Jump to Section
- My Education Journey
- Assorted Advice
- What Certification Should You Take?
- Thoughts on SANS Trainings and GIAC Exams
- Certification / Training Mini-Reviews
- Johns Hopkins Cybersecurity Masters Review
Cybersecurity (a.k.a. Information Security or “infosec”) is an extremely fast-moving, technical field and one that for many, demands near-constant learning. This makes working in the Cybersecurity field both exciting and exhausting. Well above average salaries and an over-abundance of available jobs are just two of the compelling reasons to consider becoming an information security professional. Given the business-critical nature of a security professionals job, these individuals are expected to be highly trained, which (in my experience) typically means certifications, formal training courses and higher education.
Infosec is in a bit of a golden age with respect to the incredible amount of trainings, educational programs and online resources which are available, both free and paid, many of which also come with a certification you can sit for. These resources cover a vast array of information security disciplines (e.g. network security, penetration testing, incident response, compliance, etc…), so it can often be overwhelming for both newcomers and veterans to determine where to focus their time, effort and money with respect to getting the best education. To illustrate this point, hop into r/netsecstudents and it won’t take you long to find post after post asking the same general question - “What certificate/training should I take.” It’s a valid question and one that I’ve asked myself numerous times over the years. Whether we’re trying to improve our resume or gain some new technical capabilities, this question often remains the same.
Over the past five years I’ve been fortunate to have been provided a near-unlimited training budget and have been even more fortunate to have been given the time (both by my company and my family) to pursue these academic and learning interests. In this time I was able to achieve/complete a plethora of certifications and training classes as well as start and finish a Masters degree. Having recently completed the degree program as well having achieved the relatively challenging GIAC GXPN certification, I wanted to take a look back at the last couple years and answer a few questions… Would I do anything differently? What have I learned? Will these achievements actually benefit me professionally? What certifications we’re useful? I hope that my somewhat unique perspective can help provide guidance to those asking the question, “What certificate/training should I take?”.
My Education Journey
I originally set out to become a developer, attending a four-year university as a computer science major. By the end of my 5 year college run I had switched majors three times, transferred schools and come away not with a CS degree, but with a degree in information security. Degree in hand, I began my search for an entry-level security position but soon found out that the degree alone was not a compelling enough argument. Companies were looking for individuals with experience, even for entry-level positions - something I just didn’t have. For me, certifications provided a means in which to qualify for positions in the absence of having this experience. Back then, and continuing to this day, a certification (more so than even my 4 year degree!) was enough to put a candidate (like myself) over that lack-of-experience obstacle and in front of some hiring managers. In those early days, I self-paid-for and acquired both the Security+ and the CEH certifications, both of which directly helped land me positions.
Studying for certifications and attending training requires motivation and an aptitude for the technical intricacies of the field - neither of these are out of reach for most. I certainly had a hunger to learn and the educational background/aptitude to succeed. Given the immediate success of landing positions shortly after having achieved previous certifications, my aim was to seek out other certification opportunities. Unfortunately, certification exams and training courses also (generally) require a good bit of cash. This put many certifications either completely out of reach for me or far enough away that I wasn’t sure the ROI was truly there for me to drop my own money on them. During this time, I bounced around several contract gigs, picking up an assortment of experience, always hoping to land at a company that might be willing to invest in me by way of paying for some trainings/certs.
After a few years I landed at what is my current place of employment and I finally got my wish - a company able and willing to invest in me. So I took full advantage of it. 16+ certifications and countless trainings… when I wasn’t busy with my day job, I was busy with training. Many days, my day job was training. I went from one training to the next, one cert to the next, at such a quick pace, I hardly even had time to actually come back, settle in and practice what I had learned. In hindsight, it’s easy to see that I became somewhat addicted to the process. Earlier struggles both finding work in the field and funding a cyber security education gave rise to an insatiable need to learn as much as possible and in parallel, get as many certifications and take as many trainings as possible. Now after these past 5 years, I have plenty of letters, plenty of new skills and some wisdom to share…
Would I have done anything differently? If I could do it all over again, I would take much more time after each training/certification to really apply newly acquired skills, seeking to truly and permanently absorb what I had learned. I also would have spent more time trying to figure out specifically what area of security I wanted to specialize in, which would have allowed me to carefully craft a tailored training regimen better suited to helping me achieve a more targeted expertise.
So what have I learned? It’s a strange dichotomy, through the course of taking rapid-fire, high-intensity trainings, I was able to learn A LOT of different things very quickly. A side-effect of this however was me forgetting much more than I wanted of what I had learned! Had I been more committed to letting this information soak in through practice and individual research, I may have developed a more robust expertise across these subjects. With this said, I did learn (and absorb) quite a bit. My main areas of focus were penetration testing, vulnerability research, reverse engineering and what I’ll call “general security”. To me, general security is a combination of a number of foundational security-relevant disciplines including networking (TCP/IP), web applications, operating systems, etc… Between all of the different trainings and courses, I found there was considerable content overlap. I think where I am strongest technically is in these areas of significant overlap. Learning the same thing multiple times (unsurprisingly!) has the effect of really drilling it into the brain.
Will these achievements actually benefit me professionally? This I can’t answer… yet. Since I haven’t looked for a new job in the last five years, I haven’t seen what, if anything, my bundle of certs plus Masters degree would be able to do for me out in the job market. More specifically, I’m unsure if these accolades would be beneficial in helping me get to my next step, whatever that might be. What I can say is that with each new certification, there is a potential new door that could open (for jobs looking for that specific certification). Though there is certainly diminishing returns with each new cert on a single resume, I have found that recruiters and hiring managers are typically impressed when you have a multitude of them to showcase. I have definitely received many emails from recruiters saying they are very impressed with my certifications and overall experience. So time will tell if they will actually make a difference in any future job searches! At least I can take comfort in knowing my resume will match plenty of certification-related, resume-sourcing keyword searches.
What certifications have proved useful? I’ll answer this in more detail in the Certification and Training Mini-Reviews.
What certification/training should I take? I’ll get into this in more detail in the section What certification/training should I take?
Here is my non-contiguous, random collection of certification/training-related advice/musings…
- Studying for / taking certification exams and taking training courses requires time, money and effort/motivation. Keep this in mind when approaching any potential cert/training. Make sure you have all three in place before committing to any course/certification.
- It’s hard to put a price tag on that first cert. For those who are having trouble breaking into the field, a certification may be what tips the scale in your favor. In this case, even an expensive cert (for example, a SANS certification) could in-fact pay off quickly if it helps you land that relatively high-paying junior infosec engineer role. Given the high demand for qualified individuals, even entry-level positions can command impressive salaries. With respect to certifications specifically, my recommendation for those looking for that breakout role is to research positions that are of interest to you, see what certifications they are expecting (or mandating) that you have, and then figure out how to get it.
- Focus on the journey. A certification is nothing more than a piece of paper or a couple of letters behind your name. What matters most is the skills and knowledge you gain while prepping/training for that cert. Take your time to truly understand the material, acquire a solid foundation of knowledge, one that you can build on top of as you become more advanced. Focusing on simply passing a test rather than just understanding the material will hurt you in the long run.
- …on the thread of “understanding the material”, I have a note for those fortunate enough to take a SANS exam (or similarly “open book” exam): A common recommendation for SANS exams (even from SANS themselves) is to create an index. I don’t recommend this. Now i understand people have different test-taking strategies and some people are just innately better at “taking tests” than others, but I think indexing encourages not really understanding the material, but rather, promotes just searching for the answer come test time. Yes, this may make getting the cert easier, and if that is your goal then so be it! But I urge those who are also interested in retaining the material to not create an index, and in that way, when studying, they aim for a better, more robust understanding. With this said, my personal strategy (I’ve never created an “index”), is to use the little sticky post-its that SANS provides to mark the different chapters/sections of the book (as well as any other potentially information-dense areas of the books). In this way, you can still quickly flip to a section of the course material during the test (or when studying!) to help with recalling certain information.
- It’s worth reiterating here, albeit in a different way, take your time. Focus on the material, attempt to gain true comprehension and don’t seek to just memorize certain data points needed to pass the test. Pay very close attention to the boring stuff. Infosec is a broad field with many disciplines but the core concepts of security, networking, computing, etc…. are shared amongst all of these. This means having a very thorough understanding of the basics will help you excel in all areas of security, from compliance to penetration testing.
- Government contract roles (which may be more numerous in certain locales) often look for specific certifications. Obtaining one of these certs is an easy way to immediately qualify for these positions.
- Don’t depend too much on certifications. Yes, a certification may be able to help you qualify for a job or get your foot in the door for an interview but often it only goes that far. Your peers will likely not think more of you, your boss will likely not promote you, the work itself will not become easier all by merely getting a certification. Focus on what you can learn, the cert is just a bonus.
- Experience has been and will remain king with respect to “proving” your abilities to a prospective employer. Certifications however, can certainly help a candidate get a foot in the door for an interview or even uniquely qualify them for a role that may explicitly require a specific certification.
- Certs, trainings, degrees… ultimately, they serve one of two distinct purposes (in my opinion). Bolstering a resume and acquiring knowledge/increasing skills. Remember this when thinking about what you want to pursue next!
- Find a way to expand on what you learned during the course of studying for a certification or attending a training by doing your own independent research. At the point where you feel you really understand the material, you can then run off and sign up for the next thing.
What Certification or Training Should I Take?
Ok, so let’s try to answer this primary question. Let’s approach the answer based on where someone might be in their career or job search. Choose the scenario below which best describes your current standing…
You’re new to Information Security and are looking to get a job: Do some research on what certifications (if any) the jobs you’d be interested in are asking for. (Try popular job search websites like Monster, Linkedin and Indeed, to name a few). Where you find some certification requirement commonality amongst these job reqs, take a look at how you can get that specific cert. If the training, or exam voucher is expensive, take a look at what salary you may expect provided you get the job and calculate your return on investment. You may find that investing in yourself by paying for the cert can pay off in a big way. This methodology is more relevant for junior positions as the certification can stand in place of the lack of professional experience as it did for me in my early professional career.
You are currently in a junior role and are looking to advance: I’d recommend a similar approach as above, with the tweak that you will likely be targeting a more advanced certification. Keep in mind though that at this point, unless the job you are looking at is contractually-obligated to supply personnel with certain certifications, it is less likely that a certificate is really what you need to get into your next role. Rather, focus more on the experience that is being asked for on the job req you are interested in. If getting a certification can help you obtain that specific experience, then great! Two birds with one stone.
You are a mid-level or senior security professional and are looking to add valuable skills to your resume: Focus on practical certifications and training that can get you to “expert” level within a specific knowledge area you may already have some expertise in or that can fill an important gap in your overall knowledge. Keep in mind, there’s plenty of free and paid training out there to help you get there, so don’t immediately default to trying to pay for some expensive certification or training. Do some research and then get learning! Some “domains” to keep in mind would be web applications, programming/development, cloud, networking, and incident response. I think focusing more on experience you need rather than some certification is more appropriate in this scenario.
You’re interested in getting into penetration testing: Information security as a profession is made up of a lot of unique sub-disciplines. Penetration testing (a.k.a. “Pentesting”) happens to be one of the more popular aspirations for those entering the field, even though penetration testers as a whole make up only a small fraction of the infosec community. For those interested in infosec, don’t immediately think that pentesting is what is right for you or that it’s the only interesting option. Take your time to research everything else you can do in infosec before committing to the pentest path. However, for those that are truly interested, I highly recommend taking a look at the PWK/OSCP from Offensive Security and/or the PTP from eLearnSecurity. Both are practical, lab-based, hands-on certifications with a LOT of good training material. Once completing either of those, I’d recommend checking out the other, more advanced trainings/certs offered by both Offensive Security and eLearnSecurity. For more info, please check out my reviews for both the PWK/OSCP and PTP courses.
You aren’t sure what security discipline are you interested in yet: I’d reference my initial advice here. If you want a job in infosec go take a look at what certs are being asked for within the job reqs you are interested in. Otherwise, I probably wouldn’t throw money at a random cert (yet!). I also have a guide for those interested in getting into the field! If you aren’t sure exactly where you want to go, then don’t sweat it! Get a job anywhere in the infosec field (where you can), and try it out. Maybe you get a SIOC position or a compliance position and do that for a few months. If it’s interesting, pursue it further, if not, pivot somewhere else in the field. A lot of what you’ll learn in one infosec sub-discipline transfers very nicely to any other role in infosec. Finally, feel free to check out my series of mini-reviews covering a large assortment of popular certification/trainings I have personally taken.
None of these apply and you’re just interested in taking something new: If none of the scenarios really apply to you then maybe peruse my series of certification/training mini-reviews, take a look at the vast collection of online education resources or even reach out to me for more personalized recommendations!
Thoughts on SANS Training and GIAC Certification Exams
Given the overwhelming popularity and industry mind-share that this organization, as a security training provider has, coupled with the breadth/depth of experience I have taking their classes and acquiring their certifications, I wanted to take some time to share my perspective on SANS.
I’ll start by saying I have mixed feelings overall on SANS. I think their course material is top-notch, their instructors are world-class, industry-leaders and their network and reach (in terms of how well-known they are) is basically unrivaled. But… they are simply too expensive of an option for most individuals paying out-of-pocket. Secondly, I believe that a sizable majority of the material provided in any given SANS training course is accessible (in some way) online, for free. You need only an Internet connection and the desire to do some research yourself to find it. If not immediately available online you can often find the material in a book or blog post or even a github repo likely also written by the author themselves! So what you are paying for isn’t necessarily the material (which again, is likely available open-source), rather you pay for by signing up for a SANS course is the convenience and the delivery format. From how I see things, the ingredients are all readily available. I compare SANS to going to a fancy restaurant and having a world-class chef prepare a meal for you - one you could have made with those same ingredients at home. With some practice, and most if not all of the same ingredients at your disposal, you too can feed your mind the same dish.
Before I get into exactly how I would recommend you go about giving yourself a SANS education without ever attending a SANS course, let me qualify what I said above with two important points…
First, if you get the chance to attend a SANS course, paid-for by your employer, absolutely take them up on this offer. Though I do think in many cases you can replicate SANS course content with free or cheap resources online, actually attending a SANS course is an amazing opportunity and can provide the following…
- Learn the material in a quicker, more direct fashion.
- Get immediate help on advanced topics from an industry expert. This can help you get over learning roadblocks faster than you may have otherwise been able to on your own.
- Network with like-minded individuals in your field as well as expert instructors.
- Obtain a certification that is highly regarded in the field and could help you with future job searches.
Second, though it is becoming harder to recommend due to increasing cost (now $2500, where as only a year or two ago it was closer to $1000), participating in a SANS work study can give someone an avenue to attending a SANS training for much cheaper than the normal price (which is over $7000 and can even exceed $8000 after bundling the certification, on-demand materials, etc…). I’ve facilitated on 4 separate occasions and can tell you that overall, it’s a pretty easy gig! You’re asked to assist with conference setup/teardown as well as some light operational tasking throughout each day (mainly fetching stuff for the instructor if needed and collecting the notorious daily SANS surveys). I think even at the new price, it is still (albeit barely) a decent value, especially for those who are maybe looking for that first cert. As a “first cert” possibility, I think SANS is one of the best options for a candidate to make themselves stand out with respect to getting an entry-level position.
Ok, so let’s say your employer won’t shell out the cash for a SANS training and you can’t either (nor have you had success getting into the work study). How can you give yourself a SANS-equivalent education yourself? Here’s what I would do…
First, figure out what you’re interested in via their Cyber Security Skills Roadmap. Figure out where you are technically or where you’d like to be and pick out the certification that is next in your path. Next, find the “Course Syllabus” for the chosen course, for example, SEC560: Network Penetration Testing and Ethical Hacking. On this page, you can scroll down to the “Syllabus” section and see a relatively in-depth description of the topics covered during each day of the training for that course. Using this syllabus, you can build your own self-paced, self-taught curriculum, for free (or at-least on the cheap), online! Just google each topic and hunt for trainings/free content online related to that topic. I promise there is much more than you might think and you can find quite a bit of success with this method. This will require some determination, and is certainly more of a “Try Harder” (more on this in a bit) approach, but where money is short, I believe you can make up for it in this way. If you’re having trouble finding resources online, check out my list of education resources!
Certification and Training Mini-Reviews
Having taken and completed each of the trainings/certifications below, I wanted to provide a quick “review” of what I thought of each course. The reviews aren’t meant to summarize what is covered in these courses but rather give my thoughts on the value of each as well as recommendations or advice for those potentially interested in taking them. These are point-in-time assessments and as such can not reflect any updates to the material since the time I took it.
Mini-Reviews Table of Contents
- Tenable Certified Security Engineer (TCSE), Tenable
- Core Impact Certified Professional (CICP), Core Security
- SEC560: Network Penetration Testing and Ethical Hacking (GPEN), SANS
- Certified Information System Security Professional (CISSP), ISC2
- Penetration Testing Student (eJPT), eLearnSecurity
- Penetration Testing Professional (eCPPT), eLearnSecurity
- SEC503: Intrusion Detection In-Depth (GCIA), SANS
- SEC573: Automating Information Security with Python (GPYC), SANS
- SEC575: Mobile Device Security and Ethical Hacking (GMOB), SANS
- Offensive Security Certified Professional (OSCP)
- SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (GCIH), SANS
- SEC401: Security Essentials (GSEC), SANS
- SEC542: Web App Penetration Testing and Ethical Hacking (GWAPT), SANS
- FOR610: Reverse-Engineering Malware (GREM), SANS
- ICS515: ICS Active Defense and Incident Response (GRID), SANS
- SEC660: Advanced Penetration Testing, Exploit Writing and Ethical Hacking (GXPN), SANS
- SEC617: Wireless Penetration Testing and Ethical Hacking (GAWN), SANS
- AWS Certified Solutions Architect Associate
- AWS Certified Security Specialty
- SEC588: Cloud Penetration Testing (GCPN), SANS
- Windows Malware and Memory Forensics, Volatility
- The Shellcode Lab
- SANS SEC564 Red Team Operations and Threat Emulation
- SANS SEC642 Advanced Web App Penetration Testing
- SpecterOps Adversary Tactics: Red Team Operations
- Offensive Security Advanced Windows Exploitation
Tenable Certified Security Engineer (TCSE), Tenable
I don’t believe this training/certification is still available. Instead, Tenable has established the Tenable University which is home to a number of online courses covering an assortment of topics related to Vulnerability Management as well as courses covering the use/engineering of their suite of tools (namely, Nessus, Tenable.io and Tenable.sc). What’s more, they even offer certifications you can quickly pick up and put on your resume, all for free! For anyone looking to break into the infosec field or get more into vulnerability management, penetration testing, or offensive security in general, I highly recommend getting into this alternate material. I personally got my start in the technical information security space via Vulnerability Management and attribute my success in large part to what I learned specializing in this area. Every organization is (or should be) doing some form ofVulnerability Management or network vulnerability scanning which means no matter where you go with these skills you will have relevant, applicable experience. I also believe that having a robust understanding of vulnerabilities is useful in just about any infosec sub-discipline. Compliance pros need to understand risk, and vulnerabilities represent a large swath of an organizations technical risk-surface. Penetration testers obviously need to understand vulnerabilities as they are typically taking advantage of them as part of their daily job! “Blue-teamers” (e.g. incident responders, forensics, threat hunters, network analysts, etc…) need to understand vulnerabilities since these are generally the soft spots in a network or on a system that the “bad guys” are targeting. Understanding how vulnerabilities manifest themselves, the consequence(s) of exploitation and how to mitigate them is critical for defensive security professionals as well.
Core Impact Certified Professional (CICP), Core Security
For a brief period of time I got to play around with the powerful (and expensive) Core Impact exploitation framework. During this time, I traveled to Core Security HQ to take the Core Impact training course, the CICP. Core Impact is a mature, and relatively intuitive tool. This makes user-training (in my opinion) mostly unnecessary. To be clear, this training is centered around using the tool, as opposed to actual technical network penetration or exploitation methodology. Save the trip, save the money, this training is not something I would recommend.
SEC560: Network Penetration Testing and Ethical Hacking (GPEN), SANS
SANS’ intro to penetration testing course is SEC560. The course has evolved quite a bit since I took it in 2016 so I won’t speak in-depth to what is covered. For that sort of thing, just search online to find more in-depth reviews of the course material. With this said, taking a look at the most up-to-date syllabus you’ll find that this course is chock-full of valuable penetration testing knowledge covering a wide-array of critical pentesting concepts including network reconnaissance, writing reports, scoping engagements, Nmap, Nessus, PowerShell, Metasploit, Veil, Pivoting, Empire, John, Mimikatz, Hydra, Kerberos, Responder, Bloodhound, ZAP, SQLi and more! Despite the material being quite sound in its overall coverage and depth, I believe the format is not ideal for actually learning penetration testing. I say this because penetration testing, especially as someone new to it, is likely dominated by a lot of trial and error. What this means is that you need a lot of time to try something, see if it works, learn why it didn’t and then try again. In other words, having time to fail and in some cases fail a lot, is very valuable. The pace in which SANS courses are conducted is not conducive to this method of learning. The format for labs is a series of individual exercises whereby the student has (in my opinion) their hand held throughout, each step is explained to them in precise detail, the answer is provided in short-order and you are then quickly whisked away to the next part of the lecture. SANS does give you the option during these labs to “not skip ahead” and see the answer(s) but in reality you likely won’t have time to take this figure-it-out-yourself approach. Being spoon-fed information in this manner is an OK way to be introduced to a technique or tool but I feel that later, when you attempt to exercise this knowledge in a practical setting you will likely feel unprepared having not actually practiced what you had learned in any meaningful way.
As for the certification, I think it has some benefit on a resume as I have seen plenty of job reqs asking for it. BUT! If you are taking this course you are probably interested in getting a job as an actual penetration tester and as such, I would argue that a lot of companies actually hiring penetration testers are looking for proof the candidate actually has some real, practical, more-robust, hands-on experience which you really just can’t get with this training in it’s current form. For these reasons, I wouldn’t recommend this course. With this said, SANS is slowly moving their certification exams to a slightly more practical format. I think this will help with the way those in the field perceive these certifications, especially compared to their more “practical” brethren such as the OSCP.
Certified Information System Security Professional (CISSP), ISC2
Love it or hate it, the CISSP remains one of the industries most recognized and sought after certifications. Those who hold the cert tend to command high salaries and from what I’ve seen, it seems to just make you more hirable in general. No, it’s not a practical cert and yes, taking the exam is kind of grueling but if you meet the pre-requisite qualifications, I definitely recommend going for it. I recommend picking up a CISSP study-book on Amazon (back when I took it I used whatever the latest Shon Harris all-in-one guide was available) rather than signing up for some expensive boot camp.
The exam has undergone some drastic changes since I sat for it in 2016, now being only 3 hours (versus 6) and only have between 100-150 questions (which is far less than previous versions). This shortened format will definitely help those who would normally experience fatigue taking such a long exam. This being said, I will warn you that with less questions comes more weight with each question, so you must exercise a little more care with each question as any incorrect answer will count against you more. When I took the exam i found many questions to be worded poorly (as if not written by a native English speaker) and I often found scenario-based questions to be highly subjective, often looking for the “best” of several seemingly-equally-correct answers. This is one reason I recommend finding an “official” study-guide and reading through it as part of your overall studying regimen, remembering to take any available practice tests that are contained in the book. I found, by reading through these guides, that there was a certain “CISSP” way of answering questions. This way of thinking, when applied to these scenario-based questions will more-often yield the correct answer then if you were to approach it from what I would consider a non-biased point of view. For example, there might be a question that asks you something like “As a security manager for a large banking organization, what is your highest priority?”. It will then list a number of possible answers, each of which seems potentially viable but one of the answers will be something about the “physical safety of the employees”. Of course the CISSP training wants to drill into your head that human safety is priority number one! Even if that seems somewhat irrelevant to an exam about Cybersecurity.
Given the high demand for CISSP-certified professionals, especially in certain job markets, it’s no surprise there are a lot of people, especially those more junior in the field, asking about and looking to take this exam. ISC2 requires those who sit for the exam to have a minimum of 5 years of (relevant) experience (or optionally 4 years plus a relevant degree) and I think this makes sense. It certainly made my test-taking experience much smoother having this experience to lean on than if i had tried to power-study for it early in my career, having not truly understood and practiced the concepts in a real-world setting. Adding to this, I think I greatly benefited in having an extended background in the “softer” side of security (policy & compliance) early in my career coupled with a recent history in the more technical aspects of infosec. As a certification that attempts to cover basically “all of security”, it shouldn’t come as a surprise that having a well-rounded experience would lend itself to being more successful with the exam. To wrap this up, let me just summarize again by saying that I think experience, more so than just remembering facts is particularly useful with this certification (I say this relative to other certification exams where I do think you can be successful just cramming facts into your head) given the nature of the scenario-based questions that are asked.
Penetration Testing Student (eJPT), eLearnSecurity
The PTS from eLearnSecurity is a relatively limited in scope, yet high-value course. With hours of video lectures, practical VPN-based labs and a self-paced style, I found it a really good format for learning this sort of technical material. What’s even better is this course can often be taken for FREE, as eLearnSecurity has frequently given out vouchers for the course as part of different promotions or for something as simple as attending a free webinar (note that the exam attempt is not typically included with this free voucher). Where you can pick up a free voucher, I definitely recommend going through the material, especially as a beginner. Otherwise, this course clocks in at about $400 and in this case I just don’t really recommend it. Again, I think the material is great, but I think your money is better spent on a more comprehensive course like eLearnSecurity’s PTP course or the OSCP. In the end, having “Penetration Testing Student” training or a certification titled “Junior Penetration Tester” from the lesser known eLearnSecurity on your resume is not likely to turn a lot of hiring manager/recruiter heads. You’ll also get a far better curriculum by just spending your money on the more serious courses.
Penetration Testing Professional (eCPPT), eLearnSecurity
The PTP is a fantastic offering from the not-so-well-known online training provider eLearnSecurity. This course can be thought of as eLearn’s direct competitor to the much more well-known OSCP certification from Offensive Security. The PTP course covers a lot of technical ground including assemblers/debuggers, shellcoding, network pentesting, PowerShell, Linux exploitation, web apps, WiFi hacking and even has an in-depth ruby for pentesters module. The course material certainly shines in certain spots relative to the OSCP - modules on PowerShell, WiFI security and Ruby are not be found in the PWK curriculum (last I checked). The decision to take the PTP course is likely not made without asking, why should I take this over the PWK/OSCP? I’ll attempt to make the case for both of these courses, providing my thoughts on each, below.
One of the biggest differences between the PTP and the OSCP in my opinion is the expectations of the student. OSCP is (in)famous for forcing its “Try Harder” mentality whereas the PTP takes a different approach. With the PTP, and similarly with other courses offered by eLearn, students are provided focused labs where the student can practice specific skills and techniques, taking a lot of the guesswork and trial-n-error out of the equation. I do think that this approach is a little “hand-holdy” which I believe can be detrimental to full absorption of the concepts. I found that I failed less in achieving the desired outcome within these labs and as a result learned less about the ways things didn’t work. Though ultimately far more frustrating, there is a method-to-the-madness with the OSCP approach. Where you are forced to figure it out yourself, I believe you really will learn the material in a much more robust way. You’ll also, as a consequence of having to “try harder”, frequently end up down rabbit holes where you learn all sorts of stuff that doesn’t end up being applicable to your ultimate solution, but its gained knowledge all the same. All this said, I think the eLearn approach might be better suited to my personal learning style. The PTP lab environment, which is essentially a series of individual exercises, each with specific lab systems for that exercise, is a less realistic method of practicing penetration testing techniques as compared to the PWK/OSCP. The PWK/OSCP sports a large, open, multi-layered, “wild-west”-style lab network, comprised of many different interconnected systems. Having a large heterogenous network such as this is more realistic in terms of simulating an actual network. Where I think the PTP gains back ground on the OSCP is that the exercises/content/exam is (in my opinion) far more modern. Specifically, you do a lot of hackery in a Windows Active Directory environment with the PTP which I found lacking in the OSCP. Finally, I think the PTP exam unlike the OSCP exam, is a better representation of a realistic (albeit mini-) network in which you need to compromise. This is a little funny considering the OSCP had the far more realistic lab setting but when it comes to the exam they seem to regress. The OSCP is essentially just a series of 5 CTF boxes whereas the PTP requires breaching a machine in a “DMZ”, then pivoting into other internal networks and performing subsequent exploitation.
So here’s where I stand on PTP vs OSCP: It’s difficult to recommend one over the other as they both have certain strengths and weaknesses. I recommend the PTP for its sheer breadth of awesome material, which is brought more directly to you rather than having to find it yourself. I also think the PTP exam better exercises your ability to do real penetration testing given you actually have to do pivoting (among other things not experienced during the OSCP exam). Another example of how I think the PTP exam excels over the OSCP is the duration and reporting aspect of these exams. It’s not terribly realistic that you would be asked to do a penetration test in 24 hours followed by delivering a full report after an additional 24 hours (which is what is asked of you in the OSCP). In my experience, you will have more time to perform the engagement and provide the deliverables. As such, the PTP exam is a week long, with an additional week to provide the report. I do think the PTP is a great complement to the OSCP though, rather than a “choose one or the other”. However if you can only choose one, I would still ultimately give the edge to the OSCP. The huge lab environment is both challenging and exhilarating - an amazing playground for an offensive student. Though I think the material is a bit outdated, I think the most important thing taught by the OSCP is the mentality and methodology. You learn, by trying harder (and enumerating a lot), a more realistic way to breach systems and networks. The experience of failure and the determination you must bring to the OSCP fight can’t be understated and it is absolutely a skill you’ll need for real-life penetration testing. Also, and this is probably the most important point, the OSCP is (currently) the far more recognized and sought after certification by hiring managers and recruiters. That alone is reason enough to choose the OSCP over the PTP.
SEC503: Intrusion Detection In-Depth (GCIA), SANS
Generally speaking, I probably wouldn’t recommend most 500-level SANS courses. They’re expensive and I personally believe you can find most if not all of what is covered in the course searching online. With that said, I think SEC503 could be the exception to that rule. Yes, I still think you can find a good bit of this material online, but I think in this case it would be far more difficult to self-administer it. This course, an undeniably “blue” / defensive security course, which preps you for the GCIA exam is by far my favorite SANS course that I have taken - and this is coming from someone who is an offensive security specialist by trade! I credit my infatuation with the course to the following three points.
At the time I took this training, TCP/IP and general networking concepts were weaker knowledge areas for me, so I really just learned SO MUCH during this course. Much of my early technical focus was on web applications or using certain tools for network penetration testing. I glossed over in those early times, the importance of understanding what is happening at layers 2-4. This course cleared that up for me and then some. This course has two distinct sections (spread out over the course of 5 days of lecture) - traffic analysis and then tooling. As someone more on the “offensive” side, my need to (or desire to) understand a lot of the defensive tooling was certainly minimized back then. Where I found the extreme value, was days one and two where you go deep (and I mean DEEP!) into traffic analysis, packet dissection, understanding of protocols, etc… It is an undeniably dense and information-packed two days but I think one of the best two days of learning I have ever experienced. As for the final 3 days, though I didn’t appreciate it as much then, I now have a much greater appreciation for what was covered. This is a great example of how I discounted certain things early in my career because I didn’t think it was relevant to where I wanted to go professionally. Years later I can see that even as an “offensive specialist” understanding exactly how defender tools (e.g. Snort, Bro/Zeek, SIEMs, SiLK, NetFlow, etc…) work is extremely important. Whether this be because you are trying to bypass these tools or you are looking to set them up in a home/test lab so you can practice against them - it’s good to know how they work. What’s more, I have found that slotting in, in a perfect, exclusively “offensive” role, where all I do is pentest or red team is easier said than done. More likely, at least in my experience, is you’ll need to have experience (especially in an engineering capacity) with tools across the security space, from red to blue.
The material for this training is fantastic and I think a little more challenging to find for yourself online then perhaps other courses. Sure you could buy yourself a book on TCP/IP, this of course would be a perfectly acceptable approach to learning some of this material! But, I think the the course content has been perfectly cropped here for both offensive and defensive security professionals alike to get a firm understanding of how to interpret network traffic and leverage a number of well-known industry tools.
My instructor for the course was Jonathan Ham. He did such an outstanding job making something as seemingly dry as in-depth packet analysis so interesting.
I still think spending $7000+ is not worth it for any individual paying out-of-pocket but if you do get a chance to take a SANS cert through work, desperately want to pay for a SANS cert yourself or maybe you get accepted to a SANS workstudy, I would highly recommend taking a look at this one.
SEC573: Automating Information Security with Python (GPYC), SANS
Do not spend money on this course. Don’t even let your company spend money on this course. This course isn’t meant to be an “introduction to python”, yet they spend two straight days painstakingly explaining the basics. For anyone who has even mild experience with Python, this is excruciating. After the first two days, the material definitely gets more interesting, but nothing is covered in these final modules that isn’t equally covered in any number of very cheap books. The book Violent Python is actually handed out in the class (as part of your $7k+ tuition) and has plenty of what is covered in those final three days of lecture. Do yourself a favor and just Google “learn python” and follow a few of the online tutorials. This should satisfy the basics requirement (what is covered in days 1 and 2). From there, buy a “python hacking” book or two (e.g. The Violent Python book, Black Hat Python, Gray Hat Python, etc…) to learn how to use cool security-related modules (e.g. requests, scapy, struct, sockets, etc…). Here is an assortment of other books that you can use to teach yourself Python. Just please, don’t spend money on this course.
SEC575: Mobile Device Security and Ethical Hacking (GMOB), SANS
I don’t recommend recommend taking this course. The material is interesting enough but it suffers from the pace in which the mobile world moves. Given the speed in which features are added to the iOS and Android platforms it is difficult to maintain a cutting-edge mobile device hacking course - and it shows. What’s more, its difficult to really demonstrate iOS security concepts given how locked down the platform is and how uncertain it is whether there will be an active Jailbreak (which can be used to install iOS-related security tools and demonstrate other security things). For this reason, this course centers mostly around the Android platform. To this course’s credit though, I did find it pretty cool how much more approachable mobile device hacking/security was than I had imagined. I think this course is one of SANS’ more neglected offerings in terms of how frequently it is updated and that’s too bad considering how mobile devices have become more a part of everyone’s daily computing lives.
Offensive Security Certified Professional (OSCP)
I provide some details on the OSCP in my review of eLearnSecurity’s PTP course, but I will expand on the (PWK) course more here. First, let me say that I highly recommend this course for all security professionals. I think this is an obvious choice for those looking to get into penetration testing and I would even recommend those in “defensive” security positions take a look at this course. After all, what better way to understand how to defend then understanding how your systems may be attacked!
Ok, so you don’t really need me to tell you that the OSCP is a great certification and the PWK is an excellent course, nor do you really need yet another full OSCP review. After all, there are TONS of reviews already out there. Instead, let me list a few thoughts and pieces of advice I have related to the OSCP.
- The exam (mostly) forbids the use of exploit frameworks such as Metasploit or vulnerability scanners such as Nessus. Many OSCP students take this as a cue to try and get through the entire lab without the use of these sorts of tools. I don’t recommend this. Not because Metasploit or Nessus or similar tools are so useful that they will give you a serious leg up but rather these tools are good to know how to use in general! Why not take the time to learn how to use them? The lab is a fantastic place to try your hand with all sorts of tools and techniques so you should really take full advantage. To compensate however, where you did leverage a tool like Metasploit or Nessus, figure out how you would have exploited a system, or enumerated a system in the absence of these tools. In this way, you’ll still feel fully comfortable come exam time. Don’t NOT use them just because the exam dictates you can’t.
- As a clarification, the OSCP (at least when I took it) allowed the use of ONE metasploit module (so fire wisely). It also allows you to use the Metasploit session management features (i.e. multi-handler), with no limits.
- The PWK lab has a LOT of vulnerable systems, it’s important that you manage and maintain records of what you’ve found on each of these systems including open ports, credentials and other important artifacts. There are any number of tools/methodologies that can assist in this endeavor but I recommend you take a look at the MSFDB functionality offered natively by Metasploit. This can help you keep track of things.
- Take screenshots! Lots of screenshots! You’ll need this for the lab report, you’ll need it for the exam report, you’ll need it for future professional penetration test reports. Screenshots are good, get used to taking them.
- I recommend going through BOTH the PWK PDF and the videos before seriously getting into the lab itself. This is what I did and I found it more comforting to know what Offsec wanted me to know vs what I needed to hunt for myself (as part of their ever-so-fun game of “try harder”).
- The exam does not require any pivoting. You should absolutely practice this in the lab but won’t need it come test time.
- Don’t worry about pwning every box in the lab. Getting through X amount of boxes isn’t a sign that you are ready. I got through about 30 which was more than enough!
- I think the OSCP is mostly a positive experience but I do think that it is very “CTF”-ey. Which is to say, less like hacking a real modern network and more like doing a series of hack-the-box challenges. Make the most of it though! It can be really fun if you’re in the mindset of learning rather than just “getting the cert”.
SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (GCIH), SANS
SEC504 is SANS most popular course. It is designed to be approachable for both semi-experienced professionals as well as to those new to the field and covers both offensive and defensive security domains. I did not actually take the course but I did challenge the GCIH exam which accompanies the course. Personally (and again, I did not actually take the course), I would not recommend this course as I think it tries to cover too much ground in too short of time. The course attempts to cover network attacks, incident handling, memory analysis, malware investigations, offensive tooling, network analysis, physical security, network scanning AND web application attacks… all in 6 days. You get a brief intro to each of these topics (the course does have a day with a heavy focus in Incident Handling) but I don’t think it covers any of them at the depth you would want given you payed $7000+ to take the course. Of course given its popularity, if getting this cert helps you land a specific entry-level position, then absolutely go for it!
SEC401: Security Essentials (GSEC), SANS
SEC401 is SANS’ “mile wide and an inch deep” course. I like to compare its accompanying cert, the GSEC, to the popular ISC2 CISSP certification (which I also have some thoughts on). I did not actually take this course but I did challenge the GSEC exam. Given the price, I don’t think I can really recommend this course. If you’re interested in getting a lay-of-the-(infosec)-land, I recommend looking into some free “intro to security” courses online or even looking at study books for the Security+ or CISSP. Either of these should get you acquainted enough with the foundational concepts of information security. Both of these (CISSP and Sec+) are also great (cheaper) options for a certification well-respected in the industry. The GSEC certification I don’t think is going to move the needle on impressing any recruiters (no more than the Sec+ or CISSP that is) and the course material is probably easy enough to find online or via some cheap text books.
SEC542: Web App Penetration Testing and Ethical Hacking (GWAPT), SANS
This course is an introduction to web-application-specific penetration testing. I did not take the course but I did challenge the accompanying GWAPT certification exam. Similar to my GPEN review, I don’t recommend this course as it doesn’t provide a format conducive to really learning penetration testing. For learning penetration testing, I would recommend a more practical approach. Not that SANS doesn’t have practical exercises and in-training labs, it’s just that these labs fly by so quickly during the course of the training that you really don’t have time to fail, and failing is a great way to learn. Instead I would recommend a more practical course such as the eLearnSecurity WAPT course. With the current popularity of “bug bounty hunting” and penetration testing in general, there is certainly an abundance of free or cheap web-application hacking training material out there. The Web Security Academy from the famed PortSwigger (creator of Burp Suite) is just one example of this. More examples of free/cheap online training material for web application penetration testing can be found in my guide to free/online training!
FOR610: Reverse-Engineering Malware (GREM), SANS
I think this course is fantastic! I took this course prior to it’s adoption of Ghidra so I can’t speak for the new content but the instructors do a fantastic job getting through some of the trickier concepts (even for those new to the world of reverse-engineering). Unlike other SANS courses, especially penetration testing courses, I felt by the end of this training I could actually do real-world, practical, malware reverse-engineering. I should mention that prior to taking the course, I did have some background in assembly language and reverse-engineering but I still feel that anyone who dutifully gets through all of the material in this class could similarly feel ready to do some real malware reversing. For anyone interested in getting into malware reverse-engineering, I definitely recommend checking this course out. Paying full price for this class however is where I would be a little hesitant to recommend as I do think there are cheaper options out there.
I want to reemphasize here that you’re probably best set up to succeed having a little knowledge about assembly (specifically Intel assembly) prior to sitting for this course. This isn’t explicitly listed on the “Prerequisites” section for the course by SANS but having taken this class with a coworker who did not have much experience in this area, watching some of their struggles really emphasized this point. Check out my primer on intel assembly or dive right into Intel’s own manuals if you are interested in getting prepped!
ICS515: ICS Active Defense and Incident Response (GRID), SANS
SANS ICS515 is a bit of a niche course, covering incident response techniques as well as knowledge and tooling specific to OT environments. First, I’ll say I probably wouldn’t recommend spending (your own) money on this course. At the point in which I took this course I had already taken 10+ SANS courses and as such, found that this course had a lot of similarities, things seemingly plucked from each of these other courses and made available in this course, albeit with a distinct ICS-flavor. There is a section on asset discovery and network security monitoring (NSM), reminiscent of both the SANS SEC460 and SANS SEC503 courses. There is a section on Incident Response, which echoes material taught in SANS SEC504. There is a section titled “Threat and Environment Manipulation” which focuses on ICS malware case-studies as well as malware analysis. This section contains plenty of material from SANS FOR610. The newest content to me (having not taken a course related to it) was covered in day one of the course, focusing specifically on “Threat Intelligence”. Though SANS also has a course dedicated to threat intelligence, I found this introduction to threat intel, as applied to ICS environments a good primer on the subject, covering the (ICS) Cyber Kill Chain, Active Defense, Intelligence Life-Cycle, Diamond Model and more. Overall, my biggest takeaways from this course were from this first day but having a unique interest in ICS security, I found the entire course pretty fascinating, despite a lot of the material being a rehash of similar content from other courses.
SEC660: Advanced Penetration Testing, Exploit Writing and Ethical Hacking (GXPN), SANS
SEC660 is SANS advanced penetration testing and intro to exploit writing course. I will echo what I have said about other SANS penetration testing courses and say that I don’t think that the format of this course is ideal for teaching penetration testing. Rapidly going lab-to-lab and lecture-to-lecture, with little time to actually practice the offensive techniques is not a great way to really learn and practice penetration testing. With that said, I do think the topics covered are really good with respect to the more advanced types of network pentesting. Where this class shines in particular is the final two days where you break into exploit writing for both Linux and Windows. Though I think the exercises are a little limited, I do think they are a great introduction to the world of exploit development for these respective platforms. I think for those interested in getting into exploit development, this is a decent place to start (though it is, as usual with SANS, an expensive option). With this said, I think “advanced network penetration testing” and “exploit development” are really two different disciplines and SANS may have been better served to separate them into two distinct courses. I think a lot of professional penetration testers don’t need to have exploit writing skills and vice versa. In the overwhelming majority of penetration testing engagements, you likely don’t have time to write your own exploits or find zero-days. Conversely though, understanding already-written exploits and thus being able to modify exploit code on the fly is a great skill for your average penetration tester.
As part of this “mini-review”, I wanted to share some thoughts on the “practical” portions of the GXPN exam. Prior to taking on this course, and during the prep-time for the certification, the (partial) practical nature of this certification was something that was always on my mind. It certainly changed the way I prepared for the exam since I knew I’d need to actually put my knowledge to actual use, rather than simply regurgitate/recall random facts/concepts as is the case with most other GIAC exams. This exam, unlike most GIAC exams (though they are moving more exams to this partially-practical format) has a small number of questions (6 in my case) which require actually remoting into a lab environment and doing some sort of actual “hacking” relevant to the course material. Knowing this, I spent much more time than I had with previous certifications (the advanced nature of the material also was a factor for time-spent studying) prepping for the exam. I expected these questions to be difficult and to be centered primarily around the exploit development/reverse-engineering (the more challenging) aspects of the course. What I found was that neither of these things ended up being true (at least in my opinion/experience). The questions were straight-forward (which is not always the case with the multiple-choice, scenario based questions you often find on GIAC exams), relatively easy and did not take that long to complete. I also was surprised to see that the majority of the questions (atleast on my instance of the exam) were not actually related to days 5 and 6 (which cover exploit writing). It’s also important to note that for those questions that were covering days 5 and 6 material, none of them were particularly in-depth. Given the time-constrained nature of the exam, the exam authors can’t expect people to be putting together full ROP chains now can they!? In short, study the material, try to really grasp the concepts for the sake of grasping the concepts - but don’t sweat the practical exam questions, they aren’t that bad!
SEC617: Wireless Penetration Testing and Ethical Hacking (GAWN), SANS
SANS’ advanced wireless penetration testing course offers an amazingly practical introduction to an array of RF technologies and how you can exploit them. This training covers traditional WiFi, DECT, ZigBee, a couple Bluetooth variants, RFID, NFC and even Software Defined Radio (at a high level). Included with the expectedly high entry fee is a box - yes, an entire BOX! - of cool hacking gadgets to use throughout the various hands on labs - bluetooth dongles, SDR, a Raspberry Pi, RFID badge cloner and more…
Unfortunately for me, I took this class in 2020 - best known for being an amazingly crappy year on a global level and more specifically, infamous for the global Covid-19 pandemic. For me, this meant taking the class via SANS On-Demand. Up until then, I had never taken an on-demand course from SANS, opting instead for in-person trainings for each of the courses I had taken prior. In a vacuum, I found the on-demand format to be pretty good. The physical books are mailed to you as well as available via your SANS portal as a digital .PDF and the video lectures are pre-recorded, typically by the course author themselves as well as downloadable so you can watch them anywhere. Where the on-demand format falls short, especially for this course is with labs. In typical a classroom setting, the instructor will have set up a physical lab environment in which the students can practice their hacking skills. With a class which requires an active medium (actual ZigBee buzzing around for example) in which to hack, which is not easily delivered in virtual form, the practical components of the course proved far more difficult to exercise. Ultimately, I do recommend this course for anyone looking to learn more about wireless hacking but I would advise that those interested hold off on taking the course until they are able to do so in a physical classroom setting.
AWS Certified Solutions Architect Associate
With the help of the online training platform A Cloud Guru, I sat for and passed the AWS Certified Solutions Architect Associate exam. I give a lot of credit to this training platform for my success and would recommend others interested in taking this exam take a look at signing up. It’s not an overwhelmingly cheap service but it is far more economical than a lot of other training platforms (*cough* SANS *cough*) and the RoI on getting an AWS cert seems to be pretty high these days. The virtual video lectures provide both theoretical instruction as well as hands-on, practical labs that you can follow along with. The instructor, Ryan Kroonenburg, does a great job at walking you through the labs and alerting you if something you spin up in your AWS account would result in you seeing actual charges. The Solutions Architect curriculum is essentially just a high level speed-run of a large number of core AWS services (IAM, S3, EC2, RDS, VPC, ELB, SNS, SQS, Kinesis and Lambda to name a few of the big ones.) You’re expected to know what each of these are at a relatively good technical depth, how they interact and when you would use each of them. The exam questions are mostly scenario-based and at times can be confusing and subjective though typically you can figure out the best answer by slowly using the process of elimination to rule out certain answers that can’t be true due to some small detail contained within the question prompt or the answer itself. I also recommend those who are prepping for the exam to buy some practice exams from a site like Udemy as I found these very useful in just getting a feel for what the actual exam questions would be like. At 65 questions and a passing score of 720 (out of 1000), the exam doesn’t leave too much room for error so be sure to really think through each of the scenario-based questions. Given the popularity of “Cloud” in modern enterprises, taking training and picking up this certification seemed like a very good idea.
AWS Certified Security Specialty
Shortly after picking up the solutions architect associate, I spun up the A Cloud Guru video lecture series for the AWS Certified Security Specialty and began prepping for the security specialty exam. Given this exam was more specific to “security” within AWS, and given my extensive security background, I expected this exam to actually be easier than the solutions architect. This assumption proved mostly false. Yes, the exam does cover less topics and services than the solutions architect exam but the understanding you must have requires quite a bit more technical depth. With this said, I do think my years of security experience came in handy with a few questions. The A Cloud Guru course covers the security aspects of S3, Identity Federation, CloudFront, CloudWatch, CloudTrail, Config, Inspector, Trusted Advisor, VPC, NAT, ELB, WAF, Shield, API Gateway, Athena, Macie, SES, Artifact and Lambda (and maybe a few more) - with a heavy, and I mean HEAVY focus on both IAM and KMS. I found that well over half of the questions on the security specialty exam asked very challenging, scenario-based questions related to IAM and KMS. Overall, I thought the course from A Cloud Guru was great and I certainly learned a lot. However, having now taken (and luckily PASSED) the exam, I can say that this course does not really cover all the topics needed to comfortably pass the exam. In some cases, more depth seemed to be required, and in other cases, there was simply something not covered at all. I don’t fault A Cloud Guru though as AWS is notorious for adding more and more services and functionality to their platform all the time and the specialty exam DOES recommend that those who sit for the exam have 2 years+ experience securing workloads in AWS. So don’t expect this course to be your one-stop-shop for easily passing this exam. Listed below are some of the gaps I think the course had with respect to the exam questions I encountered as well as some other general tips for what to put emphasis on when studying.
- Really understand how to read IAM policies. I found many questions asking me about very specific policy statement syntax. This was doubly true for conditional statements within these policies.
- Though this is covered pretty well by the A Cloud Guru course, it deserves special mention here. REALLY understand how to share S3 buckets cross-account. You WILL get several questions asking about this.
- There are a few in-depth questions on web identity federation not really covered well enough in the course.
- Truly understand the differences between Inspector, Trusted Advisor and Config. You will be asked which of these is the right service for a specific objective and I found these questions somewhat challenging. I also thought Config had a particularly heavy focus.
- Understand the relationship between CloudTrail and CloudWatch Logs.
- There were some very specific questions on CloudHSM I felt weren’t covered well by the course. Try to read some AWS documentation on CloudHSM.
- KMS, KMS, KMS, KMS. So much KMS. You will be asked like 30 questions on KMS. Really understand key rotation, how to provision access to keys, key policies, administering keys and everything else to do with KMS. Read the FAQ, read the whitepapers, read everything you can on KMS, understand cross-account KMS access and KMS Grants.
- I had a question on taking memory dumps from an EC2 instance. I think SSM covers this. The course doesn’t get into this I don’t think.
- The course covers this well, but there are a good number of questions related to Security Groups, NACLs and Route Tables. Understand the in’s and out’s (get it?) of these controls.
- Understand Function Policies vs Execution Roles for Lambda.
- Understand the AD Federation sequence.
- Read up on using certificates with CloudFront.
With all this said, I really enjoyed the course from A Cloud Guru and though I found the exam challenging, I think the questions were relevant and a good exercise of my AWS security knowledge. Remember to take your time with scenario-based questions and really try to rule out questions based on why they CAN’T be the answer. Good luck!
SEC588: Cloud Penetration Testing (GCPN), SANS
SANS continues to expand their portfolio of courses, and within these new offerings is SEC588: Cloud Penetration Testing. “Cloud penetration testing” is at a… weird point in my opinion and I think this is evident in the makeup of this course. SANS does their best to differentiate how “cloud” pentesting is different than traditional network/webapp pentesting but really, there isn’t that much difference and even they admit this within the course material. Sure, the course authors key in on certain things that are more effective in cloud environments for performing reconnaissance and enumeration (among a few other things), but for the most part, nothing really changes here as it compares to traditional network/webapp testing. At the end of the day, you’re still using Nmap for port scanning, Metasploit for payloads, etc…
Cloud native applications as defined by the CNCF (and as introduced by SANS) heavily leverage containers, CI/CD tooling, container orchestration (i.e. Kubernetes) and APIs/microservices. This course spends a good deal of time covering the security and pentesting aspects of these technologies. This is all great stuff but I think a full course on container pentesting - or webapp pentesting which focuses on APIs/microservices might be better than covering all these topics so briefly. The course also seems to heavily favor AWS instead of equally featuring other cloud providers. There is actually one day where Azure is covered but this really feels like only an introduction. Oh and there’s no mention of GCP that I can remember at all. By the time you get to Day 5 (Exploitation and Red Team in the Cloud) the course authors really start to run out of ideas as they pivot (literally) from attacking the cloud to using the cloud itself to stage attacks from (i.e. proxycannon, cloud-based C2, tcp redirectors, etc…) Though this is really cool stuff for sure, I think it makes more sense for a course on red-teaming (still waiting on the 6-day redteaming course from SANS!) than it does a cloud pentesting course.
Overall, I feel this course introduces a lot of interesting topics but doesn’t cover any at a technical depth that I think they could have in 5 days had they taken out some of the unnecessary things and focused a little more on core material. In the end, I did enjoy the course and was able to achieve the GCPN certification but I don’t think I would recommend this course to others at this time. Instead, I would suggest those who are interested in learning more about cloud penetration testing take a look at some books on the subject (for example, AWS Penetration Testing), blog posts or other offensive cloud research that is only a quick google search away.
Windows Malware and Memory Forensics, Volatility
I took this course at a point in time where I was seriously unprepared for it. For this reason, I can’t really give a recommendation on the course itself. However, I will say that before you consider taking this course, you are going to want to pay close attention to Volatility’s expected prerequisites. This class is not for the faint of heart and requires some serious pre-requisite knowledge.
I wanted to add here that though I didn’t learn Volatility nearly as well as I had hoped during the course, having been severely underprepared for the course at the time I took it, I did have a lot of fun using strings to conquer WAY too many of the CTF questions on the final day. Don’t discount the power of Strings and GREP!
The Shellcode Lab, Black Hat
I took this course while at Blackhat one year and came away really impressed. It’s one of those courses that takes what seems to be a pretty advanced and relatively opaque subject and makes it very approachable. By the end of those course I felt I had acquired a lot of practical skills. I recommend anyone interested in this class to have some familiarity with Intel assembly but after that, I think its relatively approachable and definitely recommended!
SANS SEC564 Red Team Operations and Threat Emulation
Red Teaming is one of the apex disciplines of the Cybersecurity field. SANS, as one of the premier cyber security education providers in the world offers only a two-day course covering the subject. This speaks to the niche-ness of Red Teaming as well as it’s advanced nature. This course, formerly taught and authored-by Joe Vest (the course author is now Jorge Orchilles, creator of the C2Matrix) is one of the best, most-concise introductions to Red Teaming I have found and would be valuable for anyone who is looking to stand up a Red Team practice at their organization. Being a SANS course, the price is still steep, but at only two days and given the fact that your organization should really be paying for you to take the course, I definitely recommend it. It is important to note that this course is NOT technical in nature. It certainly won’t get into the gritty technical aspects of red teaming, nor does it really explain with any sort of technical depth, the nature of standing up any sort of red team infrastructure. For this, I recommend taking a look at the SpecterOps Adversary Tactics: Red Team Operations training. With this said, I think performing successful red team engagements requires a thorough understanding of what red teaming really is, especially compared to traditional penetration testing, as well as an understanding of all the moving parts, players, stakeholders etc… This course will help you achieve that understanding.
SANS SEC642 Advanced Web App Penetration Testing
SANS’ top tier web-app specific penetration testing course is a bit hit-and-miss in my opinion. The problem with any “advanced” course is that it’s really difficult, in any 6 day period (which is the length of your typically full SANS course) to cover even a small fraction of the known techniques applicable to any specific penetration testing discipline, in this case web application penetration testing. Given everything that could be covered, SANS authors decided on SQLi, XSS, File Inclusions, XSRF, attacks specific to some web frameworks, crypto attacks, some WAF bypass stuff, and a little bit on Flash, SOAP, WebSockets and HTTP/2. This list obviously misses a gigantic swath of the web attack surface and even within this list itself these concepts are only barely touched. By far the most interesting day (for me) was the day on crypto-attacks but even that I’m skeptical as to the real practicality of what I learned. I’m not saying I didn’t learn anything useful in 6 days, but I think anyone at the stage in their career where they are interested in “advanced web application penetration testing” is better off with other educational mediums. You could probably learn more in 6 days just reading bug bounty writeups for example! An added negative is that this course currently does not offer a certification, so at the end of the day, you’re really only taking this course for its content - and at $7k+, I think you’re money is better spent elsewhere.
SpecterOps Adversary Tactics: Red Team Operations
SpecterOps is a (primarily offensive) security consulting company specializing in (bleeding-edge) research, assessments and training. Prior to taking their Red Team Operations course, I was familiar with them as the creators of both Empire and BloodHound. For a four day course on what is a very advanced, and very broad subject - I think the Red Team Operations course is outstanding. It covers both managerial and technical aspects of Red Teaming, everything from initial access operations (IAO) and establishing C2 to persistence, privesc and pivoting, all while in a modern, Windows-based AD environment. Within the labs you’ll get real, practical experience with the tools of the trade (e.g. Cobalt Strike) and modern techniques. With this said, I don’t think this course alone can take someone who isn’t already a red teamer and make them one over the course of four days. Even as deep as this course gets, the nature of Red Teaming is one that requires breadth and depth far beyond what this course can offer. For this reason, I recommend this course for those who already possess a moderate to advanced penetration testing background or those with entry-level experience in red teaming. I’ll also point out that this training is useful (as is most trainings) only if you have the ability to practice what you’ve learned after-the-fact. Unlike a lot of other security disciplines, adversary emulation is difficult to “practice” in a lab environment, you need both a legally-appropriate and willing test-subject. This means your best-off if you are already part of an internal red team or are looking to stand one up at your organization. Without this in place, I don’t recommend taking the course.
Offensive Security Advanced Windows Exploitation
The AWE is Offensive Security’s most difficult and arguably most prestigious certification, focusing exclusively on advanced, modern, Windows exploit development. With an interest in vulnerability research and thus an interest in exploit development, coupled with some experience in exploit writing and reverse engineering I decided to sign up and make my way through the course. Offered only in-person at the yearly Black Hat security conference and with very limited seats available, I was lucky to have been given the chance.
Now I will admit that at the time I sat for this course my exploit development skills and experience were certainly more on the beginner-side but based on my observations of other students in the class, I can say with no doubt, that this course is every bit as mind-melting and challenging as you might expect or have read in other reviews, even for those with far more experience than I. In hind-sight, I’m comfortable enough to say that I was out of my depth and would have been better served taking the course after I had a little more experience. But perhaps more importantly, I should have waited to take the course for when i was truly ready both mentally and professionally, to dive fully into the world of vulnerability research and exploit development.
This takes me to my advice for those thinking about enrolling. If you aren’t already a vulnerability researcher, penetration tester, exploit developer or aren’t thinking about making the shift into that realm in the near-ish future, I probably would not sign up for the course. Without a good amount of preexisting experience or knowledge, theres a decent chance the material will fly over your head. But also, if you don’t plan on exercising what you’ve learned in short order, your unlikely to retain a lot of the information, nor will you be able to properly study for and take the extremely challenging OSEE certification. With all this said, I do think that for those that are mentally (and emotionally) prepared, this course could really help someone push themselves further into modern exploit development and vulnerability research.
JHU Masters in Cybersecurity Review
Starting in mid-2016 and finishing up almost exactly 4 years later in 2020, I finally completed my Masters degree at Johns Hopkins University, achieving an MS in Cybersecurity. This program proved both challenging and rewarding as well as at times disappointing and even quite useless. I want to say early on in this review that I don’t recommend people sign up and self-pay for any Cybersecurity masters degree. I don’t think in the infosec industry, there is any significant professional value with having a masters, outside of maybe qualifying for some manager roles. This is especially true given the time and money you must invest to even get a masters degree. They are expensive and in most cases, it seems that having a certification or two will more than satisfy contractual, HR or hiring manager requirements. In my case, my company was willing to foot the bill for the program and seeing the opportunity, I decided why not!? I of course fully recommend taking advantage of free, employer-sponsored training wherever possible.
So how did I decide on the JHU program? Since I would still be working full time I needed to limit my choices to online programs only. Preferably as well, I wanted to choose an institution that was close by in the event that I needed to go on-campus for some reason, either to speak with a professor, collaborate with fellow students or take a class only offered on-premise. Living in the northern Virginia/DC metro area this still left me with a good number of options. With these requirements in mind I considered the following programs, University of Maryland University College (UMUC), University of Maryland (UMD), Johns Hopkins University (JHU), SANS Technology Institute and George Mason University. I won’t get into all the small decisions that ultimately led to me choosing the JHU program but in general I chose it for three reasons.
- First, and most importantly, I liked the available courses more so than any other program. Namely, I was interested in the reverse engineering course, embedded systems course and the cyber physical systems course. My primary focus with this degree was to focus on the learning aspects rather than just the idea of having a masters degree for my resume.
- Second, after some research, it looked like the JHU program was rated very high if not the highest among online Cybersecurity masters programs. I took this as a sign that this would be the best bet in terms of getting a high-quality, masters-level Cybersecurity education.
- Third, I felt that Johns Hopkins had a particular prestige, especially in my area, and that having a degree from there would look good on my resume.
So how were the Masters classes? Well first, prior to getting accepted “officially” into the Masters program I needed to take a few additional pre-requisite courses. This included a Java class, a course in Data Structures and a course in “Computer Organization” (Discrete Mathematics and Python are also required pre-reqs but I had already satisfied these through undergraduate and professional work). All three of these courses were great additions to what was my overall masters curriculum and interestingly enough, three of my favorite courses I took over the course of getting the degree, despite none of them actually be masters courses (they were bachelor-level courses). The Java course is self explanatory, it was simply a beginner-to-intermediate-level course in Java programming. The Data Structures course I found fascinating and pretty invaluable. To this day I still use the concepts I learned in this class for both my personal/professional development efforts as well as for understanding concepts related to modern operating systems, memory, reverse engineering, etc… The Computer Organization course was primarily centered around assembly programming. This has proven to be very useful foundational knowledge for my forays into reverse engineering, exploit development and general security research.
Once I finished the necessary pre-reqs I was formally accepted into the Masters program and now needed to complete the 10 Masters courses. Three of these are mandatory courses - Foundations of Algorithms, Foundations of Information Assurance and Cryptology. Foundations of Algorithms is advertised as the sequel to Data Structures and maybe in theory it is, but I found the class (and I can not stress this enough) completely useless, entirely opaque, and overtly difficult. In fact, the professor even suggested, during an office hours one night, that the class did not make sense for anyone who wasn’t in applied mathematics or certain (more abstract) disciplines of computer science. The course content, assignments and projects were all nearly impossible to follow, to the point where the professor would essentially just give us the answers since he knew how difficult the material was. Overall this class was a complete dud, in all respects. It was a waste of my time and I learned absolutely nothing. Unfortunately, it was required and therefore I could not get out of it, nor can anyone else in this program. Moving on… The “Foundations of Information Assurance” course was your typical “intro to information security” type stuff. Given my experience in the field, I did not personally get much value out of this course. Now if you had less experience in the field or are coming into this Masters program fresh out of your undergrad or early enough in your Cybersecurity career, I can definitely see how this class would prove beneficial to building your understanding of the fundamentals of infosec. So again, kind of a dud for me. The third and final mandatory class was in Cryptology. This class, unlike the first two, I found challenging, interesting, relevant and worthy of the Cybersecurity masters class designation. This was a highly technical class where you really are taught how modern ciphers work, the mathematical principles that are the groundwork of these cryptological constructs and are even taught cryptoanalytic techniques. My word of warning for those who are getting ready for this course is to take it seriously, not only because it is challenging but because it is information dense and it is knowledge you really are going to want to try and commit to memory as best you can.
In addition to the three required classes, I needed to choose seven electives from their catalog of courses. The seven I chose are listed below (in the order I took them).
- Principles of Data Communications
- Embedded Computer Systems
- Software Development for Real-Time Embedded Systems
- Reverse Engineering and Vulnerability Analysis
- Operating Systems
- Web Security
- Intrusion Detection
I’d like to quickly review and give my thoughts on each of these below…
Principles of Data Communications
One of the primary things I hoped to get out of experience with this Masters program was to get a deeper, more robust understanding of TCP/IP and computer networking. I wanted to understand these concepts from a purely academic perspective, rather than an applied one as I had received via an assortment of training courses (such as the SANS course SEC503). JHU offers a variety of courses related to this domain, all of which required this course, Principles of Data Communications, to be taken as a pre-req. This course primarily covers the Layer 1 (physical layer) aspects of network communications focusing on topics such as digital vs analog encoding, multiplexing, signaling, error-detection, data compression and more advanced topics. Though I found this course very interesting, I think it was a little TOO low level for what I was looking for. I would need to take a different class to cover networking concepts related to layers 2-4 which was after all, my primary interest in taking this class in the first place. Ultimately, I only recommend this course for those who really want to know these low level mechanics. Then again, this course is also a pre-req for almost all other courses in the networking track for this degree program so you may have to take it regardless if you have your eyes set on something which requires it.
Unfortunately, out of the 6 other electives I chose from here, none of them actually ended up being one of the classes that would focus more on networking or TCP/IP! Oh well, sometimes even the best-laid plans go awry.
Embedded Computer Systems
Having an interest in vulnerability research, especially in the realm of IoT, got me hooked on the idea of learning more about embedded systems. So much so that I decided to take not one but TWO electives on the subject, this class and a class on software development for embedded systems. This first class I felt was a real dud and was pretty much useless. The class was mostly a series of bizarre “case studies” that hardly had anything to really do with embedded systems. Not once did I get to dump firmware off of an embedded system or even physically do anything with an embedded system. There was nothing about the course which was even remotely practical, or interesting in any way. At certain points the course material would pivot into even softer subjects like “copywright law” or “licensing agreements”. This class ended up being a huge disappointment and I would not recommend it to anyone.
Software Development for Real-Time Embedded Systems
The second of two embedded systems-related classes I took focused on software development for embedded systems, more specifically, development on real-time systems (RTOS). This class was extremely practical as we spent the entire time actually writing code for arduino systems and even building a drone-system with a variety of sensors all interfacing with the arduino. I greatly enjoyed this class and felt like i learned quite a bit on the subject. Unfortunately, I’m not entirely sure how useful this knowledge has been (so far) with respect to my career. I’ll also point out that the use of a drone for this class was highly suspect as the drone kit was not particularly easy to use and all lab deliverables required videos of the drone being successfully flown while also performing a number of other in-flight operations. This put those who were not particularly great drone pilots (like myself) at a bit of a disadvantage. I appreciate the spirit of what the professor was going for here but I think the class would have been better served with something a bit easier to control like an RC car.
Reverse Engineering and Vulnerability Analysis
The class on reverse engineering and vulnerability analysis was by far my favorite course and I believe, objectively-speaking, the best course I took throughout the course of my Masters program. This class is the perfect mix of both theory and practical exercises, set to an extremely fast pace. Within the first week you will have covered and began deciphering Intel assembly instructions as well as started writing your own Intel assembly disassembler! By the end of the class you will be doing full malware reverse engineering and even writing your own exploits from scratch. This class was no joke! I can’t recommend this class enough, especially for those interested in these advanced topics.
This course was a bit of a mixed- bag. From a theory perspective, this course was exactly what I was looking for. It covered all the core operating system constructs (e.g. interrupts, kernel types, system calls, system architectures, system programming, scheduling, I/O, multi threading, memory, task management, deadlocks, device drivers, file systems and more!). Execution of the practical side of this course was where the big let down was. Namely, the course author decided to have all assignments and labs (all of which were heavily focused on system programming) be based on the strange, little-heard-of, not-modern, Minix 3 microkernel-based operating system. Now I had never heard of Minix 3 and asking my coworkers about Minix yielded a similar response. What was Minix 3 and why would my professor think this was a good platform to teach OS concepts? I mean, it doesnt even use a modern architecture, Minix 3 after all is a micro-kernel architecture as opposed to a more modern, monolithic or hybrid-based architecture. This course required a pretty firm understanding of C programming as well as some prior experience in Unix system programming, neither of which I really had. Picking up C was easy enough but learning to write code specifically for an operating system that no one uses and thus has little references online, proved to be a real struggle. I’ll also add here that the professor was particularly non-helpful when it came to actually teaching these more practical concepts. Perhaps the expectation was that this was something I should have already known coming into the course. Either way, I found the system programming segments of the course to be frustrating and stressful as they were a very large part of my final grade. Ultimately I did prevail and though I have some pretty big issues with this particular aspect of the course, I do think overall I would continue to recommend it to those who want to learn more about operating systems. My recommendation to Johns Hopkins however is to use a more relevant, modern operating system (like actual Linux!) as the practical foundation for this class.
This course was an interesting overview of the wide-variety of web-related technologies a security professional must consider, with topics including web-based crypto, writing RESTful APIs using Flask, AWS cloud, SAST/DASTWAF concepts, IoT protocols, container technologies such as Docker, open-source vulnerability scanners and finally a module on traditional web-application vulnerabilities such as XSS, SQLi etc… I found this course to be a little meandering, never doing anything more than scraping the surface of each of these topics. Yes, there were some interesting practical exercises sprinkled throughout but mostly I found that getting a “taste” of so many things was not that valuable (to me personally). I’ll qualify this by saying at this point in time I had several years of web application security and cloud experience so some of this material may have simply just not been that new to me and thus I found the lectures and assignments a bit boring. For someone interested in getting a look on everything “goin on” in the web security world, I think this course can satisfy that specific need. Outside of that, I think most people might leave this class just hungry for something a little more substantial.
My seventh and final elective was Intrusion Detection. I had not intended to take this course and only did end up enrolling due to availability and scheduling issues related to another class I had planned on taking. It was my final semester however and at this point I really wanted to close the book on this program and move on to other things in my life! It turns out that I’m happy I took the course as it was (similar to my Reverse Engineering course) a really satisfying mix of both theory and practical exercises. Notably, I’d like to call out the excellent labs (assigned weekly) which covered a wide variety of tools (some of which I did have prior experience with) such as Nmap, Linux, TripWire, OSSEC, Snort, Neo4j, Cypher, Zeek, iptables, ROC analysis, Keras and RapidMiner. I definitely recommend this class for anyone looking to get some good experience with any one of these tools and learn more about general intrusion detection in the process.
What I wish I had done differently
Having finally graduated, I wanted to take a look back at my experience both with JHU at a high level and with each of my classes and reflect on what I may have done differently. First I want to say that if I could go back in time, I would stilll choose the JHU program over any of the other schools I had considered. What I would change however is some of the classes I took. I’ve made it clear in my reviews above what classes I thought were good, which had value specifically to me and which classes I thought were awful. Out of the 10 masters-level classes I took, three of them I found both well done and applicable/valuable to my career, three of them I found very interesting and well done yet not particularly relevant to my career, two of them I found a little too “high level” and not particularly useful and another two I thought were just atrocious. Looking at these numbers it’d be easy to come to the determination (with only 3 classes I actually thought were useful to me) that I didn’t get out of this program what I had hoped. Had I chose different classes I certainly would have gotten more out of the program but I am thankful for what I was able to learn. Some classes I would have liked to try instead include offerings on Java Security, Cyber Physical Systems Security, Operating Systems Security and even Digital Forensics. I’ll add that there seems to have been some significant changes to the course catalog since I graduated (which was only a few weeks ago as of this writing) with more courses having been added, notably classes on DevOps and “Assured Autonomy”, both of which might have been interesting to me and would certainly be worth checking out for anyone considering this program. After taking the class in reverse engineering and vulnerability analysis, the professor suggested, for anyone who was interested, doing an Independent Study in place of a typical elective. This would offer the same three credits but allow for a more exploratory, research-oriented approach to the reverse engineering material (or any other class you would be interested in). I seriously considered doing this for reverse engineering but ultimately decided not to. I regret this decision and recommend those who are taking this program to not be lazy and do what you think sounds interesting, even if it will be more work.
It’s really incredible and I’m extremely grateful for all the opportunities I’ve been given over the last 5 years and though there are plenty of things I would change if I could go back and somehow make adjustments along the way, I am ultimately very satisfied with how everything has turned out and the choices I made. In closing, I have just a few parting nuggets of “wisdom” / advice I’d like to share.
Make an effort to continually re-focus, frequently ask yourself what you want to do or where you’d like to be and make constant adjustments to better reach that goal. It’s easy to be swept into something or fall into a “comfort zone” such that you drift away from where you really want to be.
Appreciate all opportunities and try not to discount the things you may learn that you think are not relevant or useful. Too many times have I had the chance to learn something I didn’t think was useful so I never really committed myself to it, only to later realize i DID want to know it and was then force to teach myself again. You’ll save yourself plenty of time and headache by just having an open mind and being as much of a willing knowledge-sponge as possible.
Revel in the fact that infosec is such a cool and exciting field! One that for those who are motivated enough, can be a place of rapid development and overwhelming opportunity. Take advantage of the vast network of people just like yourself who are looking to share their experiences, network and continuously learn.
Thanks so much for reading, whether it was the entirety of this article (I know it’s quite long) or any given section. I hope some of it was enlightening or valuable and if there are any questions or you’d like to know more / share your own experiences I’d love to hear about it! Feel free to reach out anytime!