Thursday, November 12, 2015

GIAC Certification - GREM Exam Tips

If you look at my LinkedIn profile, you'll see that I have passed more certification exams than I can remember! The reason I bring that up is to let you know that GIAC GREM exam was by far the toughest.

Thought I'd share my journey with you!

The Start.

I sat the class-room course SANS FOR610 and our instructor (Jake Williams) was awesome - highly entertaining and super-knowledgeable. Cant get any better than that, as the course really is hardcore and can get a bit tiring at times.

If you get a chance to sit the class-room course, I'd always suggest you do it over the on-demand version. Access to a SANS instructor is unmatched by any advantages the Online course might offer. You can ask questions as they come up in your mind, the real-world examples and stories the instructors share with you, the labs, interaction with fellow attendees and networking with people while you're doing the course is invaluable. I made a few good connections while I was there. Also, you get to meet other instructors (I was at the cyber-defense event, so there were community nights etc., which were really informative and fun).

The Test. 
I took my time to sit the test. With a full time job and family, its hard to find time to study as much as I would like to. And study you need to, if you want to pass this exam. Like Jake told us on the first day, there's a reason the word 'engineering' is in the course title - it is a tough one.

I took nearly four months to sit the exam after taking the course (three work-overseas trips and two other certifications in between!). Last few weeks I really stepped it up - stayed up late and went through the course books back to front.

One of the biggest help I had (and you should too), was the mp3 audio files by Lenny Zeltzer - the ones you get as part of self-study after you take the course. I listened to these every chance I could get. I had them on my phone and played them in the car. I listened to Lenny go through the course until I knew what he was going to say next! REAL BIG help, trust me on this one.

The Preparation.
I did quite a bit. I did grab malware samples whenever I could and tried to reverse them as best as I could. In hindsight, I think this really helped. When you're working on malware not from the labs, you're dealing with stuff you dont know about. You end up learning a lot. I was not successful most of the times but kept getting better. All of this starts to make sense as you gain more and more experience. It was a slow process for me but I did get better at reversing and analyzing.

When you look around the web for tips on GIAC exams, indexing is big. Everyone tells you to make an index for your books and most people tell you their indices are quite big.
Make what you will of this, but I didnt really end up with a huge index. It was a few pages. I did not rely on it too much during the test and I didnt really think a bigger index would have helped. Keep in mind though, I'm talking specifically about the GREM exam. Not sure if the other exams require bigger indices. Also, I knew my books really well by the time I took the exam and I knew where to look. I did label my books with colored tabs. That, I believe was more helpful than the index.

The Index and labels. 
As I mentioned above, I relied a lot on the labels through-out my study and also the exam. I labeled everything with a sticky tab that I felt was important. Also, while reading through the books, I highlighted all the keywords and important bits. While labeling and indexing, I went through the books again and looked for the highlighted bits and put them either on the index or labeled them.

The Exam. 
Keep in mind that you only get less than 2 minutes per questions. I tried to be at a level where I could answer a few questions without having to look at the books. Some questions I knew but had to confirm by looking at the books - but this is a lot faster than looking for the complete answer. Some questions I had to lookup.

You get a 15 minute break during the exam - I didnt bother. Once you're in the zone, I guess its better to get it done with in one hit.

The Result.
I passed quite easily with more than 80% (70.7% is the pass percentage). Would've loved to get 90% - which is what I was really aiming for but didnt get there.

One more thing I want to share with you is that I found the exam to be a lot harder than the practice exams. Maybe it's just me and I got a bit unlucky in that sense.

The biggest tip I can give you is this - go through the course material back to front, reverse ALL samples that were provided to you during the course and try to get some more. I did go through some other books but I dont think they are really required for the exam. I read through Practical Malware and MAC. One book I can really recommend is Windows Internals - this book really helped me in learning more details about things that are relevant to this course (good to know).

Last thing, enjoy learning everything as your're studying for the exam - it really makes it easier and you learn more.

The Impact.
Getting certified - does it make a difference? YES, it does.
You feel  a lot more confident - people around you (esp. the ones who know how hard it is) respect you a lot more.
As soon as I updated my LinkedIn profile (added the GREM badge) the number of recruitment agent emails went up overnight!

Are GIAC certifications and SANS courses worth the hype - YES. I will definitely be doing more with SANS, not just for the career opps but primarily to learn more. I really did learn a great deal and plan keep learning more.

Any questions, let me know!
GoodLuck!

Share:

7 comments:

  1. So basically, they just ask you questions and there's no practical test involved?

    ReplyDelete
    Replies
    1. That's right - there's no practical test.

      Delete
  2. Im only asking cos im interested in the grem certificate. Im not really sure if that is going to help in any way cos im looking at becoming an infosec trainer and not really trying to get myself a job. Also i've read most of the sans610 pdf and although it seems to cover a lot of analysis techniques, it just feels like im missing out a lot and i should reverse a few malware samples to actually understand the subject well. Just sort of confused you know.

    ReplyDelete
    Replies
    1. No course will give you the knowledge and experience that real world jobs will. This course is really good for people who do reverse engineering as a job and want to upskill. The knowledge and real-world stuff that you get to learn in this course is invaluable (not to mention the networking with other experienced people in the industry). The trainers that teach 600-level courses for SANS are the best in the world and as a result you walk out learning a lot more than you already know. The course is very full-on and the exam is not easy (in fact, its quiet hard as far as GIAC exams go). The certificate itself is very highly regarded in the industry, but you're right, this course is best suited for people who have a good understanding of assembly language and have some experience in reverse engineering. Hope that helps!

      Delete
  3. Thanks a lot for your writing! That helps and congrats for your certification

    ReplyDelete