Cybersecurity Interview Series: Scenarios
This is the second part of the Cybersecurity Interview Series. We’ll be going over Scenario Interviews.
Scenario-based questions test more in-depth knowledge, as well as your thought process, rather than whether you know the answer to a specific question.
Some example scenarios
When it comes to a Security solution for your team, when would you consider build vs buying?
You have a Vulnerability Management report with 10 valid High Severity vulnerabilities. How would you prioritize these?
The Classic Question: What happens when you type “website.com” into your browser and press enter?
All these are simply to get you thinking of scenarios you can be asked to walk through in a Cybersecurity Interview (Blue Team focused).
Keep in mind, you will be expected to walk through these, not just give an answer and move on.
Take the following scenario: You have been handed a laptop whose user believes there is malware on it since it has been running slow, what do you do? Where do you look to prove/disprove this theory?
Some of the first things you can do are to narrow the scope down to a specific time range, and to decide whether you want to disconnect the machine from the network.
From here, the process will look different depending on which OS you are investigating.
Windows
On a Windows machine, places to look for suspicious activity can be any of the following:
C:\ProgramData directory
AppData local directory
Scheduled tasks & Startup
For Startup programs, you could do the following.
Open the Run dialog and type msconfig.
Navigate to the "Startup" tab.
This could look something like this
You could also open Task Manager and check the Startup tab to see which programs run at startup.
Scheduled tasks and Startup Programs are often used by malware to execute at specific intervals or upon startup.
MacOS
On a macOS system, this can be any of the following:
Login Items
/Library/Application Support/
/Library/LaunchDaemons OR /Library/LaunchAgents
One of the biggest things with Mac malware is persistence. Malware for Macs might not always be as detrimental to a system as Windows exploits, but it generally opts for stealth and persistence.
Login Items, LaunchDaemons, and LaunchAgents are prime locations for these to appear in.
Linux
On a Linux system this can be any of the following:
Cron jobs
Packages Installed (Through apt, dpkg, yum, etc.)
Run built-in tools to scan
For Cron jobs, this could look like running crontab -l or looking into /var/spool/cron/crontabs/username for user specific crontabs.
For packages installed this would vary depending on which Linux distro you’re using.
For the third bullet point here, one tool you can use is ClamAV.
You could run the following to get started scanning your filesystem for malware.
sudo apt install clamav
After the install, run the following.
clamscan -r /home/user/Downloads
If you get any hits, that could be the culprit.
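The three Linux checks above (cron persistence, what was installed and when, and an on-demand ClamAV scan) can be gathered into one small triage script. This is an added example, not code from the original post; it assumes a Debian/Ubuntu-style layout (dpkg.log) and takes an optional root directory so the same functions can be pointed at a mounted disk image or a constructed test tree instead of the live system.

```shell
#!/bin/sh
# Added example for the laptop triage scenario (not from the original post).
# Assumptions: POSIX sh, Debian/Ubuntu-style paths; clamscan is optional.
# "$root" is a prefix such as /mnt/image; leave it empty for the live system.

# List active (non-comment) cron entries from the system and per-user files,
# prefixed with the file they came from.
collect_cron() {
    root="${1:-}"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed "s|^|$f: |"
    done
}

# Show packages installed on or after a date (YYYY-MM-DD) using dpkg's log:
# fields are "date time action package old_version new_version". This is the
# concrete form of the "narrow the time range" step.
recent_installs() {
    root="${1:-}"; since="$2"
    log="$root/var/log/dpkg.log"
    [ -f "$log" ] || return 0
    awk -v since="$since" '$3 == "install" && $1 >= since { print $1, $4, $6 }' "$log"
}

# Scan a directory with ClamAV if it is installed; -i prints infected files only.
scan_dir() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed"; return 0; }
    clamscan -r -i "$1"
}

# Run all three checks against the live system for a given start date and user.
# Usage: triage 2024-01-01 user
triage() {
    echo "== cron entries =="; collect_cron ""
    echo "== packages installed since $1 =="; recent_installs "" "$1"
    echo "== ClamAV scan of Downloads =="; scan_dir "/home/$2/Downloads"
}
```

Run `triage <date> <user>` on the laptop, or call the individual functions with a root prefix against a mounted image.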
Keep in mind, there may be a legitimate reason why the laptop is running slow. This can include a networking issue, running low on disk space, or simply running way too many resource intensive programs at once.
Although there are many avenues you can go down to discover if this is a case of malware or not, these are some ideas that will get you in the right direction.
As always, in interviews you want to give supporting detail to any answer you give and be able to have a conversation about it.
Another Scenario
Another scenario question could be:
Tell me about an incident you worked on or led. How did you get to mitigation and resolution?
This would apply more for DART, or IR roles.
A Red Team oriented scenario question could be
How would you attack <the company you’re interviewing for>, going through each phase of the attack cycle?
Wrapping Up
In the end, the interviewer wants to see how you think, and how you navigate a scenario that you might face on the job.
Your thought process is more important than any particular succinct answer.
In a future post, we'll discuss interviews that consist of Technical Exercises or Practicals.
If you enjoyed this issue, consider referring it to a friend.