Technical Interview Flashcards
Vulnerability
Threat
Risk
A weakness on a system, application or network that can be exploited by a threat.
Examples:
Misconfiguration, default settings
Unpatched or outdated software
SMB v1, weak passwords.
How to find vulnerabilities:
Automated scanning software (Nessus, Qualys, Rapid7)
How to mitigate them:
Hardening of system settings
Patch and update
====
Threat:
Any potential negative event that is caused by a vulnerability and can result in harm.
====
Risk:
The likelihood of a vulnerability being exploited by a threat.
Risk is measured by the impact and the likelihood.
How will you manage an incident as an Incident Manager?
Use NIST SP 800-61
- Preparation
- Detection & Analysis
- Containment, Eradication & Recovery.
- Post-Incident Activity
Let’s take an email phishing incident:
1. Verify that the incident is indeed phishing activity and not some phishing simulation test (detection and analysis).
2. Identify the scope of the incident; how many users are affected and what kind of threats are associated with the phishing attack.
3. Contain by identifying the source and putting blocks in place to stop the flow of traffic.
- Eradicate: change passwords and clean all threat artifacts from inboxes and computers. Maybe take assets offline. Maybe wipe and re-image.
- Recover: unblock the user, bring assets back online and restore services.
- As always, postmortem to summarize the actions and what we learned - reinvent the wheel with new knowledge.
How will you respond to a suspected data breach?
Using the NIST Computer Security Incident Handling Guide, there would be a prepared incident response plan and a playbook to triage the incident.
- Verify that there is indeed a confirmed incident. Perform analysis to determine what kind of incident it is.
- Next I quarantine or stop the breach (“containment, eradication and recovery”), then verify that the breach was stopped.
- Then address any legal requirements afterwards if we have to notify any HIPAA customers or stakeholders.
- Finally, I conduct a postmortem meeting to discuss lessons learned and bake them back into our preparation phase.
How would you secure a server?
Use a CIS benchmark to perform general security hygiene and tackle the low-hanging fruit, based on the function and criticality of that server and the data on it.
Steps:
Disable unused services
Use a strong password and lockout policy
Close unused ports
Implement RBAC via GPO
Encoding
Encrypting
Hashing
Encoding is the process of converting data from one form to another according to a certain scheme, often for the purposes of standardization, speed, or compression. It’s not primarily meant for security and is easily reversible.
Hashing is the process of converting data into a fixed size of numerical or alpha-numerical value. It’s a one-way function, meaning the original data cannot be easily derived from the hash.
Encryption is a process that converts data into a cipher or encoded text to prevent unauthorized access. It uses a key to transform the data, and the data can be decrypted back to its original form using the appropriate decryption key.
Traceroute
Ping
Traceroute is a network diagnostic tool used to track in real-time the pathway taken by a packet on an IP network from source to destination. It also records the transit delays of packets across the network.
Ping is a computer network diagnostic tool used to test the reachability of a host on an IP network and to measure the round-trip time for packets sent from the source host to the destination. It uses ICMP.
Frameworks:
MITRE ATT&CK
NIST
MITRE ATT&CK is a universally accessible resource that outlines adversary tactics and techniques, based on observed real-world incidents. It’s utilized by the cybersecurity community for creating specific threat models and methodologies.
The NIST Framework is a collection of voluntary standards, guidelines, and recommended practices designed to manage cybersecurity-related risks. Its main resource is the Framework for Improving Critical Infrastructure Cybersecurity, also referred to as the Cybersecurity Framework.
SSL
TLS
SSL/TLS Handshake
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide secure communication over a computer network. They are most commonly used in applications like web browsing, email, and voice over IP (VoIP).
SSL is the older of the two protocols and is now largely deprecated due to known vulnerabilities.
TLS is the successor to SSL and offers improved security. When you see “HTTPS” in a web address, it signifies that the website is using TLS (or its predecessor SSL) to secure the communication between your browser and the website.
An SSL/TLS handshake is a process that begins communication between a client and server. It ensures that both parties verify each other, agree on a common encryption algorithm, and establish session keys for secure communication.
Anomalies and how to identify them
An anomaly refers to patterns in data that do not conform to a well-defined notion of normal behavior. In the context of cybersecurity, it might refer to any unusual behavior or patterns that could indicate a potential security breach.
Identifying anomalies typically involves building a model of what’s considered “normal” behavior, often through machine learning or statistical analysis. This might involve analyzing system logs, network traffic, or user behavior. Any data points or activities that significantly deviate from this model are flagged as anomalies. This method is often used in Intrusion Detection Systems (IDS).
What would you do first?
Compress and Encrypt
Compress first, then encrypt. Compression algorithms work by removing redundancy, while encryption algorithms aim to remove patterns to make data look random.
If you encrypt first, you might not be able to effectively compress the data later.
Cross-Site Scripting - XSS
Cross-Site Request Forgery - CSRF
Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications, where malicious scripts are injected into trusted websites. These scripts can steal user data, spread malware, or manipulate web content.
Defending against XSS generally involves:
- Input Validation: Ensure that all user-supplied data is checked and validated to allow only expected inputs.
- Output Encoding: Encode user-supplied data when it’s displayed back on the website, especially in places where user input could be interpreted as code.
- Content Security Policy (CSP): Implement CSP headers to restrict the sources from which scripts can be loaded, helping to prevent the execution of malicious scripts.
- Regularly Update and Patch: Regularly update and patch systems and libraries to fix any known vulnerabilities that might be exploited via XSS.
- Use of Security Headers: Security headers like X-XSS-Protection can help prevent reflected XSS attacks.
- Use secure development frameworks: Some modern web development frameworks like React.js auto-escape HTML inputs, providing a certain level of protection against XSS.
Cross-Site Request Forgery (CSRF) is a type of cyber attack that tricks a victim into making an unwanted action in a web application they’re authenticated in, often leading to data loss, theft, or malicious function execution.
Defense:
- Use Anti-CSRF Tokens: Include unique, unpredictable tokens in each HTTP request to ensure the request is made intentionally by the user.
- SameSite Cookie Attribute: Configure your application’s cookies to use the SameSite attribute, which prevents the browser from sending cookies along with cross-site requests.
- Implement CAPTCHA: CAPTCHAs can ensure a real user is making the request, although they can be cumbersome for the user.
- Check HTTP Referer Headers: Validate that the request came from an authorized page.
- Use a robust web application firewall (WAF): A WAF can help to block CSRF attacks by identifying and filtering out malicious requests.
How can a threat actor maintain persistence?
Registry Keys: Malware can create or modify registry keys to ensure automatic execution during system startup or login.
Startup Folder: Malicious files can be placed in system startup folders, allowing them to run when the user logs in.
Scheduled Tasks: Malware may create scheduled tasks that trigger at specific times or events, ensuring persistence and regular execution.
How do you stay current with threats and vulnerabilities?
I regularly attend industry conferences, participate in webinars, and engage in online forums to learn about the latest developments. I also follow trusted sources such as security blogs, whitepapers, and podcasts.
US-CERT, National Vulnerability Database, SecurityFocus, SANS Internet Storm Center, Krebs on Security, Malwarebytes Labs, The CyberWire, Dark Reading, ThreatPost, Security Weekly Podcast
Explain how you will prioritize and escalate incidents
- Initial Assessment: Evaluate incident severity based on data sensitivity, system criticality, and potential business impact.
- Classify incidents into predefined levels based on urgency and importance to determine their priority.
- Incident Prioritization: Assign priorities based on potential damage, operational risk, compliance, and customer impact. Address high-priority incidents first.
- Resource Allocation: Allocate personnel, tools, and infrastructure based on incident priorities. Ensure skilled personnel are available to handle critical incidents efficiently.
- Escalation Criteria: Establish clear criteria for incident escalation, considering complexity, potential impact escalation, and lack of resolution progress.
- Escalation Process: Establish a clear, defined process for escalation, including levels, channels, and designated individuals for effective communication.
- Maintain transparent communication with stakeholders, including management, teams, and relevant parties. Provide regular updates on incident status, progress, and resolution efforts.
- Continuous Monitoring: Monitor incident progress, re-evaluate priorities if needed, and adjust resource allocation and escalation as required.
What are TTPs?
TTP stands for “Tactics, Techniques, and Procedures” used by threat actors in cybersecurity.
It refers to the knowledge of attack methods, hacker tools, and processes used to compromise systems and networks.
Understanding TTPs is vital for incident response and implementing preventative measures.
Example:
Reconnaissance
Tools: Maltego, Shodan, Recon-ng
Purpose: These tools help threat actors gather information about target systems, networks, and individuals by exploring public data sources, conducting network scanning, and performing OSINT (Open-Source Intelligence) analysis.
Exploitation
Tools: Metasploit Framework, Cobalt Strike, ExploitDB
Purpose: These tools provide pre-built exploits and payloads to identify and exploit vulnerabilities in target systems or applications. They assist threat actors in gaining unauthorized access or control over the compromised systems.
Persistence
Tools: PowerShell Empire, Covenant, Metasploit Post-exploitation modules
Purpose: These tools help threat actors establish persistence in compromised systems. They provide capabilities for maintaining control, creating backdoors, and ensuring persistent access even after initial compromise.
Lateral Movement
Tools: BloodHound, Mimikatz, Responder
Purpose: These tools assist threat actors in moving laterally through a network by compromising additional systems. They rely on weak credentials, pass-the-hash attacks, or trust relationships to escalate privileges and gain access to other systems.
Data Exfiltration
Tools: APT34’s “Poison Frog” tool, HTRAN, WinRAR
Purpose: These tools enable threat actors to steal and extract sensitive data from compromised systems. They may employ encryption, compression, or covert channels to exfiltrate data while evading detection or bypassing security controls.