InterviewStack.io LogoInterviewStack.io

Attack Analysis and Forensic Thinking Questions

Breaking down an attack to understand its components: initial compromise method, persistence mechanism, lateral movement, data exfiltration. Understanding attacker motivations and typical attack patterns. Recognizing indicators of compromise (IoCs) in logs, network traffic, or system behavior. Thinking like an investigator: what evidence would you look for? What logs would be relevant? What artifacts would prove or disprove your hypothesis?

MediumTechnical
57 practiced
Create a SIEM detection rule (pseudo-SQL or pseudocode) to identify potential DNS tunneling using DNS query logs with fields: timestamp, client_ip, query_name, query_type, response_size, ttl. Include scoring rules (entropy, label length, number of unique subdomains per second), thresholds, and comments on tuning to reduce false positives caused by legitimate services (CDNs, analytics).
EasyTechnical
76 practiced
Write a Python 3 script (standard library only) that reads a CSV file of firewall logs with columns: timestamp, src_ip, dest_ip, dest_port, action. The script should stream the file (not load it entirely into memory), handle header rows and malformed lines gracefully, and print the top 5 external source IPs by number of 'DENY' actions. Include a short explanation of your approach and complexity.
MediumTechnical
61 practiced
Write a Python 3.8+ program (standard library only) that streams a large CSV containing firewall logs with columns: timestamp (ISO8601), src_ip, dest_ip, dest_port, bytes_sent, bytes_received. The program must compute the top 10 internal source IPs by total bytes_sent to external destinations over a rolling 24-hour window, assuming the CSV is time-sorted. Provide the algorithm description, discuss memory complexity, and include code that handles malformed rows and normalized timestamps.
HardTechnical
62 practiced
You inherit an incident where attackers established long-term persistence using living-off-the-land binaries (LOLbins) and logging coverage is incomplete. Draft a prioritized eradication and validation plan that balances rapid containment with evidence preservation. Include hunting queries to find persistence mechanisms, steps to remove persistence at scale, validation checks across endpoints, and architectural hardening to prevent re-establishment.
EasyTechnical
60 practiced
List five practical techniques to reduce false positives when tuning SIEM alerts for suspected data exfiltration (for example: large outbound transfers). For each technique explain how it reduces false positives and identify one potential trade-off or risk introduced by that technique.

Unlock Full Question Bank

Get access to hundreds of Attack Analysis and Forensic Thinking interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.