SOC Interview Questions and Answers Flashcards

1
Q
What is the CIA triad?
A

The CIA triad stands for confidentiality, integrity, and availability.
Confidentiality makes sure that only those authorized have access.
Integrity verifies that the data has not been altered or compromised and is accurate. Availability means the data is accessible when needed.

2
Q
What is a SIEM? What are some of its uses?
A

Security Information and Event Management.
It is a solution that is used to store log events and alerts and to manage those network events.

3
Q
What are the differences between symmetric and asymmetric encryption?
A

Symmetric encryption uses a single secret key for both encryption and decryption.

Asymmetric encryption uses a public key for encryption and a private key for decryption. Data encrypted with the public key can only be decrypted with the corresponding private key.

4
Q
What is worse, a false positive or a false negative?
A

A false negative is worse because it means detecting no threat when there is an actual threat.

5
Q
What is the difference between IDS and IPS?
A

An IDS will only alert about a potential incident, but an IPS will block the attempt.

6
Q
What are the different layers of the OSI model?
A

Physical, Data Link, Network, Transport, Session, Presentation, Application.

7
Q
What are IP and MAC addresses?
A

An IP address is an Internet address and a MAC address is a unique physical address. A network packet needs both to get to its destination.

8
Q
What are risk, vulnerability, and threat, and how do they relate to each other?
A

A vulnerability is a weakness or flaw.
A threat is a malicious or negative event that takes advantage of a vulnerability.
A risk is the probability of potential loss and damage when the threat does occur.
All affect CIA.
Risk = threat X vulnerability

9
Q
Explain the XSS attack. How do you prevent it?
A

Cross-site scripting is a web security vulnerability that allows an attacker to compromise a user's interaction with applications.

It can occur by injecting malicious JavaScript code.

Encode data on output and validate input on arrival.

10
Q
What is data protection in transit vs. data protection at rest?
A

Data at rest is inactive data not moving between networks (stored data).
Data in transit is moving data; it is being transferred between locations over a private network or the Internet.
Data in transit can be protected with encryption methods like HTTPS, SSL and TLS.
For data at rest you can monitor and audit the data.

11
Q

What is CSRF?

A

Cross-Site Request Forgery.
A web application vulnerability in which the server does not check whether the request came from a trusted client.

12
Q
Is encryption different from hashing?
A

Encryption is a two-way function that requires a key, and hashing is a one-way function that can be used to verify that the data has not been altered.
Encryption can be reversed; hashing cannot.

13
Q
What is the difference between black box testing and white box testing?
A

A black box test is a test that only considers the external behavior of the system; the internal workings of the software are not taken into account.

A white box test is a method used to test software taking into consideration its internal functioning.

14
Q
What is ARP poisoning? Can you explain with an example?
A

ARP Poisoning (also known as ARP Spoofing) is a type of cyber attack that involves sending (false) malicious ARP packets to a default gateway in order to change the pairings in its IP to MAC address table.

It’s a Man in the Middle (MitM) attack that allows attackers to intercep

15
Q
What is the difference between signature-based detection and anomaly-based detection?
A

Signature-based detection only generates alerts when it identifies an exact match of a known indicator, and it can detect malware.

An anomaly-based system can generate alerts when activity is outside an accepted range.

16
Q
What is ARP?
A

Address Resolution Protocol (ARP) is a protocol that enables network communications to reach a specific device on the network. ARP translates Internet Protocol (IP) addresses to a Media Access Control (MAC) address, and vice versa.

17
Q

What is SOC?

A

Security Operations Center: a centralized location where an organization's security professionals monitor and analyze the organization's computer systems and networks to identify and mitigate potential security threats.

18
Q

What does a SOC analyst do?

A

Actively monitoring network activity, responding to security alerts, and conducting investigations into potential security breaches.

19
Q

Do you have any experience in scripting or programming? If yes - what languages?

A

I have basic knowledge of PowerShell and am currently learning Python.

20
Q

Can you describe the difference between UDP and TCP?

A

UDP is connectionless and will not retransmit lost packets.
TCP is connection-oriented and retransmits lost packets.

21
Q

What is the TCP handshake?

A

SYN: the first step in the TCP handshake is the SYN packet.
SYN-ACK: the reply to the client request, with the SYN + ACK flags set.
ACK: in the last step the client acknowledges the response.

22
Q

How much command line (CLI) experience do you have (on any OS)?

A

I have been using the command line in Kali Linux, Ubuntu and Windows to complete labs. I have not mastered all the commands, but I do know how to rely on my resources to find the commands needed.

23
Q

What is the standard cyber incident response process or steps?

A

Preparation - have a plan in place
Detection - determine if an incident occurred
Containment, Eradication and Recovery - halt the effects, find the cause and restore services
Post-Incident Activity - lessons learned

24
Q

How would you approach a problem you’ve never seen before?

A

Google it, ask a colleague, research the issue. Most likely someone has seen this before.

25
Q

Once you’ve solved the problem not previously seen, is there anything you could do?

A

Document, document, document. If needed, write a KBA or SOP, or see if some existing procedures need to be changed.

26
Q

You are presented with a potentially malicious Windows binary, what are some steps you could take for basic analysis?

A

I would first search VirusTotal for the malware hash to see if anyone else has uploaded the same binary file. If not, upload it and see if it matches known threats.

27
Q

Have you utilized any SIEM tooling? If so, which one?

A

I have only had experience in my CIT course labs. We practiced with pfSense and Snort.

28
Q

Have you used any EDR/XDR tools? (endpoint detection and response)

A

I have not used them, but I know that they are tools used to give visibility of endpoints and assist in forensic investigations if the system is compromised.

29
Q

Can you explain the difference between true positive, false positive, and false negative?

A

A true positive identifies an actual threat.
A false positive identifies a positive event that is not actually happening.
A false negative doesn't identify an event, but there really is one.

30
Q

How do you keep yourself updated with information security?

A

HackRead,

31
Q

What are black hat, white hat and gray hat?

A

Black-hat hackers are those hackers who enter the system without taking the owners' permission.
White-hat hackers are also known as ethical hackers: good hackers.
Gray hat - a mix of both black and white; they don't have any malicious intent.

32
Q

What is MITRE ATT&CK Framework?

A

A knowledge base of attacks. It is a framework of known adversary tactics, techniques and common knowledge (ATT&CK), a kind of periodic table that lists and organizes malicious actor behavior in an accessible, user-friendly format.

33
Q

With which security event ID can a successful RDP connection be detected?

A

4624

34
Q

With which event ID can failed logons be detected?

A

4625

35
Q

What is a playbook?

A

Guidelines to handle incidents or alerts that let the analyst know what actions should be taken.

36
Q

What is Splunk?

A
  • SIEM tool used for searching, visualizing, monitoring and
    reporting data
  • Offers real-time insight into the data
37
Q

What is DLP?

A
  • Process of looking at data, classifying, prioritizing and
    understanding its risk
  • Whether the data is at rest or in transit
  • Monitoring and encryption
38
Q

What is residual risk?

A

The risk that remains after you implement some type of security control

39
Q

What is a firewall?

A
  • Device on the network that allows/blocks traffic based on a set of
    firewall rules
  • Host based or appliance based
  • Whitelisting / blacklisting
  • Shortfall is that known malicious actors are going to target known
    ports like 443 (HTTP over SSL)
40
Q

What is a security policy and why is it important?

A

A policy that defines the organization's approach to information security.
It defines a company's security guidelines, rules, procedures and measures for handling security events.

41
Q

What is Two-Factor Authentication?

A
  • Security concept that requires two forms of authentication before granting access to a system or account
  • Acts as an extra layer of security
  • Something you know (name/password), something you have (mobile device, security token, smart card), something you are (biometrics)