Cybersecurity analyst (SOC analyst) interview questions and answers
Information is one of the best cybersecurity tools we have. However, to gain usable information, we need to have huge amounts of incoming raw data to parse. This is where analysts come in: They can reduce the incoming noise to figure out what data is important and then figure out what it's telling us.
Security Operations Center (SOC) analysts are among the earliest defenses protecting organizations from harm, and a lot is involved in performing their duties: Making judgment calls on what paths to follow, what threats are real and figuring out where we go from here are only some of the decisions they make daily. Because of this, they need to know about multiple disciplines and what solutions can cover a lot of ground.
Today we'll be going over ten questions that SOC analysts may face during interviews and why these issues are so important.
1. How would you monitor hundreds of systems at once?
No matter how fast a person is on a keyboard (and there are some out there that are just blurs), being able to review information coming in from hundreds or thousands of systems at once is extremely difficult to do by hand. Fortunately, we have numerous tools at our disposal for status tracking and preliminary filtering to get us to a known good baseline. This way, we aren't jumping the second a CPU hits 100%, or a ping stops for a minute because it's rebooting for scheduled updates.
Tools such as Spiceworks, Solarwinds, LANSweeper and PRTG, to name just a few, can help us keep track of what is touching our network and keep track of services, hard drive space, website health and so very much more. We can also utilize security information and event management (SIEM) to aggregate logs and other data so that we have a single point of reference to see if something strange is happening. Setting up these tools ahead of time will allow us to react as quickly as possible when things do not go as expected.
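To show what "a known good baseline" looks like in practice, here is an added example that is not part of the original article and not from any of the tools named above: a small Python monitor that takes per-minute readings from two constructed hosts (`web01`, `db01`), fires a CPU alert only after three consecutive readings at or above the threshold, and suppresses unreachable alerts during an assumed maintenance window. The host names, window and readings are all made up for the example.

```python
from dataclasses import dataclass


# Constructed sample telemetry (not from a real environment): one reading per minute per host.
@dataclass
class Reading:
    minute: int        # minutes since the start of the capture
    cpu_pct: float     # CPU utilisation reported by the agent
    reachable: bool    # did the ping/health check succeed?


# Assumed maintenance windows: host -> range of minutes in which a patch reboot is scheduled.
MAINTENANCE = {"db01": range(120, 150)}

# web01: a one-off CPU spike at minute 3, then a sustained run at minutes 6-8.
WEB01 = [Reading(m, cpu, True)
         for m, cpu in enumerate([20, 25, 30, 100, 40, 35, 97, 98, 99, 50])]

# db01: unreachable while rebooting inside its window (121-123), and again outside it (200-203).
_DOWN = {121, 122, 123, 200, 201, 202, 203}
DB01 = [Reading(m, 10, m not in _DOWN)
        for m in list(range(118, 126)) + list(range(199, 205))]


def evaluate(host, readings, cpu_threshold=95.0, sustained=3):
    """Return a list of (minute, message) alerts for one host.

    A CPU alert fires only when `sustained` consecutive readings are at or above
    the threshold, so a momentary 100% does not page anyone.  An unreachable
    alert needs the same number of consecutive failed checks and is suppressed
    entirely inside the host's maintenance window.
    """
    alerts = []
    hot = down = 0
    window = MAINTENANCE.get(host, range(0))
    for r in readings:
        hot = hot + 1 if r.cpu_pct >= cpu_threshold else 0
        if hot == sustained:   # fire once, on the reading that completes the run
            alerts.append((r.minute,
                           f"{host}: CPU >= {cpu_threshold:g}% for {sustained} consecutive readings"))
        if r.reachable or r.minute in window:
            down = 0           # healthy, or an expected reboot: reset the counter
        else:
            down += 1
            if down == sustained:
                alerts.append((r.minute, f"{host}: unreachable for {sustained} consecutive checks"))
    return alerts


def fleet_view(fleet):
    """Aggregate per-host alerts into the single view a SIEM dashboard would show."""
    return {host: evaluate(host, readings) for host, readings in fleet.items()}


if __name__ == "__main__":
    for host, alerts in fleet_view({"web01": WEB01, "db01": DB01}).items():
        print(host, alerts or "no alerts")
```

Run as a script it prints one line per host; the spike at minute 3 and the reboot inside the window produce nothing, while the sustained run and the unexpected outage each produce exactly one alert. A real SIEM rule does the same thing with correlation windows and asset tags instead of a hard-coded dictionary.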
2. How long would you wait before deploying a critical update?
There are two schools of thought about critical updates. One is that any update that is considered critical needs to go out immediately to prevent any further damage. The other is that we must wait to ensure that the cure doesn't cause more problems than what it's fixing. In either scenario, we want a test environment to ensure everything works as expected before deploying to production whenever possible.
I say whenever possible because 90% of the time, this is the responsible thing to do — especially if the product we are patching may not have the best track record for updates being all good right out of the gate. Sometimes we have to wait for the update to the update to the update to the hotfix before it actually does what it's supposed to do. However, the other 10% of the time, something in our environment DEMANDS this fix, and we desperately need it right now.
We also need a way to revert out of it, though, if things go utterly sideways.
3. Where would you use an IDS versus an IPS?
We must first remember the basic differences between an intrusion detection system (IDS) and an intrusion prevention system (IPS). An IDS, whether host- or network-based, monitors various baselines or looks for known threats. If something significantly different starts happening, it will throw up an alert. An IPS also uses baselines and signatures, but if it detects something happening, it will attempt to block it.
To look at this differently, picture an IDS as a fire alarm and an IPS as an emergency sprinkler. The IDS will let us know that something bad is happening, so we can take action to resolve it, while the IPS will try to take care of it by itself — even though it may also cause harm.
Both IDS and IPS systems are critical to security, and each excels over the other in certain scenarios. For example, an IDS could be ideal if we don't want to tip off malicious users that we have discovered what they are doing. This allows us to track their movements and potentially give them false information. On the flip side, if we are in a situation where having systems go down is the safer alternative to unauthorized access, an IPS may very well be the better choice.
4. Why do we still want to have admins daily drive a standard user account, even if we already scan every file for threats at the server level?
There are many reasons, but let's look at one possible attack vector—email. We sometimes assume that the file sent by someone is the same file received on the other end nearly instantly. However, like it or not, files can change in flight or be hidden in something else. Every once in a while, we see basic examples of this when users change compressed files such as .zip to .piz to get around firewall rules. The person on the other end changes the file type back and then opens it up to reveal whatever is inside—malicious or not.
This at least requires some form of active modification on the part of the user. Still, if we are dealing with something stealthier such as steganography, things become significantly more difficult to track. For example, we send out a high-resolution logo for review—a relatively large file, but it's still an image. There are techniques for hiding malicious code within images so that when the picture is opened, it starts running the payload. If we are running as a privileged user, that payload suddenly becomes significantly more dangerous than it would be if we were just a regular user.
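Two of the checks a gateway or endpoint rule can run against the cases above, as an added example that is not part of the original article: identify an attachment by its leading bytes rather than its extension (so a `.zip` renamed to `.piz` is still a zip), and for PNG files count any bytes that sit after the `IEND` chunk, which a picture viewer never reads and a clean file never has. The sample zip and the 1x1 PNG are constructed in the script; the signature table and the extension map are assumptions chosen for the example.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# File signatures ("magic bytes") checked in order; first match wins.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (PNG_SIG, "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
# What each claimed extension should sniff as (assumed mapping for the example).
EXT_TO_TYPE = {"zip": "zip", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf", "gif": "gif"}


def _ext(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def sniff_type(data):
    """Identify the real container format from its leading bytes, ignoring the filename."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename, data):
    """True when the bytes are a known format but the extension claims something else."""
    actual = sniff_type(data)
    return actual != "unknown" and EXT_TO_TYPE.get(_ext(filename)) != actual


def png_trailing_bytes(data):
    """Bytes after the IEND chunk (None if not a PNG). A clean PNG has 0;
    anything more is data the image decoder never looks at."""
    end = data.find(b"IEND")
    if not data.startswith(PNG_SIG) or end == -1:
        return None
    return len(data) - (end + 4 + 4)   # 4-byte chunk type + 4-byte CRC close the chunk


def scan_attachment(filename, data):
    """Combine the checks into the findings a mail gateway or EDR rule would log."""
    findings = []
    if extension_mismatch(filename, data):
        findings.append(f"{filename}: extension '.{_ext(filename)}' but content is {sniff_type(data)}")
    trailing = png_trailing_bytes(data)
    if trailing:
        findings.append(f"{filename}: {trailing} bytes appended after PNG IEND")
    return findings


# --- constructed samples ----------------------------------------------------
def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png():
    """A valid 1x1 greyscale PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_zip():
    """A small zip archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed sample archive")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_attachment("quarterly.piz", make_zip()))
    print(scan_attachment("logo.png", make_png() + b"APPENDED-SAMPLE"))
```

Neither check proves a file is malicious: a mismatched extension is often a user working around a filter, and trailing bytes can be harmless metadata. They are cheap triage signals that tell an analyst which attachments deserve a closer look, and they work regardless of what the sender named the file.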
5. A server has become compromised, and the server owner wants to shut it down to prevent further threats. Why might this be a bad idea?
Some malicious activity can be detected only in volatile memory (RAM), which is lost the moment power is removed. If the system is powered down per standard practice, we may lose the capability to give it a forensic examination. Unplugging it from the network may be enough to prevent further infections, but this judgment call can only come from what is happening at the time.
6. When would we want to use a black hole?
Although it may be tempting sometimes to use a traditional space-based black hole to get rid of the endless cables piling up in the corner, black hole routing enables significant protections against distributed denial-of-service (DDoS) attacks. When activated, all traffic meeting particular criteria, whether malicious or not, will be routed to a null route — a route that doesn't go anywhere — and be dropped. This can be a highly effective tool when under attack and there is no other way to deal with it. At the same time, however, we could be flushing out good traffic with the bad, so we need to use it sparingly or have it dialed in as best we can. Having historical data can help significantly because we can tell if particular IP addresses typically talk to us or not.
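The "dialed in" part above is where the historical data earns its keep. As an added example (not from the original article or from any vendor's product), the Python below takes a constructed 30-day history of which sources normally talk to us, a constructed list of top sources seen during a flood, spares any source with a track record, collapses the rest into a /24 when enough of a block is attacking and no regular lives there, and prints the Linux `ip route add blackhole` commands it would hand to an operator. The addresses come from the RFC 5737 documentation ranges; the day counts, the three-day cut-off and the /24 threshold are assumptions.

```python
import ipaddress

# Constructed history: source IP -> number of days (of the last 30) on which it
# exchanged traffic with us. Addresses are from the RFC 5737 documentation ranges.
HISTORY = {
    "203.0.113.10": 28,   # a partner system that talks to us almost daily
    "203.0.113.11": 25,
    "198.51.100.7": 1,    # seen once; not enough to call it a regular
}

# Constructed list of the top sources observed during a flood.
ATTACK_SOURCES = ["203.0.113.10", "198.51.100.7", "198.51.100.8",
                  "198.51.100.9", "203.0.113.77"]


def known_talkers(history, min_days=3):
    """Sources with enough history that dropping them would cost us real traffic."""
    return {ip for ip, days in history.items() if days >= min_days}


def plan_blackhole(history, sources, min_days=3):
    """Split flood sources into (drop, spared): spare anything with a track record."""
    known = known_talkers(history, min_days)
    drop = sorted(ip for ip in sources if ip not in known)
    spared = sorted(ip for ip in sources if ip in known)
    return drop, spared


def aggregate(drop, known, threshold=3):
    """Collapse /32 drops into a /24 when enough of the block is attacking and
    no known talker lives there; otherwise keep the individual hosts."""
    by_net = {}
    for ip in drop:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net.setdefault(net, []).append(ip)
    prefixes = []
    for net, ips in by_net.items():
        safe = not any(ipaddress.ip_address(k) in net for k in known)
        if len(ips) >= threshold and safe:
            prefixes.append(str(net))
        else:
            prefixes.extend(f"{ip}/32" for ip in ips)
    return sorted(prefixes)


def route_commands(prefixes):
    """Linux iproute2 null routes for the chosen prefixes (returned as text, not executed)."""
    return [f"ip route add blackhole {p}" for p in prefixes]


if __name__ == "__main__":
    drop, spared = plan_blackhole(HISTORY, ATTACK_SOURCES)
    prefixes = aggregate(drop, known_talkers(HISTORY))
    print("spared (regular talkers):", spared)
    for cmd in route_commands(prefixes):
        print(cmd)
```

With the sample data the partner at 203.0.113.10 is spared even though it shows up in the flood, the three 198.51.100.x sources become one /24 null route, and 203.0.113.77 stays a /32 because a regular talker shares its block. Removing the routes afterwards (`ip route del blackhole ...`) is the part people forget, so keep the generated list.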
7. A laptop containing potentially sensitive information that has not been used in a long time requires a password to boot, and that password is unavailable. Can it be recovered easily?
Most pre-boot environments can require a password at boot in one of two ways. The first is a full disk encryption password that is required to access any data on the drive. The operating system itself typically handles this, and while some third parties can brute-force this password, as a rule, it is not recoverable.
The second is a standard password required just to continue in the boot cycle. The pre-boot environment typically handles this, whether BIOS or UEFI, and the password can be changed quickly if you have access to these environments. If a password is also required to access the interface, however, it will require a different tactic.
Pre-boot environments typically store customizations in a section of the motherboard called complementary metal oxide semiconductor (CMOS) that requires power at all times to retain the settings. These are typically powered by a coin-cell battery similar to those found in a watch. Removing this battery will reset the pre-boot environment to its default settings — permitting access to the operating system. You will have to reinsert the battery if you wish to make further modifications, such as locking down USB ports or removing removable media as a boot source.
8. In a Windows environment, a secured department requires all print jobs to be retained for possible re-printing or verification. How can this be done?
Using one or more print servers can simplify the deployment and queueing of print jobs across an organization. This allows us to share and deploy printers through a group policy; or, if we choose, we can simply have users add whichever printers they want, as long as they are general access.
If they are secured, however, some interesting rules may come into play. For example, if we have departments that need to print checks or other controlled data, we may want to keep those jobs around for multiple reasons. Whether the department just wants to be able to reprint the job because of a problem with the printer or we need them for tracking to make sure that bad checks aren't being printed, job retention can be activated on the print server to be able to immediately re-send the job or see at a glance who sent what and when. Enterprise-level printers may also have variations on this ability built into them, but, as a rule, these areas are not easily user accessible.
9. Phishing attempts that appear at first glance to be from internal employees but are actually coming from the outside are on the rise. Is there an easy way to flag these emails?
External email warnings have risen in both popularity and use. They help users considerably when it comes to seeing at a glance what originates inside the network and what does not. The exact method varies by the provider and software being used. It usually involves automatically adding a rule to any arriving email where the sender is located outside the organization. This can include adding a label to the subject line that it is from an external source or warnings in the email itself to remind users that this is from an outside person — please be careful regarding what information is shared or what links they click on.
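The rule described above, written out as an added Python example that is not part of the original article and not tied to any particular mail provider: parse the raw message, decide from the `From` address whether the sender is outside the assumed organisation domain (`example.com`), and if so prefix the subject with `[EXTERNAL]`, add a header, and prepend a banner to a plain-text body. It also catches the case the question is really about, where the display name shows an internal address but the real address is external. Both sample messages are constructed; `mail-relay.example` is a placeholder domain.

```python
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This message came from outside the organisation. "
          "Be careful with links, attachments and requests for information.\n\n")

# Constructed sample messages (not real mail).
INTERNAL = ("From: Jane Doe <jane.doe@example.com>\n"
            "To: bob@example.com\n"
            "Subject: Lunch\n\n"
            "Pizza?\n")
SPOOF = ('From: "ceo@example.com" <ceo-office@mail-relay.example>\n'
         "To: bob@example.com\n"
         "Subject: Urgent wire transfer\n\n"
         "Please process today.\n")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(msg, org_domain=ORG_DOMAIN):
    """Reasons to flag the message; an empty list means it is internal."""
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []
    if _domain(addr) != org_domain:
        reasons.append("sender outside organisation")
        # The display name shows an internal address while the real one is external.
        if _domain(name) == org_domain:
            reasons.append("display name impersonates an internal address")
    return reasons


def tag_external(raw, org_domain=ORG_DOMAIN):
    """Parse raw RFC 5322 text; if external, tag the subject, add a header, prepend a banner."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = classify(msg, org_domain)
    if not reasons:
        return msg, reasons
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    msg["X-External-Sender"] = "; ".join(reasons)
    # Only plain single-part bodies get the inline banner in this example.
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_content(BANNER + msg.get_content())
    return msg, reasons


if __name__ == "__main__":
    for raw in (INTERNAL, SPOOF):
        msg, reasons = tag_external(raw)
        print(msg["Subject"], "|", reasons)
```

The subject tag is what users actually see in their inbox list; the `X-External-Sender` header is for downstream rules and for analysts searching mail logs. In production the decision should come from the authenticated envelope (SPF/DKIM/DMARC results) rather than the `From` header alone, since that header is exactly what a phisher controls.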
10. There has been a request to make sure that visiting employees cannot simply plug into random desk ports. Is there an easy way to accomplish this?
Multiple vendors can lock a particular switch port to a specific device. If this device is swapped out for something else, the port is disabled, preventing the new device from coming online. The benefit is that if the original device is plugged back in, the port remains tripped, thus showing that it was tampered with. Unused ports can also simply be disabled so that they remain in this tripped state regardless of whether or not a new device is plugged in.
This way, we do not have to worry as much about malicious or even legitimate users just plugging in whatever they want into the network.
What should you learn next?
Interviews can be stressful for both the interviewer and the interviewee. The interviewer needs to make sure that the person they are talking to can perform the job asked of them, while the interviewee is trying to remember everything they possibly can just in case it comes up in conversation.
Remember that experiences are among the best tools for answering your questions: it is far easier to remember a story about how you dealt with a particular scenario than trying to memorize a textbook. Plus, it gives the interviewer additional information about how you deal with problems and how your problem-solving style works.
For more career information, from job outlook to salary, visit our SOC analyst hub!