Cyber Security and DFIR Interview Questions

Cyber security is an attractive field, and more and more people want to explore it and build a career in it. The problem is that they have no idea how to get in, and even when they do, they have no idea what kind of questions they might face in an interview.

Recently @Miss_Malware asked for everyone's favourite security analyst and DFIR interview questions, which gave me the idea of compiling a list of questions that come up in almost every interview in one form or another. What follows is that list.

Note: These questions were compiled with the help of @Miss_Malware's Twitter thread, contributions from friends and some very intelligent internet searches :P. All the relevant sources (the ones I remember, at least) are listed at the end of the post.

General

  • What is DNS?
  • Differentiate between TCP & UDP?
  • How does HTTP handle state?
  • Does TLS use symmetric or asymmetric encryption?
  • What is “Risk”? What is “Risk Management”?
  • Which leg of the CIA triad is the most important?
  • As a Pen-tester, is being a 1337 hax0r or doing a good job more important to you?
  • How would you explain to a business user why we are not giving them local admin to their machine?
  • Answer true or false and explain your answer: “Two-factor authentication protects against session hijacking.”
  • Walk me through if you are a threat actor, how would you compromise an organisation in all three domains (Physical, Digital, and Human).
  • Name three Internet protocols that use TCP, three that use UDP and two that use neither, and say what port each runs on.
  • If I am on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC to complete a traceroute to twitter.com?
  • What’s the difference between encoding, encryption, and hashing?
  • Can you describe rainbow tables?
  • If you had to both encrypt and compress data during transmission, which would you do first, and why?
  • In public-key cryptography, you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
  • What are the advantages offered by bug bounty programs over regular testing practices?
  • Who’s more dangerous to an organisation, insiders or outsiders?
  • Who do you look up to within the field of Information Security? Why?
  • You just stepped on to the elevator with your CEO. They ask you, how secure are we? What do you say?
  • You have an unlimited budget and resources. Please draw the most secure corporate network for my organisation. It must have specific components including but not limited to: the Internet, one user subnet, at least one Active Directory server, one web server (with backend database) on the Internet, one Human Resources server, WiFi for your users, a VPN, etc.

Vulnerability Assessment and Penetration Testing

  • What is Cross-Site Request Forgery?
  • In which category does XXE fall?
  • How can SQL Injection lead to remote code execution?
  • What is the most significant security issue with microservices and APIs?
  • I have a /24 subnet of hosts on the Internet that I would like you to pen-test. Take me through, in detail, all the steps that you will go through in this assessment.
  • On an assessment, you have just compromised a Mac OS X laptop inside a corporate user subnet. Your goal is to exfiltrate Active Directory hashes from the AD servers. How do you accomplish this?
  • What kind of attack is ARP Spoofing considered and how could you leverage it on a penetration test?
  • During a penetration test, you find an instance of Outlook Web Access belonging to the client. Describe how you would attack it.
  • You are performing an onsite penetration test. You do not want to perform any active scanning. How would you gather credentials?
  • How would you target a database that you know lies behind a jump server with an unknown IP address?
  • Describe the last program or script that you wrote. What problem did it solve?
  • What kind of attacks are you vulnerable to when you are using weak ciphers?
  • Which department in an organisation is more likely to get attacked first?
  • What is some of the low-hanging fruit you go after as a pen-tester?
  • Describe three of the most common ways an external attacker today might attempt to gain access to a network.
  • On what port does ping run?
  • How would you bypass a network IDS?
  • What are some parts of the HTTP header and why is this important as a security analyst?
  • Suppose you have physical access to a machine on a corporate domain that you are testing. It is connected to their network. You do not have credentials for the domain or the local machine. You also have your own laptop. How would you begin testing?
  • What is the purpose of the same origin policy with relation to the document object model?
  • You are launching a Metasploit reverse HTTPS Meterpreter payload against a host that is vulnerable to your attack, but once you type "exploit" nothing happens after the attack launches. How would you debug this (or what would you change to get your Meterpreter session)?

Digital Forensics and Incident Response

  • What is the primary reason not to upload targeted malware to VirusTotal (VT)?
  • What DFIR evidence do you gather first, and why?
  • Why is DNS monitoring essential?
  • Assume a user forwards you a suspected phishing email. How do you respond and handle it?
  • Excluding atomic IoCs, provide 3 examples of how you would detect evil in the network.
  • What percentage of malware in the wild do you think AV can detect?
  • Explain to me why you need to consider scope in the “identification” stage of IR.
  • What is the primary problem with bash history as a forensic artefact, and name one way to partially recreate this data during an investigation?
  • How will you identify a malicious file without executing it?
  • How would you unpack a malware sample, and in how many ways can it be done?
  • How does malware try to evade analysis? What techniques does it use?
  • Given a binary, how would you tell that it has been packed, and how would you figure out which packer was used?
  • Name at least three different vulnerability scanners and the patterns by which you would identify them.
  • How would you validate a false positive?
  • How would you validate a false negative?
  • How would you design and execute an incident response plan?
  • What information would you include in a SOC report?
  • Describe how the TCP three-way handshake works.
  • What’s the difference between an IDS and an IPS? Give examples of each.
  • Name four types of DNS records and what they signify.
  • You get a report that your company’s LAMP website may be being DDoSed. How do you investigate?
  • Suppose we ask you to implement a new SIEM. What would your approach be?
  • Explain the difference between local and network authentication and walk me through the authentication process?
  • What will be your primary data sources for detecting botnet activity?
  • What is a disadvantage of signature-based malware detection?
  • An incident has been reported that an enterprise host was identified communicating with a known malicious external host. The incident responders have already blocked the communication and have requested the disk for forensic investigation. You are the forensic analyst on duty when the disk arrives. How will you begin the investigation?

Malware Analysis, Exploit Writing and Cryptography

  • How would you bypass ASLR?
  • How would you bypass SafeSEH?
  • Explain the behaviour of any recent APT and your methodology for analysing it.
  • What is DEP? How can it be bypassed?
  • Explain a PE file.
  • How does keylogging work?
  • What is code injection?
  • What are the APIs used by malware to connect to the server?
  • How can you unpack a malware sample, and in how many ways?
  • In what ways does malware try to evade analysis?
  • Explain the anti-debugging techniques employed by macro malware.
  • What are different types of breakpoints, what is their use and when to use those breakpoints?
  • Describe what Buffer overflow is and how you would test for it?
  • Describe what SEH is and how you would exploit it.
  • Describe how debugger modules and plugins can speed up initial exploit development?
  • How do interrupts work in a debugger, and what are the opcodes for them?
  • How do UAF exploits work?
  • Differentiate between symmetric and asymmetric encryption?
  • In public-key cryptography, which key is used for what function (think the public/private & encryption/signing)?
  • Which of these algorithms is better than the others, and why: AES-128, AES-192 or AES-256?
  • What is the difference between CBC mode and ECB mode of encryption?
  • What is a Windows Portable Executable?
  • What is the ESP register used for in the Intel x86-32 architecture?
  • During execution of a piece of malware in a segregated virtual lab environment, the sample was observed making an HTTP GET request for a text file. Because the lab is segregated from the Internet, the sample did not receive the text file. What would you do to move the investigation forward?
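
Two of the questions above lend themselves to a runnable demonstration: the "compress or encrypt first?" question in the General section and the CBC-versus-ECB question in this one. The Python below is an added illustration and is not part of the original post. It uses a toy 128-bit Feistel block cipher whose round function is a truncated SHA-256 (an assumption made so the example needs only the standard library; it is not AES and must never be used for real data) to show that ECB reveals repeated plaintext blocks while CBC hides them, and that compressing after encryption gains nothing because ciphertext is effectively random and incompressible. The key, IV and message are constructed sample values.

```python
import hashlib
import zlib

BLOCK = 16          # 128-bit block, the same block size as AES
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Toy Feistel round function: truncated SHA-256(key || round || half).
    Assumed here for a dependency-free demo; it is NOT a vetted cipher."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with an 8-round Feistel network."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Invert block_encrypt by running the rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks and the structure of the data leaks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV for
    the first one) before encryption, so plaintext repeats are hidden.
    The IV is prepended to the output; in practice it must be unpredictable."""
    out, prev = [], iv
    for b in _blocks(pkcs7_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for c in _blocks(body):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def compress_then_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    return cbc_encrypt(key, iv, zlib.compress(data))


def encrypt_then_compress(key: bytes, iv: bytes, data: bytes) -> bytes:
    return zlib.compress(cbc_encrypt(key, iv, data))


# Constructed sample input: 64 identical 16-byte blocks, the worst case for ECB.
KEY = b"sixteen byte key"
IV = bytes(range(BLOCK))            # fixed only so the demo is reproducible
MESSAGE = b"ATTACK AT DAWN! " * 64


def demo() -> dict:
    return {
        "ecb_repeats": repeated_blocks(ecb_encrypt(KEY, MESSAGE)),
        "cbc_repeats": repeated_blocks(cbc_encrypt(KEY, IV, MESSAGE)),
        "plain_len": len(MESSAGE),
        "compress_then_encrypt_len": len(compress_then_encrypt(KEY, IV, MESSAGE)),
        "encrypt_then_compress_len": len(encrypt_then_compress(KEY, IV, MESSAGE)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>26}: {value}")
```

Running it shows 63 repeated blocks under ECB (64 identical message blocks plus one padding block) against none under CBC, and a compress-then-encrypt output a fraction of the plaintext size while encrypt-then-compress is no smaller than the ciphertext it started from. The same reasoning is why compression-oracle attacks matter: compressing secret and attacker-controlled data together before encryption leaks length information, so "compress first" is the efficient order but not automatically the safe one.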

Feel free to contact me if you have any comments on the questions, or if you have ideas for additions.

Sources: @MissMalware, Himanshu Khokhar, Ravi Kiran, Daniel Miessler

5 Responses
  • ravi
    December 9, 2017

    Sir, your questionnaire is nice. I am a basic learner of cyber security; where should I find the answers for this?

    • Charlie
      December 9, 2017

      Well, you can easily find all the answers on the internet. I would have written answers as well, but I am strictly against spoon-feeding in learning.

  • @non
    February 19, 2018

    good work

  • Charlie
    April 2, 2018

    No, I did not hire anybody, just bought a theme to work out things.
