Purpose
The primary purpose of this document will be to provide tried and true tips to make the studying and exam a bit less painful. These tips will apply to all SANS courses/exams.
Indexing Philosophy
If you haven’t taken a SANS exam before, they are open note/book and a polished index is your safety net for finding or confirming answers to questions you might not know off the top of your head.
After 7 SANS exams, I have realized what types of things will be the subject of questions on the exam. If you haven’t taken many exams, this is where quizzes and practice tests will come in handy. Do them early and often.
Here is my GCIA Index for reference: Copy of SEC503 GCIA Index
Terms/Keys
My philosophy revolves around a sort-of “index within an index” strategy, where I preface topics with key words. For example, if we are talking about Intrusion Detection Systems, I will start the term with IDS, then the key topic found on that specific page. Then, I will make note of that keyword on a separate page containing all of my keywords. That way, when it comes time to find the information during the exam, I can narrow down the search by identifying which category the question falls into and flip to that section of my index.
Examples:
IDS Checksum Validation
IDS Choke Point (TAP)
IDS DoS Insertion/Evasion
IDS Load Balancer
IDS Log Analysis
If the term falls into multiple different categories (such as IDS & Snort), create multiple entries! Don’t be stingy here. You want to make sure you can find this information in a pinch.
If I believe a term is important enough, I will make an entry with the preface (IDS) and a separate entry without the preface.
Page | Term
---|---
56 | signatures.log
56 | Zeek signature.log
Notes/Definitions
Keeping detailed notes in the column to the right of the term is not something I did in the beginning, but this can be one of the most important steps in creating a comprehensive index and, if you’re anything like me, the ability to understand and retain the information during the exam and beyond.
At minimum, I create an entry for every page in the book (using the strategy above). Then, I add the entire contents of the slide to the “Notes” section to the right of the term. I’ve learned that most of the questions on the exam can be answered with this information alone, so why not have it right there when you are taking the test to validate your choices? Here is an example:
Term | Notes
---|---
Zeek signature.log | When running in “readback mode”, Zeek creates the log in the working directory. sig_id is the name of the matching signature. sub_msg is “extracted payload data or extra message”. Zeek searches the first 1024 bytes for a match by default.
STARTTLS | “Opportunistic” encryption. Extension to transform an insecure comms channel into a secure one using TLS. Does not require a separate listening port. Mostly used between SMTP message transfer agents (MTA server to server), which means anyone with access to those servers can see cleartext (not end-to-end encrypted).
If there is no slide content, or there is too much content, I will write down key words I can find on this page. Here is an example:
Term | Notes
---|---
Zeek Variables | sig_id, event_msg, sub_msg, dpd_buffer_size
You can also add notes from different pages to a high-level topic, such as Zeek Scripting:
Term | Notes
---|---
Zeek Scripting | p.61 Zeek doesn’t react to packets, it exposes events. To access these events, we must write scripts using a publisher-subscriber design pattern. p.63 Similar to GUI programming with an event loop always running. When an event occurs, the event loop sends it to the first responder. Zeek vs GUI: all subscribers get the events. p.59 User-written scripts require an event to be processed that invokes the script.
Labs
If your exam contains labs, make sure you index your labs book! This does not have to be as in-depth or as detailed as the main books, but you still have to know where to find each lab.
My approach to this was to create a separate index just for labs that contains the starting page and the title of each lab. Then, if there are any key topics, include the page number for those topics in the “Notes” section of that lab. Here is an example:
Lab | Page | Title | Notes
---|---|---|---
2.3 | 89 | TCP Concepts | p89 – What is the embedded protocol checksum; p92 – Suspicious Sequence Numbers; p93 – Retries vs new connections; p97 – crafted packet anomalies
I created the entire labs index in 1 hour the night before my exam. It really doesn’t have to be that detailed. Just make sure you can find which lab relates to the activity in the exam. Most exams won’t have that many labs, so you can quickly glance at this index and find which one you are looking for.
Books
In the left-most column of your index, you should make note of the book number. Each book should be assigned a primary color (RGBPYO). This color will highlight the entire row of your index. The book should also have tabs that are this color so that they can be easily grabbed on your desk during your exam.
A lot of study guides have you create markers for the beginning of each section throughout the book, but I found that to be overkill and frankly not that useful. Instead, the night before the exam, I create a tab every 25 pages that indicates which page it’s on. I start with the back of the book and work my way forwards to ensure they are lined up neatly.
For example, place a tab on page 175 that clearly says “175” on it.
This has really improved my speed when finding terms from my index in the books. Grab the book with the matching color and the tab closest to the page listed. Boom.
Overall Study Plan
There are many different ways you can study for the exam, depending on your learning style and how much of the information you want to retain. Some people believe that SANS courses are worthless because the exam is open-book, and you can definitely create (or buy) an index and ace an exam without learning anything if you are a good test taker. But why would you want to do that? Since that is a common perception, I pride myself on learning as much as possible.
My Approach to Studying
For the first half of the time you have to complete the course, do the following:
- Add a new entry in the index for each page of the book.
- Write down the full content from the slide in your index “notes” for this page.
- Watch the lecture on this page and add to the notes in your index.
- Read the page and add more notes to your index.
Doing this for every page in the book really helped me understand the material while preventing burnout.
First Practice Exam
Once you have read all the books and have a solid Index, take your first practice exam. The primary purpose of this exam is to find the gaps in your index (and in your knowledge, though that’s less important). Take it seriously, but don’t burn yourself out on it.
Though it’s not allowed, I recommend taking screenshots of every question, especially the ones you get wrong. This will help you avoid the temptation to update your index as you are taking the practice test. Do that later!
SANS provides helpful blurbs when you get a question wrong. Copy those right into your index.
Once you are done, delete the screenshots. Don’t ever share them with anyone else.
Labs
You can definitely do the labs as-you-go, but I tend to burn out when I do this. Instead, I do the labs after my first practice test. Makes for a nice weekend activity.
Saving the labs for closer to exam time helps bring the concepts back to the front of your mind and solidifies them all at once.
Second Practice Test
Now that you’ve completed the course, it’s time for the second and final practice test. This should be taken exactly like you’d be taking the real test. Don’t CTRL+F through the book or your notes for answers. Don’t Google things. You might even consider staying seated the whole time, like you would during the real exam.
The primary purpose of this exam is to get a good idea where you will score on the real exam.
Bootcamps/Capstone
If your course has bootcamps, THESE are the best thing you can do to solidify the knowledge. Do them the week before the exam and update your notes with anything you learn along the way. These really force you to understand the material because there is no guide. If you can’t figure out a question, you get it wrong. Trial by . Use whatever you can to figure out all of these questions. If you struggle on a certain section, do that section again until you fully grasp the concepts.
Test Time
Here are some tips to focus on during the test, especially if you’ve followed the guidance in this doc.
- Read all of the answers before you go hunting through your index.
- I can’t count the number of times I’ve searched through the index, then my books for 5-10 precious minutes only to realize that 3 out of the 4 answers were obviously wrong.
- Read your notes in the index before opening a book.
- If you’ve written down the contents of each slide in the notes section, you can answer over 50% of the questions without opening a book.
- Take one or two deep breaths with your eyes closed between each question. This will help reset your brain to focus on the new question in front of you.
- This is especially useful if the last question absolutely destroyed you and you lost some confidence. When this happens to me, I have the tendency to get angry and rush through the next few questions out of spite, leading to rash decisions and avoidable mistakes.
- Watch out for distractors.
- Almost every question will contain a “distractor” answer. It may contain mostly correct information that doesn’t answer the question, or will use key words related to the question, just not the correct answer. The goal of this option is to try to get you to click it. Think “too good to be true”.
- Skip questions you aren’t sure about.
- There have been SO many times I’ve found the answer to an earlier question while researching a later question. There are only so many topics to be tested on, so the likelihood that you’ll stumble on the answer later during the test is pretty good.
- Keep track of questions you may have gotten wrong.
- The exam provides a “whiteboard” that will save after you close it. Use ticks to count questions you were unsure of. This count will likely not be accurate, but it is helpful to gauge how close you are from the pass/fail line as you make decisions later in the test.