SOC Analysts Prep Interview Questions
Technical Questions
What is the CIA Triad?
Answer: The CIA Triad stands for Confidentiality, Integrity, and Availability – the core principles of cybersecurity.
What is a false positive and false negative in a SOC context?
Answer: A false positive is a benign event flagged as malicious; a false negative is a malicious event not detected.
What is lateral movement in cybersecurity?
Answer: The technique attackers use to navigate through a network after gaining initial access to achieve their objectives.
What is an Indicator of Compromise (IoC)?
Answer: Evidence of a potential security breach, such as malicious file hashes, IP addresses, or unusual behaviour.
Define a zero-day vulnerability.
Answer: A previously unknown vulnerability that is exploited before a patch is available.
What is the difference between IDS and IPS?
Answer:
IDS: Intrusion Detection System monitors and alerts.
IPS: Intrusion Prevention System actively blocks threats.
What is phishing?
Answer: A cyberattack where attackers trick users into divulging sensitive information through fake communications.
Explain the difference between encryption and hashing.
Answer:
Encryption: Converts data into a secure format and can be decrypted.
Hashing: Generates a fixed-length string (hash) and is irreversible.
What is the role of SIEM in a SOC?
Answer: SIEM (Security Information and Event Management) collects, analyses, and correlates logs to detect and respond to security events.
What is the principle of least privilege?
Answer: Restricting user access to only the resources necessary for their role.
What is the role of EDR in a SOC?
Answer: Endpoint Detection and Response tools provide real-time endpoint monitoring, detect advanced threats, and enable remote remediation.
What is a web application firewall (WAF), and how does it work?
Answer: A WAF monitors and filters HTTP/S traffic to protect web applications from common attacks like XSS, SQL injection, and DDoS.
Explain the difference between symmetric and asymmetric encryption.
Answer:
Symmetric Encryption: Uses one key for encryption and decryption.
Asymmetric Encryption: Uses a public key for encryption and a private key for decryption.
What is threat intelligence, and how is it used in a SOC?
Answer: Threat intelligence provides information about current and emerging threats, enabling proactive defences and better detection of IoCs.
How would you use Splunk to detect unusual login patterns?
Answer:
Query login events using SPL (Search Processing Language).
Identify anomalies in login times, geolocations, or failed attempts.
Create dashboards for continuous monitoring.
What is DNS poisoning, and how can it be detected?
Answer: DNS poisoning involves altering DNS records to redirect users to malicious sites. Detect using DNS logs, identifying mismatched records, and monitoring for unauthorised changes.
How do you secure sensitive data in transit?
Answer: Use encryption protocols like TLS/SSL, enforce secure cipher suites, and avoid deprecated protocols like SSLv3.
What is a honeypot, and how is it used in threat detection?
Answer: A honeypot is a decoy system designed to attract attackers, allowing observation and collection of attack methods.
How can you identify malicious PowerShell activity?
Answer: Monitor for:
Obfuscated commands.
Unexpected script executions.
PowerShell network connections to unknown IPs.
What are the components of a secure software development lifecycle (SDLC)?
Answer:
Secure design.
Code reviews.
Static and dynamic analysis.
Regular patching and updates.
What are the key fields to monitor in Windows Event ID 4624?
Answer:
Logon Type: Identifies the method used to log in (e.g., interactive, remote).
Account Name: Shows the user who logged in.
Source Network Address: Indicates the IP address of the logon attempt.
How do you troubleshoot missing logs in a SIEM?
Answer:
Verify if the log source is configured correctly.
Check network connectivity between the log source and SIEM.
Investigate parsing errors or misconfigurations.
What are the common use cases for correlation rules in a SIEM?
Answer:
Brute force detection.
Privilege escalation attempts.
Data exfiltration patterns.
Lateral movement across systems.
What is the difference between a hash collision and a hash mismatch?
Answer:
Hash Collision: Two different inputs produce the same hash value.
Hash Mismatch: A hash value does not match the expected value, indicating data alteration or corruption.
Explain the importance of timestamp normalisation in SIEM logs.
Answer: It ensures logs from different sources align with a standard time format, allowing accurate event correlation.
How do you investigate anomalous outbound traffic detected by a firewall?
Answer:
Check destination IPs against threat intelligence.
Correlate with internal device logs.
Identify processes or users initiating the traffic.
What are the steps to perform static malware analysis?
Answer:
Extract and analyse file metadata.
Check file hashes against known malware databases.
Inspect strings and code without executing the malware.
How would you detect hidden persistence mechanisms on a compromised system?
Answer:
Review startup items, scheduled tasks, and registry keys.
Look for DLL hijacking or unusual services.
Check for unsigned binaries or scripts.
What are IOC enrichment techniques in threat analysis?
Answer:
Using threat intelligence feeds to add context to IoCs.
Correlating with historical logs.
Leveraging tools like VirusTotal for malware hashes.
How do you identify suspicious processes in real-time?
Answer:
Look for processes with unusual names or paths.
Check parent-child relationships.
Monitor processes consuming excessive CPU or memory.
Log Analysis and Monitoring
What are the key Windows Event IDs for monitoring logon activity?
Answer:
4624: Successful logon.
4625: Failed logon.
4776: Credential validation.
4769: Kerberos service ticket request.
How would you identify suspicious command-line activities?
Answer: Look for unusual or rarely used commands, obfuscated scripts, or command execution from unauthorised accounts.
What is the difference between security logs and application logs?
Answer:
Security logs track access, authentication, and unauthorised activities.
Application logs record software-specific events and errors.
How do you analyse suspicious log entries?
Answer: Look for abnormal login times, repeated failed attempts, unauthorised access to critical resources, or patterns like privilege escalation.
What is the importance of time synchronisation in log analysis?
Answer: Ensures all logs across devices have consistent timestamps for accurate correlation and investigation.
What tool would you use to parse large log files, and why?
Answer: Tools like Splunk, ELK stack, or simple grep commands for filtering and pattern matching efficiently.
How can you identify privilege escalation attempts in Windows Event Logs?
Answer: Monitor for events like:
4674: Sensitive privilege use.
4672: Assigning special privileges.
Threat Hunting and Incident Response
How would you detect PowerShell-based attacks?
Answer: Monitor for obfuscated commands, unusual PowerShell execution, or processes running under non-standard accounts.
What is the MITRE ATT&CK framework?
Answer: A knowledge base of adversarial tactics, techniques, and procedures used to understand, detect, and respond to threats.
What methods would you use to hunt for malware on endpoints?
Answer:
Check for unusual processes.
Analyse file hashes using threat intelligence.
Review autorun entries and scheduled tasks.
How do you identify command-and-control (C2) communication?
Answer: Monitor for beacon-like network traffic, connections to suspicious domains, or encrypted traffic on non-standard ports.
What is the difference between a SOC playbook and a runbook?
Answer:
Playbook: High-level procedures for specific incidents.
Runbook: Step-by-step guides for implementing playbook actions.
Network Security and Malware Analysis
What is the purpose of a sandbox environment?
Answer: A secure environment for analysing potentially malicious files or software without risking the production environment.
How do you analyse packet captures for suspicious activity?
Answer: Use tools like Wireshark to inspect network traffic for anomalies such as unusual IPs, ports, or payloads.
What is the purpose of network segmentation in security?
Answer: Minimises the spread of threats and improves monitoring by isolating sensitive systems.
How do you detect malicious traffic in a packet capture (PCAP)?
Answer: Look for unusual protocols, unauthorised IPs, or payloads with malicious content.
What is the role of the NetFlow tool in network security?
Answer: Provides metadata about traffic flows, helping identify anomalies like data exfiltration.
Cloud Security and Tools
What are common threats in cloud environments?
Answer: Misconfigured settings, insecure APIs, insider threats, and data breaches.
How do you use Splunk for threat detection?
Answer: Use SPL queries to analyse logs, create dashboards, and set alerts for anomalous activities.
How do you investigate a misconfigured cloud storage bucket?
Answer:
Identify permissions and access logs.
Check for unauthorised data access.
Correct permissions to least privilege.
What tools would you use for threat detection in the cloud?
Answer: Use tools like AWS GuardDuty, Asure Sentinel, or Google Chronicle for monitoring and alerting.
What are common vulnerabilities in cloud deployments?
Answer:
Misconfigurations.
Insecure APIs.
Lack of visibility.
Explain how SIEM helps with cloud security.
Answer: SIEM collects logs from cloud resources, applies correlation rules, and provides dashboards for monitoring threats.
Incident Response and Automation
What is playbook automation in incident response?
Answer: Automating repetitive tasks, such as IP blocking, using tools like SOAR (Security Orchestration, Automation, and Response).
What are the stages of the incident response lifecycle?
Answer: Preparation, Detection, Containment, Eradication, Recovery, and Lessons Learned.
What is the difference between IOC (Indicator of Compromise) and IOA (Indicator of Attack)?
Answer:
IOC: Evidence of past compromise (e.g., malicious file hash).
IOA: Indicators of active attack tactics or behaviours.
How do you handle obfuscated scripts during analysis?
Answer: Deobfuscate using tools or manually analyse patterns. Check for encoding techniques or hidden payloads.
What is the purpose of using a SOAR platform in a SOC?
Answer: To automate repetitive security tasks, enhance collaboration, and reduce incident response times.
How do you prioritise response actions during an active attack?
Answer: Contain the threat to prevent further damage, followed by identification, eradication, and recovery steps.
How would you use YARA rules in malware analysis?
Answer: CreateAnalyseures to match specific characteristics of known malware, enabling detection across files or memory.
What is a memory dump, and how is it useful?
Answer: A memory dump captures the contents of system RAM, running processes, loaded modules, and malware artifacts.
What are common SIEM queries to detect brute force attacks?
Answer:
Look for repeated failed login attempts.
Correlate login analysis from the same IP in the time frame.
Analyse user account lockout logs.
How would you use Velociraptor in threat hunting?
Answer: Use VQL queries to hunt for malicious processes, analyse file changes, and monitor Windows for suspicious activity.
Scenario-Based Questions
A user reports their system files are disappearing. How would you approach this situation?
Answer: Begin by isolating the system to prevent further potential spread of malware. Then, collect initial logs and evidence, such as task manager outputs, network activity, and recent event logs. Analyse for malware indicators like unexpected processes or unauthorised file access.
What action would you take if you identified unauthorised access to a critical server?
Answer:
Alert relevant stakeholders.
Immediately terminate the session.
Collect evidence, such as event logs.
Determine the method of entry.
Patch vulnerabilities and reset credentials.
Monitor for further attempts.
Describe your response if an employee reports a phishing email.
Answer: Quarantine the email, investigate its source, and check for other users who may have received the organisation, if malicious block associated IOCs on the email security devices. Educate the reporting employee and others about the threat.
You find suspicious outbound traffic from a workstation to an unknown IP. Whatanalyse do?
Answer:
Block the IP in the firewall.
Investigate the workstation for signs of compromise.
Analyse network traffic to identify patterns or associated malicious activity.
How would you handle a ransomware outbreak in the organisation?
Answer:
Isolate affected systems
Identify the ransomware type.
Notify incident response teams.
Use backups for recovery if available.
Conduct a root cause analysis and improve defences.
What do you do if you detect a brute-force attack on a system?
Answer:
Identify the source of the attack.
Block the source IP(s).
Increase account lockout settings.
Notify the account owner and SOC team.
Conduct a vulnerability assessment to prevent future occurrences.
A critical patch is released. How do you prioritise deployment?
Answer:
Identify affected systems.
Assess the severity of the vulnerability.
Prioritise based on exposure and criticality.
Testorganisation’sa sandbox environment.
Deploy in phases to minimise disruption.
What actions would you take if a malicious insider is identified?
Answer: Follow the organisation’s incident response policy:
Gather evidence discreetly.
Notify HR and legal teams.
Revoke access to systems.
Conduct a full audit of activities.
Describe your first steps when investigating a suspected malware infection.
Answer:
Isolate the infected machine.
Review logs for suspicious activities.
Identify indicators of compromise (IoCs).
Analyse file hashes against threat intelligence sources.
Eradicate malware and validate remediation.
How would you handle a report of data exfiltration?
Answer:
Identify the scope of exfiltration.
Contain the breach.
Notify legal and compliance teams.
Investigate the root cause.
Notify impacted parties if required.
An employee clicks on a phishing link and downloads an attachment. What do you do?
Answer:
Isolate the employee’s system immediately.
Scan for malware using endpoint detection tools.
Check logs for lateral movement.
Educate the employee on recognising phishing attempts.
How would you prioritise multiple security alerts in a SOC environment?
Answer: Use a risk-based approach considering factors like the criticality of affected systems, the type of alert, and potential business impact.
What would you do if a security tool flagged false positives repeatedly?
Answer: Tune the tool’s detection rules based on observed patterns, update threat intelligence sources, and document changes for continuous improvement.
A user reports seeing pop-ups and redirects on their browser. What could this indicate?
Answer: Likely adware or browser hijacking. Investigate by checking installed extensions, processes, and web traffic for anomalies.
What would you do if DNS traffic spikes unexpectedly?
Answer: Investigate for signs of DNS tunneling or exfiltration. Analyse DNS logs for unusual domains or patterns.
You detect a large number of failed login attempts from a single IP. What do you do?
Answer:
Block the IP temporarily.
Analyse logs to confirm a brute force attack.
Notify affected users to secure their accounts.
Strengthen access controls.
How would you handle an alert about suspicious file encryption activity?
Answer:
Quarantine the affected system.
Identify the source of encryption processes.
Look for ransomware IoCs and mitigate further spread.
Restore files from backup.
How do you ensure the SOC operates efficiently during a significant incident?
Answer:
Define roles and responsibilities in the incident response plan.
Ensure effective communication channels.
Use automation to reduce repetitive tasks.
A critical vulnerability is identified in software used by your organisation. What next?
Answer: Assess exposure, notify teams, and apply mitigations like virtual patches or configuration changes until an official patch is available.
Describe your response if unauthorised access to an email account is reported.
Answer:
Reset the account credentials.
Investigate login attempts from authorised or suspicious IPs.
Check for potential data leaks.
Enable multi-factor authentication (MFA) if not already in place.
You notice a spike in failed API calls in a cloud environment. What do you do?
Answer:
Identify the source of the calls.
Review logs for unauthorised access attempts.
Check if API keys have been leaked or misused.
Rotate API credentials and apply stricter rate limiting.
A DDoS attack is targeting your web application. How do you respond?
Answer:
Enable DDoS protection via WAF or CDN services.
Analyse traffic to identify patterns or attacker IPs.
Implement rate limiting and block IP ranges if necessary.
Notify stakeholders and continue monitoring.
What actions would you take if a vulnerability scan reveals exposed critical ports?
Answer:
Evaluate if the ports are required for business operations.
Secure or restrict access using firewalls or security groups.
Implement VPN or other access control mechanisms.
How do you handle alerts of suspicious file changes in critical directories?
Answer:
Check file integrity monitoring (FIM) logs for changes.
Correlate with user or process activity.
Investigate the source and mitigate if unauthorised.
An endpoint protection solution quarantines a critical business application. What do you do?
Answer:
Review the quarantine logs and file signatures.
Verify with the vendor if it's a false positive.
Temporarily whitelist the application after due diligence.
How would you handle an employee who repeatedly violates acceptable use policies?
Answer:
Sanitise instances of policy violations.
Educate the employee on the risks.
Escalate to HR if violations persist.
What steps would you take to ensure secure remote access for employees?
Answer:
Enforce MFA.
Use a VPN with encryption.
Restrict access to sensitive resources based on roles.
Describe your approach to mitigating a cross-site scripting (XSS) vulnerability.
Answer:
Sanitise and validate all user inputs.
Apply content security policies (CSPs).
Notify developers to patch application code.
What would you do if an unmanaged device connects to the network?
Answer:
Quarantine the device using NAC policies.
Investigate the user and intent of connection.
Enforce endpoint compliance before granting access.
Describe your actions if malware is found on an external storage device.
Answer:
Disconnect the device from the network.
Analyse the malware using a sandbox.
Scan connected systems for signs of infection.
Behavioural Questions
How do you manage multiple tasks and alerts in a high-pressure SOC environment?
Answer:
Prioritise tasks based on severity and impact.
Use ticketing systems to track progress.
Communicate effectively with the team to delegate tasks.
Describe a time you successfully identified and mitigated a security threat.
Answer: Provide a specific example, explaining the detection method, analysis, and steps taken to resolve the issue.
How do you stay updated with the latest cybersecurity trends and threats?
Answer:
Follow industry blogs and forums.
Participate in webinars and conferences.
Practice hands-on learning in labs and simulations.
How would you handle a disagreement with a team member about an incident response strategy?
Answer:
Discuss differing viewpoints objectively.
Reference documented processes or evidence to support your position.
Escalate to a supervisor if no agreement is reached.
What motivates you to pursue a career in cybersecurity?
Answer: Highlight personal interests in problem-solving, passion for technology, and a desire to protect organisations from evolving threats.
Last updated
