Why is the GNFA relevant? What are the benefits to companies and to certified GNFA professionals?
Anyone involved in information security is familiar with the SANS (SysAdmin, Audit, Network and Security) Institute, given that it’s a global organization with an excellent reputation. Offering research, breaking news, training, and security alerts, it also serves on numerous task forces and industry organizations. Coincidentally, it is also behind the Global Information Assurance Certification (GIAC) program, which offers a wide variety of courses for those seeking globally recognized certification in incident response, threat investigation and forensics.
One such course is the GIAC Network Forensic Analyst Certification (GNFA), which focuses on the processes necessary to investigate network-based evidence. Available since November 2014, it’s designed to aid forensic professionals in environments where traditional full-disk data analysis is compromised by the huge volume of data involved.
As Phil Hagen, SANS Author and Certified Instructor, said in a press release, “A GNFA holder will be able to incorporate evidence from a wide variety of sources to improve the fidelity of their findings. This certification is designed to measure how the holder can analyze network data as a part of the investigation rather than focusing on a specific tool to do so.”
Rather than go into detail, consider this post an overview of the subject, given that GNFA certification needs renewal every four years and course material will always evolve to reflect new attack methods, countermeasures, and related tools. It’s best to include evergreen material rather than deal with fact-checkers calling me out for inaccuracy in future comments.
You Get What You Pay For
GIAC courses may seem expensive, and it’s true that the cost makes the price of an iPad look rather insignificant, but for those with an interest in data forensics, investigation and threat assessment, the GNFA is a critical certification and the training material is extensive (see course syllabus).
What GIAC calls certification attempts (and I call exams) currently cost $1,899 without SANS training or bundled options. If you already have a SANS qualification, then a discount of $800 applies (you need to email them for a discount code). Alternatively, if you avail of the recommended SANS training course (FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response), you pay just $769 for the exam ‘attempt’. Bear in mind that the FOR572 on-demand training will cost $6,610, making a grand total of $7,379. This seems like a substantial investment but is outweighed by other factors.
Personally, if I was to choose, I’d prefer to take the training, rather than risk failing the exam and having nothing to show for my investment. With just four months' access to training and the same concurrent limit on taking the exam in an approved Pearson test center, it’s probably best to avail of the available training, whether self-study, online or private. Pricing will vary, and it’s best to verify all available options in your jurisdiction before committing to training.
Given that most cyberattacks and data breaches have network elements, the GNFA is a worthwhile investment, although certification is by no means guaranteed, as the pass mark is 70%.
It is even possible to obtain a graduate degree (Master of Science in Information Security Engineering), with the GNFA one of the options available when selecting up to 8 GIAC certificates for inclusion.
Forensics in the traditional sense involves gathering evidence to detect criminal activities and ultimately using this evidence to identify the culprit. Cyber, data, or network forensics is no different, and professionals in this area could be seen as modern-day Sherlock Holmes, rather than the super-geeks they actually are. Not destroying evidence is a crucial element, i.e. don’t disturb the crime scene.
When a significant data breach occurs, forensic investigators determine how it happened, the data affected, and the users it impacts (if personally identifiable information (PII) is involved). How would it look when the next big data breach occurs and the affected company is unable to explain the events? “We were hacked… we don’t know when, who did it, or if data was captured.” Substantial fines are sure to follow from regulatory authorities, and perhaps a few class-action suits thrown in from irritated customers.
Many companies don’t have their own forensic experts and outsource according to requirements, for rates of $200 to $600 an hour, with even basic projects taking several days to complete. Forensics experts are in high demand and command six-figure salaries. A search on “GNFA” on recruitment sites yields pages of results and positions often include law enforcement or even the U.S. Navy.
Consider Your Options As An Employer And Employee
As a former employee of several high-tech multinationals, I believe that in-house training budgets are the best way to retain key employees, especially in the IT area. If a company is willing to invest in its existing IT team, adding to their skillset, it shows commitment and is far more rewarding than so-called team-building exercises where you end up stuck at a dinner table next to the boring accountant.
Why not put a few IT team members on different GIAC courses such as the GNFA? Okay, it could cost around $8,000 per course, but that’s just $2,000 per year before renewal (around $400) is necessary. Or, when hacked, you could blow $2,000 in a few hours with a consultant.
Admittedly, it’s better to have in-house expertise that can dedicate a portion of their working day to advanced threat assessment and traffic investigation. If a hack occurs, it’s pointless blaming IT team members that lack advanced skills in these areas. Techies are often keen to learn new skills and if the employer will pay for certifications that enhance company operations and reduce potential risk, then everyone wins.
Of course, employees that achieve certification in sought-after areas also deserve a raise, don’t they?
In conclusion, forensic certification is a huge benefit to security professionals, and employees who feel they are stuck in a rut could find new opportunities in the forensic field, especially if they have a background in programming or information security. With the GNFA just one of the forensic courses available, but a very important one, prospective jobseekers can specialize by industry (healthcare, for example), infrastructure, mobile, wireless and more.