SOC Analyst Screening Questions
The questions below are basic questions that most SOC analysts with some experience should be able to answer or easily find the answer to. Some notes:
The effort a candidate puts into the questions shows their interest in the position and in being the best they can be in the cyber security field.
Look for understanding of the concept behind an answer rather than a specific answer.
Thoroughness of answers also highlights a candidate's attention to detail.
For questions related to command line strings, many people will not know the command on the spot but will quickly be able to research and find it.
Watch for candidates who just answer the questions with tools like ChatGPT.
Instructions: Answer the following questions to the best of your knowledge. Some questions may have more than one answer. Feel free to document your thought process when answering the questions. Do not use ChatGPT to answer the questions.
Basic SOC Concepts
What are the most common ways hackers hack into networks?
Name the steps of the SANS Incident response framework:
What is the name of the framework from MITRE that maps hackers to techniques?
What is the process called where you run a file through a one-way mathematical function, and it produces a unique value for that file?
What is the MITRE ATT&CK technique for clearing Windows event logs?
In the 'Pyramid of Pain' model name what is the most trivial thing to detect but also easiest for hackers to change?
How would you check to see if a hash matches malware?
What is the term to describe when hackers do not use malware but use system administration tools to conduct their hacks?
What is the name of the tool SOCs use for collecting and monitoring event logs? List some SIEMs you have experience with?
Basic Windows Analysis
What is the Windows Event ID for logon failure?
What is the Event ID if a Windows event log was cleared?
What is the Windows tool that can be used to schedule tasks?
What command would I run on a Windows machine to see what ports the system is listening on?
Use the findstr command to filter netstat output so that it only shows TLS connections to the system:
What is the PowerShell file extension?
What is the PowerShell command to find the local user?
What port does RDP use?
Using the Windows cmd prompt how would you disable a Windows firewall?
How does PowerShell connect to remote systems?
What is the proper parent process of svchost.exe?
Basic Linux Analysis
You are user msmith. What is the SSH command to log on to host 192.168.9.10?
Name some commands to tell a Linux Kernel version?
Name a command to tell the current Linux user?
What is the Linux tool that is used to schedule tasks?
Name some tools that can be used to make a web connection from a Linux command line?
Write a regular expression to match any number on a line?
Basic Networking Concepts
Name a DNS record type to look up an IPv4 IP address?
Name a DNS record type used for SPF and DKIM?
What are the strings below referred to as?
a. Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
b. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
What type of encoding is the below string?
a. VGhlIGJyb3duIGZveCBqdW1wZWQgb3ZlciB0aGUgd2hpdGUgZmVuY2U=
Programming and Scripting
In a Python script, what line of code is needed to use the system (sys) module?
In Python, declare a variable called PW Length and give it a value of 12.
Vulnerability & Compliance Management
Name a commercial tool for running vulnerability scans? If you have experience using vulnerability scanning tools, which ones have you used?
What is the name of a standard for system hardening?
Leadership
Do you feel comfortable providing supervision to other people?
Can you provide examples of when you supervised other people?
What motivates you every day working in the technical and cyber security field?
Name the top 3 leadership traits you look for in strong leadership?
Answers
Some common answers are listed below.
Basic SOC Concepts
What are the most common ways hackers hack into networks?
Phishing
Exploitable Public-Facing Services (open ports, vulnerability exploitation, etc)
Authenticating via Public-Facing Services (i.e., VPN/RDP/VDI)
Inserting Rogue Devices / “drop boxes” (onto LAN or WiFi)
Name the steps of the SANS Incident response framework:
The SANS incident response framework is based on the PICERL model:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
What is the name of the framework from MITRE that maps hackers to techniques?
MITRE ATT&CK
What is the process called where you run a file through a one-way mathematical function, and it produces a unique value for that file?
Hashing
What is the MITRE ATT&CK technique for clearing Windows event logs?
{T1070.001}; this is a Defense Evasion technique. wevtutil.exe is a common system administration tool that can be used to carry out this technique.
In the 'Pyramid of Pain' model name what is the most trivial thing to detect but also easiest for hackers to change?
The Pyramid of Pain consists of 6 levels. The most trivial indicator is the hash value, since hashes can be used to identify files, but it is also easy for hackers to change a file's hash. In summary, the Pyramid of Pain illustrates that lower-level indicators are easier for attackers to evade, while detecting higher-level indicators makes it increasingly challenging (and painful) for them. Increasing attacker pain is advantageous because it may deter them, slow them down, or force them to change tactics.
At the pyramid's base is hash value detection. Detecting an attacker’s hash values is a minor inconvenience, as they can easily alter a hash by modifying the code, as we did in last week’s lab by adding assembly instructions. Moving up, IP addresses and domain names are more challenging to change, requiring attackers to switch to new domains or IPs for command-and-control. Next are network and host artifacts, and higher still, tools and tactics, techniques, and procedures (TTPs), such as persistence via registry keys. Detecting these is increasingly inconvenient for attackers, often requiring them to rewrite and redeploy their code, which introduces further detection opportunities.
The higher up the pyramid defenders can detect, the more disruption is caused for attackers, increasing the chances of thwarting malicious activity.
How would you check to see if a hash matches malware?
Use a threat intel platform like VirusTotal. Many other tools, such as the Sophos malware lookup and Cisco Talos, are also available.
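To tie the hashing, hash-lookup and Pyramid of Pain answers together, here is an added Python example (it is not part of the original question set). It hashes constructed sample bytes and a file with MD5, SHA-1 and SHA-256, checks the SHA-256 against a constructed "known-bad" set that stands in for a VirusTotal or threat-intel lookup, and shows that flipping a single byte produces a completely different hash, which is why hashes sit at the base of the pyramid. The sample bytes and the known-bad set are invented for the demo and are not real malware indicators.

```python
import hashlib
import os
import tempfile

# Constructed sample file contents (not real malware).
SAMPLE_BYTES = b"constructed sample payload for the hashing demo\n"

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Return hex digests of the data for each algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so large samples never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


# Constructed "known-bad" set standing in for a threat-intel lookup such as
# VirusTotal; it contains only the SHA-256 of SAMPLE_BYTES.
KNOWN_BAD_SHA256 = {hash_bytes(SAMPLE_BYTES)["sha256"]}


def is_known_bad(digests: dict, blocklist: set = KNOWN_BAD_SHA256) -> bool:
    """True if the file's SHA-256 appears in the blocklist (case-insensitive)."""
    return digests["sha256"].lower() in {h.lower() for h in blocklist}


def flip_last_byte(data: bytes) -> bytes:
    """Change one bit of the last byte; every digest changes completely."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def file_roundtrip_matches() -> bool:
    """Write SAMPLE_BYTES to a temp file and confirm hash_file == hash_bytes."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        return hash_file(path) == hash_bytes(SAMPLE_BYTES)
    finally:
        os.remove(path)


if __name__ == "__main__":
    original = hash_bytes(SAMPLE_BYTES)
    changed = hash_bytes(flip_last_byte(SAMPLE_BYTES))
    print("original sha256:", original["sha256"], "known bad:", is_known_bad(original))
    print("modified sha256:", changed["sha256"], "known bad:", is_known_bad(changed))
    print("file and in-memory digests agree:", file_roundtrip_matches())
```

The point for an analyst: a hash match is high-confidence, but a miss proves nothing, because the one-byte change above is all it takes to defeat a hash-only blocklist.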
What is the term to describe when hackers do not use malware but use system administration tools to conduct their hacks?
Living off the Land (LOL)
What is the name of the tool SOCs use for collecting and monitoring event logs? List some SIEMs you have experience with?
SIEM is the tool that SOCs use to collect and monitor event logs. SIEM stands for 'Security Information and Event Management.'
Basic Windows Analysis
What is the Windows Event ID for logon failure?
4625 is the Windows Event ID that is generated upon logon failure.
What is Event ID if a windows event log was cleared?
104 is the Event ID generated in the System log and 1102 in the Security log.
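The Event IDs above (4625, 1102, 104) are what a SIEM rule keys on. The Python below is an added example, not part of the original question set: it runs two simple detections over a constructed list of normalised event records, alerting on log clearing (mapped to T1070.001) and on a burst of 4625 failures from one source within a time window. The field names, timestamps, user and IP values are invented for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, resembling Windows events after normalisation
# into a SIEM. All values are invented for the demo.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "channel": "Security", "event_id": 4625,
     "target_user": "msmith", "source_ip": "10.0.0.25"},
    {"time": "2024-01-10T09:00:05", "channel": "Security", "event_id": 4625,
     "target_user": "msmith", "source_ip": "10.0.0.25"},
    {"time": "2024-01-10T09:00:09", "channel": "Security", "event_id": 4625,
     "target_user": "msmith", "source_ip": "10.0.0.25"},
    {"time": "2024-01-10T09:00:13", "channel": "Security", "event_id": 4625,
     "target_user": "msmith", "source_ip": "10.0.0.25"},
    {"time": "2024-01-10T09:00:17", "channel": "Security", "event_id": 4625,
     "target_user": "msmith", "source_ip": "10.0.0.25"},
    {"time": "2024-01-10T09:00:21", "channel": "Security", "event_id": 4625,
     "target_user": "msmith", "source_ip": "10.0.0.25"},
    {"time": "2024-01-10T09:00:30", "channel": "Security", "event_id": 4624,
     "target_user": "msmith", "source_ip": "10.0.0.25"},
    {"time": "2024-01-10T09:01:00", "channel": "Security", "event_id": 4625,
     "target_user": "jdoe", "source_ip": "10.0.0.40"},
    {"time": "2024-01-10T09:05:00", "channel": "Security", "event_id": 1102,
     "subject_user": "msmith"},
    {"time": "2024-01-10T09:05:01", "channel": "System", "event_id": 104,
     "subject_user": "msmith"},
]

# (channel, event_id) pairs that mean an event log was cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_log_cleared(events: list) -> list:
    """One alert per log-clearing event; mapped to ATT&CK T1070.001."""
    return [
        {"technique": "T1070.001", "time": e["time"], "channel": e["channel"],
         "event_id": e["event_id"], "user": e.get("subject_user", "unknown")}
        for e in events
        if (e["channel"], e["event_id"]) in LOG_CLEARED
    ]


def detect_failed_logon_bursts(events: list, threshold: int = 5,
                               window_seconds: int = 60) -> list:
    """Alert when a source IP has >= threshold 4625 events inside any window.

    A sliding window over the sorted timestamps finds the densest run per
    source, so a slow trickle of failures spread across hours does not fire.
    """
    by_source = defaultdict(list)
    for e in events:
        if e["channel"] == "Security" and e["event_id"] == 4625:
            by_source[e["source_ip"]].append(parse_time(e["time"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for source, times in by_source.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"source_ip": source, "count": best,
                           "first": times[0].isoformat(),
                           "last": times[-1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_log_cleared(SAMPLE_EVENTS):
        print("LOG CLEARED:", alert)
    for alert in detect_failed_logon_bursts(SAMPLE_EVENTS):
        print("FAILED LOGON BURST:", alert)
```

In the sample data the 4624 success that follows the run of 4625 failures from the same source is the record an analyst would pivot to next; the two log-clearing events a few minutes later are the classic follow-on.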
What is the Windows tool that can be used to schedule tasks?
{Task Scheduler} is used to schedule tasks in Windows. Older Windows systems also have scheduled tasks created with the 'at' command.
What command would I run on a windows machine to see what ports the system is listening to?
{netstat -an}; netstat is a command used to find and display network connection information.
Use the command findstr filter netstat output to only show TLS connections to the system:
{netstat -an | findstr "TLS"}
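As an added example that is not part of the original question set, the Python below parses constructed `netstat -an` output (Windows layout) and answers the two questions above programmatically: which ports the host is listening on, and which established sessions are inbound to a TLS port. One caveat a practitioner will want: netstat reports addresses, ports and states but does not label protocols, so the "TLS" filter here is an assumption that TLS is served on port 443; adjust the port list for hosts that terminate TLS elsewhere. The sample output and addresses are invented.

```python
# Constructed sample of `netstat -an` output on a Windows host (invented values).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           10.0.0.25:51022        ESTABLISHED
  TCP    10.0.0.5:52110         203.0.113.10:443       ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

# Ports assumed to carry TLS on this host (an assumption, not a netstat fact).
TLS_PORTS = (443,)


def split_host_port(addr: str):
    """Split 'host:port' from the right so IPv6 forms like '[::]:135' work."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """Turn netstat lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_host_port(parts[1])
        fhost, fport = split_host_port(parts[2])
        rows.append({
            "proto": parts[0],
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            # UDP rows have no state column on Windows.
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def listening_ports(rows: list) -> list:
    """Sorted (proto, port) pairs in the LISTENING state, deduplicated across v4/v6."""
    return sorted({(r["proto"], r["local_port"]) for r in rows
                   if r["state"] == "LISTENING"})


def inbound_tls_connections(rows: list, tls_ports=TLS_PORTS) -> list:
    """Established TCP sessions whose LOCAL port is a TLS port (inbound to us).

    Outbound sessions to a remote 443 have a high local port and are excluded.
    """
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["local_port"] in tls_ports]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    for r in inbound_tls_connections(rows):
        print("inbound TLS:", r["foreign_host"], r["foreign_port"], "->", r["local_port"])
```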
What is the PowerShell file extension?
The PowerShell file extension is .ps1
What is the PowerShell command to find the local user?
Get-LocalUser is the command to list local users in PowerShell.
What port does RDP use?
The default RDP port is 3389.
Using the Windows cmd prompt how would you disable a Windows firewall?
'netsh advfirewall set allprofiles state off' is the command to disable the Windows firewall. 'help' can be used to find the syntax of the specific command.
How does PowerShell connect to remote systems?
There are various ways to connect. A couple of them: {SSH, WMI, Invoke-Command}
What is the proper parent process of svchost.exe?
services.exe
Basic Linux Analysis
You are user msmith. What is the SSH command to logon to host 192.168.9.10?
ssh msmith@192.168.9.10
Name some commands to tell a Linux Kernel version?
uname -r
uname -a
cat /proc/version
Name a command to tell the current Linux user?
whoami
What is the Linux tool that is used to schedule tasks?
cron
Name some tools that can be used to make a web connection from a Linux command line?
cURL
wget
Write a regular expression to match any number on a line?
\d+
Basic Networking Concepts
Name a DNS record type to look up an IPv4 IP address?
A record
Name a DNS record type used for SPF and DKIM?
TXT record
What are the strings below referred to as?
a. Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
b. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
User Agent strings
What type of encoding is the below string?
a. VGhlIGJyb3duIGZveCBqdW1wZWQgb3ZlciB0aGUgd2hpdGUgZmVuY2U=
Base64 encoding
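The regular expression and Base64 answers above are the kind of string triage an analyst does dozens of times a day. The Python below is an added example, not part of the original question set: it extracts numbers from a log line with the `\d+` pattern, recognises and safely decodes Base64 (returning None for anything that is not valid Base64 or does not decode to printable text), and pulls Base64-looking tokens out of a longer line. It decodes the exact string from the question above; the log line is constructed for the demo.

```python
import base64
import binascii
import re

# The Base64 string from the question above.
SAMPLE_B64 = "VGhlIGJyb3duIGZveCBqdW1wZWQgb3ZlciB0aGUgd2hpdGUgZmVuY2U="
# Constructed log line for the regex demo (invented values).
SAMPLE_LINE = "Failed logon for msmith from 10.0.0.25 after 6 attempts on port 3389"

NUMBER_RE = re.compile(r"\d+")
# Whole-string Base64: alphabet chars, optional padding, length a multiple of 4.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Base64-looking tokens embedded in a line; 16 chars minimum to limit false hits.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_numbers(line: str) -> list:
    """All runs of digits on the line (the `\\d+` answer)."""
    return NUMBER_RE.findall(line)


def looks_like_base64(s: str) -> bool:
    return len(s) % 4 == 0 and B64_RE.match(s) is not None


def try_decode_base64(s: str):
    """Decoded text, or None if s is not valid Base64 or not printable text."""
    if not looks_like_base64(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_base64_tokens(line: str) -> list:
    """(token, decoded_text) for every embedded token that decodes cleanly."""
    results = []
    for token in B64_TOKEN_RE.findall(line):
        decoded = try_decode_base64(token)
        if decoded is not None:
            results.append((token, decoded))
    return results


if __name__ == "__main__":
    print("numbers:", find_numbers(SAMPLE_LINE))
    print("decoded:", try_decode_base64(SAMPLE_B64))
    print("tokens:", decode_base64_tokens("user=msmith note=" + SAMPLE_B64))
```

Note that a string matching the Base64 alphabet is not proof of Base64 (hex strings and long hostnames match too), which is why the decoder also requires a valid length, strict decoding and printable output before reporting a hit.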
Programming and Scripting
In a Python script, what line of code is needed to use the system (sys) module?
import sys
In Python, declare a variable called PW Length and give it a value of 12.
PW_Length = 12
Vulnerability & Compliance Management
Name a commercial tool for running vulnerability scans? If you have experience using vulnerability scanning tools, which ones have you used?
Nessus
Qualys
Rapid7
What is the name of a standard for system hardening?
CIS benchmarks
Leadership
Do you feel comfortable providing supervision to other people?
Can you provide examples of when you supervised other people?
What motivates you every day working in the technical and cyber security field?
Name the top 3 leadership traits you look for in strong leadership?
In Person Interview Technique
Bring something to the Interview
Ask the candidate to bring two copies of something related to cyber security to the interview. Be specific, like ask them to bring a Cyber Threat Intelligence report.
The primary purpose of this test is to assess the candidate's ability to follow instructions, a skill that consistently correlates with successful job performance. In my experience, employees who effectively follow instructions perform better over time. For instance, newly hired employees would complete several weeks of book, CBT, and training before beginning on-the-job tasks. I provided carefully selected PDFs, videos, and other resources to help them understand the relevant technologies, instructing them to review these materials.
When I followed up, some candidates had not reviewed the materials or admitted they were studying unrelated topics instead. This behavior predicted future poor performance. Employees who neglected the assigned resources, even if they pursued other technical learning, generally prioritized their own interests over following directions, demonstrated poor attention to instruction, or were not respectful of the advice and knowledge that teammates can provide, all of which can negatively impact team performance. By contrast, top-performing employees would review the provided materials and then supplement their learning with additional research, showing both diligence and a drive to excel. Just as a coach outlines the steps an athlete needs to succeed in their position, following the instructions of supervisors and coworkers who have performed a job and know what needs to be done to be successful is necessary for the employee to be successful.
Whiteboarding
Whiteboard a network setup and ask questions as you go through the setup. After you're done, erase the diagram and ask the candidate to re-create it. This will help you understand the candidate's memory recall. This is a common technique used to analyze athletes: a play is diagrammed, analyzed and discussed, and the athlete is then asked to recreate it.
A twist to determine how the candidate handles disagreement is to tell them that something they re-diagrammed correctly was incorrect and not how it was originally diagrammed.
Treating people well
One of the things that toxic workers and leaders do is treat people they feel are beneath them in the hierarchy differently than people above them. These are some of the most toxic people to work with and you want to avoid them like the plague.
Ownership
As you go through the candidate's resume, look for projects where the candidate took ownership of projects or tasks. Many candidates will say they have experience with specific systems and technologies, but behind the scenes someone else did all the leg work to make that system work and they were merely following basic instructions, so they will likely not have the skill and/or initiative to help your organization implement and improve systems.