Technical & Operational Questions

What is the primary goal of a SOC?
To monitor, detect, investigate, and respond to cybersecurity threats in real-time to protect an organization's information assets.

Explain the difference between IDS and IPS.
An IDS (Intrusion Detection System) monitors traffic or host activity, typically out of band (from a SPAN port or tap), and only alerts on suspicious activity. An IPS (Intrusion Prevention System) sits inline in the traffic path and actively blocks what it detects. The trade-off: an IDS false positive costs analyst time, while an IPS false positive in blocking mode can cause an outage, so IPS signatures are usually tuned more conservatively.

What is the Cyber Kill Chain?
A model developed by Lockheed Martin that outlines the seven stages of a cyberattack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Its value for a SOC is that a defender only needs to break the chain at one stage to stop the attack, so detections and controls can be mapped to each stage.

What does SIEM stand for and what is its purpose?
Security Information and Event Management. It collects log data from many sources (servers, network devices, endpoints, cloud services), stores it for search and reporting, and correlates events across those sources in near real time so that rules can raise security alerts that no single log source would reveal on its own.

What are the key components of a SIEM?
Log collection (agents, syslog, APIs), parsing and normalization into a common schema so that fields like user and source IP mean the same thing regardless of vendor, storage and search, correlation rules, alerting, and dashboards for visualization. Normalization is the step that makes cross-source correlation possible.
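As an added example (not code from the original page), the normalization step on three constructed log lines in different formats: a Linux sshd syslog line, a Windows Security event exported as JSON, and a Squid-style proxy line. Each is mapped to one common schema (timestamp, source, event_type, outcome, user, src_ip) so that a later correlation rule can treat them uniformly. The line formats, the year assumed for the BSD-syslog timestamp, and the Windows event ID mapping are assumptions for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines, one per source format (not real telemetry).
SAMPLE_LINES = [
    'Mar 14 09:12:01 web01 sshd[2231]: Failed password for alice from 198.51.100.7 port 51022 ssh2',
    '{"EventID": 4624, "TimeCreated": "2024-03-14T09:12:05Z", "TargetUserName": "bob", "IpAddress": "10.0.0.5", "Computer": "DC01"}',
    '1710407530.412 10.0.0.9 carol GET http://example.test/login 200',
]

# Assumed year: BSD-syslog timestamps carry none, so the collector must supply it.
SYSLOG_YEAR = 2024

SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>[\d.]+)'
)
PROXY_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<ip>[\d.]+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$'
)

# Windows logon event IDs mapped to a vendor-neutral outcome (4624 success, 4625 failure).
WIN_LOGON = {4624: "success", 4625: "failure"}


def _iso(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line to the common schema, or return None if the format is unknown."""
    line = line.strip()
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['ts']} {SYSLOG_YEAR}", "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        return {"timestamp": _iso(ts), "source": "sshd", "host": m["host"],
                "event_type": "authentication",
                "outcome": "failure" if m["outcome"] == "Failed" else "success",
                "user": m["user"], "src_ip": m["ip"]}
    if line.startswith("{"):
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid in WIN_LOGON:
            ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            return {"timestamp": _iso(ts), "source": "windows_security", "host": ev.get("Computer"),
                    "event_type": "authentication", "outcome": WIN_LOGON[eid],
                    "user": ev.get("TargetUserName"), "src_ip": ev.get("IpAddress")}
        return None
    m = PROXY_RE.match(line)
    if m:
        ts = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
        return {"timestamp": _iso(ts), "source": "proxy", "host": None,
                "event_type": "web_request",
                "outcome": "success" if m["status"].startswith("2") else "failure",
                "user": m["user"], "src_ip": m["ip"], "url": m["url"]}
    return None


def normalize_all(lines):
    """Normalize a batch, drop unparseable lines, and order by time for correlation."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e["timestamp"])


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(ev)
```

Unparseable lines are dropped here rather than raising; a production pipeline would count them, because a parser silently failing on a new log format is itself a detection gap.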

What is the difference between an Incident and an Event?
An Event is any observable occurrence in a system or network (a login, a firewall allow, a file write); most events are benign. An Incident is an event, or a set of related events, that violates or imminently threatens security policy, i.e. that actually harms or threatens the confidentiality, integrity, or availability of an asset. Declaring an incident is what triggers the incident response process.

How would you investigate a potential malware infection?
Contain the host first, preferably with EDR network isolation so it stays reachable for investigation, then collect volatile evidence before anything is changed: running processes and their parents, network connections, persistence mechanisms (scheduled tasks, services, run keys), and recently written files. Pivot from those indicators into SIEM and EDR data to scope whether other hosts are affected, and trace back to the initial attack vector (phishing attachment, exposed service, removable media) so it can be closed.

What is the difference between Threat, Vulnerability, and Risk?
Threat: A potential cause of an unwanted incident (an actor, malware family, or natural event). Vulnerability: A weakness that a threat can exploit. Risk: The potential for loss or damage when a threat exploits a vulnerability, usually expressed as likelihood times impact. A vulnerability with no credible threat, or no valuable asset behind it, carries little risk.

What is a False Positive and a False Negative?
False Positive: A benign activity flagged as malicious. False Negative: A malicious activity that is not detected.

What is DNS and why is it important for security monitoring?
Domain Name System, which translates domain names to IP addresses. Nearly every outbound connection begins with a DNS query, and the query name is visible even when the connection itself is encrypted, so DNS logs show what hosts tried to reach. Queries to known-malicious or newly registered domains are a common indicator of compromise, random-looking names suggest a domain generation algorithm (DGA), and very long labels or many unique subdomains of one parent can indicate DNS tunneling.
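As an added example (not from the original page), a small scanner that runs those three checks over constructed DNS query log lines: a suffix match against a blocklist, a Shannon-entropy test on the leftmost label for DGA-style names, and a label-length test for tunneling. The blocklist entry, the log line format, and the thresholds are assumptions; real thresholds need tuning against the environment's own baseline.

```python
import math

# Constructed sample DNS query log (time, client IP, query name, type); not real traffic.
DNS_LOG = [
    "2024-03-14T09:00:01Z 10.0.0.5 www.example.test A",
    "2024-03-14T09:00:02Z 10.0.0.5 mail.example.test MX",
    "2024-03-14T09:00:03Z 10.0.0.9 login.evil-c2.example A",
    "2024-03-14T09:00:04Z 10.0.0.9 x7k2q9v4z1p8m3n6.example A",
    "2024-03-14T09:00:05Z 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.example TXT",
    "2024-03-14T09:00:06Z 10.0.0.7 c2VuZCBtb3JlIGRhdGEgbm93IHBsZWFzZQ.t.example TXT",
]

# Hypothetical blocklist as a threat-intel feed would supply it (assumed, not real IOCs).
BLOCKLIST = {"evil-c2.example"}

# Thresholds are assumptions; tune per environment.
MIN_DGA_LABEL_LEN = 12
MIN_DGA_ENTROPY = 3.5
MAX_NORMAL_LABEL_LEN = 30


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_blocklisted(qname):
    """True if qname or any parent domain is on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def inspect_query(line):
    """Return the reasons one query is suspicious (empty list if none)."""
    _, _, qname, _ = line.split()
    leftmost = qname.split(".")[0]
    reasons = []
    if is_blocklisted(qname):
        reasons.append("blocklisted_domain")
    if len(leftmost) >= MIN_DGA_LABEL_LEN and shannon_entropy(leftmost) >= MIN_DGA_ENTROPY:
        reasons.append("high_entropy_label")
    if len(leftmost) > MAX_NORMAL_LABEL_LEN:
        reasons.append("long_label_possible_tunneling")
    return reasons


def scan(log_lines):
    """Return {(client, qname): reasons} for every suspicious query in the log."""
    findings = {}
    for line in log_lines:
        reasons = inspect_query(line)
        if reasons:
            _, client, qname, _ = line.split()
            findings[(client, qname)] = reasons
    return findings


if __name__ == "__main__":
    for (client, qname), reasons in scan(DNS_LOG).items():
        print(f"{client} -> {qname}: {', '.join(reasons)}")
```

The suffix match matters because a blocklist entry for a domain should also catch every subdomain under it, while a substring match would wrongly hit unrelated domains that merely contain the string.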

What are the steps in the Incident Response lifecycle?
Preparation, Detection & Analysis, Containment, Eradication, Recovery, and Post-Incident Activity (lessons learned). NIST SP 800-61 groups Containment, Eradication and Recovery into one phase because in practice they overlap and loop back: new findings during eradication often send you back to containment.

What is the role of an EDR tool?
Endpoint Detection and Response (EDR) tools continuously record process, file, registry, and network telemetry on endpoints (laptops, servers) and detect on behaviour rather than only on file signatures, which is what traditional antivirus does. They also give the SOC response actions such as isolating a host from the network, killing a process, or pulling a file for analysis, and the recorded telemetry makes it possible to hunt retrospectively once a new indicator is known.

What is Two-Factor Authentication (2FA) and why is it important?
An authentication method requiring two different factors: something you know (password), something you have (hardware key, authenticator app), or something you are (biometric). It is crucial because a stolen password alone is no longer enough to log in. Not all second factors are equal, though: SMS codes and one-time passcodes can be phished or relayed by an adversary-in-the-middle page, whereas FIDO2/WebAuthn security keys are bound to the site origin and are phishing-resistant.

What is a Proxy Server and what does its log contain?
A server that acts as an intermediary for client web requests, often also enforcing URL filtering and TLS inspection. Its logs contain, per request, the timestamp, source IP and authenticated user, the URL or destination host, HTTP method and status code, bytes sent and received, the User-Agent, and the proxy's own verdict (allowed or blocked, and the URL category). For the SOC this is where you find who reached a phishing site, beaconing to a command-and-control server, and large uploads that could be data exfiltration.

What is Phishing and how can you identify a phishing email?
A social engineering attack, usually by email, that tricks the recipient into giving up credentials, money, or data, or into running malware. Red flags: generic greetings, a sender address or display name that imitates a trusted one, urgent or threatening language, links whose visible text differs from the real target, and a Reply-To address that differs from the From address. In the headers, SPF, DKIM, or DMARC failures in the Authentication-Results line are strong signals.

Scenario-Based & Behavioral Questions

You see an alert for multiple failed logins from a single user, followed by a success. What do you do?
Treat it as a possible credential compromise, but gather context before taking action on the account. Check where the source IP is and whether the user has ever logged in from it, how the failures were spaced (evenly timed attempts suggest a tool, not a person), whether the same IP failed against other accounts (password spraying), whether MFA was satisfied, and what the session did after the successful login. If the evidence points to an attacker, revoke active sessions, reset the password, and block the source, then contact the user through a channel other than the possibly compromised account to confirm. If it was the user mistyping a new password from their usual device, close it as a false positive and note why.
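As an added example (not from the original page), the correlation rule behind that alert run over constructed authentication events: N or more failures for one user inside a sliding window, followed by a success. The rule also attaches the triage context the answer above asks for, namely whether the successful source IP is new for that user and whether it is the same IP that was failing. The event format, the baseline of known IPs per user, and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs): time, user, source IP, outcome.
AUTH_EVENTS = [
    "2024-03-14T09:00:01Z alice 203.0.113.9 failure",
    "2024-03-14T09:00:04Z alice 203.0.113.9 failure",
    "2024-03-14T09:00:07Z alice 203.0.113.9 failure",
    "2024-03-14T09:00:10Z alice 203.0.113.9 failure",
    "2024-03-14T09:00:13Z alice 203.0.113.9 failure",
    "2024-03-14T09:00:20Z alice 203.0.113.9 success",
    # One mistyped password from a known workstation, then success: normal.
    "2024-03-14T09:05:00Z bob 10.0.0.5 failure",
    "2024-03-14T09:05:30Z bob 10.0.0.5 success",
    # Five failures spread over an hour, then success: never five inside one window.
    "2024-03-14T08:00:00Z dave 10.0.0.8 failure",
    "2024-03-14T08:15:00Z dave 10.0.0.8 failure",
    "2024-03-14T08:30:00Z dave 10.0.0.8 failure",
    "2024-03-14T08:45:00Z dave 10.0.0.8 failure",
    "2024-03-14T09:00:00Z dave 10.0.0.8 failure",
    "2024-03-14T09:02:00Z dave 10.0.0.8 success",
]

# Assumed baseline: source IPs each user has logged in from before (e.g. 30 days of SIEM history).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.5"}, "dave": {"10.0.0.8"}}

# Rule thresholds; tune to the environment.
WINDOW = timedelta(minutes=10)
THRESHOLD = 5


def parse(line):
    ts, user, src_ip, outcome = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src_ip": src_ip, "outcome": outcome}


def detect(lines):
    """Return one alert per success preceded by >= THRESHOLD failures within WINDOW."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(list)   # user -> [(ts, src_ip)] of failures still inside the window
    alerts = []
    for ev in events:
        fails = recent[ev["user"]]
        # Slide the window: drop failures older than WINDOW relative to this event.
        fails[:] = [(t, ip) for t, ip in fails if ev["ts"] - t <= WINDOW]
        if ev["outcome"] == "failure":
            fails.append((ev["ts"], ev["src_ip"]))
            continue
        if len(fails) >= THRESHOLD:
            failing_ips = {ip for _, ip in fails}
            alerts.append({
                "user": ev["user"],
                "success_time": ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                "success_ip": ev["src_ip"],
                "failure_count": len(fails),
                "failure_ips": failing_ips,
                # Triage context: is this IP new for the user, and is it the one that was failing?
                "new_ip_for_user": ev["src_ip"] not in KNOWN_IPS.get(ev["user"], set()),
                "success_from_failing_ip": ev["src_ip"] in failing_ips,
            })
        fails.clear()   # a success ends the burst; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect(AUTH_EVENTS):
        print(alert)
```

Only alice fires: bob's single typo is below the threshold, and dave's failures never fall inside one ten-minute window. Those two cases are exactly the false positives a naive "any failures then success" rule would generate.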

How do you prioritize a large number of security alerts?
Prioritize on three things: the severity the detection carries (a confirmed command-and-control beacon outranks a port scan), asset criticality (a domain controller or public-facing server outranks a test VM), and the confidence or fidelity of the rule (how often it has been a true positive in the past). A CVSS score applies to a vulnerability, not to an alert, so it only helps when the alert is about exploitation of a specific CVE on a specific asset. Corroboration raises priority too: several low-severity alerts on one host in a short time are more interesting than any one of them alone.

A user reports their laptop is running slowly. What are your first steps?
Slowness is usually not malware, so triage quickly rather than assuming. Check the EDR console for the device: recent detections, processes with unusually high CPU or memory (a cryptominer is the classic security cause), processes running from user-writable paths such as temp or download folders, unsigned binaries, new persistence entries, and recent outbound connections to unfamiliar destinations. If nothing stands out, hand it back to IT support; if something does, isolate the host and move to the malware investigation steps.

What is your process for handling a phishing email reported by a user?
Get the original message as a file (.eml or .msg) rather than a forward, since forwarding rewrites the headers. Analyze the headers: the true sender and sending server, Reply-To versus From, and the SPF, DKIM, and DMARC results. Extract links and attachment hashes without opening them, defang the URLs, and check them against threat intelligence or detonate them in a sandbox. Search mail logs and the SIEM for other recipients of the same sender, subject, or URL and for anyone who clicked. If it is malicious, purge it from all mailboxes, block the sender and URL, reset credentials of anyone who entered them, and tell the reporting user the outcome so they keep reporting.
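As an added example (not from the original page), the header-and-link triage step applied to a constructed phishing message using Python's standard email module. It pulls the SPF/DKIM/DMARC verdicts from the Authentication-Results header, flags a lookalike sender domain and a Reply-To mismatch, detects anchor text that points at one host while the href goes to another, and defangs every URL it finds. The message, the organisation domain, and the urgency keyword list are assumptions for the example.

```python
import email
import email.policy
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's own mail domain.
ORG_DOMAIN = "example-corp.com"

# Constructed sample of a reported message (not a real email); domains use reserved TLDs.
RAW_EMAIL = b"""From: "IT Helpdesk" <helpdesk@example-corp.com.attacker.example>
Reply-To: collector@attacker.example
To: alice@example-corp.com
Subject: Urgent: your password expires today
Date: Thu, 14 Mar 2024 09:00:00 +0000
Message-ID: <20240314090000.1@attacker.example>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=example-corp.com.attacker.example
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Reset it at
<a href="http://login.attacker.example/reset">https://sso.example-corp.com/reset</a> now.</p></body></html>
"""

AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)', re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify your")


def defang(url):
    """Render a URL safe to paste into a ticket or chat without it becoming clickable."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def _host(text):
    text = text.strip()
    return urlparse(text if "://" in text else "//" + text).hostname


def triage(raw_bytes):
    """Return sender details, authentication verdicts, defanged URLs and a list of findings."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # Lookalike sender: our domain name embedded in a domain we do not own.
    if from_domain != ORG_DOMAIN and not from_domain.endswith("." + ORG_DOMAIN) \
            and ORG_DOMAIN in from_domain:
        findings.append("sender_domain_lookalike")
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append("reply_to_mismatch")

    # SPF/DKIM/DMARC verdicts as recorded by the receiving mail server.
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) in ("fail", "softfail", "permerror"):
            findings.append(f"auth_failure:{mech}={auth[mech]}")

    if any(w in str(msg.get("Subject", "")).lower() for w in URGENCY_WORDS):
        findings.append("urgency_language")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    # Visible link text naming one host while the href goes somewhere else.
    for href, text in ANCHOR_RE.findall(body):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if "." in visible and " " not in visible and _host(visible) != _host(href):
            findings.append("link_text_mismatch")

    urls = sorted({defang(u) for u in URL_RE.findall(body)})
    return {"from": from_addr, "reply_to": reply_to, "auth": auth, "urls": urls, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The href is the only thing the browser follows, which is why the visible text is compared against it; the defanged list is what goes into the ticket and into the SIEM search for other recipients.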

How do you stay current with the latest cybersecurity threats?
By following security blogs and news (Krebs on Security, The Hacker News), vendor and CERT advisories (for example CISA alerts), threat intelligence reports, and the MITRE ATT&CK knowledge base; by attending webinars and conference talks; and by practising hands-on in CTF (Capture The Flag) challenges and home labs.

Bonus: What is a CVE?
Common Vulnerabilities and Exposures. A public catalog, maintained by MITRE, that assigns each known vulnerability a unique identifier of the form CVE-YYYY-NNNNN so that vendors, scanners, and advisories can all refer to the same issue unambiguously. The CVE record itself only identifies the flaw; its severity comes separately from a CVSS score, typically published alongside it in the NVD.