Wargaming GIAC Certifications

As a SANS instructor one of the things I get asked about most frequently is GIAC certifications and tips on how to earn them! As an alumnus of the SANS Masters Program I've taken a cert test or two. In this blog we wargame the GIAC exams and develop a solid test taking strategy.

GIAC Examinations in Summation

For better or worse as a community we have settled on certifications as the metric by which to assess talent. In the grand spectrum of things GIAC certifications are well regarded and valuable to hold. They are also open book.

Much like reality, GIAC exams are less about rote memorization and more an exercise of capability and discovery. For the test taker this does present an opportunity to excel, if you are willing to put in the effort.

Developing a Concrete Plan of Attack

I am a hacker, fundamentally. If you're reading this, you likely are too. This means we like to find the edges of a challenge and slyly slip past. To do this we first need to discover the fulcrum upon which the objective rests. When we know this we have identified the win condition. It should not be passing one cert. It should be the key to unlocking all of them, something we can reuse. In the case of GIAC exams this is, unequivocally, speed. Because the exam is open book, with infinite time we would be guaranteed success. I don't know about you, but I haven't unlocked the time travel achievement, so for me this isn't exactly... comforting.

If we really think about this more, though, there is a solution. Infinite time is by no means a requirement for success; the question is one of quantity and necessity: how much time do I actually need?

Our test taking strategy should seek to buy us whatever time delta we deem necessary. To accomplish this most SANS instructors recommend a process known as indexing.


In indexing we attempt to conquer time itself! Okay not quite, but close enough. The primary goal of an index is to optimize the time we spend taking the test by allowing us to reference and quickly lookup material needed to answer questions.


To be frank, I actually find it to be one of the most effective ways to study and retain information, regardless of whether there is a test at the end. Allow me to explain: when creating an index we will often use a tool like a spreadsheet and distill vast quantities of information into the most pertinent parts. Below is an example of an index built as a spreadsheet in the Voltaire tool.


Because this requires absorbing and parsing/compressing the material, it lends itself naturally to long term retention.

What Should be In My Index?

The easy answer is EVERYTHING!!! It is also unrealistic and likely counterproductive. My recommendation here is to follow the Pareto Principle (also known as the 80/20 Rule). The Pareto Principle states that 80% of the value comes from the optimal 20% of the labor, whereas the last 20% of the value requires 80% of the total effort to obtain.

We can apply this to two areas of our indexing effort. First, it means that we don't need to replicate our courseware in our index. We should grab the 20% of the material that delivers 80% of the value. For our purposes this can often be loosely defined as proper nouns like Nmap or Metasploit. Processes and principles are also great things to key in on, for example the Principle of Least Privilege.

Let's take a moment and examine SANS courseware to search for and collect key information. Below is a screenshot from SANS SEC460: Enterprise Threat and Vulnerability Assessment a course that I coauthored with Tim Medin and Adrien de Beaupre.


In SANS courseware the material is broken up into slides and notes. Generally, the first paragraph speaks to the slide in narrative form and subsequent paragraphs add depth to the material. Both are of course fair game on the examination. It is important to scan these sections and pay extra close attention to the slide notes because it can be harder to discover information discussed there during test time. And remember, time is our enemy; we need to conquer time!

The other dimension of the 80/20 rule is the description field in your index. Although it is possible to use your index to find and answer questions without needing the courseware, it can be exceptionally time-consuming to develop an index this robust. Frequently, I leave these segments blank. It means the reference is there and available if you need it, but it didn't require extra weeks of study to put together.
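To make the indexing process concrete, here is an added example (not code from the original post and not part of the Voltaire tool) that turns a handful of slide notes into an index in the shape described above: one row per term, a book:page reference for each place the term appears, and the description column left blank on purpose. The notes, book numbers and page numbers are constructed for illustration and are not real SANS courseware. Candidate terms are pulled out as runs of capitalised words (proper nouns, tool names, named principles); that is a deliberately crude heuristic, and pruning the false positives by hand is part of the work that makes an index stick in memory.

```python
"""Build a GIAC-style index (term -> book:page references) from slide notes.

Added example, not the original post's or Voltaire's code. SAMPLE_NOTES is
constructed for illustration; the books, pages and text are made up.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample notes as (book, page, notes text). Hypothetical
# content and page numbers; not real SANS courseware.
SAMPLE_NOTES = [
    (1, 12, "Nmap is used for host discovery. The notes cover Nmap timing templates."),
    (1, 45, "Metasploit is an exploitation framework. Immunity Canvas and "
            "Cobalt Strike are commercial alternatives."),
    (2, 8, "The Principle of Least Privilege limits each account to what it needs."),
    (2, 30, "Nessus and SAINT are vulnerability scanners, not exploitation frameworks."),
]

# A candidate term is a run of capitalised words, optionally joined by "of"
# ("Immunity Canvas", "Principle of Least Privilege"). Sentence-initial
# function words are stripped afterwards; anything else that slips through
# is pruned by hand, which is part of the point of building the index.
TERM_RE = re.compile(r"\b[A-Z][\w-]*(?:\s+(?:of\s+)?[A-Z][\w-]*)*")
STOPWORDS = {"A", "An", "The", "This", "These", "It", "In", "If", "When"}


def extract_terms(text):
    """Return candidate index terms (proper nouns, tool names) found in text."""
    terms = []
    for match in TERM_RE.finditer(text):
        words = match.group(0).split()
        while words and words[0] in STOPWORDS:
            words.pop(0)
        if words:
            terms.append(" ".join(words))
    return terms


def build_index(notes):
    """Map each term to a sorted, de-duplicated list of (book, page) references.

    Terms are returned in case-insensitive alphabetical order so the index
    can be scanned quickly under exam time pressure.
    """
    refs = defaultdict(set)
    for book, page, text in notes:
        for term in extract_terms(text):
            refs[term].add((book, page))
    return {term: sorted(refs[term]) for term in sorted(refs, key=str.lower)}


def to_csv(index):
    """Render the index as CSV. The description column is left blank on
    purpose: the reference alone gets you to the right page fast."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["term", "book:page", "description"])
    for term, pages in index.items():
        writer.writerow([term, ", ".join(f"{b}:{p}" for b, p in pages), ""])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_index(SAMPLE_NOTES)), end="")
```

Running it prints a sorted CSV you can paste into a spreadsheet. Note that "Nmap" appears twice on the same constructed page and is recorded once; a term that recurs across books gets every reference, which is exactly what you want when a question lands on a concept that is discussed in more than one place.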

What not to Index

Okay, I'll come clean, the above title is a lie. One of the biggest mistakes I see test takers make is saying: "Metasploit, check. I use it all the time, I got this, I know what it is." It's important to keep references in your index even for the things that you are confident you know. The irony is that the point in time it becomes useful rarely has anything to do with the thing you "know" and more to do with something similar that didn't make it into your notes. Take the following scenario as an example.

The test asks a question about remote code exploitation frameworks. It's multiple choice so the possible answers are:

  • a) Nessus
  • b) Ettercap
  • c) Immunity Canvas
  • d) SAINT
  • e) Cobalt Strike

Does the answer pop out at you? If so, fabulous, now do it again 90 times. The better question is... is it in your index? If the answer is no, is there another exploitation framework (Metasploit) that you can jump to in the courseware to identify similar tools and find the nearby answer? I hope the answer is yes. It's important to index what you know because what you know is the gateway to what you could know next.

P.S. It's Immunity Canvas

I wrote Voltaire to make this process easier. Voltaire is a web-based indexing tool for GIAC certification examinations.


A video on Voltaire and my personal indexing process is included below.

Go get those certs! You know me so I'll leave you with the typical... Happy Hacking! - 0z

Matthew Toussain

Matthew Toussain (0sm0s1z), a former cyber-operator for the United States Air Force, conducts cyber security research and tools development.

