SANS SEC565 + GIAC GRTP


The new SANS Red Team course SEC565 by Jean-François Maes and Jorge Orchilles, together with its GIAC certification GRTP ("GIAC Red Team Professional"), has consumed a lot of my time over the last three months.

With this article I want to help you decide whether this course might be the right SANS course for you. In addition, I'll review both the course and the GIAC certification itself.

SEC565 course review

SEC565 is an excellent learning resource if you are interested in red team operations. In addition to learning about regulatory and industry-led red team frameworks, the focus is heavily on the holistic methodology for using the kill chain and compromising a target environment. This includes:

  • Planning Adversary Emulation and Threat Intelligence
  • Attack Infrastructure and Operational Security
  • Getting In and Staying In
  • Active Directory Attacks and Lateral Movement
  • Obtaining the Objective and Reporting

Source: https://www.sans.org/cyber-security-courses/red-team-operations-adversary-emulation/

Jean and Jorge did an excellent job of teaching all the listed chapters, which gave me a solid understanding of all the topics.

Who is this course for?

  • People who want to join a Red Team as an Operator
  • Red Team beginners who want to gain a holistic understanding of the field of work
  • Blue Team members who want to secure their IT infrastructure against their worst enemy: attacker tactics, techniques and procedures (TTPs)

Blue Team members in particular should attend this course, as most Blue Team trainings don't teach the attacker's methodology for compromising an environment. Since a Blue Team member's top priority is to detect malicious events, it's highly recommended to understand how attackers work.

GIAC certification review

The GRTP exam consists of 75 multiple-choice questions that must be completed within 2 hours, either online through ProctorU or at a certification center. The minimum passing score is 76%. I decided to take the online exam via ProctorU. The exam is open book: SANS allows the training material as well as your own notes.

Since I can't go into too much detail, I can only say that this exam is a typical format for GIAC certifications. There is nothing special about it.

The only thing I was missing was a practical portion of the exam, as the course itself teaches a lot of actual Red Team operations.

Source: https://www.giac.org/certifications/red-team-professional-grtp/

GIAC certification preparation

With its open-book policy and multiple-choice nature, the best learning approach is to build a SANS Index.

I highly recommend following the advice of Lesley Carhart, Director of Incident Response for North America at industrial cybersecurity firm Dragos, Inc.

Article: Better GIAC Testing with Pancakes (Lesley Carhart)

In the end, it is simply a matter of creating a comprehensive index of all the keywords, tools, API calls, and commands used, and understanding each slide. An additional learning approach is to go through the index and check whether you understand each entry. This "backwards" approach really ensures that you get things right. One mistake I made was using Anki cards to learn. This ended up being a complete waste of time, because you don't need to memorize everything; the exam isn't designed that way. Memorizing every command with its parameters, or the name of every GitHub script, simply isn't feasible.

ProctorU has very strict testing policies, so be prepared a day in advance. They will scan the room thoroughly with your webcam, and even water bottles with labels can be a problem. I also ended up uninstalling AnyDesk, even though it was inactive during the exam, and disabled a bunch of features like GeForce Experience and the Xbox Gaming menu. Headphones and a second computer are also strictly forbidden. Keep this in mind, as the preparation is quite time-consuming in the end.