SOC - technical q

Question 1

What does OSI stand for and what’s it used for?

Answer 1

Open System Interconnection, a framework that divides and details the steps on network communications

Question 2

What are the 7 layers of the OSI model?

Answer 2

Application Layer – human-computer interaction layer

Presentation Layer – Ensures that data is in a usable formation and is where data encryption occurs

Session Layer – Maintain connections and is responsible for controlling ports and sessions

Transport Layer – Transmit data using transmission protocols (tcp/udp)

Network Layer – decides the physical path the data will take

Data Link – defines the format of the data on the network

Physical – transmit raw bot stream over the physical medium

Question 3

What is the “Pyramid of Pain” model?

Answer 3

Ranks the IOCs from the least valuable to the most valuable. Bottom being trivial to the top being most difficult

Question 4

What are the layers of the Pyramid of Pain?

Answer 4

TTP - Tactics, techniques and procedures

Tools

Network/ Host Artifact

Domain name

IP Addresses

Hash Values

Question 5

What is NIST and its purpose?

Answer 5

National Institute of Standards and Technology
Designed to help businesses understand, manage and reduce cyber security risks.

Question 6

What are the steps of NIST?

Answer 6

Identity

Protect

Detect

Respond

Recover

Question 7

What is Punycode?

Answer 7

Used by attackers to redirect to a malicious domain that looks legitimate. Punycode is a way of converting words that cannot be written in ASCII, into unicode ASCII coding.

Question 8

What is Any.Run?

Answer 8

Is a sandboxing service that executes samples, that we can review any connections such as http requests, DNS requests or processes communicating with an IP address.

Question 9

What is Fuzzy hashing?

Answer 9

Allows you to perform similarity analysis to match two files with minor differences based on fuzzy hash.

Question 10

What is Pass-the-Hash?

Answer 10

Exploits Single Sign-On (SS0) through NT Lan Manager (NTLM), Kerberos, and other authentication protocols.

Question 11

What is Mitre Attack?

Answer 11

Is a globally accessible knowledge base of adversary tactics and techniques used based on real world observations. The mitre attack knowledge base is now a foundation used to develop models and methodologies in the private sector.

Question 12

What is a vulnerability?

Answer 12

a flaw or a weakness in some parts of a system security procedure.

Question 13

What is a threat?

Answer 13

A threat is a potential negative occurrence that can have consequences for a business operation/function/reputation.

Question 14

What is a risk?

Answer 14

the probability that a particular threat will occur, either intentionally or accidently.

Question 15

What is the difference between asymmetric and symmetric encryption?

Answer 15

Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption requires a pair of keys using a public key to encrypt and a private key to decrypt the data.

Question 16

What is the difference between UDP and TCP?

Answer 16

UDP (user datagram protocol) is a connectionless protocol.

TCP, on the other hand, is connection-oriented, best described as requiring a three-way handshake

Question 17

What is an IPS, and how does it differ from IDS?

Answer 17

IPS (Intrusion Prevention System) can prevent traffic, while IDS (Intrusion Detection System) can only detect traffic.

Question 18

What is encoding?

Answer 18

Encoding ensures that different systems or programs can correctly interpret data in its proper format

Question 19

What is encryption?

Answer 19

Encryption ensures the data is secure and that only those with an encryption key have access to the data

Question 20

What is hashing?

Answer 20

hashing maintains the integrity of the data

Question 21

What is the CIA triad?

Answer 21

Model of security orders with 3 principles :

Confidentiality 
Integrity 
Availability 

Question 22

How do you keep updated with information security news?

Answer 22

Twitter and websites like bleepingcomputer.com

Question 23

Ports to know : FTP

Answer 23

20/21

Question 24

Ports to know : SMTP

Answer 24

25

Question 25

Ports to know : HTTP

Answer 25

80

Question 26

Ports to know : HTTPS

Answer 26

443

Question 27

Ports to know : POP3

Answer 27

110

Question 28

Ports to know : Telnet

Answer 28

23

Question 29

Ports to know : SSH

Answer 29

22

Question 30

What does a SOC perform?

Answer 30

Monitor and analyse the organisations computer and network, to identify and mitigate threats.
A typical role would be to respond to security alerts and incidents, conduction investigations and implement security controls.

Question 31

Talk through a TCP handshake?

Answer 31

Syn – the client picks a sequence of numbers, which is sent in the first syn packet
Syn-ack – server responds with a syn-ack flag set
Ack – final step, where the client acknowledges the response of the server and a connection is established

Question 32

How would you approach a problem you have not seen before?

Answer 32

Google, chatGPT, experienced colleagues and peers.
Next step once resolved would be to document the process and add to KB

Question 33

Potential malicious binary – what do you do?

Answer 33

Use VirusTotal to see virus hash, so see if someone else has loaded anything similar. Load it up onto the database to see if it’s a known malicious signature.
Can also load it into a contained environment to see if it exhibits malicious activity
Tools like Process explorer could help monitor its activity.

Question 34

What is EDR tool and give examples?

Answer 34

Fireeye, crowdstrike and eset

Question 35

What is a true positive?

Answer 35

A true positive is a correct identification of a positive event.

Question 36

What is a false positive?

Answer 36

A false positive is an identification of a positive event that is not actually happening

Question 37

What is a false negative?

Answer 37

A false negative is when the system doesn’t identify an issue when there isnt one

Question 38

Scenario – a colleague has set up a customer facing webserver, how would you secure it?

Answer 38

Ensure its fully patched
Configure FW for only allowed traffic
Implement strong password policies for accounts
ACL’s for users who need access only
Logging and monitoring tools on the server
Perform pentest and regular VA’s
WAF – place a WAF infront of the application

Question 39

What is data leakage?

Answer 39

This is when data is leaked by unauthorised means due to internal errors

Question 40

What are the common means of user authentication?

Answer 40

Username and password, PIN, biometrics

Something you know
Something you have
Something you are

Question 41

What’s the importance of Domain Name System monitoring?

Answer 41

Helps prevent domain based cyberattacks – DNS is a popular target for attackers

DDOS – where multiple requests are sent to crash a server

DNS poisoning - hackers insert false information into your DNS cache and spoof a version of your site

Question 42

Name the tools you can use to secure a standard network?

Answer 42

FW, IDS, SIEM solution, VPN’s, EDR, WAF’s, VA, PT, policies and procedures, adopting frameworks

Question 43

Describe the salting process and its application?

Answer 43

Password salting is a techniques to protect passwords by adding a string of 32 characters and then hashing it. Salting prevents hackers from reverse-engineering passwords.

Question 44

What’s the difference between penetrative testing and software testing?

Answer 44

Sofware testing revolves arounds code review and secure coding practices

Pentesting simulates a full exploitation attack on a system/network

Question 45

What is a man-in-the-middle attack?

Answer 45

This is a common attack where the attacker ‘listens’ to a two way conversation.

Question 46

Give examples of MITM attacks?

Answer 46

Rogue access points who can trick nearby devices to join its domain, the traffic can then be manipulated by the attacker.

ARP spoofing is when an attacker poses as another host and tries and respond with its own MAC address, where the attacker can sniff the private traffic between two hosts.

MDNS – multicast is done on a local network using a broadcast like ARP

DNS spoofing – where the attacker attempts to corrupt DNS cache in an attempt to make other hosts access their site

Sniffing – packet capture tools so try and intercept packages

Session hijacking - sniff sensitive traffic to identify session token for a user

Question 47

What is payload attack?

Answer 47

malicious code that is designed to execute a specific action

Question 48

How do you prevent a MITM attack?

Answer 48

Strong encryption on AP’s
Strong router login credentials
Using VPN’s
Force HTTPS

Question 49

How would you secure a wireless access point?

Answer 49

Strong password and encryption
Up to date
FW
Don’t broadcast
VPN

Question 50

Difference between vlan and subnet

Answer 50

VLAN is software based and Subnets are hardware based.

VLAN’s create logical networks that are independent of the physical network topology.

VLAN’s are based on layer 2 and subnets are done at layer 3

Question 51

What is the cyber kill chain?

Answer 51

This is a model for identification and cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective.

Question 52

What are the steps of the cyber kill chain?

Answer 52

Reconnaissance – harvesting email address, conference info etc

Weaponization – coupling exploit with backdoor into deliverable payload

Delivery – delivering weaponised bundle to the victim via email, web, web etc

Exploitation – exploiting a vulnerability to execute code on victims system

Installation – installing malware on asset

Command & control (C2) - command channel for remote manipulation of victim

Actions on objectives – intruder accomplishes their original goal

Question 53

What is SIEM?

Answer 53

Security Information and Event Management (SIEM), is a security solution that provides the real time logging of events in an environment - example will be sentinel.

Question 54

What is TCP/IP Model?

Answer 54

Four-layer model that divides network communications into four distinct categories.

Question 55

What layers does the TCP/IP model have?

Answer 55

Application Layer
Transport Layer
Internet Layer
Network Access Layer

Question 56

What is ARP?

Answer 56

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the Data Link Layer address, such as a MAC address, associated with a given Network Layer address, typically an IPv4 address.

Question 57

What is DHCP?

Answer 57

automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.

Question 58

Explain OWASP Top 10?

Answer 58

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. (OWASP)

Question 59

What is SQL Injection?

Answer 59

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

Question 60

What is the difference between static and dynamic malware analysis?

Answer 60

Static Analysis: It is the approach of analyzing malicious software by reverse engineering methods without running them.

Dynamic is the approach that examines the behavior of malicious software on the system by running it

Question 61

What is ISO27001

Answer 61

ISO 27001 can help organizations reduce risk, optimize operations within an organization due to clearly defined responsibilities and business processes

Question 62

What does PCI DSS stand for?

Answer 62

Payment Card Industry Data Security Standard

A set of security standards for handling major credit cards.