Comprehensive knowledge of cyberattack types, common attack vectors, and the evolving threat landscape across human, application, network, and supply chain layers. Candidates should be able to explain how each attack class operates, typical entry points and vulnerable assets, and real world examples. Core topics include phishing and social engineering; malware families such as ransomware and rootkits; denial of service and distributed denial of service attacks; man in the middle attacks; injection attacks including structured query language injection; cross site scripting; cross site request forgery; broken authentication and session management; insecure direct object references and other entries from the Open Web Application Security Project Top Ten; privilege escalation; brute force attacks; zero day exploits; insider threats; insecure configuration; insecure deserialization; and supply chain attacks. For each class candidates should cover indicators of compromise and detection signals, logging and monitoring strategies, behavioral analysis and anomaly detection methods, and threat hunting approaches. Candidates should also discuss prevention and mitigation controls such as secure coding practices, input validation and parameterized queries, output encoding and content security policy, secure authentication and session management, access controls and network segmentation, rate limiting and traffic filtering, secure configuration and patch management, backup and recovery, and supply chain risk management. They should be able to map these controls to incident response activities including containment, eradication, recovery, and post incident remediation, and demonstrate how to use threat modeling to prioritize defenses based on asset criticality and likely attack paths. Finally, candidates should be prepared to describe trends in the threat landscape, high profile breaches and lessons learned, the difference between active and passive attacks, and how threats and defensive priorities vary by industry and organizational scale.
EasyTechnical
39 practiced
Define insider threats and classify them (malicious, negligent, compromised). For each class, describe behavioral indicators, types of telemetry you would prioritize for detection (e.g., DLP, access logs, UEBA), and one policy or technical control to reduce risk.
Sample Answer
**Definition (brief)** Insider threats are risks posed by employees, contractors, or partners who intentionally or accidentally misuse access to harm confidentiality, integrity, or availability of systems/data.**1) Malicious insider** - Behavioral indicators: unexplained access to sensitive data outside role, data staging to removable media/cloud, odd work hours, disgruntlement or policy violations. - Telemetry to prioritize: DLP alerts, access logs (file shares, databases), UEBA (anomalous read/download patterns), endpoint EDR. - Control: Enforce least privilege + privileged access reviews and just-in-time (JIT) elevation to limit standing access.**2) Negligent insider** - Behavioral indicators: repeated policy violations, clicking phishing links, improper data handling, weak password reuse. - Telemetry to prioritize: email/web proxy logs, DLP policy violations, phishing click telemetry, MFA/credential failures. - Control: Mandatory security awareness + technical DLP enforcement (blocking/fencing exfil attempts) and conditional access.**3) Compromised insider (account takeover)** - Behavioral indicators: impossible travel, IP/geolocation changes, sudden spike in data exfil, atypical application usage. - Telemetry to prioritize: UEBA (session anomalies), authentication logs (MFA failures/successes), network traffic, SIEM correlation. - Control: Enforce MFA, adaptive risk-based conditional access, and rapid account suspension playbooks.I would tune alert thresholds to reduce noise and ensure playbooks map telemetry to response actions (contain, investigate, remediate).
EasyTechnical
35 practiced
Explain phishing and social engineering attacks in a corporate environment. Describe common entry points (email, SMS, phone, compromised websites), typical vulnerable assets and user behaviors, real-world examples (e.g., Business Email Compromise), indicators of compromise (IOCs), logging and detection signals you would expect to see, and at least three monitoring or mitigation controls you would deploy to reduce risk.
Sample Answer
**Overview (brief)** Phishing and social engineering are attacker techniques that manipulate people to disclose credentials, execute malware, or transfer funds. As an Information Security Analyst I focus on detecting entry vectors, identifying compromised assets, and implementing controls to reduce risk.**Common entry points**- Email: malicious links, invoice/credential phishing, Business Email Compromise (BEC) - SMS (SMiShing): short URLs, verification code interception - Phone (vishing): impersonation to extract credentials or authorize transfers - Compromised websites: drive-by downloads, credential harvesting**Vulnerable assets & user behaviors**- Assets: mailboxes, AD accounts, privileged accounts, file shares, MFA-exempt services - Behaviors: reusing passwords, clicking links, bypassing MFA, approving push notifications, enabling macros**Real-world example**- BEC: attacker spoofs CFO email, requests urgent wire transfer; attacker uses stolen credentials or look-alike domain.**Indicators of Compromise (IOCs) / detection signals**- Unusual login patterns: new geolocations, impossible travel, atypical hours - Mail headers: SPF/DKIM/DMARC failures, suspicious Return-Path, display-name mismatch - Email content: links to newly registered or typosquatted domains, attachments with macros or executables - Endpoint signals: new processes, credential dumps, abnormal outbound traffic to C2 IPs**Logging & detection sources**- SIEM: auth logs, mail gateway logs, DNS query logs, web proxy, EDR alerts, MFA logs - Correlation rules: failed SPF + click + web proxy download -> high priority**Monitoring / mitigation controls (at least 3)**1. Email security: advanced ATP with URL rewriting, attachment sandboxing, DMARC enforcement, anti-spoofing policies 2. Identity protection: enforce MFA (phishing-resistant where possible), risk-based conditional access, monitor anomalous auths 3. Endpoint & network detection: EDR with behavioral detection, DNS filtering, web proxy blocking known typosquats 4. (Process) Phishing simulations + targeted user training and rapid reporting channel (one-click report to SOC)I would prioritize logging auth and mail flows into the SIEM, create detection playbooks for BEC, and run regular tabletop exercises.
MediumTechnical
64 practiced
Map controls to incident response phases for a ransomware infection. For each phase—identification, containment, eradication, and recovery—list specific technical and operational controls (e.g., EDR playbooks, network isolation scripts, backups) and describe how those controls change during active incident handling.
Sample Answer
**Identification**- Technical: SIEM correlation rules, EDR alerts with IOC enrichment, file-integrity monitoring, honeypots. - Operational: Triage playbooks, incident hotline, initial stakeholder notification (SOC lead, IT ops). - During active handling: Raise alert severity, enable verbose logging, increase alerting thresholds to reduce noise, lock down access to forensic logs.**Containment**- Technical: Network isolation scripts (NAC, SDN), firewall rules, quarantine via EDR, snapshot VMs, revoke compromised sessions/tokens. - Operational: Activate incident response (IR) team, communication protocols, legal/HR notified. - Change during response: Move from broad to targeted containment (isolate affected segments only), enable out-of-band communications, preserve evidence (disable auto-cleanup).**Eradication**- Technical: EDR remediation playbooks (kill processes, remove persistence, patching), credential resets, malware scanning, rebuild imaging. - Operational: Change control for remediation, coordinate with app owners, forensic validation. - Change during response: Shift from emergency fixes to tested remediation steps; perform staged eradication (test on isolated systems first).**Recovery**- Technical: Restore from immutable/air-gapped backups, integrity verification, rejoin to domain, monitoring baselines reestablished, MFA enforcement. - Operational: Post-incident testing, user notifications, lessons-learned, timeline/reporting to leadership. - Change during response: Gradual restoration (priority systems first), continuous monitoring for re-infection, maintain stricter access controls until clean.I would reference and update EDR/SIEM playbooks throughout and document all actions for forensic and compliance needs.
MediumTechnical
43 practiced
A user submits an unknown binary found running on an endpoint. Outline a step-by-step malware analysis workflow you would perform: immediate containment, static analysis steps, sandboxing/dynamic analysis, network analysis, intelligence enrichment, and final remediation recommendations.
Sample Answer
**Immediate containment**- Isolate the endpoint (network quarantine, disable remote access) and collect live artifacts: memory dump, process list, open handles, autoruns, scheduled tasks, and associated files (hashes).- Preserve chain-of-custody and note timestamps.**Static analysis**- Compute hashes (MD5/SHA256), identify packers (Detect It Easy), examine PE headers, imports/exports, strings, and resources.- Use YARA rules and sigs (ClamAV, VirusTotal) to quickly flag known malware families.- Decompile/inspect with Ghidra or IDA for indicators (C2 domains, hardcoded keys).**Sandboxing / dynamic analysis**- Execute in isolated VM with snapshotting and monitoring (Cuckoo, ThreatGrid).- Observe process behavior, dropped files, registry changes, persistence mechanisms, command-line args, and privilege escalation attempts.- Capture full process traces, API calls (Procmon), and screen/video.**Network analysis**- Monitor DNS, HTTP(S), and unusual outbound connections (Wireshark, Zeek).- Extract and analyze C2 traffic, beacon timing, URIs, and payload exfil patterns; decrypt TLS if possible via proxy.**Intelligence enrichment**- Lookup hashes/domains/IPs in VT, AbuseIPDB, MISP, and vendor intel. Map to TTPs (ATT&CK) and assess IOC reuse and threat actor attribution.- Score severity (impact + confidence).**Final remediation & recommendations**- Remove/purge indicators, reimage if persistence or credential theft confirmed.- Reset credentials, rotate keys, and block IOCs at firewall/IDS and EDR.- Apply patching, hardening, EDR rules, and user awareness; document timeline and lessons learned; recommend monitoring for recurrence.
MediumTechnical
33 practiced
A web application is reported to have 'broken authentication' issues. Propose a design for secure authentication and session management: include password policies, MFA placement, session lifetime and renewal, cookie flags, token revocation, and monitoring for anomalous session activity.
Sample Answer
**Answer (Information Security Analyst perspective)****Approach summary**I’d design auth and session management to minimize credential exposure, limit session lifetime, enable rapid revocation, and detect anomalous use via SIEM/intrusion detection.**Password policy**- Enforce minimum 12 chars, passphrase encouragement, block common/password-spray lists (use Pwned API).- Rate-limit and progressive backoff on attempts; require password history and periodic rotation only on compromise.**MFA placement**- Primary: require MFA after successful credential check for all high-privilege and sensitive actions.- Adaptive: step-up MFA for new device, high-risk geo, anomalous behavior, or transaction > threshold.**Session lifetime & renewal**- Access tokens short-lived (e.g., 15 min); refresh tokens longer (7–30 days) but rotate on use.- Idle timeout 15–30 min; absolute session max 24 hrs. Force re-auth for sensitive actions.**Cookie/token protections**- Cookies: Secure, HttpOnly, SameSite=Strict (or Lax for cross-site flows), set Path and Domain narrowly.- Use signed JWTs with short TTL; validate audience/issuer and check signature server-side.**Token revocation & rotation**- Maintain token revocation store (blacklist + token identifier jti). Implement refresh-token rotation: on each refresh issue new refresh token and revoke previous.- Provide immediate logout/invalidate endpoint and support admin revocation.**Monitoring & detection**- Feed events to SIEM: login success/fail, refresh usage, token anomalies, IP/UA changes.- Alert on impossible travel, velocity, repeated failed MFA, sudden token reuse from different IPs.- Correlate with UEBA to escalate suspected session hijack.**Operational notes**- Regular penetration tests and implement telemetry dashboards. Document incident playbook: revoke tokens, force password/MFA reset, investigate via session logs and threat intel.
Unlock Full Question Bank
Get access to hundreds of Attack Vectors and Threat Landscape interview questions and detailed answers.