SANS SEC401 – Comprehensive Review

To get started in InfoSec, one must drink from the fire hose eventually.

First, I want to apologize for the very late posts over the last month or so. My life has been a little chaotic bouncing between a few different things, and I went on holiday for a few weeks and was told no laptop :). But alas. For this post, I wanted to jump into something that has been very near and dear to me: SANS courses. I’ve done a lot of them…20 to be exact. I am humbled that various employers and military benefits have put me through many of these classes. With that in mind, I want to pass on the courses I’ve taken recently in order to provide some semblance of reassurance (or not?) on whether a class is actually worth it to you and potentially your employer. Let’s face it, these are not cheap courses to attend. But there are reasons for that, which I will not get into now. Just realize there is a lot that goes on behind the scenes to keep SANS as the most up-to-date InfoSec training going full steam ahead.

With that said, the first course I wanted to touch on is the most foundational one SANS puts on. Yes, there is a 300-level course, but I have not taken that…nor will I probably ever. You may be asking then, “Tony, why did you take the 401-level course then?!” And I can tell you why: the SEC401 course is part of the 3-5 courses you must take in order to sit for the GIAC-GSE (Global Security Expert) certification. And because that cert renews all of your other certs from GIAC, it is something near and dear to me to obtain in order to save a serious amount of money.

So What is SEC401?

SEC401, or Security Essentials Bootcamp, is essentially a middle ground between CompTIA’s Security+ and ISC2’s SSCP certifications. Don’t be fooled by the 400-series numbering convention, though. This is a class where you are going to learn by fire hose. What you already know within Information Technology will dictate how well you are going to grasp some of this information as it is getting thrown at you. If you want to see a full listing of what you’ll learn, please click this link to go over to SANS and read what each day entails. Also note that SANS now tells you what the labs are for the class too! Extremely helpful if you want to see whether a class is more lecture heavy or exercise heavy. Just note, this course and cert are just like the peer certifications I’ve mentioned above: you will learn a mile’s worth of information, but you’ll only scratch the surface of what it really is. Meaning you will get a very concise overview of the specific topics and maybe a little in-depth coverage depending on the instructor. Don’t expect to walk out and start dissecting TCP headers and writing Python scripts to parse the MFT.

A big thing to remember with this class: it is what SANS calls a Bootcamp. What does that mean? These are 10-11 hour days, not 8 like you get with something like FOR508 or even SEC560. That also means if you are attending in person, you will get a normal break around 1500 local time and that is it. When everyone else is packing up at 1700, you are going to be sitting in class for another 2-3 hours. Tie in NetWars or Night Talks and you can seriously be in for a rough week. Plan your dinner accordingly and don’t be afraid to bring a few snacks (and caffeine) in with you in the afternoon. Oh, and if that isn’t enough…this is SIX (yes 6!!) full days of course lecture. There is no Day 6 challenge. That means you are in class for close to 60 hours…be ready for that!

Book 1 

Book 1 is going to get your feet wet in the deep end of the pool quicker than green IT/Management folks are probably going to want. In my opinion, the material is sound, but the fact that you are going over it in such rapid succession can be overwhelming on the first day. I’m not going to regurgitate what SANS has already provided on their own website, but be prepared to go over things like Network Architecture/Topologies, Cloud Services, TCP/UDP and Wireless. This is the day you are going to find out if you are prepared for the material or not, because it is only going to get harder as the week progresses on ya. I liken this day to ISC2’s SSCP in that multiple domains are covered from an IT Security standpoint, meaning Sys Admins and others outside of, say, a SOC/CSIRT would gain immense benefits from this day.

Book 2

Book 2 is what we would call a “Blue Team” book. It is all about Defense and Hardening. Things you’ll be going over consist of the Critical Controls that SANS is well-known for. Along with that, you can expect to finally see the CIA triad (Confidentiality/Integrity/Availability) explained in-depth. This will scratch the surface of things like Active Directory/Domain Controllers + passwords. You’ll spend so much time on passwords and password rules during this book that you’ll feel like a SME when you get back to your office. Lastly, the scary “APT” will be defined in-depth, with specific examples. This is the book that most closely resembles what you would see in CompTIA’s Security+.

Book 3

By this point in the class, your head is going to be absolute jelly, largely because you’ve just sat through 20 hours of lecture and you’re only going into the third day. But this is probably my favorite day out of the week, as it is Threat Management. This is your Red Team introduction day. You’ll see tools like nmap and other vulnerability scanning type tools that can help an analyst understand what is going on within the network. The day is laden with Pen Testing examples and methodologies.

The other half of the day is focused on Endpoint and Perimeter defenses, so Firewalls and HIDS/NIDS. Snort is looked at and given to the student to play with in a lab, largely because it is free and many of the other classes focus on that software (SEC503 being the big one).

Book 4

So if that isn’t enough, day 4 is the infamous cryptography day. What makes it infamous? Largely that you’ve now gone through 30 hours of course lecture and you STILL have 2 more days of this class.

So half of this day is set aside for the Incident Response portion of the course. The other half is for all things crypto. The IR side looks at hashing/password cracking + stego. The crypto side goes in depth on things that will look familiar to anyone who has taken an IT college course or certification: Symmetric/Asymmetric, Public/Private Key, Full Disk Encryption, Certificate Authorities, etc. What you may not have seen from other courses is VPNs and GPG encryption. From what I’ve seen, other certifying bodies like CompTIA or Cisco do not focus heavily on those technologies.

Book 5

This is the largest book for the entire course. I just looked at mine and it was close to 400 pages. That is a lot of material. More so than most other 5 day courses combined! If you are a Sys Admin, or have played in a Sys Admin role before, this is going to be a very quick and easy day for you. If you have not been one, this is a day that will have you feverishly wanting to write notes. This is literally everything to do with Windows Security: things like NTFS Permissions, Domain/Group Policies, Password Enforcement, Windows Firewall setup, AppLocker, etc. Seriously, go look at the SANS syllabus and see what is all listed — extensive isn’t the word I would use for it! At the end of the day there is a claim to be going through Forensics. As someone who does forensics, this isn’t forensics so much as it is making sure proper logging is activated for Event Logs and other aspects of the machine in order to recreate an incident if you are compromised. This is a very essential day if you interact with Windows machines at all in your environment.

Book 6

Finally, the last book is on Linux Security. Shockingly, this is probably the one day that I think students get the MOST out of in the entire week. On the other 5 days, most folks probably already know 1 or 2 of the modules through experience and/or research. This is an area where most folks just don’t have the “hands on” knowledge of how Linux works and its intricacies. This makes the day really beneficial in my opinion. It also is going to lay a great foundation of knowledge for anyone who plans on taking future SANS courses, regardless of Blue Team/Red Team/DFIR. Why? Well, dang near every class comes with a Linux VM where you are doing things within it. This class is going to make sure YOU know what commands to use and where to go for certain types of files, which will make you successful in those classes and in the real world. It also will save you from the 2-3 hour bootcamp course they give on Day 1 at any SANS Event, where they crash course you through Linux to get you up to speed.

My Thoughts?

Overall, this is a great class for those who are just breaking into either IT Support or InfoSec. There is now a manager course that crash courses through most of this material, so if you are going to be a manager of an IT group — take that class instead. That is mentioned in the syllabus provided on the SANS website that I linked earlier. If you are someone who has 4+ years of experience or a Bachelor’s in this field already — much of this class is going to be trivial to you is my guess. That doesn’t mean you won’t learn something from it though! Heck, even I learned some good stuff in this course I didn’t know before taking it. But if you are planning on taking this more as an elective through your employer, I would tell you to probably find something different. If this class is required for you (DoD, I’m looking at you…), then be ready to suck it up and get your thinking cap on.

Lastly, I feel I need to bring up the three different options that SANS provides for prospective students. Sometimes travel isn’t possible to a location where training is being put on, or duty calls and you’re not able to leave work because of something that is going to keep you in the office.

LIVE: This is the type of training that almost everyone and their brother are going to tell you to take. Reasons always include: “you get to network,” “you get to do NetWars,” “you get to listen to Night Talks,” and of course my favorite, “you get to go somewhere on the company’s dime!”

Overall, the live training is certainly worth it. However, networking is at your leisure, not SANS’s. If you are an introvert, it is going to be hard for you to really make new friends in this environment. While in class, you most likely are not talking to other students on break anyways. These are literally 8+ hour days of hard-nosed lecture from the foremost experts in the craft. Everyone is there for a crazy amount of money, so they are not going to interrupt or miss classes just to network and hopefully find a new job. The night talks are good, but most get published online as a webcast of some kind anyways. Just remember, you are on a schedule when you attend in person. You don’t get access to material online in the ways that the other methods provide.

Simulcast: Probably my favorite. You get the newest material being taught, can still watch the lecture as if you’re in class, ask questions in real-time, and you can do it from pretty much anywhere. They use GoToMeeting as the method of transmission and it’s pretty decent if you’re in the region (North America, EMEA, APAC) that the course is being taught in. What makes this my favorite, though, is that if you need to go do something else (or take a call) you can simply turn the speakers off and do whatever it is you need to do. Say you know a module pretty well: if you elect to, you can simply go do something else or work ahead. You’ll have the books, after all. And you get those books, by the way, about a week earlier than the live students do. That means you can pretty much have gone through all the labs once or twice before the class has even started. And if you have issues with the labs at all, SANS has people available during the class (and after) to help you out with that.

OnDemand: Another favorite of mine, and my typical “go to” method of delivery. But why wouldn’t this be my favorite then? Well, Simulcasts are only available every so often and are specific to certain classes. So say I want to take FOR508 but the next simulcast is in March 2019; I would have to wait until then to get into the simulcast. With OnDemand, you are going to get access to the material literally the day you purchase the course. You’ll get the books shipped to you just as you would with Simulcast, and you’ll then get a new link on your SANS portal that gives you access to the OnDemand content. In there you’ll find your class. It is literally a breakdown of a real lecture that was taped at some point that year, broken down by module. This is fantastic if you already know the Snort information and want to skip that piece of the lecture, because now you can literally skip it. What makes this great for me is you can pick it up and leave it when things come up. You have 120 days of access to the material online and you can move at your own pace. I typically finish them in about 60 days. What makes it great too is you can always go back and relisten to material that you didn’t get. SANS also has SMEs available to help out dang near 24/7 if you have questions or get stuck on labs as well. This is quite possibly the best option out there if you want to save money on travel and do the class at your own pace, so the fire hose learning isn’t nearly as daunting as it would be normally.

For this class, I would strongly advocate either Simulcast or OnDemand. Day 6 is the only day that is 8 hours. The rest are right around 10-11ish if the instructor is behind. That means you’re basically pushing 60 hours of class in a week. That is too much in my opinion. The other 2 options give you some more latitude to get up and move around or go and get food whenever you’re hungry/thirsty. With Simulcast, you even get access to the recordings after the day is done as well. So if you need to step away for even a long duration, you can always go back and watch it later.

Hope this helped anyone who may or may not have thought about taking this class!


Preparing for a GIAC Test…This is not the CISSP

I’m late for the day! Largely because my city’s “summer festival” was last night and I was out with friends, so blame them…not me 🙂

This is a topic that has been touched on by others such as my good friend Lesley in her article on making a good index for a GIAC exam. Lesley’s template is still something I use, only over the course of my cert attempts I’ve tweaked it ever so slightly to fit my own study habits. So don’t get it wrong! I find her advice to be very fitting; I’m just giving you Tony’s template. Also, I get that certs like CEH or CISSP are still highly sought after within the field and by employers. But I am also an advocate of the view that brain dumping for a test typically doesn’t help a person later in their career after they’ve gotten the cert. Knowing how to continue doing something is much more meaningful to me. Hence why I am a strong advocate for GIAC certs over some of the others. People think these tests are easy…but I can promise you (especially if you’re a manager or employer reading this and doubt them) they are not easy tests given the constraints they put on them!

At the time of writing this, I have 7 GIAC certs (GCFA, GCIH, GPEN, GLEG, GMOB, GASF, GAWN) with hopefully another 3 or 4 coming this year. The GI Bill is something that is amazing! I’ve TA’ed for the mobile courses (SEC575, and FOR585 here shortly) and the Legal course. I’ve sat through multiple instances of many of the courses offered as well.

Disclaimer: Don’t ask me for my Indexes or what material is covered in the exams. I should not have to explain why.

So what about the tests? If you have not taken the GIAC tests yet, I’ll give you a quick rundown. They are open book, open note, open textbook. You cannot bring electronics into the testing facility and you cannot bring copies of the test or any renditions of the test. This means if you violated GIAC’s notice while taking a practice test and took screenshots or anything of the test materials — you ain’t bringing that stuff with ya! The tests are going to range in length and time. I think GSEC is still the longest at 5 hours and the shortest being 2 hours for an assortment of specialty ones. I think the standard for the most popular certs though is usually in the 3 hour, 115 question range. You can always go to the GIAC website and see exactly how long it is, how much time you get and, most importantly, what percentage you need to pass the test. It changes based on how many are passing/failing, so keep an eye on it if you’re waiting to take the cert! It may change for better or for worse.

First, the books themselves:

So you took a SANS course, whether live or distance learning, and you’re sitting here staring at your probably 5-6 books…now what?
This feels like a daunting task after you’ve just listened to an instructor talk for probably 46 hours about this material! And you’re still trying to remember that info too!! Take a deep breath, it is going to be okay! Yes, within your books you probably have 1000+ slides with material on them. The worst part is, while you were listening to the instructor you probably didn’t really notice or read the notes portion of the material within the books.

But let’s even talk about that for a minute. If you are attending in person, I would almost urge you to only use the books if you fully intend to take notes while the instructor is talking. Otherwise, honestly — you are probably not going to spend a lot of time staring into these things while they are talking. You will be more engrossed in what they have on the slide on the projector, or their own stories of how running Metasploit on a customer crashed the whole web server. But again, that is just me. To me the most important book while taking the class is the Workbook that has the exercises in it. Don’t forget that one!

Now the course is over and you’re at home. You need to get three things before you start looking at the material:
These three things are going to be your best friends for about the next 2 weeks or so. Now, you are going to read the notes sections for every single one of those slides. You are going to highlight any area within the slide that defines things like what a tool does, what an exploit does, what a concept or artifact is, etc. You are going to use the post-it flags to annotate things like Tools, Exploits, Artifacts, etc. Yes, this is tedious. Yes, it will make your eyes hurt. But this is probably the most important thing that you can do. Even more than the index we will talk about here shortly. Remember that the test is timed. In most cases you’ll average 90 seconds per question. If you are looking this stuff up feverishly, you will not have enough time. Period. Being able to use your memory is going to help out more than you know.

The average time to go through 5 books in a “one read and mark pass” will probably be about 14 days, to make sure you are fully absorbing the information and annotating properly. Take. Your. Time. It will be super important here shortly…

Do I need to know the Labs??

YES! You better know the ins and outs of the labs you are presented in the class. And no, I’m not just talking about looking at the answer portion of the labs and running through it quick. Know what the tools are and what you are looking at. Know what it means. For example, if I were to give you a tcpdump output, could you determine what was going on just by looking at it? If not…you better go back to that portion of your class or do external research to understand it. This will also come into play when we start talking about the index.

So what about this Index you keep talking about? I thought SANS provided one now? 

Yes, in almost every class you’ll get an index that SANS created. However, the reason the instructors and others push so hard for you to make your own is threefold.

Reason 1: It gets you into the material so YOU know where it is
Reason 2: Do you really want to trust something that someone else made with how often the materials change for these courses?
Reason 3: SANS does not make the GIAC tests

So yes, make sure you do take theirs with you to the cert attempt, but do not rely on it to be your “end all, be all” index for this. It won’t be in your words and there is a good chance it isn’t 100% accurate on page numbers.

The Index:

Time to make the index. Here is the thing before you start: you need to have a plan for this, because it is going to be more than just what book and page something is on. For the best way to do that, I would strongly urge you to use Lesley’s method of building it in Excel and then importing it into MS Word, along with the rest of my suggestions for your index. Her way is just the best way to do it, so I’m not going to try and reinvent the wheel! You are going to break this thing down into sections, just like a research paper. Remember what I said at the beginning of this post: the tests are open note. You have free rein with what you wish to put into this thing so long as it doesn’t violate the testing center’s or GIAC’s rules and code of conduct.

That is an example of my Table of Contents from one of the courses. And no, that was not all the pages for that one either. It actually went to 60. Now there is a method to the madness for this thing. For starters, I barely even need to use an index when using this methodology, because I’ve been so deep into the material that I just KNOW where the subject is within the books. At this point, you should have already 1) taken the course, 2) read through it once, 3) done the labs 2 or 3 more times and 4) gone through the books again to start making this index.

Again, remember this is in your words and this is open note! So with my example of tcpdump, if you are having a hard time remembering what the flags are within the output from the tool, take a screenshot as an example, mark it up, and put it in your index! You’ll always be able to refer to it this way. In fact, for classes that are command line heavy…I would say take a screenshot of the output of all those tools and have them in your index. You’ll find it MUCH quicker in this index than you will in the books. Remember, most of these SANS books are between 150-250 pages. Your index is going to be between 30-60 pages. Which one is quicker to go through when you’re on the clock?

Also consider putting things like definitions and specific artifact locations in an area within the index so they can be quickly referenced. Also, those cheat sheets they give ya (ya, don’t forget those!) are typically online via the SANS portal, and you can just import them into MS Word and have them included in your index! Easy peasy, and you don’t have to worry about forgetting them by accident. Additionally, if you’re having issues remembering what a tool does, go find the man page online and just add it to the index! I needed this for things like nmap, where there are about 100 different options that can be used to get results. And yes, it came in handy!

Okay so you have Index Beta version completed, now what?

Now is when you take the first practice test that GIAC provides to you. And here is where my ideology differs from many…don’t use your books at all. The point of this first practice test is to see what you actually know from the course and the material. You may fail it. But it is a practice test. Don’t stress out about this. Make sure you click to see the answers regardless of whether you answered right or wrong. If you end up guessing on a question, make sure you understand why you got it “lucky right” too. For whatever you get wrong, make sure you write a note about things to study. If you are seeing that your SQLi questions are always wrong, make a note that you may need to dig a little deeper into the material to understand it better. This will also help you get used to being under the timed test parameters too.

Once you’ve completed the test, screenshot the results that show you the stars indicating how well you did for each section of the syllabus and close out your browser. Now it’s time to compare the syllabus from the GIAC site and your results on the areas you struggled on. Go back into the materials and make sure you hit those sections even harder in your index. Index every dang word that looks to be important or that you can recall from the practice test. Put new sections in your index on that material if you were getting something wrong because you couldn’t recall what you were looking at.

Practice Test 2: 

At this point your index should be pretty much shored up. Your books are annotated and highlighted. Now it is time to see how prepared you really are going to be. Take this practice test with all your books and your Index. Keep it turned on to give you the answer regardless of whether it is right or wrong, to help you understand why you got it wrong or why you got lucky right. Make notes on what you were deficient on. When the test is over, what you need to do next depends on your score. If you’re scoring in the 80 percent range on the test, you are probably okay to relax a bit and just brush up on some areas. If you’re below that, you’ll probably want to go back through the material and labs on those sections much more in depth to really shore yourself up. If you want to buy another practice test, you can for like $150 in your SANS portal. But I caution against that practice, as these are typically retired questions, so the odds you’ll see them on your test are going to be pretty darn rare. Don’t memorize answers to this because it’ll only hurt you when you take it.

So you’ve taken both Tests and the Index is ready! Now what?

Do yourself a favor and don’t just print this thing out at home and bring it loose-leaf to the testing center. If you’re in the States, go to UPS/FedEx/Kinkos or somewhere and have them actually bind it. I use UPS and it usually is about $20 to do a color copy of the index. The reasoning for this is that it’ll make it easier to carry and not worry about losing something…and most importantly…you will always have a “quick reference” book at your workplace that doesn’t require you to dig through your 6 SANS books every time you are looking for an answer for a real world situation.

And that is it folks! None of this is absolutely revolutionary, but it is something that I feel prepares you much better for these tests than just building an index and going in with that. You’ll understand the material so much better in my experience, and it will make you so much stronger in your day job because of it. I wish you all the best of luck!