ECSA Review by a Senior Penetration Tester

A few months ago, I took EC Council's "EC Council Certified Security Analyst" (ECSA) course.  ECSA is EC Council's next step in its course hierarchy for penetration testers, which culminates in the LPT (Licensed Penetration Tester) Master certification.

EC-Council iLabs. A cyber range used for exploition and the ECSA practical.

EC-Council iLabs. A cyber range used for exploition and the ECSA practical.

The ECSA takes the material covered in the Certified Ethical Hacker (CEH) course and applies structure and a disciplined methodology to it.  The class consists of lecture and hands on exercises in EC Council's "iLabs" environment, with 30 days of access included in the price of the course.  iLabs allows you to practice your hacking skills against a network of computers, right from your browser anywhere in the world with internet access!  The exercises guide you through various tools and hacking techniques, but you can also go "free range" if you like, to experiment with other tools and tactics.

The first part of the ECSA exam is the hands-on pentest, which consists of about a dozen "challenges," which are pentesting tasks with particular objectives specified.  The objective may be obtaining the hash of a protected file, using a particular method to break into a machine, and even one task of obtaining evidence against a corporate spy!  The actual tools you need to use for each challenge are not specified, but some of the challenges will naturally lead you to using one tool over another.  As you progress through the challenges, they get increasingly, well...challenging.  The latter challenges require you to apply multiple tools in multiple steps to get you closer to the objective.  The variety of objectives, tools, and tactics really makes the hands-on section interesting and even fun.  It will, however, require persistence, ingenuity, and research to complete.  Once you are done with the challenge tasks, you will be required to submit a pentest report.  The pentest report is not exactly like a real pentest report, in that the objectives were specified for you.  And the only section of the pentest template that you will be required to submit will be section 2.0, entitled "Comprehensive Technical Report", where you detail the steps of what you did, how you did it, and your recommended fixes. 

Windows Snipping Tool. Useful for screen captures.

Windows Snipping Tool. Useful for screen captures.

Since iLabs does not have the ability to upload or download files to the Virtual Machines, you are required to illustrate your work with screen captures.  This can make the final document, including the template portions that are not required to be modified, a little bulky.  My final report came to 95 pages.


Once you have submitted your pentest report, you wait a few days to be contacted by email by an EC Council representative, who will tell you if you passed or failed.  If you passed, you may then schedule the second part of your exam, a four-hour, 150 question multiple choice exam.  I highly recommend taking the few days between the notification and your exam to go back and study the ECSA materials thoroughly!  The written exam is much more challenging than the CEH.  It goes into much more detail about the actual tools and techniques than the CEH does.  Keep in mind that just because a topic didn't get much coverage on the CEH test, that doesn't mean that it won't be covered on the ECSA in depth!  So, don't give any of the topics short shrift, because you will be required to know all of the material covered.  Once you complete the exam, you will know immediately whether you passed or failed.  Once you pass, you will receive your ECSA certificate within a few days.

The ECSA is great certification for demonstrating that you didn't just memorize answers to a test, but that you can apply the tools and principles in a realistic scenario.  The skills you learn in the ECSA course will be directly applicable to real-word pentesting engagements.

Author Bio

Doc Sewell in Dandong, China, across the Yalu River from Shinuiju, North Korea

Daniel "Doc" Sewell works as a Senior Cyber Security Engineer for Alpine Security in Fairview Heights, Illinois. He currently holds nine security-related certifications, including EC Council Certified Security Analyst (ECSA), Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP). Doc has many years of experience in software development, working on web interfaces, database applications, thick-client GUIs, battlefield simulation software, automated aircraft scheduling systems, embedded systems, and multi-threaded CPU and GPU applications. Doc's cybersecurity experience includes penetration testing a fighter jet embedded system, penetration testing medical lab devices, creating phishing emails and fake web sites for social engineering engagements, and teaching security courses to world-renowned organizations such as Lockheed Martin and the Hong Kong Police Department. Doc's hobbies and interests include home networking, operating systems, computer gaming, reading, movie watching, and traveling.