SOC - technical q Flashcards
What does OSI stand for and what’s it used for?
Open System Interconnection, a framework that divides and details the steps on network communications
What are the 7 layers of the OSI model?
Application Layer – human-computer interaction layer
Presentation Layer – ensures that data is in a usable format and is where data encryption occurs
Session Layer – maintains connections and is responsible for controlling ports and sessions
Transport Layer – transmits data using transmission protocols (TCP/UDP)
Network Layer – decides the physical path the data will take
Data Link – defines the format of the data on the network
Physical – transmits the raw bit stream over the physical medium
What is the “Pyramid of Pain” model?
Ranks IOCs from the least valuable to the most valuable, with the bottom being trivial and the top being the most difficult.
What are the layers of the Pyramid of Pain?
TTP - Tactics, techniques and procedures
Tools
Network/Host Artifacts
Domain Names
IP Addresses
Hash Values
What is NIST and its purpose?
National Institute of Standards and Technology
Designed to help businesses understand, manage and reduce cyber security risks.
What are the steps of NIST?
Identify
Protect
Detect
Respond
Recover
What is Punycode?
Used by attackers to redirect to a malicious domain that looks legitimate. Punycode is a way of representing Unicode words that cannot be written in ASCII using only ASCII characters.
What is Any.Run?
A sandboxing service that executes samples so that we can review any connections, such as HTTP requests, DNS requests or processes communicating with an IP address.
What is Fuzzy hashing?
Allows you to perform similarity analysis to match two files with minor differences based on their fuzzy hashes.
What is Pass-the-Hash?
Exploits Single Sign-On (SSO) through NT LAN Manager (NTLM), Kerberos, and other authentication protocols.
What is MITRE ATT&CK?
A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The MITRE ATT&CK knowledge base is now a foundation used to develop models and methodologies in the private sector.
What is a vulnerability?
A flaw or a weakness in some part of a system's security procedures.
What is a threat?
A threat is a potential negative occurrence that can have consequences for a business operation/function/reputation.
What is a risk?
The probability that a particular threat will occur, either intentionally or accidentally.
What is the difference between asymmetric and symmetric encryption?
Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption requires a pair of keys using a public key to encrypt and a private key to decrypt the data.
What is the difference between UDP and TCP?
UDP (User Datagram Protocol) is a connectionless protocol.
TCP, on the other hand, is connection-oriented, best described as requiring a three-way handshake.
What is an IPS, and how does it differ from IDS?
IPS (Intrusion Prevention System) can prevent traffic, while IDS (Intrusion Detection System) can only detect traffic.
What is encoding?
Encoding ensures that different systems or programs can correctly interpret data in its proper format
What is encryption?
Encryption ensures the data is secure and that only those with an encryption key have access to the data
What is hashing?
Hashing maintains the integrity of the data
What is the CIA triad?
Security model with 3 principles:
Confidentiality
Integrity
Availability
How do you keep updated with information security news?
Twitter and websites like bleepingcomputer.com
Ports to know : FTP
20/21
Ports to know : SMTP
25
Ports to know : HTTP
80
Ports to know : HTTPS
443
Ports to know : POP3
110
Ports to know : Telnet
23
Ports to know : SSH
22
What does a SOC perform?
Monitor and analyse the organisation's computers and network to identify and mitigate threats.
A typical role would be to respond to security alerts and incidents, conduct investigations and implement security controls.
Talk through a TCP handshake?
SYN – the client picks a sequence number, which is sent in the first SYN packet
SYN-ACK – the server responds with the SYN and ACK flags set
ACK – final step, where the client acknowledges the response of the server and a connection is established
How would you approach a problem you have not seen before?
Google, ChatGPT, experienced colleagues and peers.
Next step once resolved would be to document the process and add it to the KB
Potential malicious binary – what do you do?
Use VirusTotal to check the file's hash and see if someone else has uploaded anything similar. Upload it to the database to see if it's a known malicious signature.
Can also load it into a contained environment to see if it exhibits malicious activity.
Tools like Process Explorer could help monitor its activity.
What is an EDR tool? Give examples.
FireEye, CrowdStrike and ESET
What is a true positive?
A true positive is a correct identification of a positive event.
What is a false positive?
A false positive is an identification of a positive event that is not actually happening
What is a false negative?
A false negative is when the system doesn't identify an issue when there isn't one
Scenario – a colleague has set up a customer facing webserver, how would you secure it?
Ensure it's fully patched
Configure the FW to allow only permitted traffic
Implement strong password policies for accounts
ACLs so that only users who need access have it
Logging and monitoring tools on the server
Perform pentests and regular VAs
WAF – place a WAF in front of the application
What is data leakage?
This is when data is leaked by unauthorised means due to internal errors
What are the common means of user authentication?
Username and password, PIN, biometrics
Something you know
Something you have
Something you are
What’s the importance of Domain Name System monitoring?
Helps prevent domain-based cyberattacks – DNS is a popular target for attackers
DDoS – where multiple requests are sent to crash a server
DNS poisoning – hackers insert false information into your DNS cache and spoof a version of your site
Name the tools you can use to secure a standard network?
FW, IDS, SIEM solution, VPNs, EDR, WAFs, VA, PT, policies and procedures, adopting frameworks
Describe the salting process and its application?
Password salting is a technique to protect passwords by adding a string of 32 characters and then hashing it. Salting prevents hackers from reverse-engineering passwords.
What’s the difference between penetration testing and software testing?
Software testing revolves around code review and secure coding practices
Pentesting simulates a full exploitation attack on a system/network
What is a man-in-the-middle attack?
This is a common attack where the attacker ‘listens’ to a two-way conversation.
Give examples of MITM attacks?
Rogue access points that trick nearby devices into joining their domain; the traffic can then be manipulated by the attacker.
ARP spoofing is when an attacker poses as another host and responds with its own MAC address, so that the attacker can sniff the private traffic between two hosts.
mDNS – multicast DNS is done on a local network using a broadcast, like ARP
DNS spoofing – where the attacker attempts to corrupt the DNS cache in an attempt to make other hosts access their site
Sniffing – using packet capture tools to try and intercept packets
Session hijacking – sniffing sensitive traffic to identify a user's session token
What is a payload attack?
Malicious code that is designed to execute a specific action
How do you prevent a MITM attack?
Strong encryption on APs
Strong router login credentials
Using VPNs
Force HTTPS
How would you secure a wireless access point?
Strong password and encryption
Up to date
FW
Don’t broadcast
VPN
Difference between VLAN and subnet?
VLAN is software based and subnets are hardware based.
VLANs create logical networks that are independent of the physical network topology.
VLANs are based on layer 2 and subnets are done at layer 3
What is the cyber kill chain?
This is a model for identifying cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.
What are the steps of the cyber kill chain?
Reconnaissance – harvesting email addresses, conference info etc
Weaponization – coupling an exploit with a backdoor into a deliverable payload
Delivery – delivering the weaponised bundle to the victim via email, web etc
Exploitation – exploiting a vulnerability to execute code on the victim's system
Installation – installing malware on the asset
Command & control (C2) – command channel for remote manipulation of the victim
Actions on objectives – the intruder accomplishes their original goal
What is SIEM?
Security Information and Event Management (SIEM) is a security solution that provides real-time logging of events in an environment – an example would be Sentinel.
What is TCP/IP Model?
Four-layer model that divides network communications into four distinct categories.
What layers does the TCP/IP model have?
Application Layer
Transport Layer
Internet Layer
Network Access Layer
What is ARP?
The Address Resolution Protocol (ARP) is a communication protocol used for discovering the Data Link Layer address, such as a MAC address, associated with a given Network Layer address, typically an IPv4 address.
What is DHCP?
Automatically assigns IP addresses and other communication parameters to devices connected to the network using a client–server architecture.
Explain OWASP Top 10?
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. (OWASP)
What is SQL Injection?
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
What is the difference between static and dynamic malware analysis?
Static analysis: the approach of analysing malicious software by reverse engineering methods without running it.
Dynamic analysis: the approach that examines the behaviour of malicious software on the system by running it.
What is ISO 27001?
ISO 27001 can help organisations reduce risk and optimise operations, due to clearly defined responsibilities and business processes.
What does PCI DSS stand for?
Payment Card Industry Data Security Standard
A set of security standards for handling major credit cards.