InterviewStack.io LogoInterviewStack.io

Detection Evasion and Operational Security Questions

Understanding of modern security monitoring and detection mechanisms (EDR, SIEM, IDS/IPS, network monitoring, behavioral analytics), common detection signatures, and techniques to evade detection including obfuscation, polymorphic approaches, living-off-the-land techniques (LOLBins), legitimate tools for malicious purposes (LOLas), timing-based evasion, and encryption. Understanding the cat-and-mouse game between attackers and defenders at advanced level.

EasyTechnical
114 practiced
Explain how encrypted network channels (TLS/HTTPS/SSH) impact detection of C2 and exfiltration. Describe three metadata-based signals (for example JA3/TLS fingerprinting, SNI anomalies, session timing and volume patterns) that can help detect encrypted malicious communication without decrypting payloads, and discuss limitations.
HardTechnical
81 practiced
Write a detection prototype in Splunk SPL or Python pseudocode that correlates ProcessCreate events with outbound network connections to identify stealthy beaconing from unusual parent-child process pairs. Assume event fields: timestamp, host, pid, ppid, process_name, command_line, dest_ip, dest_port. Provide query logic or pseudocode, describe expected outputs, and discuss performance considerations for large datasets.
HardTechnical
64 practiced
During an engagement you discover a novel evasion technique that could be weaponized in the wild. The client asks to postpone patching because of business impact. Describe how you would escalate and document risks, advise leadership on temporary mitigations, balance confidentiality and responsible disclosure, and prioritize remediation across affected systems.
HardTechnical
61 practiced
An attacker is using DNS-over-HTTPS (DoH) and TLS-encrypted channels to hide C2. As blue team lead, design a layered detection and mitigation plan that balances privacy, performance, and legal constraints. Include network controls (proxying, allow-listing DoH servers, blocking), TLS metadata analysis, endpoint correlation, and SOC playbooks for escalation and containment.
HardTechnical
58 practiced
You respond to an incident where the attacker used multiple LOLBins and polymorphic loaders. Draft a full triage and eradication plan. Include steps to collect volatile evidence (memory, process dumps), immediate containment actions, identification of persistence mechanisms, prioritized remediation steps, forensic preservation guidance, and validation tests to confirm the attacker cannot re-establish access.

Unlock Full Question Bank

Get access to hundreds of Detection Evasion and Operational Security interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.