The GIAC Intrusion Detection In-Depth (GCIA) was created to provide assurance that a certified individual holds the appropriate level of knowledge and skill necessary for anyone relied upon by an organization to perform intrusion detection using network and host-based techniques.
All GIAC certifications expire after a period of 4 years. Candidates must review the information and retake the exams in order to remain certified. Although there are other entry level certifications available, GIAC is the only information security certification family including advanced technical subject areas.
The practice tests are taken on-line and are designed to simulate the format of the actual GIAC exams with the same number of tests, multiple-choice questions and time-limits. The practice test questions are written by the same authors who write the questions for the actual GIAC exams and are representative of the types of questions you can expect to see. However, it is important to keep in mind that no exam questions are identical in content to practice exam questions. During the practice tests, each time you choose a wrong answer you will receive the correct answer along with an explanation that will help to reinforce the subject matter presented in the question. The practice tests also keep track of the number of questions you have answered correctly, incorrectly and how many questions you have remaining. You will only have one attempt at each practice test, but if you would like additional attempts they are available for purchase. If you do purchase a new practice test set, the on-line system will re-quiz you on those questions you had difficulty with, in addition to new questions.
The topic areas for each exam part follow:
| Exam Certification Objectives | Certification Objective Outcome Statement |
|---|---|
| Abnormal Stimulus Response | The candidate will show a fundamental understanding of abnormal looking network traffic that results from specific hacking techniques. |
| Advanced Analysis with Tcpdump | The candidate will demonstrate an understanding of how to determine specific attacks by analyzing network traffic with tcpdump. |
| Advanced Snort Concepts | The candidate will demonstrate a fundamental understanding of advanced Snort concepts such as rule ordering, false negatives and positives. |
| Analyst Toolkit | The candidate will demonstrate an understanding of the different tools that are available when analyzing intrusions. |
| Checksums | The candidate will demonstrate a fundamental understanding of what checksums are and how they can be used to validate packets. |
| Correlating Traffic | The candidate will show an understanding of the issues and solutions of data correlation. |
| Dissecting Datagrams | The candidate will demonstrate a thorough understanding of how to dissect a datagram using tcpdump. |
| Domain Name System (DNS) | The candidate will show a thorough understanding of how DNS works for both legitimate and malicious purposes. |
| Examining ICMP Fields | The candidate will show a thorough understanding of normal and abnormal ICMP fields. |
| Examining IP Header Fields | The candidate will show a thorough understanding of normal and abnormal IP header fields. |
| Examining Packet Crafting | The candidate will demonstrate familiarity with how packets are crafted using different tools. |
| Examining Packet Headers with Tcpdump | The candidate will demonstrate a thorough understanding of how to analyze a packet header using tcpdump. |
| Examining TCP Fields | The candidate will show a thorough understanding of normal and abnormal TCP fields. |
| Examining UDP Fields | The candidate will show a thorough understanding of normal and abnormal UDP fields. |
| Exploits | The candidate will demonstrate familiarity with analyzing specific exploits. |
| ICMP Theory | The candidate will show an understanding of why the ICMP protocol is needed. |
| IDS Interoperability | The candidate will show a fundamental understanding of the different types of interoperability models. |
| IDS Patterns | The candidate will show a thorough understanding of in-the-wild detects including DoS attacks, network mapping, and coordinated attacks. |
| IDS Signatures & Response Time | The candidate will show a fundamental understanding of the flow and process of detecting intrusions. |
| IDS/IPS Architecture Issues | The candidate will show a thorough understanding of the specific technical related issues with regard to deploying IDS/IPS systems. |
| IDS/IPS Management Issues | The candidate will show a thorough understanding of the management related issues with regard to deploying IDS/IPS systems. |
| Indications & Warnings | The candidate will show an understanding of the importance of two indication and warning models. |
| Introduction to Snort | The candidate will demonstrate a fundamental understanding of the installation of Snort as an Intrusion Detection System. |
| IP Routing | The candidate will demonstrate an understanding of how packets are routed across IP networks. |
| IPsec Protocols | The candidate will demonstrate a thorough understanding of IPsec protocols in theory and implementation. |
| IPv6 In Practice | The candidate will show a fundamental understanding of the methods used to implement IPv6 over IPv4 networks. |
| IPv6 Theory | Outcome Statement Not Available At This Time |
| Link, Tallies, & Profiles | The candidate will demonstrate familiarity with link analysis, periodic reports and profiling. |
| Malicious Fragmentation | The candidate will show an understanding of the concepts behind fragmentation-based attacks. |
| Malicious ICMP | The candidate will show an understanding of the concepts behind ICMP-based attacks. |
| Manual & Automated Correlation | The candidate will show an understanding of the importance of correlation in intrusion detection. |
| Microsoft Active Directory | Outcome Statement Not Available At This Time |
| Microsoft SMB & RPC Protocols | The candidate will demonstrate a thorough understanding of Microsoft's SMB/CIFS & RPC protocols. |
| Network Mapping & Info Gathering | The candidate will demonstrate a thorough understanding of the reconnaissance techniques that attackers use to gather information. |
| NIDS Evasion & Insertion | The candidate will show a fundamental understanding of the evasion and insertion techniques hackers utilize to confuse NID systems. |
| Normal Fragmentation | The candidate will demonstrate an understanding of how fragmentation works through theory and packet capture examples. |
| Normal ICMP & Mapping | The candidate will show a thorough understanding of normal ICMP behavior and ICMP mapping techniques. |
| Normal Stimulus Response | The candidate will show a fundamental understanding of everyday network traffic behavior and typical responses. |
| Patterns & Analysis | The candidate will demonstrate an understanding of the relationship between firewalls, VLANs, and IPS systems. |
| Real World Traffic Analysis with Tcpdump | The candidate will demonstrate an understanding of how to analyze network traffic that was captured in the wild using tcpdump. |
| Reconnaissance | The candidate will demonstrate an understanding of the reconnaissance methodology and how to detect reconnaissance attempts. |
| Snort Configuration | The candidate will demonstrate an understanding of how to configure the Snort Intrusion Detection System. |
| Snort GUIs & Sensor Management | The candidate will show familiarity with GUI tools that are available to manage a Snort implementation. |
| Snort Modes of Operation | The candidate will show an understanding of the different methods of operation that Snort currently supports. |
| Snort Output Analysis | The candidate will demonstrate an understanding of how to interpret Snort output. |
| Snort Output Analysis & Testing Tools | The candidate will demonstrate an understanding of how and why to test Snort using specific tools. |
| Snort Performance, Active Response & Tagging | The candidate will demonstrate a fundamental understanding of Snort performance options, active response techniques and tagging. |
| Snort Rules | The candidate will demonstrate familiarity with how to effectively configure Snort rules. |
| TCPIP Refresher & Beyond | The candidate will demonstrate familiarity with tcpdump/windump, and have a thorough understanding of IP. |
| Traffic Analysis Part I | The candidate will show a fundamental understanding of organizing multiple log formats for analysis. |
| Traffic Analysis Part II | The candidate will demonstrate an understanding of how to identify the source of an event and patterns of normal vs. abnormal behavior. |
| Traffic Analysis with Tcpdump | The candidate will demonstrate an understanding of how to analyze network traffic in relation to other traffic using tcpdump. |
| Writing Tcpdump Filters | The candidate will demonstrate familiarity with the techniques that are involved when writing tcpdump filters. |
Where to Get Help
Training is available from a variety of resources, including on-line courses, course attendance at a live conference, and self-study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.
Finally, college level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/grievance.php.