This is the second part of the Cybersecurity Interview Series.
An interview process could include the following stages:
Recruiter Screen
Hiring Manager Screen
Technical Round
On-site (This varies)
Scenario Exercises
Security Domain Knowledge
This time, we’ll be going over Scenario Exercises.
Scenario-based questions test more in-depth knowledge as well as your thought process, rather than whether you know the answer to a specific question.
Some example scenarios
When it comes to a security solution for your team, when would you consider building versus buying?
You have a Vulnerability Management report with 10 valid High Severity vulnerabilities. How would you prioritize these?
The Classic Question: What happens when you type “website.com” into your browser and press enter?
For a deep dive on this question see this. This gives you an idea of just how deep you can go with these questions.
All of these are simply to get you thinking about scenarios you could be asked to walk through in a cybersecurity interview (Blue Team focused).
Keep in mind that you will be expected to walk through these and to answer any follow-up questions as well, not just give an answer and move on.
Take the following scenario: You have been handed a laptop whose user believes there is malware on it since it has been running slow, what do you do? Where do you look to prove/disprove this theory?
Keep in mind, there may be a legitimate reason why a laptop is running slow (on any OS). This can include a networking issue, running low on disk space, or simply running too many resource-intensive programs at once. But to prove or disprove malware on the system, we can do any of the following.
One of the first things you can do is narrow the scope down to a specific time range: say, a few days, or ideally a shorter window.
From here, the process will differ depending on which OS you are investigating.
Windows
On a Windows machine, some places to look for suspicious activity can be any of the following:
C:\ProgramData directory
The user's AppData\Local directory
%Temp%
Scheduled tasks & Startup
For startup programs, you could do the following.
Open the Run dialog and type msconfig.
Navigate to the "Startup" tab.
You could also open Task Manager and check the Startup tab to see which programs run at startup.
Scheduled tasks and startup programs are often used by malware to execute on a schedule or upon startup.
Linux
On a Linux system this would look like any of the following:
Cron jobs
Packages Installed (Through apt, dpkg, yum, etc.)
Run built-in tools to scan
For cron jobs, this means running crontab -l or looking in the /var/spool/cron/crontabs/username directory for user-specific crontabs, looking for unexpected scheduled jobs.
For installed packages, the method varies depending on which Linux distro you're using.
For the third item, one tool you can install and use is ClamAV.
You could run the following to get started scanning your filesystem for malware.
sudo apt install clamav
After the install, run the following.
clamscan -r /home/user/Downloads
If you get any hits, that could be the culprit. This would only catch low-hanging fruit, but it is a start to get you thinking about how to respond in a Linux-based investigation.
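The cron and package checks above, as an added shell example that is not from the post: it walks the per-user crontab spool the post names and also the system-wide /etc/crontab and /etc/cron.d, and pulls installs from dpkg's log inside the narrowed time window. Paths assume a Debian/Ubuntu layout, and the sample tree is constructed so the helpers can be exercised without root.

```shell
# Added example (not from the post): offline-testable helpers for the Linux steps.
# Everything takes a ROOT prefix so it can be pointed at a mounted disk image;
# paths assume a Debian/Ubuntu layout (dpkg.log, /var/spool/cron/crontabs).

# Print every active cron entry under ROOT, prefixed with the file it came from.
# Covers the per-user spool the post mentions plus the system-wide locations,
# and keeps the file name so the owning user is visible.
list_cron_jobs() {
    root="$1"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|${f#$root}: |"
    done
}

# Packages installed on or after SINCE (YYYY-MM-DD) according to dpkg's log.
# Plain string comparison works because the timestamp is ISO formatted.
packages_installed_since() {
    logfile="$1"; since="$2"
    awk -v since="$since" '$3 == "install" && $1 >= since { print $1, $4 }' "$logfile"
}

# Build a constructed sample tree (not real system data) so the helpers can be
# exercised on any machine. Echoes the temp directory it created.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.d" "$root/var/spool/cron/crontabs" "$root/var/log"
    printf '# system crontab\n17 * * * * root cd / && run-parts /etc/cron.hourly\n' > "$root/etc/crontab"
    printf '@reboot /home/alice/.cache/update.sh\n\n0 3 * * * /usr/bin/backup\n' > "$root/var/spool/cron/crontabs/alice"
    printf '%s\n' \
        '2024-05-01 09:00:00 install vim:amd64 <none> 2:9.0-1' \
        '2024-05-03 10:15:01 install netcat-openbsd:amd64 <none> 1.219-1' \
        '2024-05-03 10:15:02 status installed netcat-openbsd:amd64 1.219-1' > "$root/var/log/dpkg.log"
    echo "$root"
}

SAMPLE_ROOT=$(make_sample_root)
echo "== cron entries =="
list_cron_jobs "$SAMPLE_ROOT"
echo "== packages installed since 2024-05-02 =="
packages_installed_since "$SAMPLE_ROOT/var/log/dpkg.log" 2024-05-02
# On the live host, finish with the post's scanner after refreshing signatures:
#   sudo freshclam && clamscan -r -i /home/user/Downloads   (-i lists only infected files)
```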
macOS
On macOS, this can be any of the following:
Login Items
/Library/Application Support/
/Library/LaunchDaemons OR /Library/LaunchAgents
One of the most common traits of Mac malware is persistence. It might not always be as detrimental to a system as Windows exploits, but it generally opts for stealth and persistence mechanisms.
Login Items, LaunchDaemons, and LaunchAgents are prime locations for these to appear in.
However, there have been cases of Ransomware targeting macOS.
For more ideas on what TTPs you can look for, check out XProtect.yara at /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources on your Mac. These YARA rules will give more insight into how malware tends to work.
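The LaunchDaemons and LaunchAgents check above, as an added shell example that is not from the post: it inventories launchd plists under a root prefix and prints the label, program and RunAtLoad flag of each, which is what you compare against the time window and the user's expectations. It also covers the per-user ~/Library/LaunchAgents folders, which the post does not list; the sample tree is constructed so it runs on any POSIX system.

```shell
# Added example (not from the post): inventory launchd persistence under ROOT.
# ROOT lets it run against a mounted disk image or, as here, a constructed tree.
# Covers the post's /Library/LaunchDaemons and /Library/LaunchAgents, plus the
# per-user ~/Library/LaunchAgents folders that user-level malware favours.
launchd_jobs() {   # prints each plist path, then its Label, Program(Arguments) and RunAtLoad
    root="$1"
    for plist in "$root"/Library/LaunchDaemons/*.plist "$root"/Library/LaunchAgents/*.plist \
                 "$root"/Users/*/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        echo "${plist#$root}"
        # XML plists only; on a live Mac `plutil -p FILE` also reads binary plists
        awk '
          /<key>/ { key=$0; sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key); next }
          key != "" {                      # the line after a <key> holds its value
            val=$0; gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val == "<true/>") val="true"
            else if (val == "<false/>") val="false"
            else gsub(/<[^>]*>/, "", val)  # strip tags; a multi-line <array> prints empty
            if (key ~ /^(Label|Program|ProgramArguments|RunAtLoad)$/) printf "  %s=%s\n", key, val
            key=""
          }' "$plist"
    done
}

# Constructed sample tree (not real system data): a daemon that runs at load and
# a per-user agent, so the function can be exercised on any POSIX system.
make_sample_mac_root() {
    root=$(mktemp -d)
    mkdir -p "$root/Library/LaunchDaemons" "$root/Library/LaunchAgents" "$root/Users/alice/Library/LaunchAgents"
    cat > "$root/Library/LaunchDaemons/com.example.updater.plist" <<'EOF'
<plist version="1.0"><dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>Program</key>
    <string>/Library/Application Support/Example/updater</string>
    <key>RunAtLoad</key>
    <true/>
</dict></plist>
EOF
    cat > "$root/Users/alice/Library/LaunchAgents/com.example.helper.plist" <<'EOF'
<plist version="1.0"><dict>
    <key>Label</key>
    <string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Users/alice/Library/Application Support/.helper</string></array>
</dict></plist>
EOF
    echo "$root"
}
MAC_ROOT=$(make_sample_mac_root); launchd_jobs "$MAC_ROOT"
```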
Another Scenario
Another scenario question could be:
Tell me about an incident you worked on or led, how did you get to mitigation and resolution?
This would apply to DART or IR roles. What would be expected here is to talk through an incident or an alert you led, through the phases of the response lifecycle until reaching resolution.
A Red Team-oriented question could be:
How would you attack <the company you’re interviewing for>, going through each phase of the attack cycle?
Here, you would walk through the steps an attacker would take given the context of the company and the tactics you would utilize.
This is the inverse of the previous question.
Wrapping Up
In the end, the interviewer wants to see how you think, and how you navigate a scenario that you might face on the job.
As always, in interviews you want to give supporting detail to any answer you give and be able to have a conversation about it.
Your thought process is more important than any particular answer.
In a future post, we'll discuss interviews that consist of Technical Exercises.