Mid-Level IR Engineer Questions Flashcards

1
Q

How would you detect incoming threats

A

Start with the trigger: a SIEM alert, an anomaly in firewall, endpoint or authentication logs, or a report from a user or another team. The first job is triage, confirming that the activity is real and not a false positive. Once confirmed, walk through the basic steps of pulling the relevant logs, establishing a timeline and documenting findings as you go, so that the evidence and your reasoning survive if the case is handed over. State that the Incident Response Policy dictates the classification, the response actions and the escalation path. Make clear to the interviewers that an incident responder acts in concert with the team: a confirmed threat is communicated early, not investigated solo while everyone else is kept in the dark.
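As an added example (not part of the original flashcards), here is detection logic of the kind described above, run over a handful of constructed sshd authentication log lines: it flags a burst of failed logins from a single source, raises the severity when a successful login from that source follows the burst, and carries the evidence lines forward so they can go straight into the investigation notes. The function names, the default threshold and window, the assumed log year and the sample lines are all assumptions chosen for illustration; the sshd message formats themselves are the standard OpenSSH ones.

```python
"""Brute-force detection over sshd auth log lines (added example, not from the original page)."""
import re
from collections import defaultdict
from datetime import datetime

# Standard OpenSSH sshd messages; the sample lines further down are constructed.
_TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
FAILED_RE = re.compile(
    _TS + r" (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    _TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample


def parse_auth_line(line):
    """Return {ts, host, user, src, outcome, raw} for a login event, or None for any other line."""
    for outcome, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return {"ts": ts, "host": m.group("host"), "user": m.group("user"),
                    "src": m.group("src"), "outcome": outcome, "raw": line}
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=120):
    """Flag source IPs with at least `threshold` failed logins inside a sliding window.

    A finding whose source later produced an accepted login is marked
    success_after_failures and given high severity: that is the one to escalate first.
    """
    events = [e for e in (parse_auth_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failed"]
        best = None  # (count, start_idx, end_idx) of the densest qualifying window
        start = 0
        for end, f in enumerate(failures):
            while (f["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, s, e_idx = best
        burst = failures[s:e_idx + 1]
        burst_end = burst[-1]["ts"]
        success = [x for x in evs if x["outcome"] == "accepted" and x["ts"] >= burst_end]
        findings.append({
            "src": src,
            "failed_logins": count,
            "users_targeted": sorted({f["user"] for f in burst}),
            "window": (burst[0]["ts"], burst_end),
            "success_after_failures": bool(success),
            "severity": "high" if success else "medium",
            # raw lines are kept so the evidence goes into the case notes unaltered
            "evidence": [f["raw"] for f in burst] + [x["raw"] for x in success],
        })
    return findings


def triage_note(finding):
    """One-line summary in the form an investigation log entry would take."""
    first, last = finding["window"]
    return (f"[{finding['severity'].upper()}] {finding['src']}: {finding['failed_logins']} failed "
            f"logins {first:%H:%M:%S}-{last:%H:%M:%S} against {','.join(finding['users_targeted'])}; "
            f"success afterwards: {'yes' if finding['success_after_failures'] else 'no'}")


# Constructed sample: one noisy source that eventually gets in, one benign user typo, one cron line.
SAMPLE_LOG = [
    "Mar 10 13:00:01 web01 sshd[2001]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Mar 10 13:00:09 web01 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2",
    "Mar 10 13:00:18 web01 sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 50003 ssh2",
    "Mar 10 13:00:27 web01 sshd[2004]: Failed password for invalid user oracle from 203.0.113.5 port 50004 ssh2",
    "Mar 10 13:00:35 web01 CRON[2005]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 10 13:00:44 web01 sshd[2006]: Failed password for deploy from 203.0.113.5 port 50005 ssh2",
    "Mar 10 13:00:52 web01 sshd[2007]: Failed password for deploy from 203.0.113.5 port 50006 ssh2",
    "Mar 10 13:01:03 web01 sshd[2008]: Accepted password for deploy from 203.0.113.5 port 50007 ssh2",
    "Mar 10 13:05:10 web01 sshd[2010]: Failed password for alice from 198.51.100.7 port 41000 ssh2",
    "Mar 10 13:05:20 web01 sshd[2011]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2",
]

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(triage_note(finding))
        for line in finding["evidence"]:
            print("    " + line)
```

The sliding window keeps the check cheap on large files, and the threshold and window are deliberately parameters: the right values depend on the environment, and tuning them against real log volume is part of the detection engineering work, not something to hard-code.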

2
Q

How do you stay up-to-date with the latest information security developments relating to incident response?

A

Share the sources you actually use: vendor and CERT advisories, CVE and threat-intelligence feeds, forensic and security blogs, mailing lists, forums, newsletters, conference talks and the social media accounts you follow when researching new threats. Be specific rather than generic, and make clear that you are always looking to learn more and evolve professionally.

3
Q

What operating systems are you familiar with?

A

At this level you should be proficient in both Windows and Linux/Unix environments, since most organizations run a mix. Knowing how each system is attacked matters, and so does knowing where each one keeps its evidence: Windows records to the Event Log (the Security, System, Application and PowerShell channels, plus Sysmon where it is deployed), while Linux/Unix systems write to syslog or journald, with authentication events in auth.log or secure depending on the distribution. Be honest about your proficiency, or lack of it, early on so that there are no false expectations.

4
Q

How important are system-wide security and vulnerability assessments?

A

Vulnerability assessment is an ongoing process rather than a one-off project, which is why organizations schedule daily, weekly and monthly checks across their systems. Most of the routine work is automated: scheduled, ideally authenticated, scans by a vulnerability scanner, with the results fed into the SIEM or a ticketing system for tracking and prioritization. Some checks still have to be done manually, such as configuration reviews and checking a newly disclosed vulnerability against the asset inventory. Researching issues and staying current with advisories is essential if you are going to keep up with malware and exploitation trends.

5
Q

How important are documentation and procedural responses?

A

The interviewers want to see that you understand how important the organization's procedures and documentation are. Mention that procedures must be kept up to date and that each document carries a version number showing when it was last revised. Contributors and authors should also be recorded so that the document history is properly managed and understood. Explain that procedural responses are vital because they determine how each scenario is handled, consistently and regardless of who is on shift.

6
Q

What are some of the steps that you take after an incident?

A

This process goes by many names: postmortem, root cause analysis, learning review, post-incident review and more. Give a brief outline of what you normally include in such a report: a timeline of the incident, which services went down and who was affected, how long the outage or compromise lasted, how it was detected and how long detection took, the root cause, who took part in the response and how the issue was ultimately contained and fixed.

Preventive actions are also part of the post-incident report. Be sure to mention that preventing a recurrence means fixing the root cause rather than the symptom, and recording what worked in the response plan and what did not. The response plan and detection rules can then be updated accordingly.
