Saturday, December 22, 2012

Passing the SANS SEC504: Hacker Techniques, Exploits & Incident Handling Exam

I recently attended a SANS class a few months back,  “SEC504: Hacker Techniques, Exploits & Incident Handling”, and I must say, it was awesome. The course goes into detail on the techniques/exploits hackers use in today’s threat landscape and ways for incident handlers prevent, detect and eradicate threats. The cost of the training and the exam was expensive, but it was worth every dollar being able to spend 6 days with like-minded professionals all hacking the day away. Leaving the course I felt a renewed confidence in my skills and learned a few new tools that I wasn’t familiar with before, than I began studying for the exam. 

Let me preface this by saying, exams and certifications don’t make you a better security pro, all they do is show others that you have the knowledge to pass the certification. In many cases this means that people have diluted both the exam and the certification by dumping for the test and just end up collecting credentials without knowledge or experience. This hurts both the people that have worked very hard to pass the exam and the cheater themselves by falsifying their knowledge. Anyway, I digress.

Now having said this I’m not going to give away any questions or topics that are on the exam, that would defeat the purpose of this blog post, but I do want to give a few helpful hints regarding studying for the exam. During our class our instructor gave us a heads up on a few ways to prepare for the test and I have a few that helped me tremendously as well.

First, lets lay down the rules of the exam and what to expect:

·      The exam is completely open book. Yeah, I know easy right. Not. The proctor looked at me weird when I told her it was an open test and made me prove to her that it was. This is your first tip, bring your confirmation proving that it's open book. She than went on to say that open book tests are normally much harder, this time she was right. You’re allowed to bring in arms full of books to the exam that you fell will help you in your attempt. If you’ve taken the course you’ve been given the adequate material to pass the exam and don’t need additional material, unless you want it, but you have what’s needed to assist you with the exam. If you didn’t take the course I would highly recommend reading Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses by Ed Skoudis. Not only is this book awesome and fits right into the course material, but Ed Skoudis founded this course and teaches it. So pick it up if you’re not able to attend the training, it will surely help with the exam and your knowledge in general. There are "right out of the book answers", but material that will jog your memory. If you don't know the course work the books will be useless.

·      For the exam you get 4 hours to complete 150 questions. That might seem like a lot of time, but when you’re flipping through books for a question you’re unsure of the time flies by quickly. You also get a 15-minute break that stops the clock to stretch and clear your mind. I highly suggest you use it when you hit question 75 to give your brain a break. 

·      The course is also multiple choices, but that doesn’t always make it easier, and many times I found it more difficult to pick only one answer.

·      During the test you’ll have the score displayed every 15 questions as a meter of how you’re doing. This can be either very reassuring if you’re doing well, or a way to set you into a panic if you’re not cutting the mustard. The passing grade for the exam is a 72, so knowing where you stand during the exam can be a two edged sword.

Now for the studying tips:

·      If you’ve attended the course or you’re self studying I would highly recommend pouring over the material before taking the exam. Prepare yourself with the materials you have, otherwise you’ll be in for a long test.

·      Tab your books with sticky notes so that you’ll be able to quickly find topics as they come up. This is one of the most important areas of preparation during the exam that I couldn’t emphasis enough. If you’re unable to answer the question without research you need to quickly find where the topic might be in your books. Having sticky notes lined on the side of it is a quick way to do this, especially if you’re using five (or more) books. 

·      Read through all your material and keep notes. You’re also allowed to bring in notes to the exam that you’ve written or printed out. Find areas that you might be weak in that will help jog your memory. I used the course books and kept a spreadsheet of all the tools mentioned, the book they were in the page within that book so I could quickly divert to page in a book if there were specifics about a tool I wanted to verify during the exam.

·      If you’ve taken the course you’ll get a few things on your SANS account that I wasn’t aware of until I logged into the site. Within my account I was given two practice tests that were similar to the experience of the actual test (just with different questions) and mp3’s of the same course by Ed Skoudis. I can’t tell you how valuable those mp3s were and after reading the books again, I listed to the mp3’s by Ed on my way to work, lunch, etc. to prepare for the exam. I read a review about Ed Skoudis’s teaching and it went like this, “Ed is able to harness the English language like a weapon” and I couldn’t agree more. He’s a wonderful teacher and really helped me grasp many topics. Also, if you're not going to use the practice exams you're able to "give them away" to someone else during their studies.

So that being said, please try to take a SANS course if you’re able to, they’re terrific. The SEC504: Hacker Techniques, Exploits & Incident Handling in particular was a great learning experience that will help me professionally for years to come. 

The Computer Incident Response Planning Handbook: Executable Plans for (Google Affiliate Ad) 


  1. Thank you so much for the studying tips shared by you, sir. I appreciate your hard work! The techniques are indeed terrific. However, let's see why students often cheat on their exams:

  2. Come to this source that would be a great help for all the people who need educational help.