SOC Incident Response Interview Questions 1. “You are a tier 1 SOC analyst, responsible for monitoring the SOC inbox for user-reported incidents. The SOC receives an email from the VP of Human Resources stating that they can’t access their personal cloud drive. The VP knows this against company policy, but the VP is adamant that this Is required for legitimate business requirements.” a. Do you process the access request for the VP? b, What is your response to the VP? ©. Who else should you include in the reply email? 2. "You are monitoring the SIEM dashboard for new security events. A network IDS alert is triggered, and you begin investigating, You see a large amount of network traffic over UDP port 161 originating from dozens of internal IP addresses, all with the same, internal destination IP. address. Some quick Googling shows that UDP port 161 is used for by the Simple Network Management Protocol and the byte count of the traffic is miniscule.” a. Do you think this is data exfiltration? b. Ifthis is not data exfiltration, what legitimate services could cause this alert? ©. What team could provide an explanation for the traffic? 3. What is an investigation methodology? An investigation methodology is a framework or guidelines that gave you instruction or point you a direction at what you should do during an investigation. Describe what | will do, what tool | will use, Example: a. First step ‘+ Determine the severity '* CVSS Common Vulnerability Scoring System. = Assessing What happens? When? How? What did you do? When did you notice? Create the timeline How many people affected? What is the effect / lost / impact? © What's the impact for doing OOXx (Shut down X system)? b. Second step If life & death incident > move all the living away * Look into the logs Collect the logs ‘+ Stop the incident from spreading (contain /isolate / shutdown) ‘+ Impact analysis / damage analysis ©. Third step ‘+ Start investigation + Collect the logs o0000000© Firewalls, IDS/IPS, web app, web server, server logs © Container > docker engine logs, K8s logs ‘* Collect whatever is available Analyze the logs © What will you do? ©. IfSIEM, mention the tools; Splunk, AlienVault, QRadar © Utilize the SIEM, correlate the logs © Create the chain of events © Find answers for Who What When Why How 4, If there is a suspicious network security event found and you are assigned to investigate: a ‘What will you first do? ‘* Depends on the severity of the event, | will either isolate the system or start collecting information | need. ‘What will you need to do? I'l need to notify proper personnel who is in charge, escalate the severity of the event if needed, document every event and the time it happened. ‘What info do you need? ‘+ If possible, I'l try to collect every information that | can get. If not, I'll try to get at least the logs from security devices like IDS or SIEM and make sure they are properly timestamped. ‘What's your plan to investigate? ‘+ [llfollow the incident response procedure that I learnt in CISSP, which is notification, escalation, reporting, system isolation, forensic analysis, evidence handling ‘Who do you need to talk to? © Manager of the security operation team, the manager of the system where the event happened, and legal counsel if required ‘Ask: who do | work for? ‘+ System owners, all the people that are impacted ‘What results should you show? ‘+ Atimeline of when each events happened and how each of them are related, also provide a brief information about what the impact might be if possible ‘+ What action has been taken, how to prevent things from happening again, find root cause to fix the problem How long is an investigation going to take? ‘* Itdepends on the size and the complexity of the event ‘+ Depends on many things and how much resource do | have How do you know if it’s a true incident or not? ‘+ Itwill be evaluated by all the actions made by the attacker along with the all the information we gather, basically it will be determined by experience * [0C/ [0A (Indicator of Compromise / Indicator of Attack) ‘+ Look for indicator / evidence by going through logs and SIEM How do you determine the chain of events happened in an incident? ‘+ By finding some related parts in the information that we gathered, for example, a sane source IP may indicate that two events are done by a same user, ‘+ Find evidence in logs that we gathered ‘What open-source tools will you use to investigate an incident?‘+ I might be using a SIEM which can aggregate logs from different resource and virtualize the information, it will be able to help us find correlation between different log sources ‘+ system internals (for Windows) + Process explorer ‘+ TCP Viewer, see open ports and activities ‘+ Image dump, use sandbox to restore image and investigate m, What scripts will you likely write or have you written to help you investigate an incident? * Iwill be writing some scripts that can identify some malicious activities and notify for me, for example, it may be finding a source IP that had sending requesting more than 10 times in a second. fn, When do you consider the Investigation is done/complete? ‘+ When we find the answer for the reason why we did this investigation, or when the cost of the investigation is exceeding the value of knowing the result of this investigation. When the budget time is up ‘+ If we cannot move further > cannot find any evidence, may close the case or move to 3rd party investigation (©, What do you do when the investigation is complete? ‘+ Document everything and make sure is preserved for reference in the future if similar incidents happen . How do you identify indicators of attack and create effective monitoring and alerting? * Finding the root cause of the attack and see if there's any characteristic that will only appears in this type of attack, after identified the indicators of attack, I'llsee if | can create firewall rules or filters to keep an eye on similar incidents that happens in the future 4, What is Indicator of attacks? Name a few... + Hash of a malware, known malicious source IP, unauthorized access attempts What do you do for post-mortem / lessons learned Report? ‘+ Illsee if there's anything that we can do to help prevent similar incidents from happening again, some examples will be like firewall rules or even policy and guidelines, ‘+ Whatis the root cause Often there will be stress to investigate suspected serious security incident ina tight timeline, if you only have limited info to start with, but you are required to get this analysis done in 2 days, a. What will you plan to do for 2 days? * Iwill try to set out some goals and list the tasks that need to be done then prioritize them and start with the most important tasks. b. What will you plan to deliver in 2 days? ‘+ will be hoping to provide at least a broad picture of the incident and includes some direction of what future works can be done What if you don’t have enough info to start with? * Iwill be seeking for helps from others and see if we can gather information that might be able to provide us a different view that we can start with 4d, What if you can’t get the report done in 2 days? ‘+ | will provide a report of what I've done and what is currently is doing, at the same time kept on working with the investigation e. How often will you provide update before the deadline is up?‘+ will be providing updates when any of the goals are reached or tasks are done f, What resources will you need? ‘+ will need all the logs with timestamps of the systems and devices that are related to the incident, | might also need some help from engineers of the system who have better understand about the system and how incident like that might happens. How do you conduct an in-depth vulnerability assessments and information system auditing of assets (e.g., servers, Workstations, Network Appliances, Storage Devices, and Applications)? a. What is the methodology? b, What info do you need to start the assessment? ©. What tools do you use to conduct a vulnerability assessment? d. What are the key items you need to ask / define before starting a vulnerability assessment? ‘What is considered as a vulnerability in your opinion? fe. Ifyou find a vulnerability and you ate not sure if itis exploitable, what will you do? What is the difference between penetration testing vs Vulnerability Assessment? What should you include in a vulnerability assessment report? f. Example ‘+ Ask questions: What is the scope? ‘+ What do you want me to assess? ‘+ When do you want me to do the test? Date? Time? Is this ive system or testing system? © Is there a backup? ‘+ Black box? Grey box? White box? Rule of engagement? + Cando OOXX attack? & Report example + Executive summary What did I do When I start / end The scope of assess What test Iran What | found The servility of the things | found ‘+ Methodology © How did I doit © What tools | used * Vulnerabilities © Description of the vulnerable what | found How to recreate the issue (include all the steps) Ifyou cannot recreate it, it's not an issue ‘Actual risk / actual impact oo00000 ° °