InterviewStack.io LogoInterviewStack.io

MITRE ATTACK Framework Questions

Comprehensive knowledge of the MITRE ATTACK knowledge base, including the matrix of adversary tactics, techniques, and sub techniques. Candidates should understand the full lifecycle of adversary behavior such as reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. Skills assessed include mapping real world incidents to ATTACK techniques and technique identifiers, profiling adversary types and campaigns, using ATTACK to design realistic penetration tests and red team exercises, and planning purple team and threat hunting activities. Also important is the ability to translate ATTACK mappings into detection hypotheses and telemetry requirements, recommend mitigations and compensating controls, and communicate findings to technical and non technical stakeholders for incident response and security engineering improvements.

HardSystem Design
18 practiced
For an organization adopting Kubernetes and microservices, design an ATT&CK-based detection strategy focused on container escape and lateral movement inside the cluster. Identify required telemetry (container runtime events, kube-audit, node logs, network flows), example detection rules, and network or RBAC controls that limit attacker movement.
MediumTechnical
17 practiced
Design an EDR-based detection for persistence created via WMI Event Subscriptions. Specify the telemetry fields you need to capture (WMI object names, command-lines, creators), a detection algorithm or rule, likely false positives, and investigation/remediation steps after detection.
HardTechnical
22 practiced
Design cross-platform detection strategies for credential dumping: target LSASS memory access on Windows, keychain extraction on macOS, and access to /etc/passwd or /etc/shadow on Linux. For each OS list telemetry sources, detection heuristics, likely evasion techniques, and compensating controls to reduce risk.
MediumTechnical
24 practiced
Given ATT&CK technique 'Bypass User Account Control' (T1548.002) is frequently observed in your environment, propose technical mitigations, compensating controls, and detection strategies to reduce risk. Explain trade-offs and possible operational impacts of your recommendations.
EasyTechnical
20 practiced
List the standard ATT&CK tactic names in the typical adversary lifecycle order, from reconnaissance through impact, and provide one example technique for each tactic. Briefly explain why that technique fits the named tactic.

Unlock Full Question Bank

Get access to hundreds of MITRE ATTACK Framework interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.