Interview Q/A

What is Data Exfiltration?

Basically, data exfiltration is a form of a security breach that occurs when an individual's or company's data is copied, transferred, or retrieved from a computer or server without authorization.

What do you know about cybersecurity framework?

It is a guideline for organization to practice to better management and reduce cybersecurity risk. Example= NITS framework.

Difference Between Logical and Physical Address in Operating System

Logical address is generated by CPU during a program execution. Physical address refers to a location in the memory unit.

What is SSL and TLS?

Secure Socket Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols providing communication security over a network; for example, a client connecting to a web server. A "handshake" is done to establish trust and then negotiate what secret key should be used to encrypt and decrypt conversation at the start of a TLS or SSL connection. During this handshake the client and server will work out what mutual ciphers and hash algorithms are supported. This is also where a server will provide its digital certificate to a connecting client.TLS is the continuation of SSL. Over the years vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. For this reason, you should disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1 in your server configuration, leaving only TLS protocols 1.2 and 1.3 enabled. Click here for the latest news on TLS 1.3.- in Summary - Establish a session - Agree on an algorithm - Share secrets - Perform authentication - Transfer application data - Ensure privacy and integrity

How would you create a secure login field on a high-traffic website where performance matters?

The login must be on an https paging using SSL. With HTTP, the attacker could gain the information.

FireEye-Hx Case Study

///NO Page - Actions to do - What We See /// 1. Dashboard - Go to Dashboard - 1.Total Hosts with alerts 2. Alerts on High-value hosts 3. Exploits 4. Exploits blocked 5. Malware 6. Active and inactive hosts /// 2. Dashboard - Click on the total hosts with alerts - • Host Name, • Host IP, • Host Operating System / 3. Dashboard - Select the host with alert Yaltunterim - 10.0.2.15 /// 4. Dashboard - See "Host Details" • Host Name:yaltunterim, • Host IP:10.02.15, • Host OS: Windows 10 Pro, •Number of alerts:10, •Number of quarantines:7 /// 5. Host Details Select the alerts and quarantines Trojan.GenericKD.34831941 on PO19102020PDF[4664].html /// 6. Host Details See Alert type:Signature detection, Malware name: Trojan.GenericKD.34831941, Status:Quarantined, File Path: C:\Users\messy\......4664.html File Hash (MD5): e8b2d7234a8d006443833d8b536be6d6, Time (File created): 2020.11.10 03:11:50, Username:messy /// 7. Host Details Check file hash on VirusTotal e8b2d7234a8d006443833d8b536be6d6, See:Trojan[Phishing]/HTML.Agent /// 8. Triage View Triage Summary on the right date Alerting process: HxTsr.exe /// 9. Triage See the chart at the top Click on the green blocks with a red square Little red squares in green rectangles shows the alerting actions and then Confirm the file path /// 11. Data Acquisition Select Agent Events—>DNS Lookup Events Change all Fields in Search—>Process name Type "HxTsr" in Find Field It displays 8 lines in a slightly different color, See User visited outlook.office.com and downloaded HxTsr.exe /// 12. Data Acquisition Agent Events—>File Write Events —-> Search in All Fields File Hash (e8b2d7234a8d006443833d8b536be6d6) Hostname:yaltunterim. Username:messy, File size:2.8 KB, File Path:Users\messy/AppData..., FileName:P019...html, Timestamp:2020.11.10. 02:31:54 /// 13. Data Acquisition Agent Events—>Browser Url History Using the timestamp:2020.11.10 02:31:54 See the Url visited, Https://outlookmobile-office365-tas....." ///

The whole purpose of an APT attack is to gain ongoing access to the system. Hackers achieve this in a series of five stages.

1 - Gain Access 2 - Establish a Foothold 3 - Deepen Access 4 - Move Laterally 5 - Look, Learn, and Remain

What are your greatest strengths and accomplishments?

1) My current skills in most advanced security tools, experience in life and office. 2) I can learn something quickly. I am a self-starter and well-organized person. 3) I am a team player and I have ability work under stress. Good culture fit: •Team player •Steady, calming presence with a healthy sense of urgency. •Reliable •Self-motivated, efficient, effective •Naturally organized.

Cloud Computing

1- Amazon Web Services 2-Microsoft Azure 3-Google Cloud Platform 4-IBM Cloud 5-Salesforce 6-Oracle Cloud.

What is the OWASP top 10 list and why is it important?

1- INJECTION; Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. 2 - BROKEN AUTHENTICATION; Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently. 3 - SENSITIVE DATA EXPOSURE; Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. 4 - XML EXTERNAL ENTITIES (XXE); Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. 5 - BROKEN ACCESS CONTROL; Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access to other users' accounts, view sensitive files, modify other users' data, change access rights, etc. 6 - SECURITY MISCONFIGURATON; Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. 7 - CROSS-SITE SCRIPTING (XSS); XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface websites, or redirect the user to malicious sites. 8 - INSECURE DESERIALIZATION; Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. 9 - USING COMPONENTS WITH KNOWN VULNERABILITIES; Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. 10 - INSUFFICIENT LOGGING & MONITORING; Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

What's the difference between stored and reflected CROSS-SITE-SCRIPTING?

1- Stored is on a static page or pulled from a database and displayed to the user directly. attacked puts malicious data into server then goes to user with his request 2- Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site. attacker injects script to website and steal user session cookie.

How do you prioritize the weakness? What does VPR mean?

1-Prioritizing Weaknesses Based Upon Your Organization's Mission 2-Due to the high volume of reported weaknesses, the situation in which they must prioritize which issues you should investigate and fix first. 3-Vulnerability priority rating (VPR) Helps organizations improve their remediation efficiency and effectiveness by rating vulnerabilities based on severity level - Critical, High, Medium, and Low - determined by two components: technical impact and threat.

What is The Cyber Kill Chain?

1-RECONNAISSANCE; Information gathering aboout the target to find a weakness ( PASSIVE; whois, arin, google, shodan, job listings, company website / PROTECT;limit public information, social media acceptable use, modify server error messages, ACTIVE;Nmap, port scanning, banner grabbing, vulnerability scanners/ PROTECT;disable unused ports-services, honeypots, firewalls, IPS, TOR&3rd party VPN inbound blocking. 2-WEAPONIZATION; Find or Create the attack to exploit the weakness to select weapons based on earlier recon ( tools to use; metasploit exploit-db, veil framework, scoial engineering toolkit / PROTECT; patch management, disabling office macros, javascript, and browser plugings as administrative controls -- securtiy basics like AV, IPS, email security, MFA, audit logging as technical controls. 3- DELIVERY; selecting which avenue to deliver the exploit ( Websites - web filtering, dns filtering, social media - phishing campaigns, user input - ips/ids, email - DKIM&SPF, USB - disable usb and no admin rights 4 - EXPLOITATION; weapon delivered - attack executed to gain access ( SQL injection, buffer overflow, javascript hijack, malware / PROTECT; data execution prevention (DEP), anti-exploit, DETECT; sandbox 5 - INSTALLLATION; payload injected after exploit to gain better access ( offensive tools;dll hijacking, meterperter, RAT, registry changes, powershell commands / PROTECT; linux-chroot, windows;disable powershell, DETECT; uba/edr, RESPOND;follow incident response sops (i.d. device-isolate-wipe), RECOVER;restore or reimage. 6 - COMMAND AND CONTROL; remote control of the system by the attacker;PROTECT;network segmentation-micro segmentation-NGFW:C&C blocking-DNS redirect-application control-ioc (isolate-protect-detect), SSL deep packet inspection. 7 - ACTION ON OBJECTIVE; attacker executes desired action for financial, political, espionage, malicious insider, and laterel movement with Exfiltrate data ( PROTECTION; data leakage prevention (DLP), user behaviour analysis (UBA)), lateral movement (PROTECTION; network segmantation), zero trust security; trust no one by default to detect, response, and recover. https://www.youtube.com/watch?v=II91fiUax2g

How can we secure web-application?

1-Strong password policy. 2. Keep up to date 3- Install WAP. 4- Have back up 5-Scan website for vulnerability 6-Two factor authentications

Windows Event Viewer

1-Windows Log. 2-Application 3-Security 4-Setup 5- System; Windows event log management is important for security, troubleshooting, and compliance. When you look at your logs, you can monitor and report on file access, network connections, unauthorized activity, error messages, and unusual network and system behavior.

OSI MODEL (Open system interconnection)

1. Application (Layer 7). Identifies and establishes availability of communication partners, determining resource availability and synchronizing communication. 2. Presentation (Layer 6). Provides coding and conversion functions. 3. Session (Layer 5). Establishes, coordinates, and terminates communication sessions. 4. Transport (Layer 4). Provides transparent data transport and end-to-end transmission control. 5. Network (Layer 3). Provides routing and related functions. 6. Data link (Layer 2). Ensures that messages are delivered to the proper device across a physical network link. 7. Physical (Layer 1). Sends and receives bits across the network from one device to another.

What do you know about WEB-application security?

1. Application security describe security measure to prevent data and code withing the app. 2. Application security include hardware and software used to minimize the vulnerability.

How does SQL Injection work?

A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. Input validation and stored procedures reduce the risk of SQL injection attacks. SQL Injection is a web vulnerability caused by mistakes made by programmers. It allows an attacker to send commands to the database that the website or web application communicates with. This, in turn, lets the attacker get data from the database or even modify it.

What is chain of custody?

A chain of custody is a document that is borrowed from law enforcement that tracks evidence from the time the Computer Forensics Examiner gains possession of the item until it is released back to the owner.

/var/log/auth.log

Show the most recent login activity using auth.log data

What is ect/

System configuration files are here.

So, What are some of the top cybersecurity threats to look out for in 2020?

" A few of the biggest threats include: Phishing Attacks: Phishing attacks are a kind of social engineering attack where the attacker generates a fraudulent email, text, or website to trick a victim into surrendering sensitive information—such as login credentials for work, passwords to online accounts, credit card info, etc. IoT-Based Attacks: Simply put, an IoT attack is any cyberattack that leverages a victim's use of internet-connected smart devices (such as Wi-Fi enabled speakers, appliances, alarm clocks, etc.) to sneak malware onto a network. These attacks target IoT devices specifically because they are often overlooked when it comes to applying security patches—making them easier to compromise. Ransomware: Ransomware attacks generally involve the attacker infecting a victim's systems with a piece of malware that encrypts all of their data. The victim is then presented with an ultimatum—either pay the ransom or lose their data forever. Internal Attacks: The reason why insider attacks remain one of the biggest cybersecurity threats to watch for year after year is that they have an enormous potential to cause damage. One disgruntled or careless employee can break your network security open wide enough to allow for a major data security breach. Additionally, these attacks can be hard to predict and prevent without thorough preparation. DDoS Attacks: Distributed denial of service (DDoS) attacks remain a significant cyber threat to many organizations. These attacks are designed to overwhelm a victim's network resources so they cannot process legitimate traffic on their network. The methodology of these attacks can vary from one to the next and may involve varying levels of complexity. This is part of what makes DDoS attacks such a worrisome cybersecurity threat. "

Difference between firewall and proxy?

" A firewall and a proxy server are both components of network security. To some extent, they are similar in that they limit or block connections to and from your network, but they accomplish this in different ways. Firewalls can block ports and programs that try to gain unauthorized access to your computer, while proxy servers basically hide your internal network from the Internet. It works as a firewall in the sense that it blocks your network from being exposed to the Internet by redirecting web requests when necessary. Firewalls and proxy servers both can help you block viruses and other forms of malware from infecting your computers. A firewall can block ports commonly used by malicious viruses and worms. You can also use the firewall to specify which ports can be open. Common ports that are usually open are HTTP (port 80), SMTP (port 25), and POP3 (port 110). You may wish to leave certain other ports open as well while closing other ports. Proxy servers, on the other hand, create a barrier by being the "middleman" that sits between your network and the Internet. Users outside your network can only see your proxy server, while those inside the network can access the Internet only by passing through the proxy. This limits the window of opportunity through which viruses and worms can enter."

What is a SOC (Security Operations Center)?

" A security operations center is an organizational structure that continuously monitors and analyzes the security procedures of an organization. It also defends against security breaches and actively isolates and mitigates security risks. A SOC tracks and analyzes activity on servers, endpoints, networks, applications, databases, websites, and other technology systems. Its team members provide a critical layer of analysis needed to seek out any irregular activity that could suggest a security incident. While technology systems such as IPS or firewalls can prevent basic attacks, human expertise is needed to respond to serious incidents. Security information and event management (SIEM) is a solution that empowers SOC analysts by collecting security data from across the enterprise, identifying events that have security relevance, and bringing them to the attention of the SOC team. A modern SIEM puts all the relevant information in front of security specialists to help them identify and mitigate incidents faster. Security Operations Center (SOC) Analysts use IDS/IPS (such as Snort, Bro, Security Onion, and Cisco IPS) and SIEM tools (such as Splunk, ArcSight, and QRadar) to perform their daily functions (these tools from various vendors work mostly the same way). SOC Analysts also need to have some Windows, Linux, and SQL skills to understand various network communications from different servers and network devices that may require their attention. They also need to understand the TCP/IP protocols and related IP and ports, so they know what IP addresses and ports to block in modifying access control lists on a router or on the network firewall in order to isolate a network from the Internet and stop attackers that are actively coming into the organization's network through such IP services or certain domain names/source networks. SOC Analysts often work with and share the same tools and ticket tracking systems with the Network Operations Center (NOC Analysts who are network admins who monitor the network devices' availability and troubleshoot them when they are down and keep them running 24/7. NOC Analysts typically hold CompTIA Network+ or Cisco CCNA/CCNP certifications, and they monitor network performance using network asset inventory/discovery tools running on Ping/Internet Control Message Protocol (ICMP) or Simple Network Management Protocol (SNMP) like Nmap ("Network Mapper"), Wireshark, LogRhythm Netmon and Solarwinds Network Performance Monitor, which also serve as or integrate with security IDS/IPS or SIEM tools. NOC Analysts make sure switches and routers are functioning properly to keep the network connected internally and externally, and that other servers and devices on the network are communicating properly. A SOC Analyst however focuses on security incidents on those network devices and they often work in shifts 24/7 as well. They use tools to perform network behavioral or heuristic analysis that goes into judging what legitimate network activity is and what it is not. The first task that would have been done in setting up the security monitoring tools to receive raw security-relevant data (e.g., logon/logoff events, persistent outbound data transfers, firewall allows/denies, etc.). This includes making sure the critical cloud and on-premises infrastructure (firewall, database server, file server, domain controller, DNS, email, web, active directory, etc.) are all sending their logs to the log management, log analytics, or SIEM tool. The second task is to use these tools to find suspicious or malicious activity by analyzing alerts; investigating indicators of compromise (IOCs like file hashes, IP addresses, domains, etc.); reviewing and editing event correlation rules; performing triage on these alerts by determining their criticality and scope of impact; evaluating attribution and adversary details; sharing the findings with the threat intelligence community; etc. The tools from various vendors that can perform the above functions are required for effective SOC activities in the form of defense-in-depth/layers of security measures, which may however be integrated into a few or single tools (s), such as Splunk, AlienVault USM, and Manage Engine Log360. These tools are connected to all systems on the network and pull copies of their logs in order to report on their availability status and any security event on them."

How do you keep up to date yourself and improve your skills?

" Actually Google helps me a lot to keep myself up to date. I have a Google News app which gives me a daily briefing on the current cyber security related news. I follow cybersecurity related websites like wired.com, ZDnet.com, Securityweek.com. I also follow SANS Institute and SwiftOnSecurity Twitter accounts and listen to Darknet Diaries podcast. I also take online courses from Coursera and Udemy to improve my skills as well."

Walk me thru QRADAR incident handling process?

" As a SOC analyst, one of my duties is to go through those offences, analyze them, and try to find what has happened. 1.I assign the offense to MYSELF. 2. Check SOURCE IP and DEST IP - I make sure that the IP addresses are coming from different, same, local, internal, external, 3.I Perform Background check on IP addresses from IBM-X-Force or verify in virustotal.com or from other open-source solutions. 4 Check asset details for the server, I try to see if the incident physical location, or determine if offense committed remotely. If it is internal incident I always call and contact the person associated with the offence to verify the details (example, for multiple password authentication failures check with user in question if s/he tried to login multiple times) 5. Check the EVENTS and FLOWS. Try to see the pattern of the events, I always take a note if that will give me an idea on the incident. 6. After that I Filter/Display events by LOW LEVEL CATEGORY and/or EVENT NAME to see the types of events associated with this offence 7. I take a note of any suspicious behavior by analyzing the events associated with SAME USER. I click on user and perform a search for a specified period of time to check whether any other related alerts were triggered/offences registered. 8. I always want to check incidents within 24 hours to see before the incident and after the incident time. 9. I make sure that I go into individual events, if necessary, to find out more details and grab the evidence 10. After all the steps I write my ticket in out ticketing system (THEHIVE) to document my work and I always communicate with my team. If the incident needs to be further investigation, then I escalate it to Tier-2"

SQL Injection?

" Attackers use SQL injection attacks to pass queries to back-end databases through web servers. Many SQL injection attacks use the phrase ' or '1'='1′ - to trick the database server into providing information. Protect; Input validation and stored procedures reduce the risk of SQL injection attacks"

How would you strengthen user authentication?

" Authentication, the process of proving that someone is who he claims to be, is one of the most important components of your security infrastructure. Users need information, but you want to make sure that you know who is accessing that information. Only specific To make authentication stronger, you can combine methods, often referred to as multi factor or strong authentication. The most common type is two-factor authentication, such as using a PIN code as well as a SecurID token to log on to your network. The example of two-factor authentication with which you are probably most familiar is your ATM card -- you insert your card (something you have) into the ATM machine and enter your PIN (something you know) to access your account number and perform transactions.individuals should see your company's payroll data or product source code, for example. To be effective, authentication works together with identification and authorization. (Access control) Identification, such as a username, determines whether a user is known to the system. Authorization determines whether the user is allowed to access the requested resource or data."

Why DNS monitoring is important?

" DNS has an important role in how end users in your enterprise connect to the internet. Each connection made to a domain by the client devices is recorded in the DNS logs. Botnets/Malware connecting - What websites visited by an employee - information for forensic analysis. "

The process of data encryption...

" Data, or plaintext, is encrypted with an encryption algorithm and an encryption key. The process results in ciphertext, which only can be viewed in its original form if it is decrypted with the correct key. Symmetric-key ciphers use the same secret key for encrypting and decrypting a message or file. While symmetric-key encryption is much faster than asymmetric encryption, the sender must exchange the encryption key with the recipient before he can decrypt it. As companies find themselves needing to securely distribute and manage huge quantities of keys, most data encryption services have adapted and use an asymmetric algorithm to exchange the secret key after using a symmetric algorithm to encrypt data. On the other hand, asymmetric cryptography, sometimes referred to as public-key cryptography, uses two different keys, one public and one private. The public key, as it is called, may be shared with everyone, but the private key must be protected."

How do you analyst PCAP file in WIRESHARK?

" I was requested to find a specific username, password, and file in a PCAP file. What I did step by step was. ● I opened PCAP with Wireshark. ● To see the traffic activity types and file sizes I went to 1) Statistics Tab 2) Protocol hierarchy(hayırärki) (communication task into several layers) and checked the results. ● I observed significantly higher size of data in FTP DATA under TCP protocol ● Then right clicked on the FTP data 1) Apply as Filter 2) Selected ● After this filter, I observed high size file packages with a name InfoSec.zip. ● Then right-clicked on one of the lines 1) Follow 2) TCP Stream ● I obtained a page beginning with PK and continuing with unreadable characters. ● Then I saved it using Raw DATA option and renaming as InfoSec.zip then closed ● Then I extracted the zipped file to the folder. ● Then observed the info in the file and I saw a CAT file.jpg. ● Then removed the filters in Wireshark to find username and password ● Clicked on the magnifier tab, changed the display filter to String Filter and then searched for "logged in" or "USER" Detected. ● Right Clicked on that package 1) Follow 2) TCP Stream ● Obtained the detailed information including Username and Password "

What is ICMP?

" ICMP (The Internet Control Message Protocol) is the housekeeping protocol of the internet. It works on the Network layer in the OSI model. It's the equivalent of one system asking another,'Are you there?' (ICMP echo request) and the target system responding, 'Yes, I am.' (ICMP echo reply). The ping command is one of the most basic network troubleshooting commands available. When a system sends a ping command over the network, the receiving system responds with an acknowledgement. ICMP also enables the use of the traceroute command. Traceroute performs more detailed troubleshooting by not only showing you whether a system is alive on the network, but also shows you the path over the network between those two systems. Internet Control Message protocol that used by network devices to diagnose the communiction issues. • ICMP is standing for Internet control message protocol. • ICMP works over layer 3 Network. • ICMP checks connectivity like "are you there". • ICMP works over port 0."

Phishing Email Handling process

" If the phishing incident was reported by a user, I will thank the user for reporting and tell them that I am beginning an investigation. · If the user did not send the headers or the original email as an attachment, ask for the headers or original email. · Create a ticket in Case Management/Ticketing tool. · If there is a potentially malicious attachment, send to sandbox/malware analysis tool. If there is a potential credential harvester, begin analysis of website for validation, then block domain if there is a true positive. Search to identify the scope of the incident. For example: • Were other users affected? •If credential harvester, did the user visit the site? •If malware, did it run on any systems? I can act if any user has compromised. I will Lock user account or quarantine machine if needed. Then require password reset or reimage machine afterwards, as needed. Contact Abuse Records, if necessary. I will Create executive summary detailing the incident and the response in clear details. If needed, discuss "lessons learned" so they can be applied to avoid or mitigate a similar incident from happening in the future."

What is man in the middle attack and how Can you Prevent?

" MITM attack happens between two party's communication. Basically, it listens the communication. • Most important prevention will be encryption. • Avoid open Wi-Fi networks. • VPN connection. Type of MITM attack: Rouge access point- ARP spoofing- DNS Spoofing How they attack: Sniffing = Use packet capture tools - Session Hijacking= They steal your session key. "

What is a SIM/SIEM?

" SIEM software collects and aggregates log data generated throughout the organization's technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. The software then identifies and categorizes incidents and events and analyzes them. The software delivers on two main objectives, which are to: ● provide reports on security-related incidents and events, such as successful and failed logins, malware activity and other possible malicious activities and ● send alerts if the analysis shows that an activity runs against predetermined rulesets and thus indicates a potential security issue. Splunk, IBM QRadar, McAfee are top SIEM providers. It basically collects logs, security related information from security devices and customer end points and runs AI and analytics to bring forward correlated and user actionable (human readable) information."

What is SQL Injection and Cross-site Scripting attack?

" SQL injection is a cyberattack which is a hacker inserts their own code into a website to breach its security measures and access protected data. Once inside, they can control the website's database and hijack user information. SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = ItemNumber. Cross-site scripting (XSS) XSS attacks are a type of code injection attack to inject client-side scripts into the application, for example, to redirect users to malicious websites. ><SCRIPT> in HTML Programing "

What is IP addressing? Name the IP address classes?

" The IP (Internet Protocol) is the fundamental protocol for communications on the Internet. It specifies the way information is packetized, addressed, transferred, routed, and received by network devices. An IP address is a number identifying a computer or another device on the Internet. It is similar to a mailing address, which identifies where postal mail comes from and where it should be delivered. IP addresses uniquely identify the source and destination of data transmitted with the Internet Protocol. IPv4 addresses are 32 bits long. An example of an IPv4 address is 216.58.216.164, which is the front page of Google.com. In the 1980s, this was sufficient to address every networked device, but scientists knew that this space would quickly become exhausted. Technologies such as NAT have delayed the problem by allowing many devices to use a single IP address, but a larger address space is needed to serve the modern Internet. A major advantage of IPv6 is that it uses 128 bits of data to store an address. The size of IPv6's address space — 340 duodecillion — is much, much larger than IPv4. IP address classes: With an IPv4 IP address, there are five classes of available IP ranges: Class A : 1-126/16m, Class B:128-191/65k, Class C:192-223/254, Class D:224-239/multi cast, Class E:240-254/R&D "

Malware analyzing process and Malware file analyzing?

" There are two Malware Analyzing type 1-Statistic and 2-Dynamic / Static Analyze: 1. Testing using Anti-virus 2. Malware Hashing 3. Detected malware packet (Pattern) / Dynamic Analyze: 1. Do it in Virtual Machine 2. Testing Malware Sandbox 3. Monitor Malware activity 4. Detect DNS activity 5. Packet Analyze in Wireshark"

How would you understand someone connected to your computer?

" • Check Recent Activities (The netstat command displays network statistics netstat -a to see the list), • Check Your • Check Windows 10 Logon Events (Event Viewer and click on the app. Go to Windows Log > Security) • "Applications and Service Logs" From there, EVENT ID 100,200,300 Diagnostics-Performance log mean that Windows has started up, shut down, or resumed from standby (sleep or hibernation)."

What are the basic responsibilities of a SOC Team?

" ● Implement and manage security tools. ● Investigate suspicious activities, contain and prevent them.● Reduce downtime and ensure business continuity.● Plan security strategies.● Audit and compliance supportSOC Analysts Levels/Tiers, Roles and Responsibilities Although a SOC is often manned by a single individual on 9-5 regular duty in small organizations, a SOC team made up of 4 -5 staff members in a mid-sized or large organization and typically on 24/7 shifts will look like this:Role: Tier 1: Security Analyst Description: Alert Analyst or Triage Specialist (Separating the wheat from the chaff) Skills Preferred: System admin skills (Windows, Linux, etc.); Common programming/scripting languages to parse logs (Python, Perl, PowerShell, Java, Ruby, etc...Note that SIEM tools like Splunk can also be used to parse log information.); security skills (CISSP, CEH, SANS GCIA or GCIH, CompTIA Security+ and CySA+, etc.) Responsibilities: Reviews the latest alerts to determine relevancy and urgency. Creates new trouble tickets for alerts that signal an incident and require Tier 2 / Incident Response review. Runs vulnerability scans and reviews vulnerability assessment reports. Manages and configures security monitoring tools (Netflows, IDS, correlation rules, etc.) In other words, he/she continuously monitors the alert queue; triages security alerts; monitors the health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work. Note that triage is the procedure of assigning levels of priority to tasks or individuals to determine the most effective order in which to deal with them. Role: Tier 2: Security Analyst Description: Incident Responder (IT's version of the first responder) Skills Preferred: All of the above + natural ability, dogged curiosity to get to the root cause, and the ability to remain calm under pressure. Being a former white hat hacker is also a big plus. Responsibilities: Reviews trouble tickets generated by Tier 1 Analyst(s). Leverages emerging threat intelligence (IOCs, updated rules, etc.) to identify affected systems and the scope of the attack. Reviews and collects asset data (configs, running processes, etc.) on these systems for further investigation. Determines and directs remediation and recovery efforts. In other words, performs deep-dive incident analysis by correlating data from various sources; determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats. Role: Tier 3: Subject Matter Expert (SME) Security Analyst Description: Threat Hunter (Hunts vs. Defends) Skills Preferred: All of the above + be familiar with using data visualization tools (e.g. Maltego) and penetration testing tools (e,g. Metasploit) Responsibilities: Reviews asset discovery and vulnerability assessment data. Explores ways to identify stealthy threats that may have found their way inside the network without detection, using the latest threat intelligence. Conducts penetration tests on production systems to validate resiliency and identify areas of weakness to fix. Also recommends how to optimize security monitoring tools based on threat hunting discoveries, searching data and users for newly reported vulnerabilities, identifying anomalies in IT systems using correlations and behavioral analytics, using tips from peers or the media and searching historical data for attack patterns or signatures similar to known attacks, and searching security data for patterns similar to a current or previous security incident. Role: Tier 4: SOC Manager Description: Operations & Management (Chief Operating Officer for the SOC) Skills Preferred: All of the above + strong leadership and communication skills Responsibilities: Supervises the activity of the SOC team. Recruits, hires, trains, and assesses the staff. Manages the escalation process and reviews incident reports. Develops and executes a crisis communication plan to the CISO and other stakeholders. Runs compliance reports and supports the audit process. Measures SOC performance metrics and communicates the value of security operations to business leaders. Also manages resources to include personnel, budget, shift scheduling and technology strategy to meet SLAs; provides overall direction for the SOC and input to the overall security strategy"

What is the difference between Malware and Exploit?

"Malware is malicious software code that typically damages, takes control of, or collects information from an infected endpoint. Malware is typically delivered over a network, though it can also be delivered via physical media, and it is classified by the payload or malicious action it performs. The classifications of malware include worms, Trojans, botnets, spyware viruses. An exploit is a piece of code or a program that takes advantage of a weakness (aka vulnerability) in an application or system. Exploits are typically divided into the resulting behavior after the vulnerability is exploited, such as arbitrary code execution, privilege escalation, denial of service, data exposure"

SOC Activities Stages

"The security incident handling within the SOC team may go through the following few stages: 1) CLASSIFICATION AND TRIAGE; In this first stage of event classification and the triage stage, Tier 1 SOC Analysts review the latest events that have the highest criticality or severity. Once they've verified that these events require further investigation, they'll escalate the issue to a Tier 2 Security Analyst (please note: for smaller teams, it may be that the same analyst will investigate issues as they escalate into a deeper investigation). The key to success in this stage is to document all activities (e.g. notation, trouble ticket, etc.).2) PRIORITIZATION & INCIDENT ANALYSIS; By prioritizing alarms in the exploitation & installation and system compromise categories, SOC analysts zero in on the threats that have already advanced beyond primary security defenses. SOC Analysts will review and respond to any activity that indicates an adversary has infiltrated your environment. This can range from the installation of a rootkit/RAT or backdoor virus taking advantage of an existing vulnerability of network communications between an internal host and a known bad IP address associated with a cyber adversary's network/infrastructure. Asset discovery which provides access to an updated and automated asset inventory is invaluable here, as the tool that does this provides information on all the IP-enabled devices on your network, as well as what software and services are installed on them, how they're configured, and whether they include potential vulnerabilities.3) REMEDIATION & RECOVERY; It is important to be able to detect events quickly so you can respond in time to prevent further damage. Each attack will differ in terms of the appropriate remediation steps to take on the affected systems, but it will often involve one or more of the following steps:1. Re-image or rebuild compromised systems, possibly from image copy, and take care to remediate any security vulnerabilities that may have contributed to the incident systems.2. Restore backup data, if necessary, to replace data of questionable integrity.3. Patch or update systems (e.g. apps and OS updates).4. Re-configure system access (e.g. account removals, password resets).5. Re-configure network access (e.g. ACL and firewall rules, VPN access, etc.).6. Review monitoring capabilities on servers and other assets (e.g. enabling HIDS).7. Validate patching procedures and other security controls by running vulnerability scans.8. Supplement existing security controls, if necessary, to fill gaps identified during the incident analysis. Some SOC teams hand off remediation and recovery procedures to other groups within IT. In this case, the SOC analyst would create a ticket and/or change control requests and may delegate them to those responsible for desktop and system operations. 4) ASSESSMENT & AUDIT; Running network vulnerability scans and generating compliance reports are some of the most common audit activities for SOC team members. Additionally, SOC team members may also review their SOC processes with audit teams (internal and external) to verify policy compliance as well as determine how to improve the SOC team's performance and efficiency. It is important to be able to run continuous vulnerability scans against all of your assets (internal and external assets, as well as those in your cloud environments) to detect any system changes that may signal an exposure."

Where Is the Windows Registry Stored?

%SystemRoot%\System32\Config\ folder.

LDAP (Lightweight Directory Access Protocol)

(Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate data about organizations, individuals, and other resources such as files and devices in a network.

QRADAR OFFENSE HANDLING CHEAT SHEET

1. Assign offense to yourself 2. Check SOURCE IP and DEST IP - are these different, same, local, internal, external, etc? Perform X-Force check for IPs, verify in virustotal.com or other open-source solutions as necessary. Check asset details for the server, see if you can determine the physical location, or determine if offence committed remotely. Can you call/contact the person associated with the offence to verify the details (i.e., for multiple password authentication failures check with user in question if s/he tried to login multiple times)? 3. Check the EVENTS and FLOWS. Try to see the pattern by quickly skimming through the events, take a note of the graph that will give you an idea on spikes, and if it's an automated attack (you'll notice intervals with spikes if it is). Filter/Display events by LOW LEVEL CATEGORY and/or EVENT NAME to see the types of events associated with this offence. 4. Take a note of any suspicious behavior by analyzing the events associated with same USER. Click on user and perform a search for a specified period of time to check whether any other related alerts were triggered/offences registered. 5. Go into individual events, if necessary, to find out more details and grab the evidence for escalations 6. Compare your findings on QRadar with the user's testimony/intel you gathered outside of QRadar to draw your conclusion 7. Add your notes to the offense and close it. Depending on company policy/protocol, work in your ticketing system to document your work and communicate with other teams for escalation or further investigation. Shortly; Assignt to yourself, understand the attack ( google if necessary), check related events/fows, Add notes regrading the information gathered, add closure notes regarding investigation steps and remediation actions, close offense.

Where Malware and Ransomware May Be Hiding?

1. Critical system files 2. Windows registry 3. Temporary folders 4. .Ink files 5. Word files

How to deal with Ransomware?

1. Disconnect the infected system from the network to ensure the attack does not spread to other computers and devices. 2. Validate the attack. 3. Gather the incident response team. 4. Analyze the incident and identify which ransomware strain has been used. 5. Contact law enforcement. 6. Restore data from backup. 7. Perform analysis and learn from the attack. Phishing Attack, JavaScript, Exploit Kits= Ransomware common delivery system.

What steps will you take to SECURE Data?

1. For Data protection we need to secure the servers. These servers should use SSL protocol for encryption and decryption. 2. Secure the use password. 3. Remove remote access. 4. Best firewall configuration. • Defense-in-Depth Architectural Engineering • Network & Communications Design and Build • Physical Security • Enterprise Continuity • Training and Awareness • Mobile Device Management

How will you handle credential lost incident?

1. Immediately lock the user's account. 2. Change the user's password to a new value. 3. Look for the activity logs to see whether any logins have taken place after the time that the user reported his or her credentials to be compromised.

What is the first three steps to secure a Windows server?

1. Set Firewall Rules 2. Set Strong Password Policies 3. Disable File Sharing 4. Backup Your Server

PHISHING RESPONSE PROTOCOL

1.Acknowledgement. Respond to the internal user with thanks and confirmation that you're starting investigation. Request the original email as attachment (NOT forwarded email) or ask them to copy the email header and screenshot the body of the email. (Guide on how to get email headers). Ask if any links were followed or attachments downloaded. 2.Create ticket in The Hive or other ticketing system to track your findings and communicate to your team internally that you're working on the issue. 3.Identification. Collect as much information and data about the phishing email, as follows: •The email address of the sender; •The intended recipient of the email;•The subject line of the particular email; •Carefully examine the email message, and if there is an attachment with it, make sure that you use the appropriate protocols to download it safely, make sure you store it in a separate folder (or even a zip file), and that it is also password protected so that only the appropriate IT personnel can access it. Use public sandboxes if needed: https://www.hybrid-analysis.com, https://app.any.run •If there is a suspicious link, which takes the recipient to a potential spoofed website, this will also have to be investigated. However, for these purposes, it is important to use a dedicated computer solely for just these purposes, (such as VM that you can restore from snapshot). Do not use any other server, workstation, or wireless device for this, as the potentially spoofed website could contain malware which could download itself rapidly. 4. Investigation: Examine the actual email message and its contents carefully to understand the impact and degree of damage. • Analysis of the email header: use https://mxtoolbox.com/EmailHeaders.aspx to analyze the header, https://spamcheck.postmarkapp.com/ to check the spam score of sender, https://whois.domaintools.com/ to check IP address or domain info • Analysis of the email message: carefully examine the email body for any links, and other suspicious details - there might be signs that can be difficult to spot at first • Analysis of the domain link(s) if the phishing email contains a suspicious link, carefully examine the spoofed website, and determine if the data on the website is actually posted. 5. Triage: If your investigation confirms that actual phishing attack is underway, determine the type of the attack by analyzing logs in your SIEM, and/or verifying similar phishing reports from other users: •BEC (Business Email Compromise) •Spear Phishing (where one particular individual or individuals are targeted);•Clone Phishing (where an original email message has been transformed into a malicious one);•Whaling (this is similar to BEC, but primarily C-Level Executives are specifically targeted);•Link Manipulation (this is where a spoofed website is involved);•Website Forgery (this is where JavaScript code is used to alter the URL bar maliciously);•Covert Redirect (this when a website address looks genuine and authentic, but the victim is taken to a spoofed website);• Social Engineering (this occurs typically in a business environment where lower-ranking employees [such as administrative assistants] are targeted and conned to give out corporate secrets);• SMS (in these instances, wireless devices, primarily Smartphones are targeted, and malicious text messages are sent instead).Once the above has been determined, determine the priority level (low to high, or mild to severe depending on company rules). Notify the IT staff, Security manager (and other relevant teams to remediate the situation), that an attack is underway if they are not aware of the situation already and escalate accordingly. • Take action if you find a compromise. Lock user account or quarantine machine if needed. Then require password reset or reimage machine afterwards, as needed. Contact Abuse Records, if necessary. Create executive summary detailing the incident and the response in clear details. If needed, discuss "lessons learned" so they can be applied to avoid or mitigate a similar incident from happening in the future.

Do you have any questions for me?

1.How is the environment in the company? 2.How big is the team in whom I will work with? 3.What will be my day-to-day responsibilities? 4.What kind of tools they use? 5.Will you provide training if yes how many weeks? 6.What would this SOC analyst position look like compared to other SOC analyst positions? 7.How would you see my first few weeks or months activities if I were to get this position? 8.How long do you expect the process to take in deciding on the candidate for this position?

Digital Signature=

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. INTEGRITY

What is the most secure way of protecting data?

A good way to start answering this question is by simply asking What type of data are we talking about? SSN, PII or public data. Depending on the sensitivity of the data element that we are dealing with we may want to protect using various mechanisms. Encryption and tokenization is one of them. Currently, encryption is one of the most popular and effective data security methods used by organizations. Two main types of data encryption exist - asymmetric encryption, also known as public-key encryption, and symmetric encryption. Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext. Tokenization is another method that is even more secure than encryption. The idea is to swap tokens for each data element and reduce the usage of raw clear text data elements across the organization.

What is port scanning and why would you use it?

A port scan is a method for determining which ports on a network are open. (NMAP) is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

Can you describe a salted hash?

A salt is added to the hashing process to force their uniqueness, increase their complexity without increasing user requirements, and to mitigate password attacks like rainbow tables. In order to mitigate the damage that a rainbow table or a dictionary attack could do, we salt the passwords. According to OWASP Guidelines, a salt is a fixed-length cryptographically-strong random value that is added to the input of hash functions to create unique hashes for every input, regardless of the input not being unique. • A salt is added to the hashing process to increase their complexity. •Mitigate password attacks like Rainbow tables and dictionary attack.

What is SOC (Security Operations Center)?

A security operations center is an organizational structure that continuously monitors and analyzes the security procedures of an organization. It also defends against security breaches and actively isolates and mitigates security risks. A SOC tracks and analyzes activity on servers, endpoints, networks, applications, databases, websites and other technology systems. Its team members provide a critical layer of analysis needed to seek out any irregular activity that could suggest a security incident. While technology systems such as IPS or firewalls can prevent basic attacks, human expertise is needed to respond to serious incidents. Security information and event management (SIEM) is a solution that empowers SOC analysts by collecting security data from across the enterprise, identifying events that have security relevance and bringing them to the attention of the SOC team. A modern SIEM puts all the relevant information in front of security specialists to help them identify and mitigate incidents faster. Basic responsibilities of a SOC Team: ● Implement and manage security tools. ● Investigate suspicious activities, contain and prevent them. ● Reduce downtime and ensure business continuity. ● Plan security strategies. ● Audit and compliance support.

Subnet?

A subnet is a logical partition of an IP network into multiple, smaller network segments. It is typically used to subdivide large networks into smaller, more efficient subnetworks. Each organization's network can be composed of many smaller networks, or subnets. Each subnet allows its connected devices to communicate with each other, and routers are used to communicate between subnets. The size of a subnet depends on the connectivity requirements and the network technology employed. A point-to-point subnet allows two devices to connect, while a data center subnet might be designed to connect many more devices.

What is a switch?

A switch, in the context of networking, is a high-speed device that receives incoming data packets and redirects them to their destination on a local area network (LAN). A switch determines the source and destination addresses of each packet and forwards data. A network segment is a logical group of computers that share a network resource. This can be accomplished with a router, VLAN, switch segmentation, etc. Unfortunately, with a hub, everyone sees every packet which is why hubs have pretty much died in the market. Switching is a much better technology. You can segment a network either logically (through VLANs or mapping) or physically (connecting switches back to a core).only to specific devices, while hubs transmit the packets to every port except the one that received the traffic.

What is the difference between a threat, a vulnerability, and a risk?

A threat is an event that has a potential to compromise confidentiality, integrity and availability. Vulnerability is a weakness. Risk is the likelihood of a threat exploiting a vulnerability resulting in a loss. One of the basic goals of implementing IT security is to reduce risk. Risk mitigation is reducing the risk or impact of the risk by implementing security controls. Threat: Someone with the potential to cause harm to a system or an organization. Vulnerability: A weakness of an asset that can be exploited by one or more threat actors. Risk: Potential for loss or damage when a threat exploits a vulnerability. Risk= Threat x Vulnerability

What is a traceroute?

A traceroute, or tracert, can help you see where a breakdown of communications occurred. It shows what routers you touch as you move along to your final destination. If there is somewhere you cannot connect, you can see where it happened.

What is a Watering Hole Attack?

A watering hole attack is a method in which the attacker seeks to compromise a specific group of end users by infecting websites that members of that group are known to visit. The attacks have been adopted by criminals, APT groups and nation states alike and we see the amounts rising. The goal is to infect a victim's computer and gain access to the network. Cybersecurity professionals don't see this as the end of Spear Phishing, because the watering hole attacks are still targeted attacks, but they cast a wider net and trap more victims than the attacker's original objective.

What is ARP and NAT and how they it works?

ARP Address resolution Protocol. Use for resolving IP address to MAC address. Whenever device needs to talk with another device, they need MAC addresses. NAT simplify, network address translation makes computers outside the local area network (LAN) see only one IP address,

Active and Passive attacks in Information Security?

Active attack involves some modification of the data stream or creation of false statement. Passive attack attempts to learn or make use of information from the system but does not affect system resources.

Why did you leave your previous jobs?

All my previous jobs gave me lifelong experiences and knowledge that I can use. I applied the first job I had and rest of the jobs I got offers and for the career advancement I decided to take the offers. I departure from all my companies in good terms and I always had mutual agreement for the leave notice time with my managers to transfer the knowledge.

What is the difference in Hash, encryption and encoding?

All these techniques are used for converting the format of data. In the ENCODING method, data is transformed from one form to another for efficient transmission or storage. The main aim of encoding is to transform data into a form that is readable by most of the systems or that can be used by any external process. It can't be used for securing data, various publicly available algorithms are used for encoding. It can easily be reversed. It does not require a key. ENCRYPTION transforms data into another format, and it is used for keeping the data secret. In encryption, data to be encrypted (called plain-text) is transformed using an encryption algorithm like AES encryption or RSA encryption using a secret key called a cipher. The encrypted data is called cipher-text, and finally, the secret key can be used by the intended recipient to convert it back to plain text. There are two types of encryption algorithms - symmetric and asymmetric encryption. In the case of symmetric encryption, data is encoded and decoded with the help of the same key, for example, AES encryption algorithm but in the case of asymmetric encryption algorithm, data is encrypted with help of two keys, namely public and private key, for example. RSA algorithm. In HASHING technique, data is converted to a message digest or hash, which is usually a number generated from a string of text. Hashing ensures the integrity of the data. Hashing is not reversible. This technique is also used in storing data. For example, passwords are hashed and stored in the database. When the password is entered during the next login, the entered password is hashed and the hash is compared against what is stored in the database. If both the values are identical, then access is granted. Blockchain and indexing have widespread uses for the hashing technique. • Encoding is Converting data format between two different systems. Ex=ASCI or Base64 • Encryption is Ensuring the data is secure and only the authorized person can access it. Confidential • Hashing is maintaining the integrity of the message or data. Making sure data is not modified. Integrity

How would you prevent a zero-day attack?

An attack that exploits a vulnerability in a program or an application is called a zero-day attack. Zero-Day Exploits are unexpected and they can bring about an attack by exploiting the user's vulnerable software and programs. Following are the deal with Zero Day Attacks: ● Update all the applications and software once the security patches are released. ● Implement the use of Web Application Firewall (WAF) to protect your website. It helps to identify possible website attacks with much accuracy. ● Install an Internet Security suite that is loaded with a smart antivirus, sandboxing techniques, default deny protection, heuristic file behavioral analysis.

/usr/bin

Application/distribution binaries meant to be accessed by locally logged in users.

Why IPS needs to be behind firewall?

Because it will protect internal network from malicious attack, IPS are doing deeper packet inspection. >>IPS and IDS analyze the traffic and act like, sending alerts, dropping malicious packet or blocking it. >>IDS need to be Install on the firewall since IDS is passive system scan internal network traffic and report potential threats. IPS dedicated to inspect network packets to match them against signatures of known malicious attacks. Then, traffic is either blocked or an alarm is issued. IPS protect exploits against services such as webservers, SMTP, RDP, DNS, windows OS, Linux OS etc.

Do applications or operating systems create logs?

Both

What is a Brute-Force attack and how can you Prevent it?

Brute force attack is attempted to access your system trying to break username and password. It usually tries with hundreds time in a second unhuman try. • We can put threshold to have access limitation. • Use strong password policy. • Multi-Factor Authentication. Type of Brute-Force attacks: Hybrid Brute-force - Dictionary Attack

What are the different classes of IP addresses and give the range of each?

Class A, B, C, D and E and give range and Subnet mask of each. IP ranges: Class A : 1-126/16m, Class B:128-191/65k, Class C:192-223/254, Class D:224-239/multi cast, Class E:240-254/R&D

What is the CIA Triad?

CIA stands for Confidentiality, Integrity, and Availability. The CIA is a model that is designed to guide policies for Information Security. CONFIDENTIALITY (level of secrecy): The information should be accessible and readable for only authorized personnel. The information should be strongly encrypted just in case someone might try to hack it and even if the data is accessed, it should not be readable or understandable. INTEGRITY (modification): Integrity ensures that data is not corrupted or modified by unauthorized personnel. If an authorized individual/system tries to modify the data and the modification isn't successful, then the data should be reversed back and should not be corrupted. AVAILABILITY: The data should be available to the user whenever the user requires it. Hardware maintenance, regular upgrading, data backups, data recovery, and network bottlenecks should be taken care of.

How would you defend against a cross-site scripting (XSS) attack?

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. When you visit a website, there is a presumption that the data transferred between your browser client and the webserver is visible only to the owner of the website and its authorized partners. But when an XSS attack muscles its way into this relationship, it can expose data to a malicious third party - without the knowledge of either the end-user or website owner. * Developer training complements Security testing to help programmers prevent Cross-site scripting with best coding best practices, such as encoding data and input validation.

You said that you are a shift lead at the CyberNow Labs, have you considered becoming Tier 2 analyst at your SOC?

Cybernow Labs has a small SOC and Tier 2 positions are limited. That is one of the reason that I am looking to change my company. And they want me to back in the office after covid is over and I still am interested in working remotely so that is another reason. ( I use this answer if I am talking to a local company or a remote one)

Could you please tell me more about CNL? What kind of company is that and what are your responsibilities there?

Cybernowlab is a company that has this emersion program, while we take the program and after as a SOC analyst I am responsible to act as an incident responder, monitor and analyze the most well-known SIEM tools, as well as maintaining end point security utilizing FireEye HX for the internal SOC, moreover I managed the vulnerability scanning process that is scheduled to have report every week and communicate remediations with related parties, we also have access to carbon black and we use Jira to communicate with other teams.

What do you mean by CYBERSECURITY?

Cybersecurity combination of technology design to protect network, computer, and data information by the attack. (SOC) A security operations center is an organizational structure that continuously monitors and analyzes the security procedures of an organization. It also defends against security breaches and actively isolates and security risks.

Cyber Security VS Information Security?

Cybersecurity is a subset of information security which protects cyberspace against threats & vulnerabilities. InfoSec is defined as protection for information assets. The goal of information security is to control access to information as much as possible, to help the organization do business, make money, and succeed.

Difference between Cybersecurity and Network Security

Cybersecurity; Avoids and keeps track of unauthorized access, exploitation, modification, or denial of the network and network resources / Network Security; includes both cybersecurity and physical security.

What is DDOS attack and how can you prevent it?

DDOS is Distributed denial of service attack. Usually, It send large of number request. These requests making the server unavailable. • You need to protect your entire network infrastructure Install new technology tool IPS-IDS-NGFW • Monitoring the internet traffic • Back-up of your DATA

What is a DDoS Attack?

DDoS is short for Distributed Denial of Service. DDoS is a type of DOS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Denial of Service (DoS) attack.

What protocol does DNS use?

DNS primarily uses the User Datagram Protocol (UDP) port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server.

What is DNS and how DNS work?

DNS stands for Domain Name Servers. Use port number 53. • DNS service helps to translate domain names to IP addresses. • DNS uses TCP and UDP / How it works: When a computer needs to reach to website domain it sends a request to the DNS server. If the server has that website in the cache then it will return the IP address but if not then it will go, ask to the Root server. Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers or machines, access websites based on IP addresses. Information from all the domain name servers across the Internet is gathered together and housed at the Central Registry. Host companies and Internet Service Providers interact with the Central Registry on a regular schedule to get updated DNS information. Every domain that is registered creates a DNS record, usually hosted by the company that registers the domain; however, once registered, the domain name can be transferred to be hosted elsewhere. This is simply a text record that stores details about what information should be given to anyone requesting details about this domain name. This includes web-based resolution details as well as other information such as where mail servers should connect to (MX records). When you type an address into a web browser: • A check is made to see if the details of that name are known locally, e.g., if the browser has made a previous request from that same domain name or there is an entry in the local DNS registry (e.g., hosts.txt on Windows). • If no local record is found, a request is sent to your local DNS server. This could be running locally on your machine or on an office network, but most commonly it is provided by the ISP that supplies your internet connection. • The local DNS server again checks if it already has the details of the name being requested. If there is no cached record, then the DNS server needs to locate the details of the name server that hosts the domain record for the address you are trying to resolve (the authoritative domain name server). • To do this the DNS server breaks the name down into its different sections, starting from the righthand side of the domain name. For example, for www.google.com, this would be split into com, google, and www. The section after the final of the domain name (in this case, com) is known as the top-level domain (TLD). A root name server is connected to find details of the server that holds the domain record for the TLD. • The DNS server will make a request to the TLD name servers asking for details of the name servers that contain the details of the next section of the domain name (in this example, google). The DNS server then makes a request to the name server that holds the details for google.com. This name server may then return details of another name server that holds the records for www.google.com or, more likely at this point, will return the address associated with www.google.com. • The address returned by the remote name server can be an IP address or it could be another domain name, known as a CNAME; for example, www.google.com may return a reference to cdn-us.aa1.google-us.com. • If a CNAME is returned, the DNS server then repeats the process with the CNAME until an IP address is resolved.

When would DNS use TCP instead of UDP?

DNS: Domain Name System - resolves IP addresses to names/URLs Port 53. DNS would use TCP when the size of the query is greater than 512 bytes such as with responses that have many records or many IPv6 responses or most DNSSEC responses.

What is DLP?

Data Loss Prevention (DLP) is a set of tools and processes designed to ensure that sensitive or confidential data on your network is not lost, stolen or misused by unauthorized users, hackers or compromised / malicious insiders. By utilizing both DLP software and techniques, security professionals can stop data loss on their networks, preventing costly security events from occurring before they start.

Data Exfiltration mean?

Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server.

How will you prevent data leakage?

Data leak is data goes out of the organization. We can prevent with using DLP. Restriction on upload on internet - Mail and Printing.

What's the difference between Diffie-Hellman and RSA?

Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol.

Digital Certificate=

Digital certificate is issued by a trusted third party which proves sender's identity to the receiver and receiver's identity to the sender. AUTHENTICITY

Describe DNS?

Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers or machines, access websites based on IP addresses. Information from all the domain name servers across the Internet are gathered together and housed at the Central Registry. Host companies and Internet Service Providers interact with the Central Registry on a regular schedule to get updated DNS information

Why do you want to make a career in cybersecurity?

During my professional career, I always had the IT hat that I always the one who has the most knowledge when it comes to IT-related problems. It grows in me and the more I learn the more I seek information and experience in cybersecurity. The best part of cybersecurity is how it is dynamic that you always learn, excel, and stay updated.

What is encryption and why it is important?

Encryption is the process of converting data into unreadable from unauthorized people. It is important because It is hiding confidential information from the attackers.

What is /etc and /bin in Linux?

Etc/ = system config file, Bin/ = user binaries (Most of the command lines under this file), Var/ = logs,news,mail files are under this file

If I crate user in Linux where does Linux keep them?

Etc/passwd/ Ect/shadow/ >> Keeps all the hash file here md5.

Scenario: you are on the shift in the evening, Qradar alerts for one of the most critical assets at your company connecting every 15 min with an external IP. What would you check for?

Evening time - means the user is most likely at home and not using his work PC. His PC connecting with an external PC - possible compromise (malware which created a scheduled task to download malicious payload/exfiltrate data/connect with command-and-control server). You`d check for external IP reputation (IBM X-force, Virustotal, AbusedIP), for malware presence. Since it is a critical asset - containment is not an option, you should immediately contact with your manager, SOC Analyst Tier 2, with affected user.

What application do we use on windows host to see the local logs?

Event viewer (you type event viewer on your computers left bottom search and then open event viewer- type "netstat -n" to review your computer's logs.

What are your weaknesses? How did you overcome your weakness?

Everyone makes mistakes, and no one is good at everything. But the thing is to learn from mistakes. In the past, I tried to do a lot of things together at the same time, learn everything. But I should have prioritized them. Now I am trying to control myself and go step by step.

What was the last case you worked on FIREEYE-HX?

FireEye HX alert triggered by internal user upon downloading malicious file. After the alert I called the user immediately and ask him how he gone true, and I did the acknowledgment with him. After that I started my investigation. I have founded that He was accessed with his company e-mail and he downloaded a zip. File. This zip file was extracted, and it ran and created another doc. File When this .doc file ran, it ran an CMD (Command Script) that attempted to reach out to pastebin.com The Machine was infected so containment was requested as well as password reset and system re-image as well.

Why are you leaving your current company?

First of all, I am good at my job and General Manager is happy with me at United Granite LLC. We both decided on a path and stick with it after deciding change in career. I am transferring my knowledge to future operation manager while working remotely until end of April which gives me enough time to work at CyberNow Labs. I am happy with the CNL and learning a lot and I have a good relaitanship with the SOC manager. CNL gave me tremendous hands on knowledge on cyber security tools such as FireEye HX, QRadar/Splunk, The Hive and etc. I desire to gain new skill and grow current skills.

A SOC Analysts' Day: Some Scenarios:

First order of the day: Situational Awareness For a SOC Analyst, some days start out quiet. Others, not so much. A day can start out calm or start out on fire and very quickly go from one to another. For an analyst coming on shift, the first task of the day is receiving a hand-over of activity and information from the analysts on the previous shift, especially if they are in a 24/7 security operations center. The analyst gets a briefing on the current events: ongoing incidents or things that are suspicious that need monitoring, and any related tickets that have been opened to track such activities. Fighting Attacks: Reactive Mode Security analysts tend to work in two modes: 1) Reactive mode, where they respond to alarms and information from their security tool. 2) Calm/proactive mode, where they can proactively hunt for activity they think deserves attention so they aren't always chasing down an event/attack, such as a malware attack, virus escalation, a denial of service attack, or discovery of data theft. The ideal scenario is to intercept attackers before they cause damage or steal information. If analysts detect adversaries setting up an infrastructure to launch an attack or tunneling into the network, ideally, they would isolate the network from the Internet and move to remediate the compromised machines before damage is done. That's why analysts need to constantly monitor for activity such as a compromised host system calling out for malware updates or applications calling out for command and control type activity. But the ideal doesn't always happen. So, if a network is under attack, the logical step for the analyst to do is to develop a case file or incident file and start tracking the assets the security team thinks are under attack as well as track where the attacks are coming from. This activity becomes the focus point in the network. Depending on the types of tools you have in hand, you can trade searches off of that or elevate the monitoring of specific applications. An analyst will also watch for lateral movement to determine if the adversary is using the primary compromised applications or systems as a jumping point to get deeper into the network. Automated remediation systems, or even the network engineering/NOC teams, should start closing systems down if that is warranted. Doors/ports into the network and systems need to be shut quickly. Analysts are also to be focused on preserving any type of forensic evidence the SOC team can use internally to figure out how the bad guys got in or to preserve evidence in case the organization needs to call in law enforcement. The bad guys most likely will attempt to clean up after the attack to effectively delete their tracks, including attempts to delete logs of their activities. Fighting Attacks: Calm Mode Analysts can use the quieter times to proactively catch and mitigate attacks and security breaches. If proactive analysts who are curious by nature see something, they can pull on that thread to see where it leads them. Quiet time is mostly spent on researching notifications from tools, and on previously noted grey areas. Highly skilled attackers leave minimal tracks because they are stealthy. But an experienced senior analyst whose interest in an activity is piqued might be able to yield some fruit doing more in-depth analysis. Attackers are constantly changing the domains and IP addresses they use in order to escape detection, for example. If you keep enough history and enough memory of what has actually happened on your network, you can discover something you hadn't seen before. Using tools that reconstruct the state of a network at any given point in time can give an analyst a powerful forensic search capability. Instead of just analyzing log data, the analyst can reconstruct the full network down to the packet-level to see who was talking to whom and which protocols were in use. Or the analyst might find evidence of compromised systems from a zero-day attack lying hidden in the network, poised for future attack. It takes more than one approach to find malicious activity; there is no silver bullet. So an analyst must also rely on host-based detection systems. You need a view of both network and host activity to get a full picture of threats. SOC Analysts often need to adopt the intrusion/cyber kill chain model/framework developed by Lockheed-Martin Corporation in 2011 which details the chain of defensible actions (detect, deny, disrupt, degrade, deceive and contain) to be taken by security analysts to protect against defined attack/threat progression stages identified in the model, which are as follows: 1) Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network. 2) Weaponization: Intruders create remote access malware weapons, such as a virus or worm tailored to one or more vulnerabilities. 3) Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives). 4) Exploitation: Malware weapon's program code triggers, which takes action on the target network to exploit the vulnerability. 5) Installation: The malware weapon installs an access point (e.g., "backdoor") usable by the intruder. 6) Command and Control (C2): Malware enables intruders to have "hands on the keyboard" persistent access to the target network. 7) Actions on Objectives: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom. For additional information about attackers' behaviour (TTPs- Tactics, Technics and Procedures visit https://attack.mitre.org/ or watch https://www.youtube.com/watch?v=bkfwMADar0M

If the firewall allows an IP, what logs do you analyze?

First, I check the firewall traffic logs on the SIEM solution. Then, I write a certain query to check logs related to that IP address to pivot investigation. I also look at destination and source IPs, action, destination port number, time, and user. If it is a web related event, I check the URL, if any file is involved, I check the file hash and file name.

What if the alert comes for the PowerShell? How would you analyze the traffic (is it web traffic, SSH etc.)

For Powershell alert check source IP/port, dest IP/port, who is the host, what is the action (any other alerts realted to the powershell one). Powershell is extensively used by adversaries to escalate privileges, download malware, make registry changes, create scheduled tasks etc. Very strong tool that provides wide range of possibilities for an adversary to remotely do pretty much anything on the compromised PC using powershell. At the same time it could be just a sys admin doing some troubleshooting. So check the user - false positive or not, check external IP - its reputation. Check for any signs of the infected system. Suspicious processes with wrong parent processes, URL history, download history, ARP and DNS entries, prefetch events, tasks, services, new accounts, abnormal network traffic related with the host you are investigating

What is dwell time?

For about 50 percent of cybersecurity respondents, a 2017 SANS Institute survey found the average time between an initial compromise and its detection—known as dwell time—is over 24 hours. Twenty percent reported dwell time of a month or longer.Frequently, an intrusion is detected by a notable change, such as a rapid increase in network traffic, a suspicious system login location or time, or the unusual export of sensitive information such as with data exfiltration. But not all attacks have an obvious pattern.Often hackers who have gained access to your network conduct a "low and slow" attack. This is where they carefully and methodically move laterally across devices and users, so as not to attract attention—doing reconnaissance and strategizing on how best to exfiltrate your data.Machine learning on the other hand makes it faster to find anomalous and suspicious user and device behavior. Its algorithms can baseline normal behavior in your network environment, then alert your security team whenever anomalous activity occurs.

What are the steps in a DNS lookup?

For most situations, DNS is concerned with a domain name being translated into the appropriate IP address. To learn how this process works, it helps to follow the path of a DNS lookup as it travels from a web browser, through the DNS lookup process, and back again. Let's take a look at the steps. Note: Often DNS lookup information will be cached either locally inside the querying computer or remotely in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is cached, steps are skipped from the DNS lookup process which makes it quicker. The example below outlines all 8 steps when nothing is cached. The 8 steps in a DNS lookup: 1. A user types 'example.com' into a web browser and the query travels into the Internet and is received by a DNS recursive resolver. 2. The resolver then queries a DNS root nameserver (.). 3. The root server then responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD. 4. The resolver then makes a request to the .com TLD. 5. The TLD server then responds with the IP address of the domain's nameserver, example.com. 6. Lastly, the recursive resolver sends a query to the domain's nameserver. 7. The IP address for example.com is then returned to the resolver from the nameserver. 8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially. Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser is able to make the request for the web page: 9. The browser makes a HTTP request to the IP address. 10. The server at that IP returns the webpage to be rendered in the browser (step 10). DNS primarily uses the User Datagram Protocol (UDP) port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. DNS: Domain Name System - resolves IP addresses to names/URLs Port 53. DNS would use TCP when the size of the query is greater than 512 bytes such as with responses that have many records or many IPv6 responses or most DNSSEC responses.

What is Incident Response? Walk me through the incident response process?

Incident Response Procedures In summary of the above, typical/standard incident response includes multiple steps, starting with creating the incident response policy/plan using the NIST SP 800-61 (Computer Security Incident Handling Guide) as a guide.An incident response team (IRT) team or computer incident response team (CIRT), consists of senior management representatives. The Network administrator/engineer, Security/SQC analysts and Communications expert/company's spokesperson, is often activated when security incidents are declared. This team conducts the following Incident Response Procedures;1) Pre-incident preparation for the incident, such as defining security incidents and implementing security controls to prevent malware infections/incidents.2) Incident identification, such as verifying the nature of the incident.3) Incident isolation, such as taking the system offline to prevent the problem from spreading to other areas or other computers in your network, or to simply stop the attack. The affected system is not powered down until after capturing an image/bit-by-bit copy of it, and a hash record made with tools like EnCase or Forensic Toolkit, in order to not lose the volatile random access memory (RAM) data/running programs, useful for any forensic analysis for possible court presentation, during which evidence is collected starting with the most volatile, such as items on the system cache memory or RAM and moving to the least volatile such as items on a hard drive or archive.4) Incident analysis, such as processing related events to determine the extent of the incident, including its cause and effect, and preserving any forensic evidence and tracking the events with a chain-of-custody form and an evidence bag that records the person and reason for evidence handling.5) Reporting, including notifying executives and personnel outside the organization of the incident, such as customers where a large number of PII (greater than 500 people) are compromised or involved in a data breach.6) Recovery, including restoring the system to bring it back into service, including re-imaging affected systems and applying all necessary updates/patches.7) Lessons learned and mitigation of future recurrence, including possible security awareness training, establishing additional controls, or update of patch management policies if for instance the incident was caused by inadequate or missing patching.Besides using tools like Snort IDS, Splunk SIEM tool, and the Wireshark network protocol analyzer, SOC Analysts use other tools like:● VirusTotal (https://www.virustotal.com) - uses multiple Antivirus engines to analyze files, hashes and URLs for viruses, worms, trojans and other kinds of malicious content (silent note: you may search for the url www.coolgang.com and the hash 8743b52063cd84097a65d1633f5c74f5P and see the result)● Hybrid-Analysis (www, hybrid-analysis.com) - malware analysis service, to detect and analyze unknown threats and provide other file/url details, (silent note; you may search for the same url)● HashCalc (www.slavasoft.com/hashcalc) to calculate file hashes in 13 different algorithms upon download.

What are HTTP methods?

HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. Although they can also be nouns, these request methods are sometimes referred to as HTTP verbs. Each of them implements a different semantic, but some common features are shared by a group of them: e.g. a request method can be safe, idempotent, or cacheable. GET : The GET method requests a representation of the specified resource. Requests using GET should only retrieve data. HEAD - The HEAD method asks for a response identical to that of a GET request, but without the response body. POST - The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server. PUT - The PUT method replaces all current representations of the target resource with the request payload. DELETE - The DELETE method deletes the specified resource. CONNECT - The CONNECT method establishes a tunnel to the server identified by the target resource. OPTIONS - The OPTIONS method is used to describe the communication options for the target resource. TRACE - The TRACE method performs a message loop-back test along the path to the target resource. PATCH - The PATCH method is used to apply partial modifications to a resource.

HTTP Header?

HTTP headers are the name or value pairs that are displayed in the request and response messages of message headers for Hypertext Transfer Protocol (HTTP). Usually, the header name and value are separated by a single colon. HTTP headers are an integral part of HTTP requests and responses. In simpler terms, HTTP headers are the code that transfers data between a Web server and a browser. HTTP headers are mainly intended for the communication between the server and client in both directions.

What do you know about HTTP status codes?

HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes: Informational responses (100-199), Successful responses (200-299), Redirects (300-399), Client errors (400-499), Server errors (500-599)

What are the differences between HTTP, HTTPS, SSL, and TLS?

HTTP stands for Hypertext Transfer Protocol. It is an application layer protocol used to communicate between two machines, mostly used in client server model. HTTPS stands for HTTP over SSL. Often called HTTP over SSL or HTTP over TLS. HTTPS increases the privacy and integrity of the data that is communicated over the internet. SSL stands for Secure Sockets Layer. SSL is a cryptographic protocol that provides authentication and data encryption in network communication. TLS stands for Transport Layer Security. It is a successor to SSL. Provides a secure version of SSL. HTTP use port 80 and transmit data over the Internet as unencrypted. HTTPS use port 443 and transmit data over the internet as encrypted. (with either SSL or TLS) SSL (Secure Socket Layer) and TLS (The Transport Layer Security) are both cryptographic protocols providing communication security over a network. (secure HTTP, SMTP, LDAP) TLS (The Transport Layer Security) protocol is a replacement for SSL. Over the years vulnerabilities have been discovered in SSL and TLS. For this reason, we should disable SSLv2, SSLv3, TLS1.0 and TLS 1.1 and leaving only TLS protocols 1.2 and 1.3 enabled.

What is the difference between HTTP and HTTPS?

HTTP stands for Hypertext Transfer Protocol. It is an application layer protocol used to communicate between two machines, mostly used in client-server model. HTTPS stands for HTTP over SSL. Often called HTTP over SSL or HTTP over TLS. HTTPS increases the privacy and integrity of the data that is communicated over the internet. SSL stands for Secure Sockets Layer. SSL is a cryptographic protocol that provides authentication and data encryption in network communication. TLS stands for Transport Layer Security. It is a successor to SSL. Provides a secure version of SSL. HTTP uses port 80 and transmit data over the Internet as unencrypted. HTTPS uses port 443 and transmit data over the internet as encrypted. (with either SSL or TLS) SSL (Secure Socket Layer) and TLS (The Transport Layer Security) are both cryptographic protocols providing communication security over a network. (secure HTTP, SMTP, LDAP) TLS (The Transport Layer Security) protocol is a replacement for SSL. Over the years vulnerabilities have been discovered in SSL and TLS. For this reason, we should disable SSLv2, SSLv3, TLS1.0, and TLS 1.1 and leaving only TLS protocols 1.2 and 1.3 enabled.

I will name a port number and you name the corresponding service/protocol:

Here are the important port numbers that you need to know: FTP 21, SSH 22, RDP 3389, Windows 137,138,139, DNS 53, SMTP 25, POP 110, IMAP 143, HTTP 80, HTTPS 443, Telnet 23, IMAP4 143,

Can you tell me about yourself?

Hi, Thank you for this opportunity. My name is 007. I live in Virginia and I am 1 class away from my master's degree in Cybersecurity studies from American Public University. I came to the states in 2000, I worked as a financial analyst/District manager for 6 years and then operations manager for 12 years. When I was working as operations Manager at my previous companies, I had to deal with technical issues in the company to help the team members as I was the one who has the most knowledge. In time, I set up a G-Suit business, CRM cloud program, manage the VOIP call system, and administer all IT infrastructure of the company. I had to get in touch with our email provider, Cloud server provider for the CRM program we used from setting the basic rules to maintaining the accounts and it grows in me to seek more information about cybersecurity and I start to take classes such as networking, c++ and finally I decide to change my career to cybersecurity and apply for master degree in 2019 and for the last year I am attending classes and hands-on sessions with shift work in cybernowlabs in a SOC environment. I got security+ and Splunk fundamentals certification along with Udemy and YouTube learnings. I am currently working for CySA to take in May. The more I learn the more I seek information and experience in cybersecurity. The best part of cybersecurity is how it is dynamic in terms of defending your network against the evil intendent adversaries with their advancement which makes you learn new technologies.

What are the port numbers for protocols below?

Http: 80, Https: 443, LDAP:389, LDAPS: 636, FTP:21, SFTP: 22, FTPS:990, SSH:22, Telnet:23, SMTP:25, POP3:110, IMAP:143, SNMP: 161, Remote Desktop Protocol (RDP): 3389, DNS: 53

What is motivating you to look for a new opportunity? / Why did you leave your last position?

I always had an interest in computer and IT and untitled IT hat in my last jobs grow the passion for cybersecurity and I am happy when I spend time on the computer and try to solve problems with going in detail. After I decided to change my career to CyberSecurity 2 years ago, I did master and got hands-on experience for a year and now ı want to grow my career into cybersecurity. I am a life-long learner and the environment is always changing. we are in an information age and cybersecurity has become critical to any modern business. Cybersecurity is and continues to be an essential job and there are many job opportunities that keep the job interesting as well: I believe that I will face many challenges I must analyze and conquer. I know Cybernowlabs is a good place to work and, I had amazing progress and work experience at my current company. The people are very friendly and open mind since Cybernowlabs has limited opportunities I wanted to take my knowledge to next level.

What would you consider to be your areas of strength and what are some areas you'd like to improve?

I am a lifelong learner and I can learn quickly. One of my greatest strengths is being able to explain difficult technical issues to customers in a way they can understand or relate as I did in the retail and manufacturing business for 19 years and also be an enabler. This has allowed me to have great relationships with my customers in the past. Because cybersecurity is a profession that requires constant learning and being outside of my comfort zone, my number one bucket item when it comes to improvement is to never stop learning new technologies and be on the lookout for new trends and share my knowledge.

Have you completed packet captures and interpreted them (for example WireShark)?

I do have hands-on experience in Capturing and analyzing PCAP files in Wireshark. I used to join capture the flag competitions and usually, they are giving you the task to analyze PCAP files in Wireshark so, basically, they were asked to find any clear text message like user name and password and also to find extract file which is sent through unsecure protocol like TELNET, FTP and HTTP. Basically, What I do is I opened PCAP with Wireshark. To see the traffic activity types and file sizes I went to 1) Statistics Tab 2) Protocol hierarchy (communication task into several layers) and checked the results. I observed a significantly higher size of data in FTP DATA under TCP protocol After this filter, I observed high size file packages Then right-clicked on one of the lines 1) Follow 2) TCP Stream after that I obtained a page beginning with PK and continuing with unreadable characters. Then I saved it using Raw DATA option and renaming as zip file then closed. Then I extracted the zipped file to the folder.

Walk me through your resume

I grow up in Turkey and graduated with Bachelor's degree in Finance and I am 1 class away from getting my Master's degree in CyberSecurity Studies at APUS. I also took some IT classes such as Networking, C++ while I was working as Financial Analyst and Operation Managers for 19 years with an IT hat as I update the WordPress website, optimize them for SEO, implemented G-Suit business, and finally implement and manage the Cloud provided CRM which is Stone Profit Systems. I have hands-on experience in monitoring and analyzing threats using security tools like IBM QRadar and Splunk SIEM solutions, FireEye HX EDR, Carbon Black and I used The Hive, Resilient, Jira, and ServiceNow ticketing system. I am familiar with the fundamentals of information security including network technologies and tools, identity and access management, network security, and risk management. I analyzed PCAP files, narrow down anomaly traffic with Wireshark, I also had hands-on experience in using various tools like Burp Suite, NMap, Nessus, Kali Linux, and Metasploit and, I had hands-on experience in phishing analysis. I got my Security + certification in November. As a self-motivated cybersecurity analyst, I am looking forward to new opportunities to grow in my career and advance my skills. I know XXX is a great place to work to pursue my passion. I had amazing progress and work experience in CyberNow Labs which is a wonderful company and great people to work with, but it has limited opportunities to move forward. Now I want to take my career to the next level and move out of a small SOC environment to structured SOC for a company where I can be a part of a team and therefore, I'd like to build a strong, long-term professional career in cybersecurity field.

Which security tools can you use and what can you do by using them? Give examples.

I have hands-on experience in monitoring and analyzing threats using security tools like IBM QRadar and Splunk SIEM solutions, FireEye HX EDR, Carbon Black and I used The Hive ticketing system. I am familiar with the fundamentals of information security including ▪ network technologies and tools, ▪ identity and access management, ▪ network security, and risk management. I analyzed PCAP files, narrow down anomaly traffic with Wireshark, I also had hands-on experience in using various tools like Burp Suite, NMap, Nessus, Kali Linux, and Metasploit and, I had hands-on experience in phishing analysis.

Do you have operational experience with SQL Injections or any other web technologies (Apache weblogs, IIS, Active Directory, and other security logs)?

I have hands-on experience in using DVWA and SQLmap tools. I have been testing them on my VM environment just to see how this vulnerability discovered and exploited. (https://pentestbox.org/) Example: I have tried to interest SQL Injection into a vulnerability website at this sample website. https://www.hacksplaining.com/exercises/sql-injection ( bu sayfaya mutlaka git)

Monitoring & Incident Response:

I use FireEye HX in the SOC for Endpoint Detection and Response to detect, identify and contain threats of endpoints. I monitor alerts and respond accordingly. - Acquire triages/acknowledge them. - Look at the type/details of the incident. - Inspect recent endpoint activity. - Determine whether containment is needed. - Communicate with different parties. - Document via the Hive. QRadar/Splunk (SIEM tools give us visibility by using different log sources and correlate these events and generate offenses based on rules.) We monitor the events on QRadar/Splunk. QRadar is mainly used for correlations and Splunk for log collection. I monitor the offenses and assign individual offenses to myself and conduct IR processes on them and document everything using the Hive. I would say that the number of offenses that I see mostly are firewall denies, authentication failures, brute force attempts, connection to a known malware site, traffic from an untrusted network, and potential data loss.

Walk me through your day-to-day activities at your current job (CyberNow).

I work with the Incident Response / SOC team at CyberNow. My regular day-to-day activities focus around Monitoring, Phishing Analysis, and Incident Response. Most incidents I respond to in a regular shift are either firewall denial, authentication failures, brute force attempts, connection to known malware sites, traffic from untrusted networks, or potential data loss. They all follow the same general workflow: - Alerts fire into the SIEM, - Alert details are used to determine the risk level of the event, - Triages are acquired and queries are run to collect more details about the event, - Conversations are held with stakeholders to help determine the impact of the incident, and make sure all groups are responding appropriately, - Infected systems are quarantined to make sure they can't infect other assets, - The incident is documented in a ticketing system to aid future investigations. We have a wide range of tools deployed to help with this process. I regularly use: - QRadar - SIEM and event correlation, - Splunk - Log storage and searching, - FireEye HX - Endpoint protection, forensic triage data, and system quarantines, - TheHive Project - Ticketing and Incident Documentation. IR Cycle 1) Preparation 2) Identification 3) Containment 4) Investigation 5) Eradication 6) Recovery 7) Follow-Up

A blacklisted IP is connecting to an internal IP, how would you respond?

I would block it initially and then investigate the incident. First, I would collect the logs and try to see what that IP has done in our system and is there any other affected users or systems. I try to collect all the evidence and if I see any indication that our system is compromised, I would create a ticket and go through incident response process.

Explain packet structure?

IP Header - TCP header - Payload

How to investigate the offense that came from WAF (Web Application Firewall)?

If it comes from your WAF to your SIEM tool, it has already matched a rule or multiple rules that triggered this offense. After you investigate the offense, investigate IOCs, check the payload, determine what type of attack is being detected/alerted and pivot further as needed. For instance, if it is SQL injection or XSS, you will notice the HTML or SQL query in the payload and check if the website is compromised.

Types of Firewall denies:

If we alerted on firewall denies, we have taken more of an approach of only receiving actionable alerts. Of course, people are scanning us from the Internet, and we can't stop that. We care more if someone is scanning us from INSIDE our network. We do have a rule for login failures that looks for brute forcing. The only problem is that there is a lot of false positives. 1. False Positive. 2. Failed user authentications. 3. Brute force attack. 4. Passed authentications.

TCP Flags?

In TCP connection, flags are used to indicate a particular state of connection or to provide some additional useful information like troubleshooting purposes or to handle a control of a particular connection. Most commonly used flags are "SYN", "ACK" and "FIN". Each flag corresponds to 1 bit information. Types of Flags: Synchronization (SYN) - It is used in the first step of the connection establishment phase or 3-way handshake process between the two hosts. Only the first packet from the sender as well as receiver should have this flag set. This is used for synchronizing sequence numbers, i.e. to tell the other end which sequence number they should accept. Acknowledgement (ACK) - It is used to acknowledge packets which are successfully received by the host. The flag is set if the acknowledgement number field contains a valid acknowledgement number. In the given diagram below, the receiver sends an ACK = 1 as well as SYN = 1 in the second step of connection establishment to tell the sender that it received its initial packet. Finish (FIN) - It is used to request for connection termination i.e. when there is no more data from the sender, it requests for connection termination. This is the last packet sent by the sender. It frees the reserved resources and gracefully terminates the connection. Reset (RST) - It is used to terminate the connection if the RST sender feels something is wrong with the TCP connection or that the conversation should not exist. It can get sent from the receiver's side when the packet is sent to a particular host that was not expecting it. Push (PSH) - Transport layer by default waits for some time for the application layer to send enough data equal to maximum segment size so that the number of packets transmitted on the network minimizes which is not desirable by some applications like interactive applications(chatting). Similarly, the transport layer at the receiver's end buffers packets and transmits them to the application layer if they meet certain criteria. This problem is solved by using PSH. Transport layer sets PSH = 1 and immediately sends the segment to the network layer as soon as it receives a signal from the application layer. The receiver transport layer, on seeing PSH = 1 immediately forwards the data to the application layer. In general, it tells the receiver to process these packets as they are received instead of buffering them. Urgent (URG) -Data inside a segment with URG = 1 flag is forwarded to the application layer immediately even if there is more data to be given to the application layer. It is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received.

Other Layered Defenses/ Security Measures

In addition to having IDS/IPS, anti-malware, and SIEM/log analysis tools. and responding to incidents detected by them, and from end-user reporting, as discussed here, personnel may implement the following preventive measures to protect against and detect attacks (including operational controls and other defense-in-depth layered defenses; silent note: cybersecurity arsenal): 1) Patch management, to keep systems and applications up-to-date.2) Vulnerability management, including periodic vulnerability assessments/scanning and correction, to identify and protect the system against known vulnerabilities (dynamic software testing).3) Penetration testing, to identify the techniques attackers can use to circumvent security on the system/network. 4) Removing or disabling unneeded services and protocols (i.e., hardening/protecting the systems against attacks by reducing known routes of attack, which also include removal of unnecessary software, usernames, or logins). 5) Firewalls, to block unwanted network traffic and Denial-of-service (DoS) attacks. 6) Warning banners to inform users and intruders about basic security policy guidelines ("no trespassing" sign), as a basis for prosecution if the system is abused.7) Whitelisting software/app store, to identify a list of applications authorized to run on a system, and/or black-listing to identify those not authorized.8) Sandboxing from virtual machines to achieve security boundaries for applications and prevent the application from interacting with other applications on the network.9) Data loss prevention (DLP) systems, to detect and block data exfiltration/theft attempts.10) Account review, including periodic access reviews, to ensure that separated and inactive accounts are disabled and that employees do not have excessive privileges.11) Business continuity and disaster recovery planning (BCP/DRP), including backup and offsite storage procedures, to prevent interruption of business activities and ensure continued operation of security controls.12) Fault tolerance measures, including using server failover and load-balancing clusters, and secondary power supply like UPS and generators, to prevent system failure and corruption.13) Security training, to enlighten personnel of attacker's tactics and promote positive behavior towards the organization's security.14) Adopting the least privileged and need-to-know principles, to prevent excessive access and unnecessary access to information and systems.15) Separation of duties, job rotation, and mandatory vacation, to prevent overdependence on certain employees and conflict of duties that may result in unauthorized activities or fraud.16) Logging and monitoring of privileged operations and administrative/sensitive job tasks, to ensure that users granted these privileges do not abuse them. These logs of activities to be monitored include creating new user accounts, removing or modifying user accounts, altering Firewall configuration, and accessing system log and audit files. Certain tools can log these events and send an alert.17) Protect information throughout its life cycle, which includes marking, handling, storing, and destroying data properly; to ensure adequate protection of information.18) Using service level agreement (SLA) as an agreement in contract arrangements with vendors or third-party service providers to stipulate performance and security expectations.19) Hardware inventories, possibly using databases and inventory applications to perform inventories and track hardware assets through the entire equipment life cycle to determine the physical/location and security status of systems.20) Software licensing, to ensure that systems do not have unauthorized software installed and that the organization is in compliance with software licensing rules.21) Physical security/assets protection, using fences, barricades, locked doors, guards, closed-circuit television (CCTV) systems.22) Media management, including tapes, disks, CDs and DVDs, portable USB, external drives, and hard-copy data to ensure that they are adequately protected from unauthorized access and that they are properly maintained for optimal performance.23) Change/configuration management, to ensure changes are authorized, adverse effects are considered to minimize system failure and that system changes are documented, tracked, and audited. Changes are typically reviewed and approved by a CAB (change approval board).24) Security impact analysis of changes, to ensure that system changes do not lead to reduced or compromised security.25) Software static testing/source code review, including the use of automated tools such as Fortify to detect common software flaws, such as buffer overflow, SQL injection, and cross-site scripting attacks, which respectively expose to attack the system memory and databases and allow the use of unauthorized script; mainly due to the absence of input validation or system stress testing such as fuzz testing or misuse case testing.26) Security controls testing/assessment, including NIST, ISO, CSC, and industry compliance standards like PCI DSS and HIPAA to determine compliance status with security control requirements.27) Adequate record retention, to retain records and audit logs for the earliest of 3 years, length of time specified by any applicable laws and regulations, or the usefulness of the records.

How would you handle a compromised endpoint?

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as a security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. The following are a few examples of common incidents that can have a negative impact on businesses: ● A distributed denial of service (DDoS) attack against critical cloud services.● A malware or ransomware infection that has encrypted critical business files across the corporate network.● A successful phishing attempt has led to the exposure of personally identifiable information (PII) of customers. ● An unencrypted laptop is known to have sensitive customer records that have gone missing. I would use the SANS Incident Handler steps I am trained in. Preparation is key. According to the SANS Institute, there are six key phases of an incident response plan:1) Preparation: Preparing users and IT staff to handle potential incidents should they arise. 2) Identification: Determining whether an event qualifies as a security incident. 3) Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage. 4) Eradication: Finding the root cause of the incident and removing affected systems from the production environment. 5) Recovery: Permitting affected systems back into the production environment and ensuring no threat remains. 6) Lessons learned: Completing incident documentation, performing analysis to learn from the incident, and potentially improving future response efforts. 1.I can isolate the machine from the network at the containment state 2.I can do enterprise search with the EDR tool to identify whether is any compromised host. If there is any compromised host, we must isolate them from the network. 3.I can search what is the ROOT CAUSE of the incident 4.I can create the ticket for the help desk to re-image the infected host and password requesting as well. For malicious I can request blocking to domain from network team. 5. Completing incident documentation, performing analysis to learn from the incident. 6. Lessons learned: Completing incident documentation, performing analysis to learn from the incident, and potentially improving future response efforts.

What sorts of anomalies would you look for to identify a compromised system?

Indicators of compromise (IOCs) help detect intrusion attempts or other malicious activities. Security researchers use IOCs to better analyze a particular malware's techniques and behaviors. IOCs also provide actionable threat intelligence that can be shared within These unusual activities are the red flags that indicate a potential or in-progress attack that could lead to a data breach or systems compromise:● Unusual Outbound Network Traffic● Anomalies in Privileged User Account Activity● Geographical Irregularities● Log-In Red Flags● Increases in Database Read Volume● HTML Response Sizes● Large Numbers of Requests for the Same File● Mismatched Port-Application Traffic● Suspicious Registry or System File Changes● Unusual DNS Requests● Unexpected Patching of Systems● Mobile Device Profile Changes● Bundles of Data in the Wrong Place● Web Traffic with Unhuman Behavior● Signs of DDoS Activitythe community to further improve an organization's incident response and remediation strategies. By monitoring for indicators of compromise, organizations can detect attacks and act quickly to prevent breaches from occurring or limit damages by stopping attacks in earlier stages.

Do you provide any recommendations to the user after an investigation is over? In phishing emails, customers click the link.

It is important to educate employees about the tactics of phishers. Employees should be trained on security awareness as part of their orientation. However in this case I would explain to the user about how to be careful about the suspicious e-mails with attachments from people they don't know. Let the user know that no credible website would ask for their password over e-mail. Additionally, people need to be careful which browsers they utilize. Read all URLs from right to left. The last address is the true domain. Secure URLs that don't employ https are fraudulent, as are sites that begin with IP addresses.

Difference between LAN and VLAN?

LAN stands for Local Area Network is a group of network devices which allow the communication between connected devices. LAN work on single broadcast domain. VLAN (Virtual LAN) is a type of LAN. VLAN works on multiple broadcast domain and in local area network, The basic need of implementing VLAN is the splitting of networks.

The last

Linux command is the best for looking at recent logins for all users or one individual.

What is Log aggregation?

Log aggregation is the practice of gathering the log files for the purposes of organizing the data in them and making them searchable.

Where are logs on Linux and Windows hosts?

Log files are a set of records that Linux maintains for the administrators to keep track of important events. They contain messages about the server, including the kernel, services and applications running on it. Linux provides a centralized repository of log files that can be located under the /var/log directory. In Windows, Event Viewer is a troubleshooting tool. Event Viewer displays detailed information about system events. This information includes the event type, the date and time that the event occurred, the source of the event, the category for the event, the Event ID, the user who was logged on when the event occurred, and the computer on which the event occurred.

/32 and /24 how many hosts?

Looking at a Classful Range: Consider a classful IP range of 192.168.1.0/24. It supports 254 usable IP addresses in the range of 192.168.1.1 through 192.168.1.254. Using the Formula to Determine How Many Hosts: The formula for determining the number of hosts a network supports is 2n-2, where n is the number of bits used for the host. ● 2n-2 is sometimes expressed as (2^n) - 2. Both indicate 2 raised to the power of n. ● You subtract two to reserve one IP for the network ID and one for the broadcast address. Consider the classful IP range of 192.168.1.0/24. The /24 is Classless Inter-Domain Routing (CIDR) notation indicating that 24 bits are used for the subnet mask. An IPv4 address includes a total of 32 bits. With 24 bits used for the subnet mask, that leaves 8 bits for the hosts (32-24). If you plug 8 into the formula, it is (2^8) - 2. 2^8 is 256 and 256 - 2 is 254.

How do I check MAC or Linux recent activity?

Netstat -b 5 > scan.txt (By this command we can keep eye on your computer log process)

How do I check windows recent activity?

Netstat -n 5 > scan.txt (By this command we can keep eye on your computer log process)

You are pretty new to cybersecurity, 5-6 months only, was it easy for you to step into the Cyber? How was the learning part for you?

No, it was not difficult to learn and work in cyber security because I have an interest. I am naturally a curious person and I like to investigate and find solutions. I feel also bad that I discovered my dream job late. Working in soc environment makes me so excited. I love working on different cases. Every day is a challenge and excitement. There are so much to learn and grow in to in this field.

Are all logs across all devices standardized in the same format?

No. good majority in syslog, but we will still see logs formats like LEEF, CEF and Json etc.

Authenticated (credentialed) and unauthenticated (uncredentialed) vulnerability scanning?

Non-credentialed: A non-credentialed scan will monitor the network and see any vulnerabilities that an attacker would easily find; we should fix the vulnerabilities found with a non-credentialed scan first, as this is what the hacker will see when they enter your network. For example, an administrator runs a non-credentialed scan on the network and finds that there are three missing patches. The scan does not provide many details on these missing patches. The administrator installs the missing patches to keep the systems up to date as they can only operate on the information produced for them. Credentialed scan: A credentialed scan is a much safer version of the vulnerability scanner. It provides more detailed information than a non-credentialed scan. You can also set up the auditing of files and user permissions.

What was the most challenging incident that you worked on it OR, what was the last incident that you worked on it?

One of the incidents that was most challenging for me is: A source IP 173.243.140.53 had attempted to establish an IRC chat session with Next Generation Firewall. Initially I examined the source IP address and detected that it belongs to Fortinet. We communicated with Fortinet to figure out the situation. They verified that they are updating cloud based NGFW Firewall software. We examined our LSA (Standard Operating Procedure) with Fortinet and confirmed that they will provide the CeyberNow Labs in a quarter basis. This determined as true positive incident and there is no risk.

Explain the OSI model?

Open Systems Interconnection (OSI) model is a conceptual framework that describes the functions of a networking system. The model uses layers to help give a visual description of what is going on with a particular networking system. Most descriptions of the OSI model go from top to bottom, with the numbers going from Layer 7 down to Layer 1. Layer 7 - Application: The Application Layer is the one at the top - it's what most users see. In the OSI model, this is the layer that is the "closest to the end user.'' Applications that work at Layer 7 are the ones that users interact with directly. A web browser (Google Chrome, Firefox, Safari, etc.) or other app - Skype, Outlook, Office - are examples of Layer 7 applications. Layer 6 - Presentation: The Presentation Layer represents the translation of application format to network format, or from network formatting to application format. In other words, the layer "presents" data for the application or the network. A good example of this is encryption and decryption of data for secure transmission - this happens at Layer 6. Layer 5 - Session: When two devices, computers or servers need to "speak" with one another, a session needs to be created, and this is done at the Session Layer. Functions at this layer involve setup, coordination (how long should a system wait for a response, for example) and termination between the applications at each end of the session. Layer 4 - Transport: The Transport Layer deals with the coordination of the data transfer between end systems and hosts. How much data to send, at what rate, where it goes, etc. The best-known example of the Transport Layer is the Transmission Control Protocol (TCP), which is built on top of the Internet Protocol (IP), commonly known as TCP/IP. TCP and UDP port numbers work at Layer 4, while IP addresses work at Layer 3, the Network Layer. Layer 3 - Network: Here at the Network Layer is where you'll find most of the router functionality that most networking professionals care about and love. In its most basic sense, this layer is responsible for packet forwarding, including routing through different routers. You might know that your Boston computer wants to connect to a server in California, but there are millions of different paths to take. Routers at this layer help do this efficiently. IP addresses work at Layer 3, the Network Layer. Layer 2 - Data Link: The Data Link Layer provides node-to-node data transfer (between two directly connected nodes), and also handles error correction from the physical layer. Two sublayers exist here as well - the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. In the networking world, most switches operate here. Layer 1 - Physical: The physical Layer which represents the electrical and physical representation of the system. This can include everything from the cable type, radio frequency link (as in an 802.11 wireless systems), as well as the layout of pins, voltages and other physical requirements. When a network problem occurs, many networking pros go right to the physical layer to check that all of the cables are properly connected and that the power plug hasn't been pulled from the router, switch or computer, for example.

What is PCAP File?

PCAP files are data files created using the program and they contain the packet data of a network - PCAP file can be view in Wireshark -Lipcap for Linux. Winpcap for Windows.

What port must be open for web server?

POP3: Mail server / 110 -- FTP: Mail server / 21-20 , SMTP: External access / 25 - HTTP: WEB PAGE /80 , SSL: enable Webpage and open 443 HTTPS.

How would you handle patch management?

Patch management is the process of managing a network of computers by regularly deploying all missing patches to keep computers up to date. It typically includes evaluating and testing patches before deploying them. - Leaving software and operating systems unpatched puts your organization at risk of serious security breaches. - Soon after a security update is released, cybercriminals are already on the move, looking to exploit any unpatched systems. Steps: -Vulnerability scanning -Patching schedule (off-hours patching) -Testing and monitoring

Penetration vs Vulnerability?

Penetration test is helping to identify and address the security vulnerability (External) Vulnerability is scan and look for bug or weakness of the system (Internal)

Penetration testing vs Software testing?

Penetration test is helping to identify and address the security vulnerability (External),. Software testing is focus on software function and security. (Internal)

Tell me about penetration testing...

Penetration testing also called pen testing or ethical hacking is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. These vulnerabilities may exist in operating systems, services and application flaws, improper configurations, or risky end-user behavior. This is an intentionally planned attack on a software or hardware system seeking to expose the inherent security flaws that may violate system integrity and end up compromising the user's confidential data. Primarily, penetration tests fall under five categories: · Network Services · Web Applications · Client-side · Wireless Networks · Social Engineering

How would you explain phishing to a non-IT person?

Phishing is a cybercrime in which a target is contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

What is phishing?

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

Port scanning and tools?

Port Scanning is one of the most popular techniques attackers use to discover services that they can exploit to break into systems. Common tools below: 1. Nmap. Nmap stands for "Network Mapper", it is the most popular network discovery and port scanner in history. ... 2. Unicornscan. Unicornscan is the second most popular free port scanner after Nmap. ... 3. Angry IP Scan. ... 4. Netcat. ...5. Zenmap

Rainbow Table Attack?

Rainbow table attacks are a type of attack that attempts to discover the password from the hash. However, they use rainbow tables, which are huge databases of precomputed hashes. It helps to look at the process of how some password crackers discover passwords without a rainbow table.

Explain the three-way handshake.

SHORTLY: TCP is a connection-oriented protocol. • The systems must go through a handshaking process to create a connection before transmitting data. • In the first step, the system originating the connection sends a packet with an SYN-flag set. This indicates that it would like to open a connection to the destination system. • Second, the destination system receives this packet and replies with another packet SYN-ACK • Finally, the original system receives the SYN/ACK packet and sends a final ACK-Flag to the destination. DETAIL: Because TCP is a connection-oriented protocol, systems must go through a handshaking process to create a connection before transmitting data. This process is known as the three-way handshake. In the first step, the system originating the connection sends a packet with a SYNflag set. This indicates that it would like to open a connection to the destination system. The destination system receives this packet and replies with another packet that does two things. It acknowledges the original connection request and then asks to open a reciprocal connection in the other direction. This packet has both the SYN and ACK flag set and is known as the SYN/ACKpacket. Finally, the original system receives the SYN/ACK packet and sends a final ACKto the destination system, completing the reciprocal connection. Once the three-packet sequence completes, the connection is open, and the systems may begin exchanging data. In TCP connection, flags are used to indicate a particular state of the connection or to provide some additional useful information like troubleshooting purposes or to handle a control of a particular connection. The most commonly used flags are "SYN", "ACK" and "FIN". Each flag corresponds to 1-bit information. Types of Flags: Synchronization (SYN) - It is used in the first step of the connection establishment phase or 3-way handshake process between the two hosts. Only the first packet from the sender as well as a receiver should have this flag set. This is used for synchronizing sequence numbers i.e. to tell the other end which sequence number they should except. Acknowledgement (ACK) - It is used to acknowledge packets which are successfully received by the host. The flag is set if the acknowledgement number field contains a valid acknowledgement number. The receiver sends an ACK = 1 as well as SYN = 1 in the second step of connection establishment to tell the sender that it received its initial packet. Finish (FIN) - It is used to request for connection termination i.e. when there is no more data from the sender, it requests for connection termination. This is the last packet sent by sender. It frees the reserved resources and gracefully terminate the connection. Reset (RST) - It is used to terminate the connection if the RST sender feels something is wrong with the TCP connection or that the conversation should not exist. It can get sent from the receiver side when the packet is sent to a particular host that was not expecting it. Push (PSH) - Transport layer by default waits for some time for application layer to send enough data equal to maximum segment size so that the number of packets transmitted on network minimizes which is not desirable by some application like interactive applications(chatting). Similarly transport layer at receiver end buffers packets and transmit to application layer if it meets certain criteria. This problem is solved by using PSH. Transport layer sets PSH = 1 and immediately sends the segment to network layer as soon as it receives signal from application layer. Receiver transport layer, on seeing PSH = 1 immediately forwards the data to the application layer. In general, it tells the receiver to process these packets as they are received instead of buffering them. Urgent (URG) -Data inside a segment with URG = 1 flag is forwarded to application layer immediately even if there are more data to be given to application layer. It is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received."

Explain how to make a SQL query to search a database?

SQL (Structured Query Language) is used to communicate with a database. It is the standard language for relational database management systems. SQL statements are used to perform tasks such as updating data on a database or retrieve data from a database.

Explain how an HTTPs session is established.

SSL session uses PKI, public key to exchange information needed to encrypt data for transit and restrict decryption to host at each end.

Does TLS use symmetric or asymmetric encryption?

SSL/TLS uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit. Asymmetric encryption is used to establish a secure session between a client and a server, and symmetric encryption is used to exchange data within the secured session.

What is the first three steps to secure a Linux server?

STEP 1 - Update your server. STEP 2 - Disable root access via SSH. STEP 3 - Change your SSH port. STEP 4 - Enable your firewall. STEP 5 - Check for open ports. STEP 6 - Read your logs.

What is static IP vs Dynamic IP?

Static IP; It is providing by ISP, It does not change / Dynamic IP; Provided by DHCP, Does change any time

What is the first three steps to secure a Web server?

Step 1 - Shut Down Access Step 2 - Patch Your Servers Step 3- Tightly Control User Access

What is the difference between symmetric and asymmetric encryption?

Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption uses different keys for encryption and decryption. Asymmetric encryption is commonly used to secure an initial key-sharing conversation, but then the actual conversation is secured using symmetric crypto. Communication using symmetric crypto is usually faster due to the slightly simpler math involved in the encryption/decryption process and because the session setup doesn't involve PKI certificate checking. Certificates are an important part of asymmetric encryption. The certificate includes public keys along with details on the owner of the certificate and on the CA (Certificate Authority) that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

Would you recommend Sysmon or standard windows log syslog for your environment?

Sysmon would be preferable since it gives you more information. The only problem is the cost and the storage.

Linux System log stores under= VAR/LOG

System activity Log data; It is mainly used to track the usage of authorization systems. It stores all security related messages including authentication failures. It also tracks sudo logins, SSH logins and other errors logged by system security services daemon. VAR/LOG/SYSLOG/

Explain the difference between TCP and UDP?

TCP (Transmission control Protocol) ; Connection Oriented, Guaranteed the Delivery, Reliable and Slower. / UDP (User Datagram Protocol); Connectionless, No Guaranteed Delivery Not Reliable and Faster

What is the difference between TCP and UDP?

TCP is connection - oriented, reliable, and guarantees the delivery with acknowledgement such as HTTP/HTTPS, SMTP, SSH. UDP is not reliable, no acknowledgement, and no re-transmission such as voice and video connections.The two main transport layer protocols are the Transmission Control Protocol, TCP, and the User Datagram Protocol, UDP. TCP is responsible for the majority of internet traffic. It is a connection-oriented protocol, meaning that it establishes connections between two systems before transferring data.TCP is also a reliable protocol that guarantees delivery by having the destination system acknowledge receipt of every packet. TCP's reliability makes it widely used for applications that require this guaranteed delivery, such as email and websites.The User Datagram Protocol, UDP, on the other hand, is a much more lightweight protocol that doesn't use this three-way handshake because it is not connection-oriented. Systems basically send data off to each other blindly, hoping that it is received on the other end. UDP does not perform acknowledgements, and therefore, cannot guarantee delivery. UDP is often used for applications like voice and video where guaranteed delivery is not as essential.

The TCP/IP Model

TCP/IP is an acronym that stands for Transmission Control Protocol/Internet Protocol. It is specifically designed as a model to offer a highly reliable and end-to-end byte stream over an unreliable internetwork. The TCP/IP Model helps you to determine how a specific computer should be connected to the internet and how you can transmit data between them. It helps you to create a virtual network when multiple computer networks are connected together. For more information click here.

What type of encryption method is used for an SSL handshake?

The handshake itself uses asymmetric encryption - two separate keys are used, one public and one private.

What is a PCAP file? Can you read a PCAP and explain what you saw there?

The PCAP file extension is mainly associated with Wireshark; a program used for analyzing networks. .pcap files are data files created using this program and they contain the packet data of a network. These files are mainly used in analyzing the network characteristics of certain data. These files also contribute to successfully controlling traffic of a certain network since they are being monitored by the program. The data and the results of the network analysis are saved using a pcap file extension which is why they are called pcap files. These files are used to determine network status, allowing analyzers to attend to problems that may have occurred on the network and allowing them to study data communications using Wireshark. Since Wireshark can be accessed in Windows, MAC and Linux, these pcap files can also be opened provided the appropriate applications used to open them are found on the system. Some common applications that can open pcap files are Wireshark, WinDump, tcpdump, Packet Square - Capedit and Ethereal.

TCP Header?

The Transmission Control Protocol (TCP) header is the first 24 bytes of a TCP segment that contains the parameters and state of an end-to-end TCP socket. The TCP header is used to track the state of communication between two TCP endpoints. Since TCP segments are inserted (encapsulated) in the payload of the IP packet the TCP header immediately follows the IP header during transmission. TCP does not need to keep track of which systems are communicating, it only needs to track which end to end sockets are currently open. Internet Protocol handles the logical addressing, routing and host-to-host connectivity. TCP uses port numbers on each side of the connection to track the connection endpoints, state bits such as SYN, ACK, RST, FIN, sequence numbers and acknowledgement numbers to track the communication at each step in transmission.

Windows Registry: What it is & what it is used for

The Windows Registry is a collection of databases of configuration settings for Microsoft Windows operating systems.

Phishing Analysis

The attacker sends an email to the victim, a targeted person, to have them click the URL or have them download the malicious file in their PCs. As a SOC analyst, once I reported a phishing case, the first thing I would look at is the phishing email header. Because the header shows me the details of this email such as, where it was sent, who was the actual sender, and also where it originated from in terms of the IP address. If there is any URL in the email body, first I analyze this. I hover over the hyperlink to see the original URL it will take me, and check if it is the same domain or not. If I see a different domain name other than what email is coming from, this is the time I should be suspicious of. And if this is the case, I will carefully copy this link and paste that into virustotal.com, anyrun.com, or any other online sandboxing solutions to see where that URL takes me. Also, this is very common that there might be an attachment in the phishing email asking you to download an important document such as your shopping invoice. By downloading and executing such an attachment, your host machine might be compromised. In order to analyze this attachment, I download it in my virtual environment and calculate the hash of this file. Later I submit the hash to virustotal.com. If there is a match on the hash, if ever been submitted on virustotal.com in the past, it will give me the report. If I think that the file belongs to my company and it might have some confidential information, so we have the Cuckoo Sandbox installed in our environment which is only available for our network, so I just submit the file into Cuckoo to get my result. After analyzing the file, if it is determined as malicious, this is a phishing case and I start my IR process.

What is the security advantage of using a proxy in front of a web server?

The proxy can be used to filter bad HTTP traffic. The proxy can look what is coming across separate from the webserver.

What can be typically found in a DMZ?

The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network and if its design is effective, allows the organization extra time to detect and address breaches before they further penetrate into the internal networks. Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:● Web servers● Mail servers● FTP servers● VoIP servers

Five Stages of an Evolving Advanced Persistent Attack

The whole purpose of an APT attack is to gain ongoing access to the system. Hackers achieve this in a series of five stages. 1 - Gain Access Stage 2 - Establish a Foothold 3 - Deepen Access 4 - Move Laterally 5 - Look, Learn, and Remain

How do you report RISK?

There are two way analyzing the risk. First, Quantitative = The business guys see the possible loss in numbers. Second, Qualitative= Technical and business guys need to analyst it.

Splunk Brute-Force Attack

There was a Brute-Force attack triggered by SPLUNK. I started looking this incident From the Notable evets. After looking raw logs. fail* password | stats count by src, dest, user, sourcetype | sort - count | where count > 2

What was the last ticket that you have escalated to T2?

There was a suspicious alert in QRadar from legitimate source IP 173.243.140.53 that belongs to Fortinet Firewall company attempt to establish an IRC chat session with our Next Generation Firewall. We pivoted IP(s) from IBM Ex-Force Exchange. We verified that it was a clean and unsuspicious IP address. Before escalating this case to Tier 2 analyst I did further investigation to figure out this case by myself. From initial search, I could not find any useful information. Then I communicated with Fortinet technical support team. They clarified that they do not use IRC chat with their clients. Therefore, it seemed that the incident was suspicious and needed to be escalated to Tier 2.

What was the last incident that you work on SPLUNK?

There was an alert by SPLUNK. From the Notable evets I start my investigation. There was internal user who connected to malicious website and attempted to downloading a file. Once he started downloading the file than it got block by our Fireeye-HX EDR. Since it was an internal user, I called him immediately and asked him couple of questions regarding the incident that he involve. He admitted that he wanted to download a PDF converter from a google search. He was not aware of malicious website. After this acknowledgement I started further investigation in Fireeye-HX. Fireeye-HX: Inspecting, Analyzing, and containing known or unknown threads at any endpoint. Where to look at on Fireeye: Tasks, processes, prefetch, Registry, Browser History, File Download History, DNS lookup events. Action Steps: • I contained the user machine. Because this machine is already infected and compromised as well. • I have checked Triage-Summary of this Incident and I have seen that this PDF Converter file had executable malicious file. During the downloading it ran and executed itself. Therefore, our Fireeye-HX is Blocked this action. • I have requested re-image for this machine from the networking team because we must make sure the malware will be removed from the user machine. • After containment request, I Opened a ticket in TheHive and write an executive summary and reported the case and have follow up.

What was the last incident that you work on QRadar?

There was an alert in QRADAR. First, I assigned it to myself. In the incident there was source IP was attempted to establish an IRC chat session with Next Generation Firewall. I examined the source IP address from IBM X-Force and verified that it was belongs to Fortinet. So, I communicated with Fortinet to figure out the situation. They verified that they are updating cloud based NGFW Firewall software. We examined our LSA with Fortinet and confirmed that they will provide the CeyberNow Labs in a quarter basis. This determined as true positive incident and there was no risk at all.

What is Hub, Switch and Router?

These network hardware devices are letting us connect to the internet. Hub= Not intelligent. When a data packet arrives, they just pass the packet to all the ports. Switch= They are intelligent devices. They are connecting two or more computers. Switch decide which computer sends Message directly to the right computer. The switch works on Layer 2. Router= The most intelligent among these 3 devices. The router is connecting two or more networks. The router can calculate the best route for sending data from one point to another one. They can redirect or reject the internet traffic.

Threat Intelligence Team:

Threat Intelligence Team: Some SOC teams (especially those with more resources) have developed a dedicated threat intelligence function. This role, which could be staffed by one or more analysts, would involve managing multiple sources of threat intelligence data, verifying its relevance, and collaborating with the larger threat intelligence community on indicators artifacts, attribution and other details surrounding an adversary's TTPs (tools, tactics, and procedures). For smaller teams (fewer than 5 members), it is recommended that they look for ways to automate the consumption of threat intelligence from reliable threat intelligence service providers, such as US CERT (United States Computer Emergency Readiness Team, which is part of DHS) and other vendor sources below: 1) AlienVault.com: Multiple sources including large honeynets that profile adversaries.2)CrowdStrike.com: Advanced threat intel as part of their threat protection platform.3) Cyveilance.com: Unique feeds on threat actors: indications of criminal intent.4) EmergingThreats.net: A variety of feeds.5) FireEye.com: DTI- Dynamic Threat Intelligence service.6) HackSurfer.com (SurfWatch): Insights tailored to your business.7) HexisCyber.com: Feed supports automated actions.8) Internetidentity.com: Threat feeds from their big data solution ActiveTrust.9) iSightPartners.com: ThreatScape series.10) LookingGlass.com: Maps of infrastructure, connectivity and ownership, plus threat intel.11) MalwareCheck.org: Intelligence on any URL.12)MatwareDomains.com: A list of domains known to be associated with malware.13) RedSkyAlliance.com: A vetted team of corporate computer incident responders and security professionals.14) RecordedFuture.com: Real-time threat intelligence from the web.15) SecureWorks.com: Provides feeds and also instrument networks.16) Synmantec.com: DeepInsight feeds on a variety of topics including reputation.17) Spytales.com: Everything there is to know about the past, present and future of spies.18) Team-Cymru.com: Threat intelligence plus bogon lists.19) TheCyberThreat: Our Twitter feed. High level but comprehensive and curated.20) ThingsCyber.com: The most critical lessons in cyber conflict and cybersecurity, relevant to your defense today.21) ThreatConnect.com: by Cyber Squared. Focused on information sharing.22) ThreatGrid.com: Unified malware analysis. Now part of Cisco.23) Threat IntelligenceReview.com: Updated reviews of threat intelligence sources.24) ThreatStop.com: Block Botnets by IP reputation.25) ThreatStream.com: Famous team. Multiple sources in an interoperable platform.26) ThreatTrack.com: Stream of malicious URLs, IPs and malware/phishing related data.27) Verisigninc.com: iDefense feed, highly regarded by some key institutions.28) https://www.darkreading.com/threat-intelligence.asp : Threat intelligence, news, analysis, discussions.29) Infosecurity Magazine : Threat intelligence, news and articles.30) https://krebsonsecurity.com : Security news and investigation.31)BleepingComputer.com - : News, Reviews, and Technical Support.See other related web references here: http://thecyberthreat.com/other-web-referencesNote that the SIEM secret sauce is threat intelligence. Dynamic threat intelligence is important to the SIEM, and the overall functioning of the SOC, and some SIEM tools have this feature. Without threat intelligence, your SIEM would have no alarms, and no interesting reports to review. While it would be nice to have no alarms to respond to (because that means nothing is wrong or you're on vacation), it basically means that there's no correlation or analysis being done on your raw event log data. Or, you may have some sample or DIY correlation rules as a starting point, but you're no longer looking for the latest threats because your threat intelligence hasn't been updated to include those from recent security intelligence. The point is threats are constantly evolving, cyber attackers are constantly upping their game, and so too must every good SOC. As new indicators and countermeasures are being discovered, collected, shared, analyzed and implemented, the more difficult it will be for the bad guys. Most threat intelligence sources are crowd sourced (where the cybersecurity community share information and collaborate on the latest threats and how to mitigate them) and proprietary (in the case where cybersecurity hardware and software vendors (e.g. including Anti-Virus, firewalls, IDS, etc.) offer their own proprietary threat intelligence, based on the information they collect from their customers and their own threat research teams).

How do routers work?

To put it simply, a router connects devices within a network by forwarding data packets between them. This data can be sent between devices, or from devices to the internet. The router does this by assigning a local IP address to each of the devices on the network.

How does traceroute work?

Traceroute ensures each hop on the way to a destination device drops a packet and sends back an ICMP error message. Traceroute can measure the duration of time between when the data is sent and when the ICMP message is received back. What protocol does it use? ICMP-0

What are some common HTTP attacks?

URL interpretation attacks (By manipulating certain parts of a URL, a hacker can get a web server to deliver web pages that they are not supposed to have access to), SQL injection attacks (The hacker is inserting their own code into a vulnerable website just to access the confidential data.), Input Validation attacks(An input validation attack occurs when an attacker deliberately enters malicious input with the intention of confusing an application and causing it to carry out some unplanned action.), Impersonation attacks(An impersonation attack is a form of fraud in which attackers pose as a known or trusted person to dupe an employee into transferring money to a fraudulent account, sharing sensitive information), Buffer overflow attacks(A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations.), Session Hijacking(In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system.), Cross-Site Scripting (Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end-user.)

EDR ALERTS INVESTIGATION AND ANALYSIS PROTOCOL

VALIDATION (Identification); Quickly review the alert to verify it is not a False Positive. Ask yourself these questions: •Is this an actual attack? •Was the attack attempt successful? •What happened on the endpoint/server that was attacked? •What is the severity of the malware or alerted activity at first glance? (will vary depending on your company/business nature) Analysis & Investigation Question you should ask: •Is the host compromised? •Was any sensitive data accessed? •Where did the attacks originate? As each incident has unique characteristics and evidence, and you need to exercise creativity and critical thinking to tackle the particular challenges each set of data presents. Information you need to pay attention to when analyzing malicious files in the alert: •Compromised User - local/domain • File name •File type (extension may tell which OS is this targeting). Check/google file type headers if unsure for the file header •Hash (MD5, SHA)- check with VirusTotal.com to gather data about the file hash. Google using "double quotes". Use Hybrid-analysis.com. Pay attention to the size of the recorded file and compare with your file size in FireEye. •File path - where was it saved in the system As you continue to investigate the incident and dig deeper, try to communicate with the user reported as compromised, and try to answer these questions: •How did a file get there? •Who previously logged in? • Was this file previously executed? To do that, you may check the URL history from the Audit Viewer in FireEye, check if there are any scheduled tasks in the system Please note: Cases often involve hostile actors who have a vested interest in not being discovered, giving you a disappearing evidence problem. Tracks will be hidden, and evidence could be deleted. The evidence of these events could be in various places, nearly all of which do not exist for investigative reasons. For example, when a program is executed, various places in the registry store it, depending on how it was run. You need to know about all of these places to make a conclusion. It's important to try to find alternative explanations of things and not stop at the first hypothesis. For example, imagine you found some malicious files in "\Users\Adel\Downloads." Before you conclude that Adel user actually downloaded it, you should (among other things) compare Adel's login times to the timestamps on the file. It could turn out that: Another user was logged in at the same time and had access to that folder. No user was logged in and a service was running that was exploited. A scheduled task ran at that time, reached out to a command and control server, and downloaded it.

Where are logs stored in Linux Operating System?

Var/log

Vulnerability scanning and tools?

Vulnerability scanning is a security technique used to identify security weaknesses in a computer system. Vulnerability scanning can be used by individuals or network administrators for security purposes, or it can be used by hackers attempting to gain unauthorized access to computer systems. Types of vulnerability scanners include: ● Port Scanner: Probes a server or host for open ports. ● Network Enumerator: A computer program used to retrieve information about users and groups on networked computers. ● Network Vulnerability Scanner: A system that proactively scans for network vulnerabilities. ● Web Application Security Scanner: A program that communicates with a Web application to find potential vulnerabilities within the application or its architecture. ● Computer Worm: A type of self-replicated computer malware, which can be used to find vulnerabilities.

What are the differences between vulnerability scanning and penetration testing?

Vulnerability scans look for known vulnerabilities in your systems and report potential exposures. Penetration tests are intended to exploit weaknesses in the architecture of your IT network and determine the degree to which a malicious attacker can gain unauthorized access to your assets.

Difference between VULNERABILITY and EXPLOIT?

Vulnerability= The weakness of the system or Bug in the system. Exploit= Take advantage of the vulnerability in the system.

How do you determine malicious activity based on traffic?

We can detect malicious activity by using IDS, IPS, DLP, SIEM, tools in our environment.

How can you identify the vulnerability of the network?

We can identify doing vulnerability scanning OR Penetration testing. We can identify it from internal and external.

Does your SOC run 24/7 shifts or some of the shifts are outsourced to the other country?

We run an internal SOC and work daytime only (8am - 6pm etc., hours are up to you), but SOC is accessible 24/7 and sometimes we do our late-night incident responses. It is not outsourced outside the US.

Can you tell me about the logs you investigate in Splunk?

We take mostly security logs in Splunk such as firewall, IPS/IDS, antivirus, EDR, Windows servers, Linux servers, Nessus, Web proxy logs, DNS logs, OS logs (security &amp; login logs), VPN logs, switch logs, Authentication logs, Picus logs [Breach and simulation logs], email server logs, Domain Controller logs, [Application logs, WAF logs, database logs (varsa) - bizde yok] - that's the short answer.

Vulnerability Analysis

We use Nessus to conduct vulnerability scanning of the environment. I work with system owners to define the scope and timing of the scan and also determine the type of scan (audit scan, ad-hoc scan). I run the scans on a regular cadence. I report the vulnerabilities along with recommended remediation plans to system owners and track this process using The Hive to keep everyone up-to-date and accountable to close the vulnerability within the expected time frame.

Tell me about a time when you worked in a team, what was your specific contribution to the success of the team?

We were working on a case with other team mates and we were trying to understand why we were not able to see and analyze this specific file , there was no content available, after getting it from our soc manager, then I figure out that we couldn't see it because it was cleaned by the fireeyehx. The soc manager send it to us directly after cleaned by fireeye and we couldn't see if the file was malicious.There is also an answer on the book:

Can you tell me your day-to-day responsibilities at your current company?

Well, I work on three major areas. The first one is incident handling. I have been using QRadar as a SIEM solution to detect abnormal activities within our CyberNowLabs network. I also use Splunk security essentials and Enterprise Security as a SIEM solution and had a chance to have an experience on it as well. As you know, QRadar and Splunk normalize logs coming from different sources and correlate these events and generate offenses or notables based on rules. As a SOC analyst, one of my duties is to go through those offences, analyze them, and try to find what has happened. Most of the time I would say number one offense that I see on QRadar or Splunk is firewall denies. So, I go to the related events and see if there was any firewall permit after that firewall denies traffic. If there is no permit, I close this offense as a non-issue. But if there is a firewall permit, I create a case because this is something serious and a big indicator that someone might be in our network. I start my IR process and create a ticket in our ticketing system The Hive. So, if I can handle it, I start the investigation, if not I escalate it to Tier 2 analyst. Another example I can give you is authentication failures that I see most of the time in our network. I go to each of these authentication failure offences and see if I can validate the activity by contacting the user. So, if the user validates it, we are good, if they don't have any idea then I focus on brute force attempt. As you know, brute force is a password attack type that tries different passwords on a targeted user to in order to access to the system as an intended user. If they become successful, they can easily login to our network, so they can escalate privileges from that point. We have FireEye HX and Carbon Black EDR solutions as well and I monitor it and if there is an alert I initially check it quickly and try to decide if I need to contain the host or not and then create a ticket in the Hive and go through the incident response process as well. (if the file is executed, then the host is compromised, if not then it is not compromised.) (Where to look at on Fireeye: Tasks, processes, prefetch, Registry, Browser History, File Download History, DNS lookup events) Phishing is another major area I work on. Phishing is a social engineering technique. It is a campaign done by attackers to lure the victim. So basically, the attacker sends an email to the victim, a targeted person, to have them click the URL or have them download the malicious file in their PCs. As a SOC analyst, the first thing I would look at is the email header in a phishing case. Because the header shows me the details of this email such as, where it was sent, who was the actual sender, and also where it originated from in terms of the IP address. You know, if there is any URL in the email body, I hover over the hyperlink to see the original URL, domain name of this link. If I see a different domain name other than what email is coming from, this is the time I start being suspicious of. And if this is the case, I will carefully copy this link and paste that into virustotal.com, anyrun.com or any other online sandboxing solutions to see where that URL takes me. Also, this is very common that there might be an attachment in the phishing email asking you to download an important document such as an invoice or a job application. By downloading and executing such an attachment, your host machine might be compromised. In order to analyze this attachment, I download it into my virtual environment and calculate the hash of this file or I can send the email as an attachment to [email protected] which gives me a detailed report about the file including its hash and if it is clean or malicious. If I think that the file belongs to my company and it might have some confidential information, so we have the Cuckoo Sandbox installed in our environment which is only available for our network, so I just submit the file into Cuckoo to get my result. After analyzing the file, if it is determined as malicious, this is a phishing case and I start my IR process. The third major area I work on is vulnerability management. I work on vulnerability reports to analyze weaknesses and the risk background and then work on a remediation plan with system owners. I use Nessus. As you know, Nessus is a vulnerability scanner. With a credentialed scan you can discover flaws in your systems and take necessary actions before someone exploit those vulnerabilities. Nessus gives you a report including the name and description of the vulnerability, also whether it can be exploitable or not. You can also use Nessus for audit scan to see if your systems are up to date according to a specific industry or government policy. So, I use Nessus to run a periodic scan. I get the list of the assets and create a policy then start my scan. Once the results are available, you will see all the vulnerabilities exist on the targeted system. As a SOC analyst, I review the scan result and provide my analysis on the report to the system owner. I then work with the system owner on remediation plan and make sure findings are fixed. We use an open source ticketing system which is called The HIVE and everybody has access to it. I assign a ticket to the system admin and once they update the ticket with a remediation action, then I will go ahead and rescan the system. This is pretty much the vulnerability management that we follow.

What happens when you type google.com in your browser?

When you type "google.com" 1- thing that happens is a Domain Name Server (DNS) matches "google.com" to an IP address. 2- the browser sends an HTTP request to the server and the server sends back an HTTP response. 3- The browser begins rendering the HTML on the page while also requesting any additional resources such as CSS, JavaScript, images, etc. Each request completes a request/response cycle and is rendered in turn by the browser. / 1. You enter a URL into a web browser, 2. The browser looks up the IP address for the domain name via DNS, 3. The browser sends an HTTP request to the server, 4. The server sends back a HTTP response, 5. The browser begins rendering the HTML, 6. The browser sends requests for additional objects embedded in HTML (images, css, JavaScript) and repeat steps 3-5. 7. Once the page is loaded, the browser sends further async requests as needed. That's really it. Here's a more detailed description regarding this website: When you type "google.com" into your browser the first thing that happens is a Domain Name Server (DNS) matches "google.com" to an IP address. Then the browser sends an HTTP request to the server and the server sends back an HTTP response. The browser begins rendering the HTML on the page while also requesting any additional resources such as CSS, JavaScript, images, etc. Each subsequent request completes a request/response cycle and is rendered in turn by the browser.

Difference between stored and reflected XSS?

XSS attacks can generally be categorized into two categories: stored and reflected. Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS. Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an email message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable website, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS. Input validation techniques at the server help prevent XSS attacks.

Are you familiar with web application attacks including SQL injection, cross-site scripting, and remote file inclusion?

Yes, I am familiar the concepts of these types' attacks: 1.SQL Injection: The hacker is inserting their own code into a vulnerable website just to access the confidential data. 2. Cross-site Scripting: This is a code injection attack that the hackers are injection their malicious code in client site scripting so that the attack will redirect to user to malicious website. 3.Remote file inclusion: An RFI occurs when a file from a remote server is inserted into a web page. This can be done on purpose to display content on a website from a remote website. The main difference between a SQL and XSS injection attack is that SQL injection attacks are used to steal information from databases whereas XSS attacks are used to redirect users to websites where attackers can steal data from them. SQL injection is data-base focused whereas XSS is geared towards attacking end users.

Have you monitored controls based on OSI layer 7 attack and threat indicators?

Yes, if there are any alerts trigged by the SIEM engine rules that means, it has already matched a rule or multiple rules that triggered this offense. After I look into the offense, look into IOCs (Indicator of compromise), check the payload and try to determine what type of attack is being detected/alerted for further investigation as needed. we have (NGFW) next generation firewall if there is any attack it comes to our SIEM solution attack like brute force this is one of the popular attack types that we are having. Basically our internal users are trying to access company environment through VPN When they attempt to access more than couple of times then it comes to our SIEM as a brute forced attacked typed brute forced attack usually happing by SSH port number which is 22 so, during the investigation I try to acknowledge with the user if he/she was the one who tried at that exact time frame after that I can confirm this case as false positive than I can open a ticket and write everything that I collect from the Preparation to Post-incident activity. Example: Port scanning, a method by which to identify vulnerable or open network ports, operates at layer 4 of the OSI model. Implementing effective firewalls and locking down ports only to those required can mitigate risks at this level. Example: Web application work on Application layer. OWASP Top 10 is addressing the most common attacks and vulnerabilities that expose the organization to attack.

So you run an internal SOC and manage 1 client?

Yes, we run an internal SOC, and manage 1 client - CyberNowLabs.

Possible signs of malware infection:

You might notice changes to the behavior of your computer or device, such as strange ads or pop-up windows. You may also notice unwanted changes to your browsers' behavior and changes to its homepage, a slower overall experience on your computer, and a sudden lack of storage space.

Why are you applying to this position?

Your Company's reputation is certainly a factor. I would be proud to work for a company with such a reputation in the industry. And I'm also confident that my experience in CyberSecurity would be fitting for the CyberSecurity Analyst position.So that's why I applied for this job - it seems like an opportunity to grow in my career, while working in the industry I'm most interested in. Also, since I've been doing this exact type of work for the past year in my current job, I'd be able to hit the ground running and start contributing immediately to your team's efforts.

Shodan,

a search engine for all ports within the internet, can help enterprises identify and lock down security vulnerabilities.

Liaison

describes a person or entity that helps to facilitate communication between two parties.

Secure Sockets Layer (SSL)

is a cryptographic protocol for managing authentication and encrypted communication between a client and server to protect the confidentiality and integrity of data exchanged in the session. Transport layer security(TLS) is the successor to SSL (although it is still commonly referred to as SSL).

TCPDUMP

is a data-network packet analyzer computer program that runs under a command line interface.

OpenVAS ( Open Vulnerability Assessment Scanner

is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. Open source FREE

DNS Tunneling

is a method of cyber-attack that encodes the data of other programs or protocols in DNS queries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNS server and used to control a remote server and applications.

A uniform resource locator (URL)

is a unique reference (or address) to an internet resource, such as a webpage.

Harvester

is designed to capture public information that exists outside of an organization's owned network.

/bin

is for "system administrator" commands.

Active directory

is the directory service database to store the organizational based data, policy, authentication.

Cryptography

is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents.

Information Security Governance (GSI)

is the system by which the information security activities of a particular organization are directed and controlled.

OSINT

or open-source intelligence TOOL, is the practice of collecting information from published or otherwise publicly available sources.

All local user account

passwords are stored inside windows. They are located inside C:\windows\system32\config\SAM

What is better for security, storing all logs locally or sending them to central SIEM tool.

sending them to central SIEM tool is always the better option. When attacker reach and delete the local copy, we will have the other copy stored in central SIEM tool.

Maltego

specializes in uncovering relationships among people, companies, domains, and publicly accessible information on the internet.

On Linux,

user account details and encrypted passwords are stored in /etc/passwd, but this file is universally accessible. Consequently, passwords are moved to /etc/shadow, which is only readable by the root user.

What is difference between IPS and Firewall?

• An IPS will inspect content of the request and be able to drop, alert, or potentially clean a malicious network request based on that content. • A firewall will block traffic based on network information such as IP address, network port and network protocol.

What is DHCP and How does it work?

• DHCP stands for dynamic host configuration protocol. • DHCP is automatically assign IP address. This way the devices can talk each other. How does DCHP works? 1) broadcast packet (DHCPDiscover) 2) respond with a DHCPOffer packet 3) broadcasting a DHCPRequest packet 4) DHCP server approves the lease with a DHCPACK (Acknowledgement) packet

What is DMZ?

• DMZ stands for Demilitarized zone. • DMZ isolate public facing server from internal servers. • When DMZ is compromise it will not affect your main network.

If the user clicked the malicious link (from the phishing email), what would be your actions? Do you provide any recommendations to the user after investigation is over?

• Disconnect your device from the internet immediately. Either by switching off the network connection on your device or unplugging the network cable. This will help to contain any malware infection. • Scan your machine using anti-virus/anti-malware software. Use the full-scan mode. Remain disconnected from the internet during the scan. • Change the user's passwords. • back up files somewhere safe.

How do you know the host is compromised?

• Exceptionally slow network activity, disconnection from network service or unusual network traffic. • A system alarm or similar indication from an intrusion detection tool • Suspicious entries in system or network accounting (e.g., a UNIX user obtains privileged access without using authorized methods) • Accounting discrepancies (e.g., someone notices an 18-minute gap in the accounting log in which there is no correlation) • Unsuccessful logon attempts • New user accounts of unknown origin • Unusual log entries such as network connections to unfamiliar machines or services, login failures. • New files of unknown origin and function • Unexplained changes or attempt to change file sizes, check sums, date/time stamps, especially those related to system binaries or configuration files • Unexplained addition, deletion, or modification of data • Denial of service activity or inability of one or more users to login to an account; including admin/root logins to the console • System crashes • Poor system performance - System appears to be slower than normal and less responsive than expected. (Note: Unexplained disk activity might be due to disk-related system maintenance such as disk file clean-up while the system is idle, this is completely normal.) • Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames/passwords • Port Scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts) • Unusual usage times (statistically, more security incidents occur during non-working hours than any other time) • An indicated last time of usage of a account that does not correspond to the actual last time of usage for that account • Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program)

Difference between FireEYE-HX and Carbon Black?

• FireEye is inspecting, analyze and contain known and unknown threats at any endpoint. • Triage Viewer to view known indicators of compromise. • FireEye detect MALWARE even if you are Offline. • HX (endpoint security) NX (Network Security) EX (Email Security). Carbon Black is Endpoint security tool; • Continuously recording and collecting everything • Much Faster than FireEye • For could platform. And better for threat hunting.

What is Difference firewall deny and drop?

• Firewall DENY is blocking the connection. Sends RST packet to requester. • Firewall DROP is dropping the request without informing to requester.

What is firewall?

• Firewall is network security system that monitor and control incoming and outgoing network traffic. Firewall works on layer 3 and 4. • Firewall is filtering the network or blocks ports or a program from unauthorize access.

What is Better approach for setting up a firewall?

• Modify default password of USERNAME/PASSWORD. • Display the remote feature. • Configuration of the ports-Port forwarding. • Install exiting DHCP server. • Enable the login. • Set up a solid security policy. Firewall setting from CMD for Windows - Firewall setting from CMD for Linux? get-net firewallrule-all OR netsh advfirewall -L ----- cat/ect/syslogconfiq/iptables

What is NIST?

• NIST Stands for National Institute of standard and technology. • NIST is computer incident handling guide. • NIST is assisting company to mitigate the RISK and IMPACT.

What port does PING use?

• PING use ICMP (internet control massage protocol) • PING does not use TCP or UDP. • ICMP has no port. • ICMP work over port 0 or 8 from echo requesting.

What is your understanding of stateful firewalls and able to interpret firewall rules?

• Stateful Firewalls doing filter packets based on the content of the network and check individual packets. • Yes, I can interpret firewall rules Basically, firewall rules define what kind of Internet traffic is allowed or blocked and also Firewall rules have a priority order that determines the order in which the rules are applied to network traffic. Example: FROM any TO all vms ALLOW tcp PORT 80 so, basically what we are saying here is to allow HTTP connections from any IP address to all instances in a data center.

What is the difference between stateful and stateless firewall?

• Stateless firewalls are designed to protect networks based on static information such as source and destination. • Stateful firewalls filter packets based on the full context of a given network connection, stateless firewalls filter packets based on the individual packets themselves.

How do you Identify theft prevention?

• Strong and unique password. • Protection of the confidential information. • Install advance security tool. • Update the system or the software.

What is TCP/IP

• TCP stands for transmission control protocol. • IP stands for Internet Protocol. • TCP and IP two main protocol for modern network. • TCP is responsible for the majority of the network. • IP is assigning number to network hardware to identify the device for communication purpose.

Patch Management Life Cycle

• Update vulnerability details from software vendors. • Scan the enterprise network for vulnerability. • Examine the Vulnerability and identify the missing patches. • Deploy patches and validate patch installation. • Generate Status Report on the latest patch updates.

How does Web-firewall work and where do you have to install it?

• WAFs sit between the clients and the web services they wish to connect to. Client connections are routed to the WAF where checks take place. • We should install it Front of Web server. WAF will detect SQL Injection attacks, Cross Site Scripting, Javascript attacks, RFI/LFI attacks etc.

if someone puts a USB in your computer and gets something How will you understand?

• Windows Registry Editor to check if a USB device was connected or not to your computer! • Windows Registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems.

Network Troubleshooting using PING, TRACERT, IPCONFIG, NSLOOKUP?

•Ipconfig= This Command Displays all the current TCP/IP Network. Basically, it gives basic information to get your IP addresses. (Default get way=ROUTER) •Ping= This Command allow us to send signal to another device to check the network connectivity. It does work over ICMP (internet control massage protocol) •Tracert= This command let us see step by step router the packet takes to the destination. •Nslooup= This command will fetch the DNS records and give you domain name and IP address. •Nmap (Network Mapper) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. •Netstat command displays network statistics netstat -a to see the list.

Basic responsibilities of A SOC Team:

● Implement and manage security tools. ● Investigate suspicious activities, contain, and prevent them. ● Reduce downtime and ensure business continuity. ● Plan security strategies. ● Audit and compliance support

How do you determine whether an email is a phishing email or not?

● The email looks suspicious and contain intimating message or too good to be true offers, sense of urgency, the unusual sender. Find the errors that should not be in a real/official email. ●Does the email contain an attachment? ●Does the email contain a URL? DO NOT click the link, hover over the link, and look at the bottom of the page to find the landing page. ●We can analyze the email header to find the sender's IP, email address in the return path, and domain. ●We can analyze the sender's information/Sandbox the attachment using open-source tools such as virustotal, any-run, hybrid analysis. ● OSINT tool= MxTool Box, AnyRun, Mail Header, VirusTotal. Hybrid Analyzer, Cuckoo, Joe Sandboxing.

EDR ACTION STEPS find the relevant host.

● put the host quarantine and isolate it from the network if necessary, ● take the file hash ● find the file path ● look at the triage summary ● look at the data acquire ● and then, start for the documentation,