How I passed the GCIH Exam with a score of 96%

On 17/07/2019, after many weekends of studying and preparation, i finally passed the GCIH exam. I was impressed by my final score, since on the practice exams i had only scored about 84-86%. I managed to get into the SANS Advisory Board and now my mailbox is filled with juicy discussions about lots of cool infosec topics.

In this post I want to share my methods for studying and also some tips that could help you boost your score on the exam. I suppose these are valid for all GIAC exams, but i don’t know for sure.

1 – Studying for the Exam

For the “studying” part, i had classes with an instructor (all provided by my current employer, to which i am eternally grateful) for an entire week.

After that, i never really grabbed the course material just to “study” it. Instead, i studied while making my index: for every new page i would read it completely, understand it, and then worry about how to index it. Worked fine, i guess.

Some earlier experiences and certs also helped a lot:

  • I’m currently working in an IR team since 2018, so that helped a lot with incident procedures, handling, and all other related topics
  • My CCENT really made all networking-related material easy peasy. The GCIH covers some common topics such as the OSI stack, IP headers, TCP/UDP differences, etc… So any networking experience/background will be of great help. Also, i think that most of the “Non-lookupable” questions (those that aren’t in the course material and actually force you to think about them) involve networking topics, so you gotta know them well. You definitely should know the difference between a router and a switch, for sure.

2 – Making your Index

Your index is your guardian angel during the test – I don’t think i would have scored more than 50% without it. Most questions are highly ultra-specific, such as “When using the tool xyz, what output does the option -xb72fwg generate?”, so you need to have a good index.

For mine, i used a variation of the pancake method. Here’s what i did differently:

  • I only used one color per book. Makes it much easier to look stuff up
  • All of my tabs/index entries had a number and a topic, such as “Incident Phases – 23”. No page numbers attached.
  • Numbering was global, not book-specific (i.e., if book one stopped at index 47, book two would start at 48). I did it just so i could order them numerically.
My index, and the five books behind it (Green, orange, red, blue and yellow).

I used some yellow in the green book beucase i ran out of green, but it's still indexed as green.
My index, and the five books behind it (Green, orange, red, blue and yellow).
I used some yellow in the green book beucase i ran out of green, but it’s still indexed as green.

This made it really easy to use the index during the test. If some question asked about nmap, all i had to do was look into my printed spreadsheet (sorted alphabetically and numerically, side-to-side), and see that “nmap” was in the green book, tab number 117. I just had to grab the green book, find tab number 117 and flip it open. Voilá!

I didn’t include page numbers because i saw no reason to have them. You could do it if you want to, i don’t think it makes a huge difference.

Things you must have in your index:

These are essential for your index and should never be left out:

  1. Any and every tool you encounter. Trust me.
  2. General sections of the material (e.g. “Incident Handling – Identification”, “Incident Handling – Shor term containment”, “Data exfiltration”)
  3. Technical “memorizable” details (TCP Header, UDP Header, IP Header, etc…)
  4. “How to defend against x” sections, which are in the end of almost every topic.
  5. Commands for checking stuff on Windows and Unix. (e.g. “UNIX – List active processes”)

For some sections that were too dense (for example, WMIC commands), i just indexed the starting page (“WMIC Commands”) and then, on that page on the book, i made a “mini-index” with a blue pen. So for example, i would open the book and find the following “table”:

“Processes – +1; Users – +2 ; Startup programs – +3…”, where +2 means “2 pages ahead”.

Do note that you should have a general understanding of how the material is laid out throughout the course material (e.g. All things related to data exfiltration is in book x, password cracking in book y). This will help you when finding content that isn’t indexed directly but is closely related to an indexed topic.

My index didn’t have tabs for every tool and that made me miss some questions because i genuinely couldn’t find the tool anywhere on the material and had no idea what it did (or didn’t) do.

My index had 2 pages, or about 130~ entries. If you have something like 300+ entries, i implore you to reconsider.

Also, very important: when making your index, remember that you will order it alphabetically later, so try to group related materials with a prefix. For example, for all data exfiltration related topics, you could do: “Data exf. – tool x”, “Data exf. – Defenses”, etc…

Also, some questions instead of asking “what does tool x do?” ask “which of these tools is used for x?”, so when indexing tools, try to prefix or suffix them with their usage (e.g. “John The Ripper (Password Cracking)”)

3 – Taking the Practice Exams

I only took my practice exams after finishing my index. A good buddy of mine told me i should have taken one practice exam before finishing the index so i could know how the test would be like and what i should have in my index. That’s a very good tip, but it costs an entire practice exam, so it’s up to you.

The exams are very very very similar to the official test. Make sure to hit the button in the upper right corner that gives you the correct answer (and an explanation) for every single question. Read these, because they are important.

For the lab questions, don’t be shy to google some command you forgot. It’s really important that you get these right because even if you take both exams it’s possible you will only see that specific question once.

You should definitely update your index with missing information before taking your second practice exam.

Why was my score in the practice exams lower than on the official one? That’s because i didn’t follow the tips below:

4 – The final showdown

So it has come. The test day.

Get some good rest. Eat some waffles. Get to the testing center early. The space offered to you may be tiny, so don’t bring more stuff than you need to. Also, bring some candy to eat during your break! Trust me, it helps a lot.

Here are some final tips for you to apply during your test:

  1. Trust, but verify. For every question, no matter how sure you are that you marked the correct alternative, even if it’s asking “what port does HTTP use”, and the alternatives are “80”, “Tuna Sandwich”, “NULL” and “HTTP was the second king of Spain”, check your material for the correct answer. This will avoid brain-farts and interpretation errors.
  2. Before submitting the answer, re-read the question and the answer you marked. Make sure you understood the question correctly and that your answer makes sense. You are nervous, so you have to be extra-extra cautious.
  3. Don’t worry too much about the time. Some people may disagree with me on this one, but some hear me out: you have about 1:30m for every question. A lot of them are really simple and can be answered in less than 30 seconds, so you will have a lot of time left. Only a few of them require extensive thinking or looking for obscure things in the material. I finished the test in 2:30h, and that was being super cautious.
  4. For lab questions, be sure to run stuff as admin/sudo if you don’t find what you’re looking for. Especially with WMIC and network scanners, because they doen’t even give you an indication that something went wrong because you are not an admin.
  5. Use your break. Chill. Eat something. If i’m not mistaken, you can even use your phone during the break (i didn’t, but i think the rules say you can), so you can watch some memes to chill. You should come back to the exam feeling rested and re-energized.

5 – The SANS advisory board

If you scored more than 90%, you should get an invitation to the SANS advisory board. You will get access to the mailing lists, a digital badge, and if i’m not mistaken you can even organize your own GCIH classes using the official course material.

6 – Re-integrating into society

Call your parents. Say “hi” to them. They missed you. Tell your friends you are not dead, and check on the nearest police station if you are not on the “missing persons” list.

Haha, just kidding. I hope this guide will help you in your endeavor. If you have any questions, feel free to comment them below or contact me.

Leave a Reply