, and understand what's happening on the network.
In order to achieve the GIAC GCIA certification, you will be required to pass a proctored exam covering various exam objectives, such as network traffic analysis, signature creation, log analysis, and incident handling. There are 106 multiple-choice questions in the GIAC GCIA exam. It takes four hours to complete the GCIA certification exam. In order to pass the GCIA exam, you need a score of at least 67%.
Here are the areas covered in the GCIA exam:
- Fundamentals of traffic analysis and application protocols
- Open-source IDS: Snort and Zeek
- Network traffic forensics and monitoring
Who can take the GCIA certification?
- Practitioners responsible for intrusion detection
- System analysts
- Security analysts
- Network engineers
- Network administrators
- Hands-on security managers
You will learn the following skills
- Analyzing your site's traffic to avoid becoming another headline
- How to identify zero-day threats that no network monitoring tool has identified
- Network monitoring: how to place, customize, and tune it
- How to triage network alerts, especially during an incident
- Identifying what happened, when it happened, and who did it by reconstructing events
- Hands-on experience with network forensics, detection, and analysis
- TCP/IP and common application protocols to gain insight into your network traffic, enabling you to distinguish normal from abnormal traffic
- Signature-based network monitoring: advantages and disadvantages
- Behavioral network monitoring for enterprise-wide automated correlation, and how to use it effectively
- Performing effective threat modeling for network activities
- Translating threat modeling into zero-day threat detection capabilities
- Analyzing flow data in traditional, hybrid, and cloud networks to enhance detection
You will be able to
- Configure and run Snort and Suricata
- Create and write effective and efficient Snort, Suricata, and FirePOWER rules
- Configure and run open-source Zeek to provide a hybrid traffic analysis framework
- Create automated threat-hunting correlation scripts in Zeek
- Understand the TCP/IP component layers to identify normal and abnormal traffic for threat identification
- Use traffic analysis tools to identify signs of a compromise or an active threat
- Perform network forensics to investigate traffic, identify TTPs, and find active threats
- Carve files and other content out of network traffic to reconstruct events
- Create BPF filters to selectively examine a particular traffic trait at scale
- Craft packets with Scapy
- Use NetFlow/IPFIX tools to find network behavior anomalies and potential threats
- Use your knowledge of network architecture and hardware to customize the placement of network monitoring sensors and sniff traffic off the wire
GCIA certification exam syllabus
SEC503.1: Network Monitoring and Analysis: Part I
This section provides deep coverage of the TCP/IP protocol stack, preparing you to better monitor and detect threats in your cloud or traditional infrastructure. It opens the "Packets as a Second Language" portion of the course. Students are immediately immersed in low-level packet analysis so that they can identify threats and TTPs from the packets used in zero-day and other attacks. Throughout this section, students learn the fundamentals of TCP/IP communication, the theory of bits, bytes, binary, and hexadecimal, and the meaning and expected behavior of each header field. Students learn to use tools such as Wireshark and tcpdump to analyze traffic.
Concepts of TCP/IP
- Why is it necessary to understand packet headers and data?
- The TCP/IP communications model
- Data encapsulation/de-encapsulation
- Bits, bytes, binary, and hex
Introduction to Wireshark
- Navigating around Wireshark
- Wireshark profiles
- Examination of Wireshark statistics options
- Stream reassembly
- Finding content in packets
Network Access/Link Layer: Layer 2
- Introduction to the link layer
- Address Resolution Protocol (ARP)
- Layer 2 attacks and defenses
IP Layer: Layer 3
- IPv4
- Examination of fields in theory and practice
- Checksums and their importance, especially for network monitoring and evasion
- Fragmentation: IP header fields involved in fragmentation, the composition of the fragments, modern fragmentation attacks
UNIX Command Line Processing
- Processing packets efficiently
- Parsing and aggregating data to answer questions and research a network
- Using regular expressions for faster analysis
SEC503.2: Network Monitoring and Analysis: Part II
This section concludes the "Packets as a Second Language" portion of the course and sets the stage for the much deeper discussion to come. Students gain a deep understanding of the primary transport layer protocols used in the TCP/IP model, as well as how modern trends are affecting their use. In this section, you will learn how to analyze your own traffic using Wireshark and tcpdump. Using Wireshark display filters and Berkeley Packet Filters, the focus is on filtering large-scale data down to the traffic of interest in order to detect threats in traditional and cloud-based infrastructure. The section also covers the meaning and function of every header field, along with modern innovations that have serious implications for network monitoring.
Wireshark Display Filters
- Examination of some of the many ways that Wireshark facilitates creating display filters
- Composition of display filters
Writing BPF Filters
- The ubiquity of BPF and the utility of filters
- Format of BPF filters
- Use of bit masking
TCP
- Examination of fields in theory and practice
- Packet dissection
- Checksums
- Normal and abnormal TCP stimulus and response
- Importance of TCP reassembly for IDS/IPS
UDP
- Examination of fields in theory and practice
- UDP stimulus and response
ICMP
- Examination of fields in theory and practice
- When ICMP messages should not be sent
- Use in mapping and reconnaissance
- Normal ICMP
- Malicious ICMP
IPv6
- Fundamentals
- Improvements over IPv4
- Multicast protocols and how they are leveraged by IPv6
- IPv6 threats
Real-world application: Researching a network
- Who are the top talkers?
- What are people connecting to?
- What services are running on our network?
- What kind of east-west traffic is present?
SEC503.3: Signature-Based Threat Detection and Response
The third section of the course builds on the first two by looking at application layer protocols. Using this knowledge, you'll learn how to spot threats in cloud, endpoint, hybrid, and traditional infrastructures. Students also learn about Scapy, the powerful Python-based packet crafting tool, which allows them to manipulate, create, read, and write packets. You can use Scapy to craft packets that test the detection capability of a monitoring tool or firewall. This matters in particular when you have written your own monitoring rule for a newly announced vulnerability and need to confirm that it actually fires.
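As an added example (not course material and not Scapy's own code), the crafted-packet testing idea above reduced to the checksum step that the Part I and Part II outlines highlight: a hand-built IPv4/TCP packet with correct header checksums, and the sensor-side validation that rejects a packet whose checksum does not verify, because the receiving host would silently discard that packet and a sensor that matched on it would be analyzing traffic the target never saw. Addresses, ports and payload are constructed sample values, and the block uses only the standard library so that it runs offline without Scapy.

```python
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte for the sum only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones' complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   payload: bytes = b"") -> bytes:
    """Construct an IPv4/TCP packet (no options) with valid IP and TCP checksums."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, checksum=0, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    # The TCP checksum covers a pseudo-header (addresses, zero, protocol 6, TCP length) plus the segment
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto, checksum=0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify_checksums(packet: bytes) -> dict:
    """What a sensor should do before matching signatures: validate both checksums.
    A header whose checksum field is included sums to 0xFFFF when it is intact."""
    ihl = (packet[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(packet[:ihl]) == 0xFFFF
    total_len = struct.unpack("!H", packet[2:4])[0]
    tcp = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, packet[9], len(tcp))
    tcp_ok = ones_complement_sum(pseudo + tcp) == 0xFFFF
    return {"ip_ok": ip_ok, "tcp_ok": tcp_ok}


def sensor_should_inspect(packet: bytes) -> bool:
    """Only inspect what the end host would accept: both checksums must verify."""
    result = verify_checksums(packet)
    return result["ip_ok"] and result["tcp_ok"]
```

A packet whose payload byte is altered after the checksum was computed (the classic insertion case) still has a valid IP checksum but fails the TCP check, so `sensor_should_inspect` returns False for it, which is the behavior Snort and Suricata implement with their default checksum verification.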
Scapy
- Packet crafting and analysis using Scapy
- Writing packets to the network or a Pcap file
- Reading packets from the network or from a Pcap file
- Practical Scapy uses for network analysis and network defenders
Advanced Wireshark
- Exporting web and other supported objects
- Extracting arbitrary application content
- Wireshark investigation of an incident
- Practical Wireshark use for analyzing SMB protocol activity
- Tshark
Introduction to Snort/Suricata
- Configuration of the tools and basic logging
- Writing simple rules
- Using common options
Effective Snort/Suricata
- More advanced content on writing truly efficient rules for very large networks
- Understanding how to write flexible rules that are not easily bypassed or evaded
- Snort/Suricata "Choose Your Own Adventure" approach to all hands-on activities
- Progressive examination of an evolving exploit, incrementally improving a rule to detect all forms of the attack
- Application of Snort/Suricata to application layer protocols
DNS
- DNS architecture and function
- DNSSEC
- Modern advances in DNS, such as EDNS (Extended DNS)
- Malicious DNS, including cache poisoning
- Creating rules to identify DNS threat activities
Microsoft Protocols
- SMB/CIFS
- Detection challenges
- Practical Wireshark application
Modern HTTP
- Protocol format
- Why and how this protocol is evolving
- Detection challenges
- Changes with HTTP/2 and HTTP/3
How to Research a Protocol
- Using QUIC as a case study
- Comparison of GQUIC vs. IETF QUIC
Real-world Application: Identifying Traffic of Interest
- Finding anomalous application data within large packet repositories
- Extraction of relevant records
- Application research and analysis
SEC503.4: Building Zero-Day Threat Detection Systems
Section 4 deeply examines modern and future intrusion detection systems based on the knowledge gained from the first three sections. By combining everything students have learned so far, students can now design threat detection capabilities that are far superior to Snort/FirePower/Suricata and next-generation firewalls through advanced behavioral detection with Zeek (or Corelight).
Network Architecture
- Instrumenting the network for traffic collection
- Network monitoring and threat detection deployment strategies
- Hardware to capture traffic
Introduction to Network Monitoring at Scale
- The function of network monitoring tools
- The analyst's role in detection
- Analysis flow process
Zeek
- Introduction to Zeek
- Zeek operational modes
- Zeek output logs and how to use them
- Practical threat analysis and threat modeling
- Zeek scripting
- Using Zeek to monitor and correlate related behaviors
IDS/IPS Evasion Theory
- Theory and implications of evasions at different protocol layers
- Sampling of evasions
- Necessity for target-based detection
- Zero-day monitoring evasions
SEC503.5: Large-Scale Threat Detection, Forensics, and Analytics
The emphasis in this section is on hands-on exercises rather than formal instruction. Three major areas are covered in this section, starting with data-driven, large-scale analysis and collection using NetFlow and IPFIX. With the protocol background gained from the first section of the course, NetFlow can be used to perform threat hunting in the cloud and on traditional infrastructures. Having covered the fundamentals, students will move on to more advanced analysis and threat detection using and building custom NetFlow queries. A second area introduces traffic analytics, continuing the theme of large-scale analysis. A variety of tools and techniques for zero-day threat hunting are introduced, after which students have the chance to put them into practice. The course will also cover cutting-edge applications of artificial intelligence and machine learning to detect anomalies. The final area of this section involves network forensics and reconstructed incidents. Each student will work through three detailed hands-on incidents using the tools and techniques they have learned throughout the course.
Using Network Flow Records
- NetFlow and IPFIX metadata analysis
- Using SiLK to find events of interest
- Identification of lateral movement via NetFlow data
- Building custom NetFlow queries
Threat Hunting and Visualization
- Various approaches to performing network threat hunting at enterprise scale
- Exercises involving approaches to visualizing network behaviors to identify anomalies
- Applications of data science to streamline security operations and perform threat hunting
- Experimenting with an AI-based system to identify network protocol anomalies on a defended network
Introduction to Network Forensic Analysis
- Theory of network forensics analysis
- Phases of exploitation
- Data-driven analysis versus alert-driven analysis
- Hypothesis-driven visualization
SEC503.6: Advanced Network Monitoring and Threat Detection Capstone
The course culminates in a hands-on, server-based Network Monitoring and Threat Detection capstone that is both challenging and enjoyable. Students compete as individuals or in teams to answer a series of questions using the tools and theory they have learned. The challenge involves investigating a time-sensitive incident across six sections of real-world data. During this "ride-along" event, students answer questions based on the same data analysis conducted by a team of professional analysts.
The bottom line
By earning the GIAC Intrusion Analyst certification, practitioners demonstrate their network and host monitoring, traffic analysis, and intrusion detection knowledge. With the GIAC GCIA certification, you can configure and monitor intrusion detection systems and read, interpret, and analyze network traffic and log files.
The GCIA certification is now available. If you are looking for a proxy exam center, you've come to the right place! The CBT Proxy team is here to help you pass your exam on your first attempt. Please click the chat button below to speak with one of our consultants about the exam.