SOC Interview Questions

The document contains 20 interview questions about security operations centers (SOC). A SOC is responsible for monitoring systems for malicious activity, detecting incidents, analyzing them, responding to and resolving incidents. Key SOC services include real-time analysis, incident analysis and response, artifact analysis, scanning and assessment, and threat hunting. A SOC's performance can be measured by its ability to detect, analyze, and respond to all stages of the cyber kill chain.

SOC Interview Questions

___________________________________________________________________________________

Q1: What does SOC mean?

A1: It stands for Security Operations Center. A SOC is responsible for monitoring,
detection, analysis, response, and restoration activities.

___________________________________________________________________________________

Q2: When can we say we have a SOC department?

A2: A SOC is a set of services; if we provide them, we can say we have a SOC. The services are:
• Real-Time Analysis
• Incident Analysis and Response
• Artifact Analysis (malware and memory analysis, etc.)
• Scanning and Assessment
• Threat Hunting

Hint: There are many services, but I have mentioned the most important ones.

___________________________________________________________________________________

Q3: How can we measure SOC performance? Or, when can we say we have a solid SOC?

A3: When the SOC can detect, analyze, and respond to any malicious activity at every stage of the cyber kill
chain.

___________________________________________________________________________________

Q4: What is the Cyber Kill Chain?


A4:

___________________________________________________________________________________
Q5: What are the incident response life cycle phases?

A5:
• Preparation: prepare the infrastructure to handle incidents by putting security
controls in place (IPS, IDS, firewall) and creating processes and procedures to handle incidents.
• Detection & Analysis: analyze the incident and make sure it is not a false positive. This covers
the signs of an incident, the sources of indicators (alerts, logs, people), and incident documentation.
• Containment & Recovery: stop the incident from spreading or increasing damage. An
essential part of containment is decision-making (e.g., shut down a system, disconnect it from the
network, disable certain functions).
• Post-Incident Activity: the learning and improving phase. Learn from the incident and modify
our security controls (IPS, IDS, firewall) to prevent it in the future.

___________________________________________________________________________________

Q6: What was the last incident assigned to you, and how did you handle it?

A6: This should not be asked given the lack of experience, but if it is, you could talk about labs you did
or the eCIR exam.

___________________________________________________________________________________

Q7: What is a SIEM solution?

A7: SIEM software works by collecting log and event data generated by an organization's
applications, security devices and host systems and bringing it together into a single centralized
platform where it can be searched. For example, Splunk and QRadar.

___________________________________________________________________________________

Q8: What is the difference between signature-based and behaviour-based detection?

A8: Signature-based detection compares a sample's signature against a list of known signatures, and if there is
a match it is blocked; this is also called static analysis.
Behaviour-based detection runs the code or program in an isolated environment and monitors it for
suspicious behaviour (e.g., the Chrome browser trying to launch CMD); this is also
called dynamic analysis or sandboxing.

___________________________________________________________________________________

Q9: How can you open and view Windows and Linux logs?

A9: Windows logs are viewed through Event Viewer (type "event viewer" in the search box).
Linux logs are stored under /var/log.

___________________________________________________________________________________
Q10: What are the types of Windows logs?

A10: All Windows logs are stored as events. By default, there are three types of events:
• Application events (e.g., any running application)
• System events (e.g., loading a driver)
• Security events (e.g., failed and successful logins)
There are also Sysmon and PowerShell logs, which we can enable.

___________________________________________________________________________________

Q11: How does DNS work? If we type a website name in the browser and hit enter, what happens in
the background? What is the process?

A11:
1. The PC checks for the website in the hosts file.
2. If it does not exist in the hosts file, it checks the browser cache.
3. If it does not exist in the browser cache, it queries the DNS server.
4. If the DNS server does not have it, the DNS server queries the parent DNS server
(e.g., the STC DNS) and so on.

Hint: DNS uses port 53.

___________________________________________________________________________________

Q12: What is the difference between DNS over TCP and DNS over UDP?

A12: All user queries (opening any website) use UDP, and that is normal behaviour.
Zone transfers (exchanging records between two DNS servers) use TCP because the
records are too big for UDP to handle (a UDP packet is smaller than a TCP one) and also for reliability.
Hint: DNS over TCP is suspicious and should happen only between DNS servers.
However, there are also suspicious UDP queries (see Question #18).

___________________________________________________________________________________

Q13: What are buffer overflow and SQL injection? And how do we protect against them?

A13: A buffer overflow occurs when a program or process attempts to write more data to a fixed-size buffer
than the buffer can hold. SQL injection sends SQL commands directly to the database to
retrieve hidden data. We can address both buffer overflow and SQL injection with input validation or
input sanitization.
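As an added example (not part of the original document), the SQL injection half of A13 in Python with sqlite3: a query that pastes user input into the SQL text leaks the hidden row, the parameterized version does not, and an allow-list validator rejects the input before any query is built. The table, rows and usernames are constructed for the example.

```python
import sqlite3

def build_db():
    """Constructed sample database: the 'admin' row is meant to stay hidden."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "alice-data", 0), ("admin", "admin-data", 1)])
    return db

def lookup_vulnerable(db, name):
    # Vulnerable: the user-supplied name is pasted into the SQL text, so a
    # quote in the input ends the string and the rest is parsed as SQL.
    sql = f"SELECT name, secret FROM users WHERE name = '{name}' AND hidden = 0"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # Hardened: the value is bound as a parameter and is never parsed as SQL,
    # whatever characters it contains.
    sql = "SELECT name, secret FROM users WHERE name = ? AND hidden = 0"
    return db.execute(sql, (name,)).fetchall()

def valid_username(name):
    # Input validation, the other control A13 names: an allow-list of the
    # characters a username may contain, checked before any query is built.
    return name.isalnum() and 1 <= len(name) <= 32

if __name__ == "__main__":
    db = build_db()
    injected = "x' OR 1=1 --"                  # constructed malicious input
    print(lookup_vulnerable(db, injected))     # both rows, including the hidden one
    print(lookup_parameterized(db, injected))  # no rows
    print(valid_username(injected))            # False
```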

___________________________________________________________________________________
Q14: What is the SMTP protocol port, and at which layer does it work?

A14: Port 25, and it works at the application layer.

Hint: All the protocols that have a specific port, as shown below, work at the application
layer.
ARP doesn't have a port, so it works at the network layer.

___________________________________________________________________________________

Q15: How do you check failed and successful logins in Windows?

A15: Successful logins through event ID 4624 and failed logins through event ID 4625.

___________________________________________________________________________________

Q16: How do you check network connections on a specific server?

A16: Through Sysmon logs, event ID 3.

___________________________________________________________________________________

Q17: What are the most important Sysmon logs?

A17:
• Event ID 1 → process creation
• Event ID 3 → network connection
• Event ID 7 → image loaded
• Event ID 11 → file creation

___________________________________________________________________________________

Q18: As an analyst, how can you identify suspicious DNS traffic over UDP (normal DNS
queries)?

A18: A normal DNS query goes to a known domain or website. If the query is going to an IP address,
then it is suspicious, and we can check that through the DNS record type. For example, if the DNS
record is A it means an IPv4 address, and AAAA means an IPv6 address.
Hint: https://ns1.com/resources/dns-types-records-servers-and-queries

___________________________________________________________________________________
Q19: Mention five activities that indicate malicious behaviour.

A19:
• RDP or SSH sessions during non-working hours.
• Remote login with admin or root accounts. (Users should log in remotely with a normal account
and then switch to the admin or root account if needed.)
• DNS queries to IP addresses.
• Process creation (Sysmon event ID 1).
• Scheduled tasks (event ID 4698 in Windows and crontabs in Linux).
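As an added example (not from the original document), a small Python triage pass that applies the A19 indicators to constructed sample records, using the event IDs from A15, A17 and A19 (4624 logons, 4698 scheduled tasks, Sysmon ID 1). The working-hours window, the admin account names and the use of 4624 logon type 10 for RDP (RemoteInteractive) are assumptions of this example; the sample events are constructed, not real logs.

```python
import ipaddress
from datetime import datetime

WORKING_HOURS = range(8, 18)        # assumption: 08:00 to 17:59 is the working day
ADMIN_ACCOUNTS = {"administrator", "root"}
RDP_LOGON_TYPE = 10                 # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample records (not real logs): the few fields an analyst
# would pull from Windows Security, Sysmon and DNS-query events.
EVENTS = [
    {"time": "2024-03-10T02:15:00", "source": "Security", "id": 4624,
     "user": "jdoe", "logon_type": 10},
    {"time": "2024-03-10T10:00:00", "source": "Security", "id": 4624,
     "user": "Administrator", "logon_type": 10},
    {"time": "2024-03-10T10:05:00", "source": "DNS", "query": "203.0.113.7"},
    {"time": "2024-03-10T10:06:00", "source": "DNS", "query": "www.example.com"},
    {"time": "2024-03-10T10:07:00", "source": "Security", "id": 4698,
     "user": "jdoe", "task": "\\Updater"},
    {"time": "2024-03-10T10:08:00", "source": "Sysmon", "id": 1,
     "user": "jdoe", "image": "C:\\Windows\\System32\\cmd.exe"},
]

def is_ip_literal(name):
    # A18: a query name that is a bare IP address rather than a hostname.
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def flag(event):
    """Return the A19 indicator an event matches, or None when it is benign."""
    hour = datetime.fromisoformat(event["time"]).hour
    src, eid = event["source"], event.get("id")
    if src == "Security" and eid == 4624 and event["logon_type"] == RDP_LOGON_TYPE:
        if hour not in WORKING_HOURS:
            return "rdp-outside-working-hours"
        if event["user"].lower() in ADMIN_ACCOUNTS:
            return "remote-admin-login"
    if src == "DNS" and is_ip_literal(event["query"]):
        return "dns-query-to-ip"
    if src == "Security" and eid == 4698:
        return "scheduled-task-created"
    if src == "Sysmon" and eid == 1:
        return "process-creation"         # listed in A19 as an activity to review
    return None

def triage(events):
    # (time, indicator) for every event that matches an A19 indicator.
    return [(e["time"], name) for e in events if (name := flag(e))]
```

Run `triage(EVENTS)` to see five hits; the query to www.example.com is the only record left unflagged.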

___________________________________________________________________________________

Q20: What do you think about local logins in a domain environment?

A20:
• When a user authenticates on a Windows endpoint, an Account Logon event is recorded. Note
that account logon events are recorded in the Security event log of the system responsible
for authenticating the user.
• When an account accesses a resource, a Logon event is recorded. Note that logon events
are recorded in the Security event log of the system being accessed.
• As you can imagine, if you spot account logon events on a machine other than the Domain
Controller, this is a sign of local user account usage.
• Local user account usage is abnormal in domain environments and can indicate a
compromise.
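As an added example (not from the original document), a Python check that implements the reasoning in A20: an account logon event seen on a host that is not a domain controller, or a logon event whose account domain is the machine name itself, points at local account use. It uses event ID 4776 (NTLM credential validation) as the account logon event and 4624 as the logon event; the host names, domain controller set and sample records are constructed for the example.

```python
DOMAIN_CONTROLLERS = {"DC01"}   # assumption: the hosts that authenticate domain accounts

# Constructed sample Security events (not real logs). 4776 is the account
# logon (credential validation) event, written on the system that did the
# authenticating; 4624 is the logon event, written on the system accessed.
# "domain" is the account's domain field: the AD domain for domain accounts,
# the machine name for local accounts.
EVENTS = [
    {"host": "DC01", "id": 4776, "user": "jdoe",   "domain": "CORP"},
    {"host": "WS07", "id": 4624, "user": "jdoe",   "domain": "CORP"},
    {"host": "WS07", "id": 4776, "user": "backup", "domain": "WS07"},
    {"host": "WS07", "id": 4624, "user": "backup", "domain": "WS07"},
    {"host": "FS01", "id": 4624, "user": "jdoe",   "domain": "CORP"},
]

def is_local_account_use(event, dcs=DOMAIN_CONTROLLERS):
    """True when the event shows a local (non-domain) account being used."""
    if event["id"] == 4776 and event["host"] not in dcs:
        # Credentials were validated by the endpoint itself, not by a DC:
        # exactly the "account logon event off the DC" sign from A20.
        return True
    if event["id"] == 4624 and event["domain"].upper() == event["host"].upper():
        # A logon whose account domain is the machine name is a local account.
        return True
    return False

def local_account_report(events, dcs=DOMAIN_CONTROLLERS):
    """Map host -> sorted local accounts seen there (hosts with no hits omitted)."""
    report = {}
    for e in events:
        if is_local_account_use(e, dcs):
            report.setdefault(e["host"], set()).add(e["user"])
    return {host: sorted(users) for host, users in report.items()}
```

On the sample data only WS07 shows local account use (the "backup" account); the domain account logons on DC01 and FS01 are left alone.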

___________________________________________________________________________________
