Passing the GCTI Exam

Recently, I challenged the GIAC/SANS GCTI exam, and I am excited to say I passed and have obtained the GCTI certificate!!!

The concepts for this course were much newer to me. Threat modelling, researching, and building a threat intelligence tech stack were amazing to learn. Usually, a threat intel program is conducted within very established and mature security programs. So, this is an area I have not seen too many people get into. However, Threat Intel programs are slowly becoming more common, and knowing your adversary, as well as keeping track of an adversary that could potentially be targeting you, is an awesome skill set to acquire.

FOR578: Cyber Threat Intelligence class

I had taken the full course on threat intelligence. If you want to read my review of it, check this blog post out –> https://www.stealthbay.com/a-review-of-for578-cyber-threat-intelligence/

Prepping for the exam

I highly advise everyone to take the FOR578: Cyber Threat Intelligence course. You can get more details here: https://www.sans.org/cyber-security-courses/cyber-threat-intelligence/

The course will prepare you for the exam and cover topics and tools that you will be tested on. There is a lot of material to learn in the course. So, dedicate a good amount of time towards learning the course material and all the concepts. The class was a huge learning experience in the world of Threat Intelligence.

After you take the course, try going back through each book and building your index. After this, it is a good time to use up practice exam 1 and see how you fare in it. Use the section at the end, which lists out which sections you were weak in, and go study them some more. Take practice exam 2 and hopefully this time you see an improvement. If so, then book your final exam within the next 2-5 days and go for it. This format has always worked well for me.

Making an Index

In my case, though I had a rather good index built up, I found I did not really use it as much as I thought I would. I spent a lot of time learning everything from the courseware material. So, I felt comfortable with most of the questions on the exam and was able to answer them with the knowledge I gained from the course.

If you are looking for an index guide, here is a great guide on making an excellent index for yourself -> https://tisiphone.net/2015/08/18/giac-testing/

I used a similar format to the index above and found it helpful when I did need to use it.

Lab work

This course, compared to most other SANS courses, has fewer technical labs. You will get to learn about YARA rules and build out your own. There is a great lab on Recorded Future and DomainTools (I highly recommend you try out these tools on your own). And, there are some very basic memory forensics labs. There are some fun labs with Maltego, where you will learn to build relationships between different discovered entities. The rest of the labs are much more theoretical, and deal with threat modeling or threat intel requirements. Overall, my favorite lab was learning to build YARA rules, and using MISP (threat management platform), as this was one of my primary motivators for taking this course.

Practice Exams

If you have registered for the exam, you will have 2 practice exams to use. I highly recommend you make use of them and treat each one as if you are writing the real exam. It will prepare you for the actual exam format, which consists of a 2-hour time limit (which goes by very quickly). I also highly encourage you to really take time to learn the labs. Figure out how you use a certain tool, why you would use it, and how it helps you with Threat Intelligence & Modeling.

At the end of each practice exam, you will see a 5-star rating on each major topic and how you did on it. Focus on the sections where you are weaker (e.g. only got 1-3 stars). This will make your study time, either between the practice exams or before the final exam, more efficient and worthwhile.

The exam for me was done from home, as COVID is still prevalent, and things have not entirely gone back to normal. So, it made more sense to take the exam remotely. I did not have any issues during the exam; the connection was great (make sure you have a good connection and no one is video streaming while you are doing the exam!). My proctor was super attentive and explained everything well. The remote exam process overall went well and smoothly.

Future plans for the next cert

SANS has released a lot of great courses lately, and there are so many amazing courses to choose from compared to only having a few available 7 years ago. Right now, it is going to be a toss-up between either GDSA or GIME (soon to be offered). I know they are all quite different topics and courses. However, I feel all of them would provide great value in their own ways.

Have you passed the GCTI or have any questions? Post them below in the comments section!

2 Responses to “Passing the GCTI Exam”

  1. EL says:

    GCTI
    How much in all, please! Also, I saw that they have listed a number of prerequisites to get, but they are not free. I am not sure if they included the prerequisites in the main program. Thank you.

    • Harry says:

      Hello.

      Not fully sure on what you are asking about.

      In terms of prerequisites, sometimes they are not entirely needed. But, they recommend you have some knowledge in specific areas before you take the course, e.g. you already understand network security, so when they go into details, you already understand and are aware of what they are speaking to. For GCTI, I personally felt most people in my class had no SANS courses prior to the class. So, you can go into it with basic cyber security knowledge and be fine.
