Mar 30, 2023

SANS Index Creation and Study Guide

Am I writing this guide to how I create indexes for you? Or am I writing to convince myself to make the index I am avoiding?

How I study for SANS | GIAC exams

The Index

GIAC exams allowing books and notes while taking the test is not the blessing it seems to be. There are generally 8–9 books (including the lab workbooks) and searching for something can be like finding a needle in a haystack. I have a very rudimentary process for creating an index that I have used for the last 4 exams, and it has worked well for me. I am not saying this is the best way to do it, but it is how I do it. If you want to be a B-C student read further!

The (sometimes) Included Index

Depending on the author of the course, there may be an existing index included in the last pages of the workbook. Most of the SANS classes I have taken up to this point have included this index; however, it is up to the course author’s discretion. It can be good enough to pass the class, but if I took a class that did not have an index I would recreate the list of topics and the page number and book they appear in. This basic index is helpful for Hail Mary searches during an exam where you have to find all the mentions of a topic very quickly. I find it hard, however, to parse the context of something like this:

| Topic | Locations |
| --- | --- |
| Azure AD | 3.111, 4.21, 5.161 |
| AWS S3 | 2.11, 3.21, 4.161 |

In the middle of the test, I am forced to think about what day of class and what book that correlates to. Then I have to find the context of the question I am researching and hope that my guess is close enough to confirm the answer.

My Custom Index

Instead of tying a topic to a simple page number, my personal index takes a different approach. I create a spreadsheet with the following columns:

| Book | Page | Slide Title | Keyword 1 | Keyword 2 |
| --- | --- | --- | --- | --- |
| 1 | 1 | Introduction to Slide Topic | Azure | AD |
| 1 | 2 | Introduction to Slide Topic | AWS | S3 |

This allows me to take each book and have a quick way to reference slide titles and the potential data located on each slide. The keywords are made up of the paragraphs of content underneath the slides.

I do this for every book. When I am done I have a spreadsheet with sheets for each book. You could print the various sheets, but I find it hard to parse the information in this format.

Indigo - XLSX to Markdown

I created a tool called indi-go that takes the XLSX file and converts it to Markdown. I then print the markdown files as PDFs. This allows me to have a parsable index that I can scan for keywords and slide titles.
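A sketch of that conversion step, added here as an example; it is not the indi-go tool's code. It assumes the spreadsheet has been exported to CSV with the columns shown earlier, and the function names are hypothetical. It also builds a keyword-to-location list in the `book.page` style of the included index.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the column layout described above
# (assumption: a CSV export; the real index is an XLSX workbook).
SAMPLE_CSV = """Book,Page,Slide Title,Keyword 1,Keyword 2
1,1,Introduction to Slide Topic,Azure,AD
1,2,Introduction to Slide Topic,AWS,S3
2,11,Bucket Policies,AWS,S3
3,111,Conditional Access,Azure,AD
"""

def load_rows(csv_text):
    """Parse the index rows, converting book and page to integers."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        keywords = [v.strip() for k, v in rec.items()
                    if k and k.startswith("Keyword") and v and v.strip()]
        rows.append({"book": int(rec["Book"]), "page": int(rec["Page"]),
                     "title": rec["Slide Title"].strip(), "keywords": keywords})
    return rows

def book_tables(rows):
    """Return {book: markdown table}, one table per book, sorted by page."""
    by_book = defaultdict(list)
    for r in rows:
        by_book[r["book"]].append(r)
    tables = {}
    for book, items in sorted(by_book.items()):
        lines = ["| Page | Slide Title | Keywords |", "| --- | --- | --- |"]
        for r in sorted(items, key=lambda r: r["page"]):
            title = r["title"].replace("|", "\\|")  # keep pipes from breaking the table
            lines.append(f"| {r['page']} | {title} | {', '.join(r['keywords'])} |")
        tables[book] = "\n".join(lines)
    return tables

def keyword_locations(rows):
    """Reverse index: lowercased keyword -> sorted 'book.page' locations."""
    locs = defaultdict(set)
    for r in rows:
        for kw in r["keywords"]:
            locs[kw.lower()].add((r["book"], r["page"]))
    return {kw: [f"{b}.{p}" for b, p in sorted(v)] for kw, v in sorted(locs.items())}

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("\n\n".join(f"Book {b}\n\n{t}" for b, t in book_tables(rows).items()))
    print(keyword_locations(rows))
```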

Practice Exams

The graduate certificate price includes two practice exams. I take the first practice exam with no assistance from any index. This test is a baseline to see where I am falling short in certain areas. I then take the second practice exam with the index. This is to see if I can find the information I need quickly and accurately. If I run into problems parsing my notes I can make adjustments to my system before I sit for the final exam.

The Final Exam

SANS retakes are notoriously expensive. Since I don’t want to pay harder for another shot at the test, I make sure to run through all the labs for the class once or twice before I sit. My notes also include cheat sheets for the lab exercises that include many of the commands that are used.

Adding a Word Cloud

Since I had digital PDFs on my last exam (SEC541), I decided to play around with running some pandas and matplotlib in Python to scrape the PDFs for each day and create a word cloud to represent the contents of the book. This was harder to do well! I eventually cleaned the extracted PDF data of all watermark text, UUIDs, home addresses and more. I was able to write a simple script to display the data. It’s a chunky boy and includes some PII, so I don’t have it up on GitHub, but here is the generate_wordcloud() function I wrote:

```python
import matplotlib.pyplot as plt
import spacy
from wordcloud import WordCloud


def generate_wordcloud(text, exclude_words=None):
    if exclude_words is None:
        exclude_words = []

    nlp = spacy.load("en_core_web_sm")
    doc = nlp(text)

    # Extract proper nouns (NNP) and compound proper nouns (NNP + NNP)
    proper_nouns = [token.text for token in doc if token.pos_ == "PROPN"]
    compound_proper_nouns = [chunk.text for chunk in doc.noun_chunks if chunk.root.pos_ == "PROPN"]

    # Combine proper nouns and compound proper nouns
    filtered_words = proper_nouns + compound_proper_nouns

    # Remove single-character words and common irrelevant words
    irrelevant_words = ['is', 'the', 'and', 'or', 'of', 'in', 'for', 'on', 'as', 'to', 'at', 'by', 'with', 'from', 'into', 'during', 'including', 'until', 'against', 'among', 'throughout', 'despite', 'towards', 'upon', 'concerning', 'to', 'in', 'for', 'on', 'by', 'about', 'like', 'through', 'over', 'before', 'between', 'after', 'since', 'without', 'under', 'within', 'along', 'following', 'across', 'behind', 'beyond', 'plus', 'except', 'but', 'up', 'out', 'around', 'down', 'off', 'above', 'near']
    filtered_words = [word for word in filtered_words if len(word) > 1 and word.lower() not in irrelevant_words]

    # Remove specific phrase "SEC Monitoring"
    filtered_words = [word for word in filtered_words if word != "SEC Monitoring"]

    # Join the filtered words back into a string
    filtered_text = ' '.join(filtered_words)

    wordcloud = WordCloud(width=800, height=800,
                          background_color='white',
                          min_font_size=10,
                          stopwords=set(exclude_words)).generate(filtered_text)

    # Print the words going into the word cloud
    print("Words in the word cloud:")
    for word, frequency in wordcloud.words_.items():
        print(f"{word}: {frequency}")

    plt.figure(figsize=(8, 8), facecolor=None)
    plt.imshow(wordcloud)
    plt.axis("off")
    plt.tight_layout(pad=0)
    plt.savefig("wordcloud.png")
    plt.show()  # if you are in a notebook you can use plt.show() to display the image.
```

I am about as good a Python developer as I am a mechanic (that is to say: not very good), but I was eventually able to hammer something into place that met my needs. These word cloud images were great at the front of each book’s page of notes, a super quick reference on where I might find topics in the book by font weight and size.
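The cleanup step mentioned earlier (watermark text, UUIDs and similar personal details) is not shown in the post. The following is an added sketch of one way to do it before calling generate_wordcloud(); it is not the author's script. It assumes the text has already been extracted one string per page and that licensee lines repeat on most pages; an address is only caught when it is part of such a repeated line, and the function names are hypothetical.

```python
import re
from collections import Counter

UUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def repeated_lines(pages, min_fraction=0.8):
    """Lines present on at least min_fraction of pages (watermarks, footers)."""
    counts = Counter()
    for page in pages:
        counts.update({ln.strip() for ln in page.splitlines() if ln.strip()})
    threshold = max(2, int(len(pages) * min_fraction))
    return {ln for ln, n in counts.items() if n >= threshold}

def scrub(pages, min_fraction=0.8):
    """Return the page texts joined, minus repeated lines, UUIDs and e-mails."""
    drop = repeated_lines(pages, min_fraction)
    kept = []
    for page in pages:
        for ln in page.splitlines():
            ln = ln.strip()
            if not ln or ln in drop:
                continue
            ln = EMAIL_RE.sub("", UUID_RE.sub("", ln))
            ln = re.sub(r"\s{2,}", " ", ln).strip()
            if ln:
                kept.append(ln)
    return "\n".join(kept)

# Constructed page texts; the name, address and UUID are made up.
SAMPLE_PAGES = [
    "Licensed To: Jane Example <jane@example.com>\n12 Example St, Springfield\nCloudTrail Basics\nCloudTrail records API calls",
    "Licensed To: Jane Example <jane@example.com>\n12 Example St, Springfield\nGuardDuty Findings\nref 123e4567-e89b-12d3-a456-426614174000 GuardDuty",
    "Licensed To: Jane Example <jane@example.com>\n12 Example St, Springfield\nAzure AD Sign-in Logs",
]

if __name__ == "__main__":
    print(scrub(SAMPLE_PAGES))
```

A slide title that genuinely repeats on most pages would be dropped as well, so check the set returned by repeated_lines() before trusting the output.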

Wrap Up

I didn’t get the best grades ever but I feel this method helped me quickly scan through multiple books of material and find the relevant information to confirm the answers quickly. I don’t want to be in a position where I don’t know an answer. I want to be 98% sure of what I should put, but in those cases where I truly have no idea I use the 15-question skips as wisely as possible. If I don’t know an answer, there is a chance I will stumble upon it looking for other information as the test progresses. Hopefully, this helped you, and if you have any tips and tricks for passing - I encourage you to share them with me and others through appropriate channels (your own blog, LinkedIn, Twitter).