Focuses on the practical judgment, processes, and technical actions used to respond to active security incidents, contain attacker activity, eradicate threats, remediate affected systems, preserve evidentiary integrity, and restore services with minimal business impact. Coverage includes containment strategies from immediate short term isolation and network segmentation to longer term monitored observation and selective blocking of attacker infrastructure; trade offs between rapid containment that reduces blast radius and slower approaches that preserve forensic visibility to determine attacker objectives and scope; and prioritization of remediation steps such as removing attacker access, eradicating malware, applying patches, closing exploited vulnerabilities, resetting compromised credentials, rebuilding or hardening systems, and validating fixes through testing and monitoring. Also includes recovery procedures such as phased restoration, rollback to known good images, and integration with business continuity plans. Operational topics include defining decision boundaries and escalation paths for analyst actions versus management or change control approvals, assessing business impact and continuity trade offs, coordinating with system administrators, database teams, application owners, legal and business stakeholders, preserving evidence and maintaining chain of custody for forensic analysis, communicating status to stakeholders, and conducting post incident activities including root cause analysis, lessons learned, and updates to runbooks and controls.
HardSystem Design
39 practiced
Design a prioritized remediation pipeline for limited operations teams, including scheduling, safe deployment, rollback procedures, and verification. Provide a sample SLA-driven schedule for high/medium/low priority remediation tasks across a 30-day horizon for a medium-sized enterprise.
Sample Answer
**Clarify requirements & constraints**- Remediation types: OS patches, app vuln fixes, config changes. - Team: 2 ops engineers, 1 security analyst; maintenance windows 02:00–05:00; business SLA: High (24h), Medium (7 days), Low (30 days). - Risk tolerance: staggered rollout, can tolerate brief service restart.**High-level pipeline**1. Triage & prioritize (CVSS + asset criticality → Priority tag). 2. Scheduling engine (calendar + ticketing + runbook attach). 3. Pre-deploy checks (inventory, dependency map, backup snapshot). 4. Staged deployment: Canary → Pilot → Fleet. 5. Verification: automated health checks + security scans. 6. Rollback: automated playbooks to restore snapshot or config, automated alerting. 7. Post-mortem & SLA reporting.**Safe deployment & rollback**- Use immutable images or IaC for reproducible deploys. - Pre-deploy: snapshot VMs, DB backups, config backup. - Rollback triggers: failed health checks, error rate > X%, security regression. - Rollback playbook: execute automated steps within 15 minutes; notify stakeholders; open incident.**Verification**- Functional smoke tests, canary security scans, telemetry (SRE + SIEM), rollback if anomalies.**30-day SLA-driven schedule (medium enterprise)**- High (24h): patch within 0–1 day; immediate canary, full rollout within 24h if pass. - Medium (7 days): schedule within next maintenance window ≤7 days; canary day 2, fleet by day 4–6. - Low (30 days): batch noncritical fixes weekly; complete by day 30 with weekly verification.**Metrics & automation**- MTTR target: <2 hrs for rollback. - Compliance dashboard: % remediated by SLA, failure rates, rollback count. - Trade-offs: faster rollouts increase risk; automation reduces human load but requires robust tests.I would implement this with automation (Ansible/ Terraform/CI), integrate with SIEM/CMDB, and maintain runbooks for each remediation class.
EasyBehavioral
44 practiced
Behavioral: Tell me about a time you participated in containing a security incident. Use the STAR format (Situation, Task, Action, Result). Focus on the containment decisions you made, trade-offs you considered (e.g., downtime vs evidence preservation), how you coordinated with other teams, and what you learned that changed your approach to containment afterward.
Sample Answer
**Situation:** While monitoring our SIEM I noticed unusual outbound traffic from a critical application server to an unfamiliar IP range during off-hours. Indicators suggested a possible data exfiltration and a running backdoor.**Task:** Contain the incident quickly to stop exfiltration while preserving forensic evidence for root-cause analysis and regulatory reporting.**Action:**- I immediately gathered context (processes, network connections, recent changes) and elevated to the SOC lead.- Decided to perform a staged containment: first apply host-level network quarantine (block outbound at firewall and switch ACL) rather than full power-off. This stopped data flow with minimal app downtime and preserved volatile memory.- Took rapid forensic actions: memory snapshot, disk image, and collected relevant logs before any reboots; documented timestamps and chain-of-custody.- Coordinated with IT to schedule a brief maintenance window for deeper isolation and patching, legal/compliance for data breach thresholds, and communications for stakeholders.- Traded off a slightly longer containment window for evidence integrity—avoiding immediate hard shutdown preserved artifacts needed to attribute the compromise.**Result:** Exfiltration halted within 20 minutes. Forensics identified a vulnerable third-party component and the attacker pivot path; we applied patches, blocked C2 domains, and rotated credentials. Post-incident, I led an update to our containment playbook adding pre-approved host quarantine steps, automated memory snapshot scripts, and clearer escalation paths—reducing future containment time and improving evidence preservation.
HardTechnical
42 practiced
You are responsible for a sensitive data exfiltration incident where customer data was transferred to an external S3 bucket. Given GDPR and possible PCI implications, outline containment steps that preserve evidence, comply with breach-notification requirements, and enable forensic investigation. Address cross-border data transfer concerns and roles (legal, data-protection officer, PR).
Sample Answer
Situation and immediate goals- Rapidly stop exfiltration, preserve evidence, meet GDPR/PCI timelines, avoid further cross-border exposure, and coordinate legal/PR.Containment (first 1–4 hours)- Isolate the compromised identity/credentials: revoke compromised AWS keys, rotate IAM credentials, disable affected user/service accounts, and block offending IPs in firewall/WAF.- Freeze the external S3 destination: request AWS takedown or change bucket ACLs (make it private), collect bucket metadata (owner, region, ACLs) but avoid destructive actions.- Snapshot affected systems: take forensic images of hosts, IDS/Firewalls, and the SIEM logs with timestamps.Evidence preservation (chain of custody)- Document every action (who/when/why). Hash and store copies of logs, images, cloud object metadata, and S3 object listings in a secure evidence repository (WORM if available).- Preserve application logs, database logs, CloudTrail, VPC Flow Logs, and S3 access logs. Export CloudTrail and S3 object versions with cryptographic hashes.Forensic investigation actions- Reconstruct timeline: correlate CloudTrail, VPC Flow, SIEM alerts, and application logs to identify ingress, lateral movement, and exfil method.- Capture artifacts: memory dumps, process lists, and network captures from affected hosts.- Engage third-party forensic experts if needed for deeper analysis or litigation support.Compliance and notifications- GDPR: Notify DPO immediately. Assess likelihood of risk to data subjects. If high risk, prepare Article 33 notification to supervisory authority within 72 hours—include nature, categories, number of records, mitigation, and contact.- Data subject notification (Article 34): Prepare communication plan if likely high risk to individuals.- PCI: Notify QSA and Card Brands per contract; preserve evidence for PCI forensic investigator; follow PCI DSS incident response requirements.Cross-border data transfer considerations- Identify origin of customer data and destination jurisdiction. If S3 bucket in different legal domain, document transfer lawfulness and whether SCCs or other safeguards apply.- Engage legal to evaluate mutual legal assistance, data export restrictions, and whether to coordinate with foreign regulators or cloud provider for lawful takedown.Roles and coordination- My role: lead technical containment, evidence collection, and timeline reconstruction; provide actionable findings to stakeholders.- DPO/Legal: advise on notification obligations, regulator engagement, and preserve privilege where needed.- PR/Communications: craft external messaging aligned with legal guidance to control reputational impact.- Exec/CISO: approve resource allocation and third-party engagement.Post-containment- Remediate vulnerabilities, rotate all affected credentials, tighten IAM policies, implement least privilege, enable S3 encryption and object lock, enforce MFA, and improve monitoring (anomaly detection, CloudTrail alerts).- Run lessons-learned, update IR playbook, and document remediation for regulators and PCI stakeholders.Key evidence-first principle: contain without destroying forensic artifacts; coordinate with legal/DPO before public disclosures; meet GDPR 72‑hour window and PCI contractual obligations.
HardSystem Design
42 practiced
Devise a testing framework to validate containment runbooks and playbooks. Include types of tests (tabletop, red/blue/purple exercises, simulated incidents), success/failure metrics (e.g., MTTC, MTTD, false-positive rate), how to run tests safely against production-like environments, and how to integrate results into CI/CD or change management for continuous improvement.
Sample Answer
**Clarify scope & goals**- Validate that containment runbooks/playbooks reliably detect, contain and eradicate threats with measurable SLAs (MTTD, MTTC), low false positives, and clear escalation.**High-level framework**1. Test types - Tabletop: stakeholder walkthroughs of playbooks to validate decision points and comms. - Simulated incidents: scripted threat scenarios injected into a test org using replayed telemetry or red-team tools. - Red/Blue/Purple exercises: red team attempts realistic TTPs; blue uses runbooks; purple observes gaps and tunes detection. - Chaos/simulated failure: environment/service failures to verify containment under degraded conditions.2. Test harness & environment safety - Use production-like staging with synthetic data, isolated VPCs/VLANs, and identity/credential safe-guards. - Telemetry replay: feed sanitized historical logs to SIEM/EDR to validate detection without touching prod. - Canary & feature flags: progressive rollout of new playbooks; kill-switch in SOAR to abort automations. - Use scoped service accounts, network segmentation, and rate limits to avoid collateral damage.3. Success/failure metrics - MTTD (mean time to detect): time from TTP start to alert. - MTTC (mean time to contain): time from detection to containment action success. - False-positive rate and false-negative rate for detections. - Playbook execution success %, manual escalation rate, time-to-remediation. - Business impact metrics: systems affected, data exfil volume (simulated), downtime.4. Integration into CI/CD & change management - Treat playbooks as code in VCS; PRs trigger automated unit tests (linting, policy checks) and simulated incident runs in CI. - Pipeline stages: static validation -> telemetry replay tests -> gated purple-team acceptance -> deployment to staging -> canary in prod. - Failing metrics block merge; CI artifacts include telemetry, timelines, and metrics snapshots. - Automate ticket creation on failed runs, feed results to change advisory board with risk assessment.5. Continuous improvement loop - Post-exercise after-action review with measured metrics, root-cause, and prioritized remediation backlog. - Versioned playbooks, runbook run-history, and automated regression tests added to CI for each fix. - Weekly purple-team sprints to convert findings into detection rules and playbook improvements.As an analyst I’d implement the telemetry replay/SOAR kill-switch first, instrument MTTD/MTTC dashboards, and fold automated simulated incident runs into CI to ensure repeatable, safe validation before production rollout.
EasyTechnical
52 practiced
Describe the chain-of-custody steps you must follow when preserving forensic evidence from a compromised server. Include: how to create and verify disk images, how to capture volatile memory, how to record metadata, and how to store evidence to maintain admissibility and integrity for internal investigations or external legal/regulatory review.
Sample Answer
**Overview / Goal**I would follow strict chain-of-custody steps to preserve integrity and admissibility: document, collect volatile data, image storage media, verify, and securely store with full logging.**1) Prepare & document**- Record incident time, system owner, location, case ID, and observer names.- Photograph system state (screens, connections, labels) and note running processes and network connections.**2) Capture volatile memory first**- Use validated tools (e.g., Magnet RAM Capture, LiME) on a trusted media; record tool name/version, command-line, and timestamps.- Compute hashes on the acquired RAM image (SHA-256) immediately.**3) Create disk images**- Isolate system; prefer live response only if required. When possible, remove drive and image via write-blocker.- Use forensically sound tools (FTK Imager, Guymager, dc3dd) to create bit-for-bit images.- Generate multiple hash algorithms (SHA-256 and MD5) for the original and copied images.**4) Verify and document**- Verify source-to-image hashes match; log hash values, tool versions, operator, date/time, and host creating/verifying.- Maintain tamper-evident seals and serial numbers for drives and media.**5) Evidence storage & access**- Store items in labeled, sealed, tamper-evident bags/cases in secured evidence room with restricted access, surveillance, and WORM or hashed digital storage.- Maintain a signed chain-of-custody log for every transfer (who, why, when, condition).**6) Legal & best practices**- Synchronize clocks (NTP) for accurate timestamps, retain originals offline, work from copies, and follow organizational/legal retention policies. Preserve logs and network captures separately.This sequence preserves integrity, provides reproducible verification (hashes), and documents custody for internal review or legal/regulatory use.
Unlock Full Question Bank
Get access to hundreds of Incident Containment and Remediation interview questions and detailed answers.