It’s important to stay up to date with the latest knowledge and skills. I don’t think many would argue when I say, for cybersecurity training, SANS is the premiere training organisation, and has been for some time. SANS offers opportunities for professionals at all career stages – from those just starting out, to those at the very late stages. They’re constantly adding new courses and certifications via GIAC, as can be seen in their skills roadmap:
I’ve taken a lot of SANS courses (probably too many), and I want to share my experience and guide you through the process of obtaining your first (or next) SANS certification. I’ll also provide a template business case to help convince your line manager that investing in a SANS course is a wise choice for your professional development.
Disclaimer: Yes, there are other programs available (e.g. OffSec’s OSCP and related certs). Yes, there are several tools and services that are not certification-based (hackthebox, blueteamlabsonline, etc.). Those are fantastic resources, and you should be familiar with them before deciding on which to pursue. This blog’s focus is narrow and confined to the SANS suite of certs because they’re the ones I’m most familiar with. They’re also the certs I see most often in job ads.
Full Disclosure: I’ve worked with SANS as a contractor for several years, so I need to make clear my bias. When all’s said and done, though: if you can take a course like FOR500 or FOR508, assimilate all of the information in that course and use it in your day-to-day, you’ll likely be in the top 5% of forensicators, globally. It’s so much information. Taking a course like this, you’ll forget more about digital forensics (or pen testing, or whichever route you go down) than some people will ever know.
Lastly: I’m in no way saying that certs or degrees are the only path to success. There are definitely individuals in the field who’ve never taken a cert or completed a degree and are super successful. However, I think those individuals are rare, they’re the exception (i.e. exceptional). In my experience (and it’s only my experience I can speak from), certs are the fastest way to get skilled up in an area where you have knowledge gaps. With that said, let’s get started.
Understanding SANS Certifications
What are SANS certifications?
SANS certifications are globally recognised credentials that validate your knowledge and skills in various cybersecurity domains. These certifications are developed and maintained by SANS instructors, who are cybersecurity professionals at the top of their field. SANS instructors go through a rigorous process before they themselves are certified to teach at SANS conferences.
Why are they important in cybersecurity?
SANS certs are highly valued by employers because they demonstrate that you have the practical skills and expertise needed to protect organisations (whether your own as an internal security analyst, or others as a consultant) from cyber threats. They also help you stand out from other professionals in a competitive job market, and can lead to increased job opportunities, promotions, and higher salaries. With the move from entirely multiple-choice exams to practical assessments over the last few years, the certification exams no longer reward rote learning exclusively or good indexing of the materials (as the exams are open book), but also test real-world knowledge and skills.
GIAC make it very easy to verify someone’s certs when reviewing a resume for an interview or something similar: https://www.giac.org/certified-professionals/
Some popular SANS certifications and their target audience
- GIAC Security Essentials (GSEC): for security professionals seeking a solid foundation in cybersecurity principles and practices
- GIAC Certified Incident Handler (GCIH): for incident responders and security professionals responsible for handling cybersecurity incidents
- GIAC Certified Intrusion Analyst (GCIA): for professionals focusing on network traffic analysis and intrusion detection (personally one of the most challenging courses, in my opinion, closely followed by the GNFA)
- GIAC Certified Forensic Examiner (GCFE): for professionals responsible for digital forensics investigations, including law enforcement officers, incident responders, and IT administrators
- GIAC Certified Forensic Analyst (GCFA): for experienced forensics professionals, incident responders, and threat hunters who want to advance their skills in complex, large-scale investigations
- GIAC Certified Penetration Tester (GPEN): for ethical hackers and penetration testers
- GIAC Web Application Penetration Tester (GWAPT): for professionals responsible for securing web applications
How to Prepare for a SANS Certification
Assess your current knowledge and experience
Before choosing and committing to a cert, evaluate your current skills and expertise. Consider your job responsibilities, the challenges you face daily, and the areas in which you want to grow.
Identify the right certification for your career goals
Choose a certification that aligns with your professional aspirations and fills any gaps in your knowledge. Review the objectives and prerequisites of each certification to ensure it’s the right fit for your experience level and interests. For example, here’s an excerpt from the FOR500 course page:
Also listed (but not shown in the screenshot) are Learning Objectives and Business Takeaways, which can be used for your business case (more on that later). It’s probably a good idea to avoid jumping into a 600-level class, for example, if you’ve just started as a junior pen tester. Likewise, if you’re just looking to get an overview of cybersecurity topics so you can speak the same language as your digital forensics team, a 400-level course is probably going to provide more value than a FOR500 or something similar.
Explore SANS training options
SANS offers a variety of training formats, including:
- Live online courses: where you attend a synchronous virtual classroom with an instructor via Zoom
- OnDemand courses: an asynchronous, recorded version of the course, typically recorded by the course author(s)
- In-person events: where you attend a live classroom with an instructor in the room
- Challenge the exam: if you think you already have the required knowledge and skills, it is possible to challenge the relevant exam to acquire the cert. This is obviously a cheaper option because there’s no training included. However, you won’t receive the course materials, which are very helpful to have and refer to during the exam. Take this option at your own risk
Consider the format that best suits your learning style, schedule, and budget. For example, OnDemand is a great way to approach the material over an extended period (4 months is the limit) if you can’t attend 6 straight days of live training. It’s also useful if you’d prefer to take the course at your own pace; not everyone’s comfortable drinking from a fire hose. Time zones can also be a consideration; SANS runs classes worldwide, so the next run of the class you want might not be in the friendliest time zone.
Develop a study plan and schedule
Once you’ve committed to and registered for your course, create a study plan outlining the topics you need to cover, the resources you’ll use (i.e. the books, course videos, MP3s, cheat sheets, SANS posters, etc.), and the time you’ll allocate to each topic. Set a realistic exam date and build a schedule that allows you to study consistently and effectively.
Also make time to complete the labs. The labs probably provide the most return on investment when it comes to the exam. While the other course materials and the lectures are useful, the labs and the hands-on, practical exercises are worth the time to complete (multiple times) until you’re comfortable with the tools and the processes discussed in the course.
Personally, I want to take the exam as close to finishing the course as possible. I feel like if I leave it too long, I’ll forget too many of the details to be successful in the exam. There’s plenty of time after acquiring the cert to go back and review the material and incorporate it into my DFIR workflow and practice.
Preparing for and Sitting the Exam: A Proven Method
A successful exam experience requires not only becoming familiar with the course material but also employing effective test-taking strategies. Lesley Carhart (aka hacks4pancakes) has developed a popular method for preparing for and taking GIAC exams that many people, including myself, have found useful. Let’s discuss their approach and how you can adapt it to suit your needs.
(My method is a modified version of this which is probably less extensive, but it’s served me well regardless, and I expect most people will adapt their own method that works for them.)
(Modified) Pancakes Method
- Create an index: While going through the course material (during or after the course), create a detailed index with references to the course books and any supplemental resources. Organise the index by topics, subtopics, and/or keywords to make it easy for you to navigate during the exam
Over the years I’ve developed a spreadsheet with macros to help me expedite this process. The attached spreadsheet has instructions embedded to enable you to generate an index of the books. It’s important (I cannot overstate how important) that you create your own index. It not only gives you an opportunity to review the course material, but it means you’ll be familiar with the index and where the material you need lives in the books. Using someone else’s index, or the index provided by SANS, is not recommended. It won’t work nearly as well as an index you create yourself.
As you create your index, you will get bored. You will space out. Break it down into smaller chunks (like 20 – 30 pages at a time), then take a break or do something else entirely and come back to it. I find that there’s usually ~20-30 entries per page, with multiple permutations of the content, i.e.:
Then, it’s a matter of tabbing up your books in a way that makes sense to you (I just colour code the books; Lesley recommends tabbing each section of each book. For me, that’s too much, but I know a lot of people use that method and use it very successfully. Do what works for you.)
Here’s the Excel index template (with macro) that I use to generate my indexes:
- Take practice exams: SANS provides two practice exams for each certification. Take the first practice exam after completing the course to assess your knowledge and identify areas where you need to focus your review. Save the second practice exam for when you feel ready for the actual test. Generally speaking, if you get 70-80% or better on the practice test, you’re probably ready for the exam
It’s worth noting, the question pool for the actual exam is vast. You will not receive the same questions on the real exam that you did on the practice exam. The practice exams just give you a feel for the types of questions you’ll be asked. Additionally, GIAC can only test you on what is in the books. If it doesn’t appear between the covers of the courseware, it’s not testable.
If you need more than the two practice tests provided, you have two options: 1) trade a practice exam from someone with a spare, or 2) purchase additional practice exams: https://www.sans.org/registration/register.php?conferenceid=2532
- Review and refine your index: After each practice exam, review your index and refine it based on any difficulties you encountered. Add new entries, clarify existing ones, and reorganise as necessary to improve its usability
- Practice using the index: Develop your ability to quickly locate information in your index by simulating exam conditions. Set a timer, and use your index to answer practice questions under time pressure
- Manage your time during the exam: GIAC exams are time-limited, typically allowing 3-5 hours, depending on the certification. Use your index to quickly find answers to questions you’re uncertain about, and don’t spend too much time on any one question. Remember to monitor your time and pace yourself accordingly
Adapting the Pancakes Method
While Lesley’s method is highly effective, you might find that you need to modify it to suit your learning style, preferences, or time constraints. Here are a few ways you can adapt their method:
- Customise the index format: Experiment with different formats for your index, such as a spreadsheet, a physical notebook, or a digital note-taking app. Choose the format that works best for you and allows you to quickly locate information during the exam (NB: you’ll have to print the index to take with you, there are no electronic materials allowed in the exam)
- Focus on your weak areas: If you’re short on time or already have a strong grasp of certain topics, prioritise your study efforts on the areas where you need the most improvement
- Use additional resources: Complement your SANS course materials with other resources such as blog posts, online forums, and video tutorials to deepen your understanding of specific topics. You’ll usually receive some cheat sheets with the course materials, but all of the SANS cheat sheets are available here: The Ultimate List of SANS Cheat Sheets. Use them
- Practice with peers: If possible, form a study group with others preparing for the same exam. Share your indexing methods, discuss questions, and learn from each other’s experiences
By following the Pancakes method (or a customised version that works for you), you’ll be well-prepared to tackle your GIAC exam. Remember to remain calm during the test, trust your index, and manage your time effectively.
Leveraging the SANS Work-Study Program
What is the SANS Work-Study Program?
The SANS Work-Study Program, also known as the Facilitator Program, allows you to attend a SANS training event at a significantly reduced tuition rate in exchange for assisting SANS staff during the event. What that means in practice: you’ll arrive a day early to help set up the conference (e.g. the rooms, the tables, the chairs, the AV, etc.); you’ll provide support during the event (managing the classroom like temperature, making sure students are actually in attendance, reporting any issues with material/environment/student experience to the SANS event team), and helping to break everything down again on the last day.
I’ve been fortunate and moderated/facilitated a lot of the classes I’ve taken as part of the work-study program. 95% of the time you’re just a regular student (albeit with a discounted training seat). The other 5% is managing the room and student requirements. Plus, you get the OnDemand version of the class, and the cert attempt included, so if you miss something during the week, you can easily catch up after the fact and before taking the exam. In my opinion, the work-study program is the best way to take SANS classes.
Benefits of the program
The Work-Study Program offers several benefits, including reduced tuition fees (often around 60% off, although check the website for the most up to date information), networking opportunities with cybersecurity professionals and instructors, and the chance to gain a deeper understanding of the course material.
Eligibility criteria and application process
To be eligible for the program, you must have strong communication skills and be able to commit to the entire duration of the training event. To apply, submit an application through the SANS website, including your resume and a statement of interest. Keep in mind that spots are limited, and acceptance is competitive. You likely won’t know if your application was successful until a couple of weeks before the event, which can make logistics challenging.
Tips for successfully applying and making the most of the program
- Apply early: Spots fill up quickly, so submit your application as soon as you know which class and event you want to attend
- Showcase your passion: In your statement of interest, highlight your enthusiasm for cybersecurity and explain how the program will help you advance your career
- Be flexible: Be prepared to work in various roles during the event, such as registration, set up and break down, and assisting instructors
- Network: Take advantage of networking opportunities to build relationships with instructors, SANS staff, and fellow attendees
Creating a Business Case for SANS Training
Importance of employer support for professional development
Securing support from your employer for SANS training is crucial, as it can help offset the costs and ensure you have the necessary time to study and attend the training. The courses are pretty much outside the realm of affordability for most individuals these days, so unless you can get support from your employer, funding a SANS cert is going to be difficult.
Between you and me, training your team should be a no-brainer. It is a significant investment, but I’m always reminded of these two quotes:
What if I train them and they leave?
What if you don’t and they stay?W. Edwards Deming
Train people well enough so they can leave, treat them well enough so they don’t want to.Richard Branson
Key elements of a compelling business case
A strong business case should demonstrate the value of the SANS training for both you and your employer. It should include details about the course, the benefits, and the return on investment (ROI). Here’s a template that you can use, just replace the highlighted text with the relevant information for your particular case:
I expect this template could be repurposed for other training courses as well, with some minor tweaks.
Obtaining a SANS certification is a valuable investment in your professional development and can significantly impact your career and trajectory in cybersecurity. By understanding the various certs available, preparing effectively, leveraging the SANS Work-Study Program, and presenting a solid business case to your employer, you’ll be well on your way to earning your first (or next) cert. I encourage you to take this step toward advancing your career and invite you to share your experiences and questions. Together, we can continue to grow and strengthen the cybersecurity community.