How to Pass the GCIH (GIAC Certified Incident Handler) Exam
Master the GIAC GCIH exam with strategies for incident handling, attack techniques, and building the perfect open-book index for SANS SEC504 content.
GCIH: The Incident Handler's Certification
The GCIH (GIAC Certified Incident Handler) validates your ability to detect, respond to, and resolve security incidents. Based on the SANS SEC504 course, it covers both attacker techniques AND defender responses. This dual perspective makes GCIH uniquely valuable — you learn how attacks work so you can better defend against them.
The exam has 106 questions in 4 hours with a passing score of 70%. Like all GIAC exams, it is open book.
What GCIH Tests
GCIH is structured around the incident handling process combined with knowledge of specific attack techniques and tools.
The Incident Handling Process
Six-step process (know this cold):
1. Preparation: IR plan, team, tools, communication plans
2. Identification: Detecting that an incident has occurred
3. Containment: Limiting the damage (short-term and long-term)
4. Eradication: Removing the attacker and their artifacts
5. Recovery: Restoring systems to normal operations
6. Lessons Learned: Post-incident review and improvements
For each attack type on the exam, you should be able to map it to the appropriate response at each phase.
Attack Techniques (The Core of the Exam)
Reconnaissance: DNS enumeration, port scanning, OSINT, Google dorking, Shodan. Know the tools and what each reveals.
Scanning and enumeration: Nmap scan types and output interpretation. Service enumeration. Vulnerability scanning.
Exploitation: Web application attacks (SQL injection, XSS, CSRF, command injection). Network attacks (ARP spoofing, MITM, DNS poisoning, LLMNR/NBT-NS poisoning). Password attacks (brute force, dictionary, password spraying, credential stuffing, pass-the-hash).
Post-exploitation: Privilege escalation (Linux and Windows techniques). Lateral movement (PsExec, WMI, RDP, SSH pivoting). Persistence (scheduled tasks, registry keys, cron jobs, web shells, rootkits). Data exfiltration techniques. Covering tracks (log manipulation, timestomping).
Denial of service: Volumetric attacks, protocol attacks, application-layer attacks, amplification attacks.
Malware: Types (virus, worm, trojan, ransomware, rootkit, keylogger, RAT). Indicators of compromise. Basic analysis: strings, behavioral analysis, sandboxing.
Defensive Techniques
For each attack technique, know the corresponding defense.
Building Your GCIH Index
Your index structure should follow the attack-defense pattern:
For each attack technique, index: definition, tools used, indicators of compromise, detection methods, containment strategy, and eradication steps.
Example index entry:
"Kerberoasting → SEC504 Book 3, p.47 → Attack: request TGS for service accounts, crack offline → Detect: Event ID 4769 with RC4 encryption → Response: disable RC4, use AES, enforce strong service account passwords"
This format lets you quickly answer any question about a technique — whether it asks about the attack mechanism, detection, or response.
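To make the "Detect" half of that index entry concrete, here is an added example (not from the article or the SEC504 material) that runs the Event ID 4769 check over a handful of constructed log lines. The ticket encryption type codes are the standard Windows values (0x17 = RC4-HMAC, 0x11/0x12 = AES); the flattened key=value line format, the exclusion of computer accounts and krbtgt, and the three-service threshold are assumptions chosen for the example, not rules the article states.

```python
"""Kerberoasting detection check: Event ID 4769 (TGS request) with RC4 encryption.
The log lines below are constructed for this example; real 4769 events arrive as
EVTX/XML and would need a different parser, the detection logic is the same."""
import re
from collections import defaultdict
from dataclasses import dataclass

RC4_HMAC = "0x17"                    # TicketEncryptionType value for RC4-HMAC
KV_RE = re.compile(r"(\w+)=(\S+)")   # key=value tokens in the flattened sample format

# Constructed sample: one requester pulls RC4 tickets for three service accounts (the
# bulk pattern), one legacy app requests a single RC4 ticket (expected noise), and one
# request targets krbtgt (not roastable). Not real log output.
SAMPLE_EVENTS = """
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.9
EventID=4624 TargetUserName=bob@CORP.LOCAL LogonType=3 IpAddress=10.0.0.9
EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.0.22
"""


@dataclass(frozen=True)
class TgsRequest:
    account: str     # TargetUserName: the account that requested the ticket
    service: str     # ServiceName: the account behind the requested SPN
    enc_type: str    # TicketEncryptionType
    client_ip: str   # IpAddress of the requester


def parse_events(text):
    """Parse flattened key=value lines and keep only Event ID 4769 records."""
    requests = []
    for line in text.strip().splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("EventID") != "4769":
            continue
        requests.append(TgsRequest(fields["TargetUserName"], fields["ServiceName"],
                                   fields["TicketEncryptionType"], fields["IpAddress"]))
    return requests


def is_roastable_rc4(req):
    """Per-event indicator from the index entry: an RC4 ticket for a user-style service
    account. Computer accounts (trailing $) and krbtgt are excluded as a tuning
    assumption, since their long random keys are not a practical offline-cracking target."""
    return (req.enc_type == RC4_HMAC
            and not req.service.endswith("$")
            and req.service.lower() != "krbtgt")


def find_kerberoasting(requests, min_services=3):
    """Group RC4 requests by (account, client IP) and flag requesters that pulled tickets
    for at least min_services distinct service accounts. A single RC4 ticket is often a
    legacy application; many distinct ones from one requester is the roasting pattern.
    Returns {(account, ip): sorted list of service accounts}."""
    per_requester = defaultdict(set)
    for req in requests:
        if is_roastable_rc4(req):
            per_requester[(req.account, req.client_ip)].add(req.service)
    return {key: sorted(services) for key, services in per_requester.items()
            if len(services) >= min_services}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for (account, ip), services in find_kerberoasting(events).items():
        print(f"ALERT possible Kerberoasting: {account} from {ip} requested RC4 TGS for {services}")
```

Running it flags only alice from 10.0.0.5 (three distinct RC4 service tickets); legacyapp's single request stays below the threshold, which is the usual tuning trade-off, and the response side of the index entry (move service accounts to AES, set long passwords) is what removes the RC4 signal at the source.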
Study Strategy
Weeks 1-2: Incident handling methodology and preparation concepts.
Weeks 3-5: Attack techniques (this is the bulk of the exam). Study each technique: how it works, tools used, and how to detect/respond.
Weeks 6-7: Defensive techniques and mapping attacks to responses.
Week 8: Index refinement and practice exams.
Exam Strategy
GCIH questions often present a scenario — "A SOC analyst observes the following in the SIEM logs..." — and ask you to identify the attack, determine the appropriate response, or select the correct tool.
Read each scenario carefully. The specific details (log entries, network traffic patterns, file system artifacts) are clues that point to a specific attack technique. Match the clues to the technique, then select the appropriate response.
Prepare for GCIH with CyberCertPrep's incident handler practice questions covering attack techniques, detection methods, and response procedures mapped to the SEC504 curriculum.
Daniel Agrici
CEH, Security+, PenTest+
Daniel is the founder of CyberCertPrep. With a background in penetration testing and security consulting, he has passed 8 cybersecurity certifications and writes about exam strategies and career development.