One major unknown for those of us enrolled in the SANS MSISE program is the Core Comprehensive Exam. Unfortunately, there is barely any public information available about it, which I suspect may be intentional. This makes for a good academic challenge, but can also leave students wondering how to prepare for the Exam.
This blog post will shed some light on what will help you excel at the exam. I won’t reveal any ‘secrets’ here. This entire post is 100% vetted by SANS.edu staff to comply with the NDA. Here, I share the proven preparation and toolset that got me through the SANS Core Comp Exam without breaking a sweat. If you plan on pursuing the OSCP, this same preparation was fundamental to my passing that exam as well, a few months later.
Who is this guy?
I’m a Software Engineer on a financial trading platform by day and a SANS MSISE student by night. Before becoming a Software Engineer, I got a BS in Computer Science from Oregon State’s excellent online program. In the past year, I’ve obtained the SANS Grad Certificate in Penetration Testing. Usually, I’ll complete a SANS course in 30 days with 90%+ exam scores, but I’ll leave how I approach that for another post.
Somewhere along the line, I was a grunt in the USMC with two deployments in Iraq. So the Core Comprehensive Exam, while daunting, barely registers on my scale of stressful activities.
As my first sergeant taught me, I mind my 6 P’s: Prior Preparation Prevents Piss Poor Performance. That is the theme of this post.
What is this exam?
The curriculum gives us some critical clues as to what to expect.
- Three prerequisites:
- ISE 5101 – SANS SEC 401: Security Essentials Boot-camp Style – GSEC
- ISE 5201 – SANS SEC 504: Hacker Techniques, Exploits & Incident Handling – GCIH
- ISE 5401 – SANS SEC 503: Intrusion Detection In-Depth – GCIA
- “The Core Comprehensive Exam tests your mastery of the core technical skills required by top security consultants and individual practitioners.”
- A series of exercises
From these few facts and a little experience in SANS classes, our expectations should be clear. Some sort of hands-on exercises focused on those three classes are in your future. Anyone who has taken a SANS capstone can use their imagination effectively to envision the various probable ways that the SANS staff might formulate these exercises; not the biggest mental leap you will have to make as a security professional.
With these facts in hand, I’ll describe what I did to prepare for the Core Comp exam.
Here is a summary of what we will take a look at.
The art of writing is the single most valuable tool in your arsenal as a technology professional. I learned this on Day 1 at Amazon. You are one person. When you document knowledge, now anyone who accesses it will be able to take advantage of what you have discovered. If you think about it, that is what this post is all about.
Typically documentation is a gift to others. So let me flip that 180 for you.
Documentation is a gift from you to you.
You have three prerequisite classes, and you need to make all that information accessible. So I’ll break down the why, the how, and even the potential wiki platforms. The last thing you want to do is flip through one of three indices covering 15+ books in an exam.
Did you read the curriculum? Did you see that bit on top security consultants and individual practitioners? We are all students here, so it is time to close that gap.
If you drop into the exam and get thrown an exercise with zero prior exposure, you will have some problems. Professionals won’t find themselves in that situation.
Professionals prepare, plan for contingencies, and are confident in their readiness for engagements. Let’s get there.
What is our territory of information to organize? This exam is 30 days to complete with exercises over three classes that take most people the better part of a year to complete. Sticky notes are the clay tablets of organization tools in this modern information age.
We will review the modern organization tools and approaches. Some of this may be common sense, but together they will all keep you focused and on task when exam day #1 hits.
On top of that, I’ll cover what you can organize ahead of time. Finally, there are some common-sense conclusions you can draw from the three prerequisites. Think about Virtual Machines, tools, checklists.
You should prep before you even start on your SANS MSISE journey.
What is an Index, and how do I make one?
How will I remember what tools I have learned? – there are many
How will I remember how even to use those tools?
Many tools X Many ways to use them = head explode
What software will I use to organize all of this?
The longer you wait to answer these questions, the harder a time you will have.
Your indexing solution is a personal choice tailored to your exam-taking style. Everyone has their own ‘right’ answer. Some swear by Voltaire (I advocate against it), while others like me run away to Google Sheets for data input + Excel for formatting. Ultimately you need to figure out what works for you.
Here is how you do it:
- Index the first book in a class, picking a method that seems OK
- Try answering some questions (on-demand quiz) or make some up based on the labs.
Take that experience and ask yourself:
- Was I able to look up what I needed fast? GIAC tests are timed.
- Was the way I entered the data quick and efficient? You will be writing a lot of indices, and speed matters.
- Will I be able to store this index electronically and search it easily during the Core Comp Exam?
If the answer is NO to any of those questions, find a new method.
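The third question above (can the index be stored electronically and searched quickly?) is easy to test once the index lives in a plain file. Here is an added example, not part of the original post, of a tiny search tool over a CSV index with the columns term, course, book, page and note. The column layout, the sample rows and the ranking rule are all my assumptions; the rows are constructed placeholders, not entries from a real SANS index.

```python
"""Search a personal GIAC-style index stored as CSV.

Added example: the CSV layout (term,course,book,page,note) and the sample
rows below are constructed for illustration, not taken from any course.
"""
import csv
import io

# Constructed sample index (hypothetical page numbers and notes).
SAMPLE_INDEX_CSV = """term,course,book,page,note
tcpdump -nn -r file.pcap,503,1,42,Read a pcap without name resolution
tcpdump BPF host filter,503,1,45,host 10.0.0.1 and port 80
nmap -sV,504,2,17,Service version detection
nmap -sC,504,2,18,Default script scan
Windows event ID 4624,401,3,88,Successful logon
OODA loop,504,1,5,Observe Orient Decide Act
"""


def load_index(csv_text):
    """Parse CSV text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search(index, query, course=None):
    """Return rows whose term or note contains any query word.

    Rows are ranked by how many distinct query words they match, then by
    course, book and page so hits from the same book sit together.
    An optional course filter (e.g. "503") narrows the search to one class.
    """
    words = {w.lower() for w in query.split() if w}
    scored = []
    for row in index:
        if course is not None and row["course"] != course:
            continue
        haystack = (row["term"] + " " + row["note"]).lower()
        score = sum(1 for w in words if w in haystack)
        if score:
            scored.append((score, row))
    scored.sort(key=lambda s: (-s[0], s[1]["course"],
                               int(s[1]["book"]), int(s[1]["page"])))
    return [row for _, row in scored]


def format_hit(row):
    """One-line rendering of a hit: where to open the book, then the term."""
    return (f"{row['course']} book {row['book']} p.{row['page']}: "
            f"{row['term']} ({row['note']})")


if __name__ == "__main__":
    index = load_index(SAMPLE_INDEX_CSV)
    for q in ("tcpdump", "nmap script", "logon"):
        print(f"== {q}")
        for hit in search(index, q):
            print("  " + format_hit(hit))
```

Timing a few queries against your real index file tells you immediately whether the electronic copy is fast enough for exam use; if grepping a spreadsheet export beats it, that is your answer.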
The number of tools and techniques you will be exposed to in just 3 SANS courses is staggering. Add capstones into the mix and it goes off the chart.
I documented 85 tools and 53 techniques from my in-scope classes. I also didn’t document the ones I knew well, so your list will be even longer!
My suggestion is to document a roster of tools and techniques, and how to use them, on a personal wiki. You have self-hosting options, OneNote, and Confluence Cloud (free). I went with Confluence Cloud.
Important Wiki Requirements:
- Backup – pdf? Print?
- Search with various options to help fine-tune your search
- Monospace formatting (for code and terminal copy&paste)
- Image embedding for screenshots
- Won’t kick you off for posting XSS proof of concepts or links to exploitdb & similar sites (Confluence hasn’t yet!)
- Supports a document hierarchy – think about parent pages with children, different ‘spaces/environments’ for various classes
- Availability – high uptime
- Security – MFA/HTTPS/permissions/perma-delete (say you accidentally publish sensitive info?)
With that wiki:
- make a separate ‘section’ for each class you go through
- document all new commands you learn
- note which ‘cheat sheets’ are best references for new commands- see the ultimate list
- document all new software tools you learn
- tcpdump was a massive hole in my inventory, so I spent a lot of time documenting it
- awk is something I am a pro at, so I passed on documenting it in 503
- document techniques you learn (e.g., sqli, XSS, pivoting/relays)
- document run books for various types of investigations – commands, procedures, thought process
- all three classes extensively cover this in multiple ways
- did you own a box in a 504 CTF? Document each step! Document the enumeration!
- Did a lab? You know what to do.
Let me tell you how I use my wiki. Anytime I need to recall how I use a tool, it is one search away to documentation that I’ll understand – because I wrote it. For example, suppose I am on a CTF or similar exercise. In that case, I am moments away from execution via the wiki vs. a needle-in-a-haystack search through potentially malicious websites via Google. Which do you prefer?
SANS Course Books
Count those course books. You can measure the depth in feet.
Your documentation doesn’t start and end with the labs. Did you ever notice a 5-page list of tools in 401 with little explanation as to what they do? Would it be a good idea to dig at least one metaphorical inch deep? Maybe write them down somewhere? I certainly did. Your courseware is littered with many pointers for you to explore further – perhaps you should? Based on the text of the core comp exam, those would all be in scope. I had to defeat my inner-lazy demon – you will too.
It may be a while from taking your first class to the core comprehensive exam. However, do perform these three essential tasks to ensure you have courseware to review when needed.
- Store your books somewhere safe from pets, babies, ceiling leaks, unhinged roommates, etc
- Save your course PDFs locally and on a cloud service or two (OneDrive, Dropbox, Google Drive)
- Save your PDF password in a password manager – double check!
- Backup your password manager passwords somewhere safe
What does the instructor spend a lot of time on? If I were writing a test that covers the class, I would write questions on that! As a counterpoint, if an instructor says something is for ‘completeness’ of the GIAC exam, maybe it isn’t an essential testable topic? Write your notes accordingly.
You are an information security professional.
One of the key differences between a professional and an amateur is depth of experience. No one has seen everything there is, but the more you know, the more you can relate to. During the Core Comp exam, you don’t want that test to be the first time you are exposed to a concept. In that situation, you’ll already be playing catch up.
Instead, let’s think of what exposures you would like to have. One is an excellent historical perspective of modern cybersecurity. The book Sandworm and the podcast Darknet Diaries are my favorite resources for speeding from zero to hero. For a more up-to-date view, the SANS Internet Storm Center podcast, Krebs on Security, Malwarebytes Labs, and Hacker News are all tremendous daily go-to’s. Beyond that, feed your curiosity to stay motivated. Fuel this life-long career marathon with your interests.
You should be in tune with whatever is the latest and greatest in your preferred Linux distro. Slingshot, Kali, Parrot, Black Arch, etc., all have their pros and cons. Whatever you choose, it is your responsibility to keep relatively up to date with that distro, the tools on it, and how to be proficient in it. You will have a bad day when you spin up a VM for game time at a professional event (e.g., the exam!) and there is a big surprise. Let’s minimize surprises. For instance, in Kali, you might end up with a zsh shell instead of bash, a very new development.
Here is the top secret of all professionals. Google. Are you good at using web search to research a problem? Can your BS radar detect when the website you are on won’t be worthwhile? If you can go from googling a question to a reasonable answer within minutes, then you are a pro at this. If not, I suggest hitting up some CTFs (see ctftime.org) with unfamiliar topics to force you to sharpen that skill. The ability to use the world’s most valuable information resource is your #1 skill. No one knows everything, but professionals know how to figure it out.
Even the most prepared problem-solver will come face-to-face with surprise. Your toolkit is to adapt and overcome. But how?
First, you need a framework for situations you can’t predict.
The OODA loop is a time-proven technique for decision-making in ambiguous situations. Each letter stands for one phase of the loop ‘Observe-Orient-Decide-Act.’ Observe is your information gathering stage. Orient is your analysis stage. Decide is your decision phase. Act is when you act. Then you loop back to Observe.
Repeat until the problem is resolved. This focused decision framework will keep you on a productive path when you are surprised/ambushed. Your enemy is “analysis paralysis,” and the OODA loop will defeat it.
Let me give you an entirely made-up example. Imagine you are tasked with reverse engineering a binary to find hidden strings and have had zero experience reverse engineering a binary. First, let’s go through some OODA loops.
Observe – I have to reverse engineer a binary to find a string
Orient – I need to figure out how to decompile it.
Decide – I will google and find & install a decompiler
Act – I google “how to reverse engineer a binary” and install Ghidra.
Observe – I have Ghidra opened, but I still need to decompile it.
Orient – I need to utilize Ghidra to decompile it.
Decide – I will find a Ghidra walkthrough and use it to at least open the binary
Act – I google “ghidra walkthrough to open a binary” and follow it
This iterative process will eventually converge on you solving your problem. If this still isn’t clear to you, I highly recommend practicing your web search skills to find resources for a further deep dive.
Next, you need to prepare for disaster. Then it won’t be a surprise.
Here are some of my anticipated surprises:
- Backup your VM. Snapshots are even better.
- What if your main computer dies? Do you have a backup machine? Is your VM there? Will it run?
- What if your books are damaged or missing? Do you have the pdfs? Are the pdf passwords securely stored in two different locations?
- What if your notes are unavailable from wherever they are stored? Do you have backups? Are your backups all on the same cloud provider?
- Is your internet reliable?
Depending on your risk tolerance, you may address some, none, or all of these. To be honest, I only addressed some concerns, but at least know your risk tolerance.
We know the Core Comprehensive Exam covers three classes’ worth of material. So that is nine months’ worth of classwork, all stuffed into one exam. SANS recognizes the workload and provides a generous 30-day time frame to complete it.
What follows is the official documentation from SANS Master’s degree requirements
To navigate this material, you will need to do some legwork in an orderly fashion. My key to staying sane and what I consider to be my most valuable tool is planning and preparation. There is only so much I can say due to the NDA. So use your creative problem-solving process to map this section to your exam situation. What would you do on day 1 with access to “STI Fortune Cookies”? How you answer that question is your key indicator of success.
How do we work smarter, not harder?
Human memories are fallible. Project planning will make sure you don’t forget that one essential task!
The Kanban board is a crucial tool for using your time efficiently. For a one-person show, it is the easiest task organization tool there is. You type up a list of tasks and move them from a “backlog” list to a “prioritized” list to an “in progress” list to a “done” list. At a glance, you can see what you need to do overall (backlog), what you intend to do soon (prioritized), etc. This creates the workflow you will use to power through dozens of tasks in a single evening. Remember to customize the workflow to whatever style works best for you.
Before the exam, you can use this to
- Build your tools inventory
- Build your techniques inventory
- Build your VM & install all the tools
- Test your VM
- Develop checklists for your various disaster scenarios
During the exam, you’ll have to use your imagination to map these tools to your situation. However, your professional attitude will help fill in the gaps. Take a look at what you need to do, and use that professional attitude when you create the tasks on your Kanban board.
There are various Kanban tools out there. I know some swear by Jira or pivotal. For a 1-person gig, Trello is simple and easy to use. I recommend it, but if you are happy with some other solution, go with what you know.
If Kanban is new to you, follow up with your research on Kanban. Also, consider utilizing some of these for your personal life as a mini-practice run:
- Family Kanban board
- Kanban your SANS.edu work for a class
This exam is not a sprint. It is a marathon. Once you have determined the activities you need to accomplish, put some milestones down on a calendar. Life, work, and school all need to be in harmony. Thus planning out the academic marathon will keep it all in balance.
Take your personal calendar and make sure your plans for the exam match your plans for your life. There is only one of you to go around, so make it all work together in harmony.
On Day 1 of your Core Comprehensive Exam, I expect you to be a well-prepared professional with a force-multiplying toolset. Off-the-cuff inefficiency is for the amateur, which we are not. A 100% focused and organized junior engineer will beat a 5% focused off-the-cuff senior engineer every time. Whatever your skill level, working efficiently will get you to the finish line faster with improved results.
Being nervous about an unknown, mysterious exam is entirely OK. Your reaction to the unknown is where you will sink or swim, both in the exam and on the job. Use that energy to help marshal the mental resources and focus needed to mind your 6 P’s (Prior Preparation Prevents Piss Poor Performance). Those 6 P’s will let you focus on the new, while your deck of tricks will handle the known.
At some point, you will take this exam. Don’t be a barbarian and forget all the civilized lessons from this article. Instead, take this foundation and build upon it. Channel the professionalism that your SANS instructors demonstrate, and consider how they would approach the same problems you face.