soa

Question 1

Front

Answer 1

Back

Question 2

What is an asset?

Answer 2

An asset is anything of value to an organization. This includes tangible items like database servers, SCADA systems, or firewalls, as well as intangible assets like customer data and intellectual property. Identifying and protecting critical assets is a core goal of cybersecurity.

Question 3

What is a threat?

Answer 3

A threat is any entity—internal or external—that has the capability and intention to exploit vulnerabilities. Examples include hackers, malware, disgruntled employees, or nation-state actors.

Question 4

What is a vulnerability?

Answer 4

A vulnerability is a flaw or weakness in hardware, software, or procedures that could be exploited by a threat actor. Think of it like a crack in a wall that weakens its defense.

Question 5

What is an exploit?

Answer 5

An exploit is the method or tool used to take advantage of a vulnerability. Exploits often include malicious code designed to achieve unauthorized access or control.

Question 6

What is risk in cybersecurity?

Answer 6

Risk refers to the likelihood that a threat will successfully exploit a vulnerability. It helps organizations prioritize their security measures by considering potential impact.

Question 7

What is an anomaly?

Answer 7

An anomaly is an unusual event or behavior in a system that could indicate a threat, such as large data transfers or access at odd hours.

Question 8

What is a security incident?

Answer 8

A security incident is any violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Question 9

What does a Tier-1 SOC Analyst do?

Answer 9

Tier-1 analysts, or triage specialists, monitor and review security alerts. They filter out false positives and escalate unresolved alerts to Tier-2 analysts.

Question 10

What does a Tier-2 SOC Analyst do?

Answer 10

Tier-2 analysts investigate more critical alerts, use threat intelligence (like IOCs), and confirm incidents. They escalate high-impact threats to Tier-3 if necessary.

Question 11

What does a Tier-3 SOC Analyst do?

Answer 11

Tier-3 analysts or threat hunters handle major incidents and advanced threats. They also conduct or supervise penetration testing and vulnerability assessments.

Question 12

What are the six NSM components?

Answer 12

Sensor, Parser, Integrator, Detector, Inspector, Actuator. Each component plays a role from data collection to action.

Question 13

What does a Sensor do in NSM?

Answer 13

Collects data such as logs or packets from network traffic or host systems. It initiates the monitoring process.

Question 14

What does a Parser do in NSM?

Answer 14

Processes and formats the raw data collected by sensors into a readable structure for analysis.

Question 15

What does an Integrator do in NSM?

Answer 15

Combines various parsed data streams into a unified dataset for comprehensive monitoring.

Question 16

What does a Detector do in NSM?

Answer 16

Analyzes integrated data to detect suspicious patterns or known threats.

Question 17

What does an Inspector do in NSM?

Answer 17

Performs detailed forensic analysis of detected threats or anomalies to understand root causes.

Question 18

What does an Actuator do in NSM?

Answer 18

Takes automated or manual action in response to incidents, such as isolating a device or alerting admins.

Question 19

Name a tool used for detection in NSM.

Answer 19

Snort or Suricata – both are intrusion detection/prevention systems used to identify malicious activity.

Question 20

Name a tool used for analysis in NSM.

Answer 20

Splunk – used for analyzing logs, visualizing data, and correlating events for threat detection.

Question 21

What is a SIEM?

Answer 21

A Security Information and Event Management system collects, aggregates, and analyzes log data to detect threats and support compliance.

Question 22

What is the push method in log collection?

Answer 22

The device or application sends log data directly to the SIEM.

Question 23

What is the pull method in log collection?

Answer 23

The SIEM retrieves log data from the device or application.

Question 24

What is Splunk used for?

Answer 24

It indexes and analyzes machine-generated data. Used for monitoring, searching logs, alerting, and compliance.

Question 25

How do users interact with Splunk?

Answer 25

Through a web interface where they can create searches, dashboards, and alerts.

Question 26

What are the phases of the threat intelligence lifecycle?

Answer 26

Requirements, Planning, Collection, Processing, Analysis, Dissemination, Feedback – a continuous process.

Question 27

What happens in the 'Defining Requirements' phase?

Answer 27

Identify what needs to be learned (e.g., threat actor profiles, targeted sectors). Drives all other stages.

Question 28

What is done in the Planning phase?

Answer 28

Determine how to meet the requirements, assign responsibilities, and allocate resources.

Question 29

What is the Collection phase?

Answer 29

Gather relevant data from internal systems, OSINT, dark web, commercial threat feeds.

Question 30

What happens in the Processing phase?

Answer 30

Convert raw data into a usable format by cleaning, normalizing, and deduplicating.

Question 31

What is done in the Analysis phase?

Answer 31

Draw insights, correlate threat activity, identify patterns, and assess risks.

Question 32

What is Dissemination in threat intelligence?

Answer 32

Deliver tailored intelligence to decision-makers or technical teams.

Question 33

Why is Feedback important?

Answer 33

Refines intelligence efforts, ensures relevance, and improves future outputs.

Question 34

What is abuse.ch?

Answer 34

A platform offering free threat intelligence on malware, botnets, and C&C infrastructure.

Question 35

What is malware?

Answer 35

Malicious software like viruses, worms, trojans, or spyware designed to harm systems or steal data.

Question 36

What is a backdoor?

Answer 36

Malware that allows attackers to bypass normal authentication to gain remote access.

Question 37

What is a botnet?

Answer 37

A network of infected devices controlled by a central attacker, often used for DDoS or spam.

Question 38

What is static analysis?

Answer 38

Examination of malware code or file properties without executing it (e.g., strings, headers).

Question 39

What is dynamic analysis?

Answer 39

Running malware in a sandbox or VM to observe its behavior.

Question 40

What is a sandbox?

Answer 40

An isolated virtual environment for safely analyzing potentially malicious software.

Question 41

Name a sandbox evasion technique.

Answer 41

Delaying execution (e.g., sleep calls), checking for VM artifacts, or requiring user interaction.

Question 42

What are the phases of the Vulnerability Management Life Cycle?

Answer 42

Asset Inventory, Information Management, Risk Assessment, Vulnerability Assessment, Reporting & Remediation, Respond.

Question 43

What is a CVE?

Answer 43

Common Vulnerabilities and Exposures – public list of known security flaws.

Question 44

What is CVSS?

Answer 44

Common Vulnerability Scoring System – provides a score (0–10) to rate vulnerability severity.

Question 45

What is CCE?

Answer 45

Common Configuration Enumeration – catalog of known insecure system configurations.

Question 46

What is CPE?

Answer 46

Common Platform Enumeration – standard naming of platforms like OS and software for vulnerability tracking.

Question 47

What are the NIST Incident Response phases?

Answer 47

Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity.

Question 48

What is the goal of the Preparation phase?

Answer 48

To reduce incident likelihood by training teams and setting up preventive controls.

Question 49

What happens in Detection and Analysis?

Answer 49

Identifying potential incidents through monitoring and verifying if they are real threats.

Question 50

What is done in Containment/Eradication/Recovery?

Answer 50

Limit the spread of threats, remove them, and restore systems to a secure state.

Question 51

What is Post-Incident Activity?

Answer 51

Review what happened, document lessons learned, and improve future response plans.

Question 52

What is the incident flow in a SOC?

Answer 52

Tier-1 triages the alert → Tier-2 investigates deeper → Tier-3 or IR team handles serious threats.

Question 53

What is the Cyber Kill Chain?

Answer 53

A framework describing the steps an attacker takes: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives.

Question 54

What is MITRE ATT&CK?

Answer 54

A knowledge base of adversary TTPs used by security teams to improve detection, response, and threat emulation.

Question 55

What is EDR?

Answer 55

Endpoint Detection and Response – security tech that monitors endpoints and automatically responds to threats.

Question 56

What is cyber threat hunting?

Answer 56

The proactive practice of searching for undetected threats in a system using hypotheses and telemetry.

Question 57

How does threat hunting differ from incident response?

Answer 57

Threat hunting is proactive and hypothesis-driven, while incident response is reactive and alert-driven.

Question 58

When is threat hunting typically adopted?

Answer 58

When organizations want to detect stealthy threats that bypass traditional tools like SIEM and EDR.