Introduction
Entering the field of cybersecurity is a dream for many individuals. Those with experience in cybersecurity are eager to keep learning and expanding their skill sets. The opportunity to innovate and excel in this fast-paced industry is truly exhilarating. Security professionals mostly develop their skills by pursuing professional certifications.
Having already obtained the BTL1 certification in defensive security from Security Blue Team1, I am now actively seeking further opportunities to enhance my cybersecurity skills, with a specific focus on defense. Recently, I discovered the eCIR certification2, which perfectly aligns with my development goals.
In this article, I will share my experience with the eCIR exam, provide some tips, and discuss how I prepared for this certification.
Exam Format
The exam spans 4 days, with the first two dedicated to investigation and the remaining two for writing a report. Therefore, if you do not finish your investigation within the first two days, you will not be able to continue.
My Experience
What happens in this machine?
The exam realistically simulated real-world incident response by providing only a brief overview of the scenario. This limited information, just like in a true security breach, makes it challenging to distinguish between genuine threats and normal network activity. This lack of detail initially presented a challenge due to my limited experience. However, as I delved deeper, the exam became surprisingly enjoyable.
During the investigation, I discovered a large amount of data related to the incident scenarios. It’s highly recommended to take notes, as they will be very helpful when writing the report.
I believe that obtaining this certification will enable me to apply the knowledge gained from this exam to real-life incident handling situations. Despite this positive outlook, there are a few issues that I would like to address.
VPN Connection -
It sounds weird, right? The portal provided us with an instruction, course scenarios, and the VPN configuration file. Everything is documented in the instruction document. However, when I first connected to the VPN with OpenVPN, it didn’t work for me. I spent some time searching the internet. Luckily, I came across an eCTHPv2 blog written in Thai3 that mentioned the same issue with connecting to the VPN. So, I followed the blogger’s solution. This led to the realization that I was using the wrong VPN version (2.6.x), so I downgraded to version 2.4.7 and it then works perfectly.
Lab always crashed -
I’m unsure about the problem, but during the exam for the first scenario, I had to pause and resume the lab every 2 hours because it was not responding. This issue only happened while analyzing the first scenario, as the second one worked correctly.
How Do I Prepare?
I can confidently say that I dedicated a lot of time and effort to this course in order to pass on my first attempt. However, focusing on a single point of learning is not the best strategy for me. Therefore, in conjunction with following the INE Learning Path, I took the initiative to set up my own virtual lab on my laptop to enhance my understanding and hands-on experience with SIEM technology.
INE Course
The certification program suggests you to take IHRP4 learning path where you will learn from the very first foundational concepts of incident responder. From each stage of IR life cycle based on NIST framework, how to detect each stage of cyber kill chain, network detection, as well as Security Event and Information Management (SIEM) system.
These modules offer a comprehensive foundation of incident response, including in-depth explorations of some technical areas. Learning styles differ, and you might find additional resources like video tutorials or practical case studies helpful for mastering complex topics. Actively seeking out different learning methods will significantly enhance your ability to apply these learnings.
Extra Miles Practice
Offensive Tools
To enhance our detection abilities, we must step into the attacker’s shoes. Familiarizing ourselves with offensive tools can help us quickly identify the sources of investigation. I highly recommend setting up a lab environment and practicing running post-exploitation tools on a virtual machine. This will allow you to find and analyze the artifacts that these tools leave behind on the system.
Splunk Boss of The SOC
I can confidently say that going the extra mile helped me significantly during my exam by familiarizing myself with Splunk Platform and SPL. Here are some datasets and online labs that you can use to practice using Splunk.
ELK Stacks Hunting Lab
Unfortunately, I did not come across many ELK labs during my preparation time. All I could find is listed below,
Tips for The Exam
- Keep track of everything you find during the investigation. Like me, I use OneNote to organize all my findings, but any note-taking app that works for you will do the trick!
- To stay organized while taking notes, consider separating desktop workspace on your Windows5 or using multiple monitor if available. This will help you avoid information overload when dealing with large amounts of data.
- If you find yourself in a difficult situation, it’s okay to step back and take a break.
- Do not rush, take your time. By rushing through the investigation, you may miss out on valuable clues.
Conclusion
This certification exam is realistic and suitable for individuals interested in an incident response role. It is both challenging and rewarding, particularly for someone with limited experience like myself. The steps taken by the attacker in the scenario closely resemble what a real adversary might do in a similar situation.
References
-
(2024, SecurityBlueTeam), Blue Team Level 1 Certification ↩
-
(2024, INE), eLearnSecurity Certifiend Incident Responder ↩
-
(2022, Medium), eCHTPv2 Review by Pen-tester ↩
-
(2024, INE), Incident Handling & Response Professional ↩
-
(2023, PCWorld), Use virtual desktops in Windows 10 and 11 to help you stay more organized ↩