GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Intrusion Analysts (GCIAs) have the knowledge, skills, and abilities to configure and monitor intrusion detection systems, and to read, interpret, and analyze network traffic and related log files.
Individuals responsible for network and host monitoring, traffic analysis, and intrusion detection
Preparing for the GCIA Exam: Candidates may choose to prepare for the GCIA exam by taking the SANS Training Course: SEC503: Intrusion Detection In-Depth
*No Specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering Computer Information Security. Another option is SANS training, or any relevant courses from other training providers.*
- 1 proctored exam
- 150 questions
- Time limit of 4 hours
- Minimum Passing Score of 67%
GIAC reserves the right to change the specifications for each certification without notice. Based on a scientific passing point study, the passing point for the GCIA exam has been determined to be 67% for all candidates receiving access to their certification attempts on or after August 2nd, 2012. To verify the format of your current certification attempt, please read the Certification Information found in your portal account at https://exams.giac.org/pages/attempts.
Certifications must be renewed every 4 years. Click here for details.
NOTE: GIAC exams are NOT given the day after the conference ends.
GIAC certification attempts purchased without SANS training will be activated in your SANS/GIAC account within 24 business hours of purchase. GIAC certification attempts purchased with SANS training will be activated in your SANS/GIAC account 7-10 business days after the end of the conference. In both cases, you will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt. GIAC exams must be proctored through Pearson VUE. Please click the following link for instructions on How to Schedule Your GIAC Proctored Exam. GIAC exams are delivered online through a standard web browser.
- Certified Professionals (GCIA)
- Exam Feedback Procedure
- Grievance Procedure
- Proctored exam procedure
- SANS Information Security Reading Room
Bulletin (Part 2 of Candidate Handbook)
Exam Certification Objectives & Outcome Statements
The topic areas for each exam part follow:
- Advanced Snort Concepts
- The candidate will demonstrate understanding of advanced Snort including: rule ordering, reduction of false negatives/positives, sensor management, performance, and tagging.
- Application Protocols
- The candidate will demonstrate knowledge, skill, and ability relating to application layer protocol dissection and analysis including HTTP, SMTP, and various Microsoft protocols
- Concepts of TCP/IP and the Link Layer
- The candidate will understand the the TCP/IP communications model and link layer operations
- The candidate will demonstrate a thorough understanding of how DNS works for both legitimate and malicious purposes.
- The candidate will demonstrate comprehension of how fragmentation works through theory and packet capture examples, as well as the concepts behind fragmentation-based attacks.
- IP Headers
- The candidate will demonstrate the ability to dissect IP packet headers and analyze them for normal and anomalous values that may point to security issues
- The candidate will demonstrate knowledge, skill and ability relating to the analysis of IPv6 as well as issues involving IP6 over IPv4.
- Network Architecture and Event Correlation
- The candidate will demonstrate competence with issues relating to IDS/IPS management, network architecture as it pertains to intrusion detection, and event correlation and management
- Network Traffic Analysis and Forensics
- The candidate will demonstrate the ability to analyze real traffic and associated artifacts: malicious, normal and application traffic; and demonstrate the ability to discern malicious traffic from false positives.
- Packet Engineering
- The candidate will demonstrate knowledge, skill, and ability relating to packet engineering and manipulation including packet crafting, OS fingerprinting, and IDS Evasion/Insertion
- Silk and Other Traffic Analysis Tools
- The candidate will demonstrate the ability to use Silk and other tools to perform network traffic and flow analysis
- Snort Fundamentals and Configuration
- The candidate will demonstrate knowledge, skill, and ability relating to Snort, its modes of operation, and its configuration.
- Snort Rules
- The candidate will demonstrate the ability to effectively design and configure Snort rules for given scenarios.
- The candidate will understand TCP communications as well as expected responses to given stimuli at this layer
- Tcpdump Filters
- The candidate will demonstrate the skill and ability to craft tcpdump filters that match on given criteria.
- UDP and ICMP
- The candidate will demonstrated the ability to analyze both UDP and ICMP packets and recognize common issues
- Wireshark Fundamentals
- The candidate will demonstrate the knowledge, skills, and abilities associated with traffic analysis using wireshark from an intermediate to high degree of proficiency.
Where to Get Help
Training is available from a variety of resources including on line, course attendance at a live conference, and self study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.
Finally, college level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/about/procedures/grievance.