www.giac.org

GCIA Certification Bulletin

(Part 2 of Candidate Handbook)

The GIAC Intrusion Detection In-Depth (GCIA) was created to provide assurance that a certified individual holds the appropriate level of knowledge and skill necessary for anyone relied upon by an organization to perform intrusion detection using network and host-based techniques.

All GIAC certifications expire after a period of 4 years. In order to recertify, candidates must take the current version of the certification exam.

The practice tests are taken online and are designed to simulate the format of the actual GIAC exams, with the same number of tests, the same multiple-choice question format and the same time limits. The practice test questions are written by the same authors who write the questions for the actual GIAC exams and are representative of the types of questions you can expect to see. However, it is important to keep in mind that no exam questions are identical in content to practice exam questions. During the practice tests, each time you choose a wrong answer you will receive the correct answer along with an explanation that will help to reinforce the subject matter presented in the question. The practice tests also keep track of the number of questions you have answered correctly, the number answered incorrectly and how many questions you have remaining. You will only have one attempt at each practice test, but additional attempts are available for purchase. If you do purchase a new practice test set, the online system will re-quiz you on those questions you had difficulty with, in addition to new questions.

Type: Certification

Target: Individuals responsible for network and host monitoring, traffic analysis, and intrusion detection

GIAC Certified Intrusion Analysts (GCIAs) have the knowledge, skills, and abilities to configure and monitor intrusion detection systems, and to read, interpret, and analyze network traffic and related log files.

Requirements: 1 proctored exam - 150 questions - 4-hour time limit - 67.3% (101 of 150 questions) minimum passing score

Renewal: Every 4 years

The topic areas for each exam part follow:

Exam Certification Objectives / Certification Objective Outcome Statements

Abnormal Stimulus Response

The candidate will show a fundamental understanding of abnormal looking network traffic that results from specific hacking techniques.

Advanced Analysis with Tcpdump

The candidate will demonstrate an understanding of how to determine specific attacks by analyzing network traffic with tcpdump.

Advanced Snort Concepts

The candidate will demonstrate a fundamental understanding of advanced Snort concepts such as rule ordering, false negatives and positives.

Analyst Toolkit

The candidate will demonstrate an understanding of the different tools that are available when analyzing intrusions.

Checksums

The candidate will demonstrate a fundamental understanding of what checksums are and how they can be used to validate packets.

Correlating Traffic

The candidate will show an understanding of the issues and solutions of data correlation.

Dissecting Datagrams

The candidate will demonstrate a thorough understanding of how to dissect a datagram using tcpdump.

Domain Name System (DNS)

The candidate will show a thorough understanding of how DNS works for both legitimate and malicious purposes.

Examining ICMP Fields

The candidate will show a thorough understanding of normal and abnormal ICMP fields.

Examining IP Header Fields

The candidate will show a thorough understanding of normal and abnormal IP header fields.

Examining Packet Crafting

The candidate will demonstrate familiarity with how packets are crafted using different tools.

Examining TCP Fields

The candidate will show a thorough understanding of normal and abnormal TCP fields.

Examining TCPDump Output

The candidate will demonstrate a thorough understanding of how to analyze a packet header using tcpdump.

Examining UDP Fields

The candidate will show a thorough understanding of normal and abnormal UDP fields.

Firewalls and Intrusion Prevention

The candidate will understand how firewall technology can be employed to improve intrusion detection and prevention.

ICMP Theory

The candidate will understand the ICMP protocol, how ICMP can be used for network mapping, and the concepts behind ICMP-based attacks.

IDS Interoperability

The candidate will show a fundamental understanding of the different types of interoperability models.

IDS Patterns

The candidate will show a thorough understanding of in-the-wild detects, including DoS attacks, network mapping, and coordinated attacks.

IDS Signatures & Response Time

The candidate will show a fundamental understanding of the flow and process of detecting intrusions.

IDS/IPS Architecture Issues

The candidate will show a thorough understanding of the technical issues involved in deploying IDS/IPS systems.

IDS/IPS Management Issues

The candidate will show a thorough understanding of the management issues involved in deploying IDS/IPS systems.

Indications & Warnings

The candidate will show an understanding of the importance of two indication and warning models.

Introduction to Snort

The candidate will demonstrate a fundamental understanding of the installation of Snort as an Intrusion Detection System.

IP Routing

The candidate will demonstrate an understanding of how packets are routed across IP networks.

IPv6 Theory

Outcome Statement Not Available At This Time

Malicious Fragmentation

The candidate will show an understanding of the concepts behind fragmentation-based attacks.

Manual & Automated Correlation

The candidate will show an understanding of the importance of correlation in intrusion detection.

Microsoft Protocols

The candidate will demonstrate an understanding of Microsoft's SMB/CIFS, RPC, and Active Directory protocols.

Network Mapping & Info Gathering

The candidate will demonstrate a thorough understanding of the reconnaissance techniques that attackers use to gather information.

NIDS Evasion & Insertion

The candidate will show a fundamental understanding of the evasion and insertion techniques attackers use to confuse network intrusion detection systems.

Normal Fragmentation

The candidate will demonstrate an understanding of how fragmentation works through theory and packet capture examples.

Normal Stimulus Response

The candidate will show a fundamental understanding of everyday network traffic behavior and typical responses.

Snort Configuration

The candidate will demonstrate an understanding of how to configure the Snort Intrusion Detection System.

Snort GUIs & Sensor Management

The candidate will show familiarity with the GUI tools that are available to manage a Snort implementation.

Snort Modes of Operation

The candidate will show an understanding of the different methods of operation that Snort currently supports.

Snort Performance, Active Response & Tagging

The candidate will demonstrate a fundamental understanding of Snort performance options, active response techniques and tagging.

Snort Rules

The candidate will demonstrate familiarity with how to effectively configure Snort rules.

TCP/IP Refresher & Beyond

The candidate will demonstrate familiarity with tcpdump/windump, and have a thorough understanding of IP.

Traffic Analysis

The candidate will be familiar with organizing multiple log formats for analysis, detecting the source of an event, distinguishing normal from abnormal behavior, link analysis, periodic reports, and profiling.

Traffic Analysis with Tcpdump

The candidate will demonstrate an understanding of how to analyze network traffic in relation to other traffic using tcpdump.

Writing Tcpdump Filters

The candidate will demonstrate familiarity with the techniques that are involved when writing tcpdump filters.

Where to Get Help

Training is available from a variety of resources, including online courses, course attendance at a live conference, and self-study.

Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.

Finally, college level courses or study through another program may meet the needs for mastery.

The procedure to contest exam results can be found at http://www.giac.org/grievance.php.

Number of certified professionals: 26,298