GCIH

The GIAC Certified Intrusion Analyst (GCIH) exam focuses on practical, hands-on skills and in-depth knowledge related to intrusion detection and incident response. Here are the main points covered, categorized for clarity:

I. Network Security Fundamentals:

• Network topologies and protocols: Understanding various network architectures (LAN, WAN, etc.) and protocols (TCP/IP, UDP, ICMP, etc.) is crucial. You'll need to know how these work to understand network traffic analysis.
• Operating systems security: Knowledge of common operating systems (Windows, Linux, etc.) and their security features is important for identifying vulnerabilities and analyzing system logs.
• Cryptography: Basic understanding of cryptographic principles, including encryption, hashing, and digital signatures, is necessary for analyzing secure communications and detecting anomalies.

II. Intrusion Detection and Prevention:

• Intrusion detection systems (IDS): Deep understanding of both Network-based IDS (NIDS) and Host-based IDS (HIDS), their deployment, configuration, and limitations. This includes analysis of IDS alerts and log files.
• Intrusion prevention systems (IPS): Knowledge of how IPS works, its capabilities, and its role in preventing attacks.
• Security Information and Event Management (SIEM): Understanding how SIEM systems collect, correlate, and analyze security logs from various sources.

III. Incident Handling and Response:

• Incident response lifecycle: Thorough understanding of the phases of incident response (preparation, identification, containment, eradication, recovery, lessons learned).
• Forensic analysis: Skills in collecting and analyzing digital evidence, including network traffic captures (pcap files), log files, and system memory dumps.
• Malware analysis: Ability to identify and analyze malicious software, including viruses, worms, Trojans, and rootkits.
• Vulnerability assessment and penetration testing: Understanding how to identify vulnerabilities in systems and networks, and how to perform penetration testing to assess security posture.

IV. Specific Attack Types and Techniques:

• Network attacks: Deep knowledge of various network attacks, such as denial-of-service (DoS), man-in-the-middle (MitM), and session hijacking.
• Host-based attacks: Understanding how attackers compromise individual systems, including buffer overflows, SQL injection, and privilege escalation.
• Malware techniques: Knowledge of how malware infects systems, spreads, and performs malicious actions.
• Social engineering: Understanding social engineering techniques used to gain unauthorized access to systems.

V. Tools and Technologies:

• Network monitoring tools: Familiarity with tools like tcpdump, Wireshark, and other network analysis tools.
• Security analysis tools: Experience with various security analysis tools, including IDS/IPS management consoles and SIEM platforms.
• Forensic tools: Knowledge of forensic tools used for evidence collection and analysis.

Important Note: The GCIH exam emphasizes practical, hands-on skills. While theoretical knowledge is important, the exam will heavily test your ability to analyze real-world scenarios, interpret log files, and use various security tools. Practical experience in intrusion detection and incident response is highly recommended before attempting the exam.