SOC analyst interview | cybersecurity interview questions | cyber security interview

Captions
hello everyone welcome back to cyber community and in this course what is this course this is related to Sock analyst interview questions or you can say cyber security analyst questions right uh you have to crack the interview how you are going to crack you are a fresher you are a mid-liver mid-level or might be a senior analyst right so let me show you what we have covered in this whole course so the fundamental questions these are very important because if you don't know the fundamentals then definitely uh there is a bad impression on interviewer so we have covered one comma two comma 3. we have covered three fundamentals in this approximately I think we have 72 80 questions and we have discussed it now what type of questions obviously uh fundamentals like what is dspp DNS what is exercise difference between csrf and xss Etc very uh basic or you can say question answers now OSI model here now you might think that OSI model layer is very easy but actually it it is not why I am saying this because that's very simple that if anybody will ask you that how my layers in OSI model layer so you can very easily give the answer that is 7 right we have the seven layers but what if I ask you tell me the vulnerabilities layer wise of OSI model right then that would be a very difficult tool so this thing we have discussed now we have one more question interviewer always ask like this run somewhere question answers what will happen if there is some ransomware attack happen on your organization how you are going to you know prevent it what will be your mitigations right so we discussed these two now the next part is related to okay very fundamental so SI model layer and somewhere next one is miter Tech nowadays it's a it is in trending you can say everybody asked this this question what is for example what is TTP what is ATP what is initial access I mean the tactics right and under this uh they can ask you particular tactic and they can also will tell you that have you remember 
any type of technique for that particular tactic so this is miterate attack and we have the Cyber kill chain so what is the difference between miterate Tech and cyber queue so you will get this answer in this course now the next one we have the scenario based I will give you as in some scenario some Advanced scenario based questions and you have to answer it I have already discussed it you can go through that that part scenario and advanced scenario based question scenario based and advanced scenario based question answers now at the last we have the rules and responsibilities right we have the goals and responsibilities now if you have already worked in an organization and you don't know that what was your roles and responsibilities then definitely that will be a very tough to answer it these questions because definitely that they will ask you have you ever handled any Trojan have you ever handled any malware in your previous organization or any attacks which you have seen right so these kind of questions they are going to ask you you have handled the QR what whether it's his plan or any type logarithm or site whatever the scene you have you have already used they are definitely going to ask you that what is architecture how actually that that works so these kind of things they are going to ask you and believe me guys 9 out of 10 students they give me a feedback over this that this particular course help them to crack the interview I received on the daily basis from udemy this course is also available on USB so if you want to I have already given the you know uh Link in the description if you want to download the PDF particular you can go through that and you can download from there as well but uh for this particular you can uh check whole series of this particular you can say the sock cyber security interview question answers and you will find that this is one of the best course in your life to track your interview so thank you so much with that let's start the 
course and if you didn't subscribe the Channel Please Subscribe the channel and share the video hello everyone so in this video we are going to talk about fundamental questions part one basically we have divided this fundamental questions because there are 55 questions and we have divided it in two parts so let me start with what is an IPS and how does it differ from ideas basically this question always ask by the interviewer so let's see what exactly the IPS IPS is nothing but intrusion prevention system and IDs is intrusion detection system now what is the difference between the uh both of them definitely both are the part of the network infrastructure but how it differs so ideas let's talk about the ideas so IDs generally used for the detection of any uh you can say detection of uh traffic right so whatever the traffic is flowing in your environment it is com uh is coming to ideas so once it will detect something it will send to the administrator and whatever the administrator have to do they will do and in intrusion prevention system we can say that there is a you know particular signature on which if there is something suspicious found in the traffic uh related to that signature then IPS is going to block that so this is the basic you know uh difference between these tools apart from that ah the main difference if we talk about so IDs is one of the monetary system or and while IPS is a control system so apart from that you can just read out more information here now second question which is one of the important which is generally asked by the interviewer explain risk one liberty and threat so here is a very you know easy way to learn this a risk vulnerability and threat so let's say thread thread is nothing but you know uh attack or you can say the a bad actor so this is what a thread so usually thread exploiter one lit One Liberty One Liberty means the weakness weakness whatever the weakness of the organization through which a threat can enter so a threat 
exploits of vulnerability and can damage or destroy an asset valuity refers to a weakness in your Hardware software or procedures and this refers to the potential for loss damage or destroyed assets so threat is nothing but a bad actor vulnerability is the weakness and risk is referred to the whatever the loss already has been occurred in your organization or whatever the damage so this is the basically the difference between risk vulnerability and threat moving to this part what is the difference between a symmetric and symmetric encryption and which one is better so definitely uh we'll talk about some symmetric encryption so symmetric and capture generally use the same key for both encryption and decryption so let's say it's if there is some private and private public both are generally same right so ah they will use for the encryption same key public key and for the decryption they are going to use again publicly whereas in asymmetric we have two keys private and public key now here with the help of public key we are going to encrypt the data whereas with the help of private key we are going to decrypt it right so usually what happens in asymmetric encryption it takes much time because we have to encrypt then we have to decrypt it as well we have to send it right so it is taking much time than the symmetric encryption and that's why semester symmetric encryption is faster whereas the asymmetric encryption is slow but asymmetric encryption is much secure than the symmetric encryption that's why a symmetric uh I'm talking about this answer which one is better so that's why asymmetic encryption is much better now what is xss how will you mitigate it accesses when I hope you have done some bug Bounty or something Etc and you might have heard this exercise right and if you are fresher then definitely I would suggest you again that you can just go on udemy there will be a course of cyber community uh bug Bounty or offensive Hunting course so you can take that course 
that is a very minimum price maybe I guess uh 360 you can directly contact me on cyber community and will give you a link of 360 rupees now what is access to accesses in the limiter cross side is safety in which originally we use JavaScript on Liberty in web application so the easiest way to explain this is a case when a user enters a script in the client side now here one one main thing to remember is that the interviewer can ask that what exactly the xss attack is so you can tell them that accesses is a client side attack right exercise is a client-side attack right now what we can do to mitigate this generally what we can do we can input the validation we can use uh if we can Implement a CSP that is content security policy we can sanitize the uh input these these three things we can do as a mitigation part now what is the difference between encryption and hashing so generally encryption is a two-way two-way uh and we can say reversible hashing is non-reversible why I am saying this because you know uh once there is a data we are we are encrypting it right and then we are decrypting it that's why it's reversible whereas hashing is not because once the hash you know uh once uh any file we got the hash value for that it is not going to reverse that it is not going to to reverse a whole data of that file right so but hashing can be correct using rainbow tables and collision attacks and encryption what encryptions ensures it ensures confidentiality whereas hashing ensures Integrity integrity means there is no modification of sorry there is no modifica modification of data now what is csrf uh I have also discussed csrf in bug Bounty goes so you can go through that course as well now cross site is kept in a requested for study is a web application vulnerity in which the server does not check whether request came from a trusted client or not so let me give you example right right so uh let's say there is a web application right and you are one of the user I'm another 
user so what I will do I am changing something on my account on that web application right I'm changing in my profile section now with the help of Brute Force I have taken all those things and I'm sending one of the HTML file and you are directly clicking on that so all changes whatever I have done in my account that is also reflecting in in your account right so this is what a csrf and uh actually the server is uh not knowing that from where exactly it is coming so it is thinking that you are the person who is doing it so that's why uh from my point of view csrf is a server-side attack but some somewhere it is also written as a client-side attack because I generally it is happened due to the mistake of uh client or we can say a victim now difference between xss and crfs we have discussed both of them I hope you understand xss is a much dangerous than csrf because it's a client-side attack right and it can steal your credentials password whatever the uh very important data you can say so this is what the difference and you can read more things with the help of this PDF file now is xss client side okay we have already discussed this one now what is ioc so indicator of compromise right so let's say you have seen hash value IP domain URL user agent now if these are malicious these are suspicious then it means these are the indicator of showing something is malicious something is suspicious so that's why we call it indicator of compromise for generally to know all those things we we see that whether the IEP is malicious or not whether the domain URL user isn't or uh you can say the hash values malicious or not okay now antivirus versus area this is one of the important question uh believe me guys I have uh given lot of interviews and I have take the feedback from my seniors my juniors and everybody tell that uh they always ask this question antivirus versus CDR maybe uh they will ask you about firewall versus antivirus versus ADR so you can also uh gone through my 
YouTube channel and you will also get the whole video of that now EDR is all definitely we know it's a end point detection response right and it works on real-time monitoring and detection of threads so it's a behavior based right area is behavior waste whereas antivirus is your signature based means there is some predefined signatures and on those basis antivirus is detecting the suspicious traffic also here you can see the malware whereas EDR is the real time monitoring it's a behavior based so there is inbuilt of sandbox and they are going to analyze each and everything that what actually the pattern analysis now that what actually the pattern is happening so that's what basic difference between ADR and antivirus now here is one question do I need both well ADR is also having the signature you know uh there is pre-defined signatures but along with that it is having the uh Behavior Analysis uh you can say right so area is sufficient but you can even keep both EDR and Antivirus but area is sufficient for the organization what is a firewall a firewall is a network security system that monitors and controls incoming and outgoing analog traffic based on the predefined security rules it means there is a particular predefined rules and on those basis uh it it is taking the why you can directly saying uh you can directly say uh it filterings the traffic on the basis of predefined security tools now what is the difference between IPS and firewall so the main difference being that firewall perform section such as blocking and filtering of traffic and while in IPS detects an alert system admission or you can stop prevent the attacks as per the configuration so generally uh if if the interviewer is uh you know he is expecting more answers from you so you can add here more things like firewall generally captures the header IPS captures the payload so viral what what actually firewall captures uh in the header form they they capture uh you know IP addresses right Source IPA 
destination IP port numbers domain URL these things they capture whereas IPS capture IPS uh check whether there is something uh known malware or something known suspicious thing is there in that payload or not so on those basis if there is something malicious there will detect it and they will block it now question number 13 what is the security mess configuration so security image configuration is a vulnerability when a device or you can say the application network is configured in a way that can be exported by an entire cut to take advantage of it so this can be as simple as leaving the default username password answer so generally this question uh this is very less chances of asking this question by the interview but they can ask this question so you should remember that what actually the other security misconfiguration now what is a black hat Whitehead and gray hat tiger now let me uh complete this in a very beautiful manner so black hat is nothing but uh a hacker who has no no Authority but he is hacking right whereas whiteheader is also known as the uh you can say ethical hiker who have the legal authority to uh you know perform the actions and gray hatiker is just a combination of blackened White headacheco now question 15th how do you keep yourself updated with the information security news so guys this one is very important because definitely they are basically these two questions which I'm marking these questions are two questions are very important because definitely they will ask you that how you keep yourself updated so you can you can start reading the blog such as Trend Micro blocks I can use GB hackers you know and apart from that they can also ask name some recent attack and explain in brief right so if you are reading something you are updating yourself then definitely you should be aware about the latest you know vulnerability recent attack so for example as as far as I'm making this video so the recent attack is you know spring for Shell 
vulnerability and you can also include the lock 4G multivity so these are the some recent attacks you should focus on these two questions now what is ciaci is nothing but a you know uh Triad you can say confidentially Integrity availability now what is confidentiality keeping the information secret Integrity is nothing but keeping the information unaltered unaltered means there will be there should be no modification availability information is available to the authorized parties at all times now here HIDs versus nids and which one is better and why so guys HIDs is a host intrusion detection system and a dscs network intrusion detection system now the uh difference here is that uh maintaining the HIDs is uh you know very tough because we will get lot of traffic with the from HIDs whereas uh managing the nids is too easy so as for the Enterprise uh nids is preferred as HIDs is difficult to manage right so this is what the basic difference and you can read more things on Google here what is Port scanning Port scanning is the process of sending message in order to gather information gather information means reconnaence for the reconnaens we use port scanning right about the network system and definitely uh which body actually is open so that uh they can they can think about entering from that port number in the organization so this is what the port is scanning now what is the difference between VA and PT there is a sum you know you can say the minor difference so vulnerability assessment is an approach used to find flows in an application Network whereas penetration testing is the practice of finding exploitable one ladies like a real attacker do so VA is like traveling on the support surface whereas PT is digging it for a gold now let's move to question number 21 and this is one of the important question can you name some response codes from a web application well yes see uh you might have seen 201 200 a code right 301 302 error code 404 right so what exactly those 
things right so if there is some something error is coming or if something as tdb code is starting from one and then XS may be zero one one zero whatever up to 199. then it's a informational responses and uh the code which is starting from two then it means the success uh is starting from three it means redirection starting from four client side error and starting from fifth is server side error right now when do you use Trace address now what exactly that Tracer interested why we are using it actually so let's say if we are not able to Ping any destination then here we can use the trace or Trace root or you can say the Tracer and this will definitely help us to identify where the connection stops or gets broken well right so and it will also help us to know that whether it's a uh it's a firewall whether it's ISP whether it's a router etc etc right so without help of this trace route or Tracer you will get to know where exactly uh the connection is breaking DDOS and its mitigation so DDOS we we know it's a distributed denial of service right so when a network or server application is flooded with the large number of requests which is uh which which is not designed to handle making the server uh unavailable to legitimate requests so let's let's take an example let's uh there is a web server and they it can only take 100 request per minute right now you are a hacker and you just uh you are doing DDOS attack and you are requesting 200 or let's say 101 right let's 101 request per minute then what will happen the your the server is not going to reply to the legitimate person who is asking for the uh something right so this is what the DDOS it means the flooding of uh the uh traffic uh far after you can say uh more than the bandwidth of the server so this can be mitigated you know this can be mitigated with the help of a scrubbing Center in scrubbing Center is nothing but uh you know there is one of the center which generally uh block the traffic of DDOS and it only 
filters the legitimate it it passes through only legitimate traffic now what is web WAP is nothing but a web application firewall so it is used to protect the application by filtering let's demand traffic from malicious traffic so if there is lot of traffic coming then it will only filter that legitimate traffic and malicious traffic it is going to filter out West can be either a box type or cloud-based how do you handle antivirus alerts this can be asked by the interview so check the policy for the AV and then alert if the alert is for a legitimate file then it can be whitelisted right uh and if it is malicious then definitely we need to quarantine or we we uh we are going to delete it so the hash of the file can be checked for reputation on various websites like virus total manifest Etc so see let's say if there is a file of BitTorrent right and definitely the hash value is going to generate for that so you can directly check the hash whether it's malicious or not you can check for that file uh with whether there is something or not so if it is legitimate legitimate you can whitelist if it is malicious you can delete it blue teaming versus red teaming so array teaming is an attacker and a blue teaming is Defender so being on the red team seems of fun but being in the blue team is difficult as you need to understand the attacks and methodology the red teams May flow so as a blue team you have to defend all those attacks with the help of stools with the help of your knowledge with the help of your investigations next question we have what is a false positive and false negative in case of IDs which one is more acceptable right so when the device generated an alert for an intrusion that I has actually not happened right so what exactly the false what is positive is right so let's say you have set one of the rule right but let's say uh for brute force uh that there is a logic that uh there is 10 failures for a minute right but alert is generating generated for five uh 
five failures for a minute then definitely it's a false positive because we didn't set up a uh rule for that and it is a false positive now what is that false negative so now if the device has not generated any alert then the intrusion has actually happened then this is the case of false negative well false positives are more acceptable false negatives will led to intrusion happening without getting noticed now let's see the last question what is the data leakage so data leakage or we simply it call it a DLP how will you detect and prevent it well organizations are using uh different types of DLP or many companies are providing it let's say McAfee uh providing the DLP so we can use the DLP software right just to check whether if if there is some person who is sending the confidential or sensitive data outside the organization or not so it it ensures that the data is not leaking so that's it guys and we'll meet in the next video hello everyone in this video we will talk about fundamental questions part two we already have discussed up to 28 and let's start from 29. 
so open source and license software which one you are going to prefer definitely see here what is happening uh you know the difference between open source and license software is that license software is keep updating right and that's a very easy to track for any organization whereas the open source you don't know uh to whom you are going to contact right and whether that will that will solve your problem or not but in license software what is happening you can easily check those people who can actually help you so that's why license software is much better than open source software but what is DNS so DN is nothing but it's a domain name system turns domain names into IP addresses which browsers use to load internet Pages well let's say example you are writing www.google.com then definitely uh DNS is responsible who there is a domain name and it is converting into the IP address because computer can't understand domain right now how DNS works you can directly go through this youtube.com this Channel and you can go through uh this blog how DNS dot works right so you can go through these two links and that will be uh much better and you will get to know that how actually it works what is TLD so a top level domone domain sorry so it is the the most generic domain in the internet hierarchical or DNS so our TLD is the final component of a domain name let's let's take an example right so if there is something uh you can say google.com right so this.com com right so this com is one of the TLD that is a top level domain and let's say here is an example I have given developer.mozilla.org right so that org is one of the TLD so this is what top level domain what is name server name server server is responsible to convert or you can still translate the domain name into an IP addresses so name server let's say there is a www.google.com right so name server is responsible to convert www.google.com into 8.8.8.8 right so this is what we are we have name server now canonical name 
so a canonical name or we can say typical C name is a type of domain name system database record that indicates that domain name is the nickname or Allies for another domain name so let's take an example there is a website uh we have example.com right and there is the three sub domains the uh let's say W1 example.com W2 example.com W3 and uh you are a you are a honor of that example.com and you want all these sub domain should show the example.com whenever user go through w1.example.com then uh that should be redirect to example.com right so this is what a canonical name that actually uh you are using some uh some other thing but once you will uh enter into it that is going to somewhere else from the same page so this is what a canonical name which indicates that a domain name is the nickname or we can say allies for another domain name okay now what details you find when you searched IP domain for DNS lookup so you can search any any type of IP right on DNS lookup you can search for that and you will find out that here a double a double a s o a name so you will find more details as well right so now what a exactly it is what is that a a will denote say you know the ipv4 address double a double A will denotes you uh uh it will show you IPv6 addresses Sao a it means uh start of authority right so here you will get the administrator email ID uh when when was the last date uh when that IP was updated or something else right name server definitely you will get uh with the help of this DNS lookup there will be more components as well but you will have to find out you will have to search on that DNS lookup because this question definitely asks many many interviews ask this question now what is DHCP dscp generally we we all know that it is used to uh you know assign the IP addresses to a host basically uh in an organization or wherever right and it uh works on the concept of Dora right Dora means Discovery right firstly you are there is a client and server so client will 
be discover then uh server is going to offer IP address right and uh you can say uh request R4 request again client is going to request it then server is acknowledging it to the client that's work that's how it works on concept of Dora what is CV which authority generates cvcv is nothing but you know Common vulnerabilities and exposes Whenever there is some some unique vulnerabilities or something validities happen and there is no numbers of CV then uh definitely there is the authority which we call CV number Authority that is CNA they assign one one of the Unix CV to a particular vulnerability now what is a loopback address loopback address is nothing but it's uh you know uh your default routers you know you have the router having the ip127.0.0.1 which is called a loopback address generally we use uh these pack these things uh to check our tcpip protocols whether it's working or not so packets sent to this address never reach the network but are Loop through the network interface card only now uh difference between thread and process so a process is a program under execution right uh that is an active program a thread is a lightweight process that can manage independently by a scheduler so process definitely process requires more time for contact switching as they are more heavy why they are heavy because there are multiple threats uh in a process there can be a multiple threads but a thread is definitely a very single one so definitely it will take less time because it's very lightweighted now what is the difference between thread and services so service is a component of Android which performs long running operation in background okay I think we also have seen uh service in Windows as well right so you can search for that as well now thread is a OS level feature that allows you to do some operation in the background is a computer network Authentication Protocol that works on the basis of tickets to allow nodes combinating over a non-secured network to prove 
their identity to one another in a secure manner so let's let's take an example here uh you know uh you might have heard or you might have seen SSO single sign-on right so what was the logic behind that who is working behind that SSO so Kerberos is uh is behind that SSO and he uh kerbos is working it because uh kerbos is responsible to authenticate for the third party that yeah he is the right person who is accessing the single sign-on uh you might have seen what is 0x18 okay 0x12 as well in curves authentication so now what exactly it is so 0 access to x 12 client's credential have been reworked it means account disabled expired may be logged out or maybe login hours and what about the failure code 0x18 it means that account was already disabled or logged out when the client attempted to authenticate what is Kernel so kernel is the essential Center or you can say the uh the heart of the uh OS you can say so computer operating system it is the core that provide the basic services for all other parts of the OS so it is the main layer between the OS and hardware and it helps with the process of and many memory management file system device control networking ldap ldap generally works on port number 389 and it is a tool for extracting the editing data stored in active directory and other compatible direct directory service providers and each user account in NAD has several attributes such as the you know the user full name and email address etc etc sorry so now what is salted hash now why we are using salt is assaulted hash we already have the hash well hash can be correct with the help of you know rainbow maybe the with the help of collisions so that's why we are adding some extra uh you can say extra data okay again so the extra character uh in the hashes so that it can be secure now what is Brute Force attack how you will mitigate it so it tries various combination maybe there will be a list of user and password and it will repeatedly uh use it until and unless it 
is getting right so this repetitive direction is like an army A kid attacking a fort so mitigation what is the mitigation you can limit the login attempts right you can enable two for two Vector authentication you can use captchas and you can also block the amrelacious IP what are encoding hashing and encryption so encoding is nothing but it converts the data into the desired format required for Action between the different system let's say for example base64 hashing so hashing is nothing but it means the Integrity of a message that we have already talked about this and we also talked about the encryption that it ensures the data is secure and one need is a digital verification code for image in order to open it or access it so it it shows the confidentiality it shows the integrity what are the TCP header flux and what they do so sin as he gave push rst and fin so sin means synchronize right origin means there is a any urgent packets you can directly call it acknowledge it shows that that yeah the packet has been reached push we can push the packet reset reset means uh the connection has been reset and fin means the connection has been terminated what is three-way TCP handshaking there so that's basically a very easy one if there is a client server so client is sending sin uh for the Eastern means it initiating the communication right and server is sending syn plus it's initiation of communication plus it has account knowledge that your client has sent the initiation request and then client is saying yeah I got it and he's sending the countless packet and the communication is established now what is VLAN virtual land means what what is the difference between VPN and VLAN so VPN it is related to remote access to a network with the secured and encrypted tunnel basically there is a encryption encrypted tunnel through which we communicate uh from one one PC to the server maybe to the second PC that is very secure and is it saves the data from applying I while in 
transit, and no one on the net can capture the packets. VLAN helps to group workstations that are not within the same location into the same broadcast domain; it logically segregates the network without physical segregation with switches, so it does not involve any encryption. So here the data, you know, basically it's always local, so it is not going to have encryption.

Now the difference between proxy and VPN: so there is a minor difference, you know, VPN uses encryption whereas proxy is just... VPN is also hiding your IP, a proxy is also hiding your IP, but VPN is using an encrypted tunnel through which your communication happens, whereas the proxy is not. So this is the basic difference between these two.

Difference between reverse proxy and forward proxy: so the main difference between the two is that a forward proxy is used by the client, right, so let's say you are the client and the server does not know your IP address, right, and a reverse proxy is just the reverse of that, such that the server has a particular IP and it is using the proxy, but the client can't know from which server it is actually getting the data. So that's what a reverse proxy is.

Now SSL versus TLS, how SSL works, which one is better: well, you can say TLS is the elder brother of SSL because TLS is more secure, right. SSL is Secure Sockets Layer and TLS is, you can see, okay, let's firstly check SSL. So it is a protocol that enables safe conversation between two or more parties. It is designed to identify and verify that the person you are talking to on the other end is who they say they are, right. For example, let's say HTTPS, right, that uses SSL. And TLS is Transport Layer Security, which is also one of the cryptographic protocols, and that provides authentication and data encryption between, you can say, server machines and applications. SSL is the predecessor to TLS and they can be used together. So this is the whole process of the SSL handshake
process; you can just read out these things, I'm not going to discuss these things because I have already written them here. Definitely TLS is better than SSL.

Now what is the difference between virus, worms and Trojan malware? So now let me clear it up in a very short form. Now a virus can affect a particular system and it can, you know, make a replica of itself, whereas a worm can have the tendency of a virus but it can affect the whole network as well. Now a Trojan is one of the things in which, I mean, there will be some malware which looks legitimate but it is not legitimate, and for that, for a Trojan, the victim has to click somewhere, a vector you have to click, then only the Trojan is going to install, then it is going to work. So for a Trojan we need a victim; you can say the victim should have clicked on that, okay, so there will be no self-replicating, definitely.

Now what is the chain of custody? So for legal cases the data and device need to keep their integrity, hence any access needs to be documented: who, what, when and why. Compromise in this process can cause legal issues for the parties involved. So generally, let's say if something happened in your office and if there is some data, then they can take that laptop into the chain of custody and they will investigate all those things. So this is what we call chain of custody.

So that's it guys, in this we have covered the whole fundamental questions which I have seen in many interviews, which I have talked about with my juniors and my seniors, and they have helped me in making this course, making this, you know, a whole 55 questions related to fundamental questions. So that's it in this video and we'll meet in the next video with the OSI model layer questions. Bye.

Hello everyone, in this lecture we will discuss some fundamentals 3 interview questions and answers. So let me start the first answer: what is an IP address?
We all know IP address; who manages the IP address? So this type of question they generally ask freshers and sometimes at a very senior level, because it's always very difficult to remember the basic concepts. So what is it? IP stands for Internet Protocol, we all know, right. So what exactly is the IP address? So it's nothing but an address having information about how to reach a destination, or you can say how to reach a specific host, especially if we talk about outside the LAN. So IP addresses contain 32 bits of unique address and 2^32 address space, and generally they have two notations: number one the decimal notation and number two we have hexadecimal notation.

Now who manages this IP address? So there is a forum, or you can say the authority, that is called IANA, that is Internet Assigned Numbers Authority. So this is the authority, this is one of the standards organizations who assigns the IPs to everyone, or you can say the organizations.

Now what are the different classes of IP addresses and what are the ranges of each class? So basically there are five classes, A, B, C, D and E, and if you talk about the ranges, this is all in front of you. If you talk about Class A, right, so this is 1 to 126, and Class B 128, okay. Now there is something missing, right, 126 and 128, so where is 127? So the 127 series is used by IANA just for the loopback testing purpose, right. So they can also ask you what is loopback testing or what is the loopback address, so keep remembering this whole series is known as the loopback. Loopback generally, if I can say, is nothing but whenever there is some communication, TCP/IP or whatever, it is going to loop back, that is not going to go outside that IP. So that's what exactly the loopback address is. Now Class C, we have 192 to 223; Class D, which is reserved for multicasting, we will talk about IP multicasting as well; and Class E we have for experimental purposes. Now this
is the particular link, Tutorials Point, you can go to that and you can learn more about IP addresses.

Now what is a subnet mask? So a subnet mask is a 32-bit number that is used to identify the subnet of an IP address. Now exactly why is it 32-bit? So because every octet has 8 bits, now there are four, you can say there are four of them, so we multiply 8 by 4, that is 32, right. And obviously we can't understand in the form of ones and zeros, but a computer can understand ones and zeros, so they have the combination of ones and zeros; we all know about the binary one, right. So let me show you just an example. So these eight octets, right, that is 255, again eight octets, 255, sorry, 8 bits, my bad, and again there are eight bits, right. So it's totally like this one, 255 dot ...; this is in the decimal form and this one is in the binary one, you can say. And this is the purpose, oh sorry, this is the link where you can directly jump and you can check all these related concepts, what exactly the subnet mask is and how actually it works.

Right now, what is a default gateway? So checking the default gateway is actually very simple; you can just, you know, open the command prompt and just enter ipconfig and you will get your default gateway. But what is it exactly? So it's nothing but, you know, it generally connects the internal network to the outside network. So this is what a default gateway is; it sometimes also, you know, acts as a proxy server and a firewall.

So what protocol is used by the ping command, right? So it's nothing but ICMP, which is Internet Control Message Protocol, and that protocol is used by ping. So now name the ports used by FTP. So particularly there are two ports of FTP, 21 and 20.
Now 21 is used for the control connection, whereas port number 20 is used for the data connection. Now what is the difference between them? So the control connection is basically for sending the control information, let's say identification or maybe the password, maybe some command to change the remote directory, if you want to store some files; these are some things which are used by the control connection, whereas the data connection, this is for sending the actual file.

Now what is a MAC address? We all know every device which has the internet has some MAC address, right. So MAC addresses are unique and they are 48-bit hardware numbers of computers which are embedded into a network card. Now they can also ask you the question where that MAC address is embedded in your laptop, so your answer should be it might be in an IC or maybe on the, you can say, motherboard, or just directly you can say that will be in a NIC, that is network interface card; generally that's why we sometimes call it a NIC. Now the MAC address is also known as the physical address of a network device.

And what is IP multicast? We were talking about that, right. So multicasting is nothing but one sender sending, I mean, transferring data, or maybe there's some traffic from one sender, right, one sender to more recipients, or maybe one or more senders to one or more recipients, and vice versa; this is how exactly it works. Now in multicasting, traffic lies between the boundaries of unicast and broadcast. So servers direct single copies of data streams that are then simulated and routed to hosts that requested it. This is a very good concept actually, IP multicast, so you can Google it more, because this is not a full course only for IP multicast, otherwise definitely I will tell you how exactly it works; it's a very good concept, you can directly Google it and you will get to know each and everything.

So the difference between public
and private IP addresses: we all know private IP, right, there are particular classes A, B, C, there are some private IPs, apart from that there are some public IPs, mainly public IPs, right. So private IP is used within the local network and public IP is used outside the network. So here are some differences: private IP is for the local and public is for the global, and a private IP address is to communicate within the network, right, for example 10 dot something something, right, and a public IP address is to communicate outside the network, for example let's say 197.65.2 something, like that, right. Private IP addresses differ in a uniform manner, public IP addresses differ in a varying range; so you can check all these differences, right. And private IP addresses are free of cost whereas public IP addresses come with a cost, and who assigns it? IANA, right, I hope you remember this name, IANA.

Now can you explain what subnetting is? So yeah, so when a bigger network is divided into smaller networks in order to maintain security, that is known as subnetting; it means you are breaking the subnets into some smaller networks, you can say, so that it will be very easy, you know, to maintain the networks, because maintaining smaller networks is far easier than maintaining a bigger network.

Now do you know what Network Address Translation is, that is NAT? I hope you already know about this one, but if you don't know then let me tell you that once you start working in an organization, every time you will face this IP, NATed IP. Why, what exactly is it? So it's network address translation and it is a process in which one or more local IP addresses, right, it may be one or it may be multiple, are translated into one or more global IP addresses. Why are they translating? Because in order to access the internet, that's why we need the NATed IPs. So it may be vice versa, not only for the local IP address to global IP address, again
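The IP class table, the loopback range, the subnet mask, the private/public split and subnetting from the last few questions can all be checked with a few lines of code. The following Python is an added example (not from the lecture) built on the standard `ipaddress` module; the class boundaries follow the lecture's table, with 127.x.x.x reported separately as the loopback range. The sample addresses and the /24 to /26 split are my own.

```python
import ipaddress


def ip_class(addr):
    """Classful range of an IPv4 address by its first octet, per the lecture's table
    (A 1-126, B 128-191, C 192-223, D multicast, E experimental); 127 is the loopback range."""
    first = int(ipaddress.ip_address(addr)) >> 24
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D (multicast)"
    if 240 <= first <= 255:
        return "E (experimental)"
    return "unassigned (0.x.x.x)"


def describe(addr, mask):
    """Apply a subnet mask (dotted or prefix form) to an address and report what the
    mask actually does: which bits are network bits, the network/broadcast addresses,
    and whether the address is private (RFC 1918 etc.)."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    return {
        "class": ip_class(addr),
        "private": iface.ip.is_private,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        # the 32-bit mask written as four 8-bit octets, the binary form from the lecture
        "mask_binary": ".".join(f"{octet:08b}" for octet in net.netmask.packed),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def subnet(network_cidr, new_prefix):
    """Subnetting: split one network into smaller networks with a longer prefix."""
    return [str(n) for n in ipaddress.ip_network(network_cidr).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # constructed sample values
    for addr, mask in [("192.168.1.77", "255.255.255.0"), ("197.65.2.10", "255.255.0.0"), ("127.0.0.1", "8")]:
        print(addr, mask, describe(addr, mask))
    print(subnet("10.0.0.0/24", 26))
```

`is_private` is the check worth knowing for the public-versus-private question: it covers the RFC 1918 ranges the lecture alludes to with "10 dot something", and it is how you decide whether an address seen in a log is one of yours or something NAT has translated.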
right, so it may be vice versa, like this one.

Now explain the difference between static and dynamic IP. A static IP definitely is not going to change at any time, okay, it does not change at any time, right; this one should not be there, okay. Which means it's a static IP address, once it is provided then it can be changed or modified, whereas the dynamic one is always changing, right. For example, if you see somewhere, like IBM, there is IBM X-Force Exchange, right, whenever you are going to search any of the public IPs, let's say the Tor IP, it's going to be a dynamic one, and let's say you have a static IP, something which is exactly assigned to some organization, then it's a static IP because they are not going to change their IP.

Now how will my computer get its IP address? Actually, how I can see the IP address, that should be the right question. So directly we need to start the program, so we need to open the command prompt and we need to just enter ipconfig; once you write ipconfig and enter it, you will get all your details, from the default gateway to the subnet mask to your IP address, each and everything.

Now, is IPv6 backward compatible with IPv4? No, IPv6 is not compatible. Is it possible to have IPv4 and IPv6 simultaneously? Yes, it can happen, yes, it is possible. And what is IANA? We already told you, it assigns the IPs, so it's one of the authorities which assigns the IPs. What is ipconfig? ipconfig is nothing but Internet Protocol configuration, and this is usually a command line application that displays all current TCP/IP network configuration and DNS, etc.

What are the differences between MAC address and IP address? So it's very simple: MAC address stands for Media Access Control, IP address stands for Internet Protocol. MAC address has six bytes, or hexadecimal; for IP there is IPv4 and IPv6, so IPv4 has 4 bytes and IPv6 has 8 bytes. And the device attached
with a MAC address can be retrieved by the ARP protocol, and a device attached with an IP address is connected by the RARP protocol. So the NIC card manufacturer provides the MAC address, and here it is the internet service provider. MAC address is used to ensure the physical address of the computer whereas the IP address is for the logical address of the computer. Now what is 127? It's a loopback address, we already talked about it. What is the difference between the ipconfig and ifconfig commands? So ifconfig is interface configuration, generally we use it in Linux, and ipconfig is Internet Protocol configuration, that one we use in Windows. So that's it guys, I will meet you in the next lecture.

In this video we will see which type of questions they ask in our interview regarding OSI model layer questions. So let's see, I mean, definitely they are going to ask you what the OSI model layer is, what protocols are on every layer, they can ask you how many layers there are and what the function of those is, right, and one important question for the OSI layer is that they can ask what different vulnerabilities are related to the different OSI layers; it means layer-wise they are asking you the vulnerabilities. So these types of questions we are going to see in this video.

So firstly, what is the OSI model layer? It is Open Systems Interconnection, we know, it is a reference model for how applications communicate over a network. Generally there are seven layers, and how actually the communication is happening, that is what the OSI model layer is. Now the second question we have: can you tell the OSI layers' names and at least one protocol for each layer? So generally we have seven layers in the OSI model. The first one we have is the physical layer, right, where actually the bits start, where actually the bits, you know, are converted for the next layer, that is, if you can see, send data onto the physical wire, right. And if we talk about the protocols, if you can see here, hubs and NICs, cables, these are
some protocols. Second we have the data link layer, right, where the data framing is happening, right, and here we get the physical address, and protocols like switches. So this is layer two, switches, right, and the network layer, on this we have protocols like routers and layer 3 switches. Now what is the difference between layer 3 switches and layer 2? So on layer 3 there is routing and switching both working, right, and here only switching. Now we have the fourth layer, the transport layer, where there are end-to-end connections and reliability, and protocols like TCP and UDP. The session layer we generally use for establishing connections between two hosts, so for example protocols like NetBIOS, PPTP. The presentation layer: we have HTTPS, SSL, JPG, these are some protocols. And at the last, the application layer, here we have SMTP, Telnet, HTTP, FTP. So whenever any interviewer asks you on which layer HTTP works, right, so it is the application layer. They can ask some simple terms like on which layer HTTPS works, so it's the presentation layer; so this type of question can also be asked.

Next question we have: do you know the attacks on every OSI layer? This is what I was talking about. So on the application layer, if you can see here, these are attacks: SQL injection, cross-site scripting, okay; so if you remember we were talking about client-side attacks, about cross-site scripting, so what is client side, that is obviously application, right, so that is the application layer, and parameter tampering can happen, Slowloris attacks which are generally used for DDoS. On the presentation layer we have attacks like SSL hijacking, decryption attacks and encoding attacks. On the session layer we have again the session hijacking attack, man in the middle, which is important; they can ask on which layer the man-in-the-middle attack generally works, so it's the session layer. Now SSH sniffing can also be there. Transport layer: on the transport layer
TCP sequence prediction can happen, SYN flood and UDP-based amplification attacks can happen. On the network layer, IP spoofing and jamming, definitely; here we got the actual IP, right, we have already seen here, let me show you again, yeah, generally we get the logical address, that is the IP address, okay, so we were on the network layer, so IP spoofing and jamming can happen here, black hole attacks, Sybil attack, packet sniffing can happen. Data link layer, here ARP spoofing can happen because, you know, there generally we get the MAC address, right, so ARP spoofing can happen, MAC cloning; you can read about ARP, what actually the Address Resolution Protocol is. So this is nothing but it is used for the mapping of, you know, MAC address and IP address; so how actually spoofing works, you can read it out on Google, I gave you just an introduction to what ARP actually is. Now spanning tree attack, VLAN hopping, DHCP attacks can happen here. Physical layer, the last layer, definitely physical damage can happen, and it has been seen many times that there is always physical damage on the physical layer; apart from that, data sniffing can happen, unauthorized access also, okay. So on which layer does the SMB protocol work? That is the application layer.

What is MITM, how can you prevent a man-in-the-middle attack? Right, so MITM was working on the session layer; if you can see here, let me show you again, on the session layer it was working, the man-in-the-middle attack, right, okay. So a MITM attack happens when a communication between two parties is intruded or intercepted by an outsider. So let's say there is, you know, A and B, right, and you are the third party, or you just lie in the center part; A is sending something to B, so you are sitting in the middle, so you are taking some data from A and sending it to B with modification, but B is thinking that the data is coming from A, so it's vice versa. So this is what
a MITM attack is. So what can we do to mitigate it? So we can use encryption, right, between both parties for whatever data is transferred; we can avoid using open Wi-Fi networks, and we can use HTTPS, forced TLS, or VPN. So why are we using VPN? Because it gives you the option of an encrypted tunnel; you can say with the help of an encrypted tunnel we can communicate securely.

Now what is sniffing, and do you know any tool, okay, there is some error, do you know any tool for sniffing? Obviously Wireshark is one of the sniffing tools. A sniffing attack corresponds to the theft or interception of data by capturing the network traffic using a sniffer. I hope you have already used Wireshark, right; so this is what sniffing is. So that's it in this video, and we'll talk in the next video about how actually you can prevent your organization from ransomware.

In this video we will discuss how an interviewer can ask you questions related to ransomware. So they can ask on which port number WannaCry ransomware generally attacks. So we have seen from the past, you know, that WannaCry and its server came in the year 2017, and after that it started attacking on port number 445, and mainly on the NetBIOS port numbers, so they can also ask you what the port number of NetBIOS is, right. So it has 137, 138 and 139, these three ports generally, and for name resolution we are using port number 137 for UDP, that is connectionless, we are using 138, and connection-oriented we are using 139, that is for TCP.

Now the next question we have: how can you prevent your organization from a ransomware attack? So this is a very important question, they will definitely ask you. So there are two techniques generally: number one we have network segregation and second we have network segmentation. So what can we do in network segregation? We can split large networks; let's say we have a large network and we can split
those networks into two parts: one part is critical data and another part is less critical data. Now what can we do here? We can use VLAN, we can use a firewall for both, you know, split networks, I mean the critical part and the less critical part; on both sides there should be a firewall and VLAN. So what will happen: once the ransomware attacks on, you know, that less critical part, then definitely it is not going to affect the critical data. So that's how network segregation works, and network segmentation, you can say, you know, network segmentation is where we split the big network into small, small parts, and at every small network you will have to, you know, configure firewalls and VLANs. Why are we configuring this? Definitely to filter out all that traffic; that will be very helpful for us. So what will happen here: on a very small network, if there is some ransomware attack happening, then it is not going to affect the other parts of the network. So these are the two techniques we can use, network segmentation and network segregation, these two parts. So that's it, I hope this is one of the best techniques by which we can at least prevent our organization from ransomware attacks. In the next video we'll talk about MITRE ATT&CK and the cyber kill chain.

So most of the time it happens in an interview that the interviewer always asks questions related to MITRE ATT&CK or maybe the cyber kill chain, so they can ask you the difference between MITRE ATT&CK and the cyber kill chain; because, you know, we'll talk about it, right, we'll talk about the difference in the upcoming videos, so no issue. So let me start with what exactly MITRE ATT&CK is. So if you search on Google you will get this, ATT&CK, right. So actually this is not "attack", it's a double T and CK; it means Adversarial Tactics, Techniques and Common Knowledge, right. So this is what ATT&CK is, and it is one of the
frameworks which is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack life cycle and the platforms they are known to target.

Now what is TTP in that? If you already have tactics, techniques and procedures, right, so these TTPs are nothing but the tactics, techniques and procedures, and these are behaviors, methods or patterns of activity used by a threat actor or a group of threat actors. So now our next question we have: can you explain tactics and techniques? So now what are tactics? So tactics are movement with difficulty, strategy, cunning action to achieve something, right. In a short form, or in simple language if I try to explain this, a tactic is actually your goal; let's say initial access, right, so getting some access is your goal, right, for which you are actually doing everything. Now what is a technique? A technique is a way to find your goal, right, to find your tactic. So let's say spear phishing: through spear phishing you are trying to take initial access in the organization. So this is actually the difference between tactics and techniques. So a technique is the skill and knowledge of a given art or occupation, correct.

Now the next question we have: which one will you prefer more, TTP or IOC, and why? Obviously we can see our TTPs are behavioral, right, whatever the bad actors, the threat actor, is going to launch the attack, TTPs depend directly on those things, how actually, on which phase, what is actually happening, right; and IOC is nothing but, you can collect the indicators of whatever compromise is going to happen through that network, through that, sorry, through that attack. So if I talk about TTPs, behavioral, right, behavior-based, and IOC is a static one. So definitely both are preferable, but more preferable is TTP.

Do you remember all the tactics in MITRE ATT&CK? So yes, 14, there are 14 tactics, and you can check all those fourteen
tactics on Google and you can learn all those things, how actually it's working, right. So they can ask you, so now what is defense evasion? So defense evasion is one of the tactics where the adversary is trying to avoid being detected, and for that they use different, you know, techniques, let's say uninstalling or disabling security software, encrypting data and scripts; so there are different things, you can directly go to that MITRE ATT&CK website.

Now what is persistence in MITRE and can you name some paths where it maintains its foothold? So mainly the path is mainly in startup folders, maybe in the registry; in the registry there will be, you know, definitely in the startup folders, maybe in different phases. And now what is persistence actually? So the adversary is trying to maintain their foothold, right; so once you gain all the previous escalation, you have to maintain your access, so for that we use persistence, and there are some techniques like boot or logon autostart execution; there are also more, you can directly, as I'm saying from the last one, you can directly go to that MITRE ATT&CK website. What is lateral movement? The adversary is trying to move through your environment. Now here is the actual difference; we'll talk about this difference, okay, because for that we need the cyber kill chain, we need to understand it, then only we can get to know all these differences. So we'll talk about this in the next video.

The cyber kill chain is one of the most important questions which is asked in the interview, so let me discuss what the difference is between the cyber kill chain and MITRE ATT&CK. But before that, let's see what actually the cyber kill chain is and what phases we have. So in the cyber kill chain we have near about seven phases, exactly: number one we have reconnaissance, weaponization, delivery, exploitation, installation, command and control,
and then actions and objectives, right. So these are the seven stages, so here are seven tactics you can say, and in MITRE ATT&CK there were 14.

Now, okay, one question generally always asked by the interviewer is: can you please elaborate your worked incident case in the form of the cyber kill chain? So basically what the interviewer is actually asking you is that if you have done any type of, you know, investigation on malware, or you have handled any incident in your previous organization, then are you able to explain, or are you able to tell, that investigation in the form of the cyber kill chain process? Let's say, let me give you an example; let's say I worked on Emotet malware, right. So what will I do as reconnaissance, what will the attacker do with Emotet? So as reconnaissance, definitely we need one of the, you know, email IDs of the user, right, of the organization, so that is what reconnaissance is. Weaponization is: I am creating the mail, developing it. Delivery is that I am sending the mail to that user. Exploitation: the user is clicking on that attachment. Installation: once they click on that it is going to install, and after that it will communicate for command and control, and then actions and objectives means whatever I want; if I want to steal the data I can do so. So this is how actually it works. So these two questions are very important.

Apart from that, the difference between the cyber kill chain and MITRE ATT&CK: so now see here, both are similar in what their aim is; they have to get in, right, and they don't want to get caught, and they want to get out, you know, definitely they want to steal the data; these three things they have in similarity. But the difference is that the cyber kill chain is a step-by-step process whereas MITRE ATT&CK is not: if some initial access is happening, after that let's say privilege escalation; after privilege escalation it is not mandated that they will go for persistence, they can go for
lateral movement. So the techniques, I mean, that is not sequence-wise, whereas the cyber kill chain is sequence-wise. So this is the basic difference between the cyber kill chain and MITRE ATT&CK.

Scenario-based questions play a very vital role during the interview because the interviewer always asks some questions related to scenarios. Now here a very important thing is how you reply to all those questions. Let's say we have just an example; definitely these types of questions they always ask: if there is some DDoS attack, then how can you mitigate it, what will be your plan, right? So you can read out these things: we can document our DDoS resilience plan, recognize DDoS attack activity, and we cannot assume that only large-scale volumetric attacks are the problem, right, and we can't even rely on traffic monitoring thresholds alone, and even on IPS or firewalls, and definitely there is a very special thing, that we have to engage a mitigation provider and pay attention to time to mitigation for successful attack protection. So apart from that, guys, we can make a scrubbing center to mitigate the DDoS attack. So now what is that scrubbing center? So a scrubbing server, we can say, is one dedicated machine that receives all network traffic and it filters all the network traffic into good traffic and bad; so generally it passes only the good traffic which is not malicious, with respect to these DDoS packets, okay.

Now number two we have: suppose the server is compromised with malware, what steps will you take to secure the server? Well, these are the protections you can take, right; these are the protections you can take just before the compromise of the server, right, and even after the compromise of the server, but along with that you will have to, you know, isolate that machine, that server machine, you will have to isolate that server machine; I forgot to mention here
those points here: you have to isolate it and you have to investigate whether there is something malicious or not; if something malicious is found you will have to, you know, clear all those things, and you will have to check other parts of the network, which machines were connected to this server, right, and you have to clear all those things. So once you get to know all those things, then you have to secure it again: make a secure password, you can make a new user that you use to manage the system, you can remove remote access from default, you can configure firewall rules for remote access; these are the things you can do, and after doing these things you can take that server back into your network.

One more scenario-based question we have: suppose there is no use case for BitTorrent, right, there is no rule, we have not made any use case for BitTorrent, then how can we analyze that traffic? So that is quite simple. We see BitTorrent, or you can say peer-to-peer, these software generally work on port numbers 6881 to 6889 and sometimes 6999. So now what you can do: you can check the SIEM logs, right, directly, and you can filter out with the help of the port number, obviously, and you can also check the firewall logs, and there also you will have to keep the filter with the help of the port number, and then you will get to know, in the raw data or you can say the payload, the IP address, the URL and the port number; these things you will get, and with the help of these it will be very easy to know whether it's a torrent or not, because once you search on Google you will get to know that yes, this IP is related to something, appears to be a peer-to-peer connection.

Now let's say there's a data breach on the network, so what is the first thing you do when the attack occurs on the network, right? So this one is very important; basically they ask this question just to know
what action you can take. So what was the incident response plan in place for your organization, right? So investigate the incident, that is the first part; if the breach is valid then we have to inform the management, that's quite simple, and then identify the suspected, you know, root cause of the incident, right, so this one we have to find out, and then if we get to know that something is there, malicious, and something is affected, then we need to isolate that affected system and eradicate the cause of the breach, then implement policies, processes or procedures, whatever is there, perform periodic technology audits, risk assessments combined with network penetration testing to identify weaknesses in the system; so that's where the PT team comes into the role.

Now how do you keep devices secure if they are on public hotel Wi-Fi? So well, the first prescription for this is you should use your own mobile hotspot; if they can't use it then just tell the user that they should connect with the VPN, because once they connect with VPN every data is going to be encrypted and it will communicate through a tunnel, so through that the communication will be secure. So that's it guys, and we'll meet in the next video with the roles and responsibilities and SIEM questions, which are very important; this part is very important.

Hello everyone, in this lecture we will discuss advanced scenario-based interview questions. So why is this advanced? This is because in this interview they totally check your investigation part, from your investigation part to your skills, each and everything, and they will get to know whether you have worked on it or not. So let me start. I will give you some examples, but before that let me show you what actually the scenario is, and for this particular lecture the interviewer will give you a scenario, and in between they will stop you and they will change the scenario; the interviewer will try to check your
skill and he will get to know whether you have worked earlier on it or not for this type of question you should have proper knowledge definitely and then only you can answer these these type of questions and for example we have taken uh maybe I think four questions just to show you that just the demo that how they can actually ask this type of question let me start with the number one question so let's say I'm the interviewer and you are one of the candidate so you you received one of the phishing email in your organization then how you will investigate manually now what will be your answer definitely uh you will you will have to elaborate this answer uh you will say you will do URL analysis domain analysis attachments right and you will check whether the email is spoofed or not you will check the sender domain these kind of things you will check whether it's malicious or not right and once you will cite all these investigation you will set all these steps they will interrupt you this is the what the barrier question now interview stopped you definitely now the scenario is changed guys so let's say uh everything is clean even the URL even the attachments even uh even the email is not spoofed the sender domain is also uh you know showing the perfectly clean now but still the email is a phishing one now question is that how you will confirm it so here is the answer see it might be happen guys that URL attachment everything is clean but somehow that URL is redirecting to some other pages right and it might be a happen that that URL is asking for the uh sending you uh one on one of the page in which they are asking for the credential so this type of emails this this type of phishing email generally used for the credential harvesting so this this could be your answer now again uh there is a very question let's suppose you entered the credential right it is given a giving an error then what will be your next step well the see it can happen that you are just giving your 
credential and it is reloading again and again so at least three times this is the uh you can try at least three and more times if it is showing the same error then or you should check the uh the redirected URL of that URL actually then check for the reputation of those things and on those basis you will have to take the action uh you will have to consider whether it's a phishing email or not right now uh just say it's a note so here interviewer can ask more questions right definitely so you should have the whole investigation you should have the knowledge of whole investigation for phishing emails now we have the question second you might have seen the organization use miter attack framework in their organization but why do they use it though we have a antivirus EDR uh Sim and other tools are there to secure uh from suspects suspices activities right so what is the need of that meta attack in your organization so let's see the answer okay so these type of tools let's say antivirus CDR SIM can detect the suspicious activities there is no doubt but organization use attack frameware framework just to map out the characteristics and specific tools used in attack across the miter attack framels and it helps the sock team assesses the current effectiveness of the existing security measures and the impact of the attack so basically whatever the security we have in our organization it actually checks all those measures uh whether this kind of let's say if there is some some technique different technique in the my direct attack so whether our sock team or you can say the security measures are enough to face those issues or not right whether we uh we are blocking we are just denying those traffic or not so this is what just a framework framework just to check the uh you can say the existing security measures and the uh that how it can be impact on us now attack allows Defenders to assess whether they can defend against uh specific ATP or you can say apt right and common 
behaviors across multiple threat actors question third we have uh when you move the Nic cards from one PC to another PC does the MAC address get transferred as well definitely because the MAC address is in the NIC card actually so it is going to change but why it is going to check and change as I said because we are changing the NIC card and Mac address is already encoded in the NIC card that's that's the reason now last question we have very important one mainly this is the most asked questions uh basically for the scenario based question so the question is have you ever worked on any malware cases in your previous organization so definitely you might we have bugged so in my case I worked on it I worked on many of the like like emote at ICD IDI icdid many ransomware's as well a lot of phishing emails as of now I think maybe uh more than six or seven thousands emails I have already investigated okay now barrier question is that tell us how emoted work so you have to tell each and everything that how actually that malware or maybe it depends on you that on which uh case you have worked right so you have to elaborate it now the next question will be can you explain this malware in the form of cyber kill chain now uh here what does what does it mean it means what actually the interviewer wants you to just elaborate or you can say explain the text of uh in the seven stages of cyber kill chain and which stages like say uh that how how it will be first part like reconence second part weaponization delivery exploitation installation command and control and then action on objectives so you have to just correlate your uh malware or whatever the attacks you have worked correlate with these seven stages of cyber kill chain for example like emoted emoted generally comes through phishing email right so in the recordings definitely I am going to gather the information of the ah you know recipient means the user where I have to send the email correct now weaponization is that I 
will attach the file I will do each and everything uh whatever I have to you know attach in the email body definitely delivery is that I will send that email to the user and exploitation is that once the user is going to click on that attachment that is directly going to install once it will install install I will get the command and control and after that I can uh you know is to seal the data I can still each and everything still the password is still the confidential data is different different things even uh you know I can drop others malwest too so this is how I correlate these things right I hope this these four questions are enough to just to tell you that how actually uh these Advanced uh you can say scenario based question asked in the during the interview bye bye take care in this video we will talk about roles and responsibilities and same questions so whenever you are going for an interview then definitely the interview interview is going to ask the questions related to your rules and responsibilities and this is hundred percent chances right so it's very rare case is that the interviewer is not going to ask roles and responsibilities and same questions well whatever whatever I have seen and whatever uh my seniors my juniors I have seen and collected all those at these data and I have seen the roles and responsibilities was the main uh you can say main question that was included in all those 50 samples so let's meet let me start with the what is Sim so you uh you already you are already working on that Sim right so what exactly it is security information and in event management we can see uh this is uh this is you this is using for the real-time analysis right and security alert generated by application network network Hardware so that's what's same and with Sim you were using in your organization this is one of the question and what was the sources from where Sim collection the logs so sources what what actually uh the interviewer is asking here that 
from where your sim were getting the locks so definitely it was an idea such ideas maybe the routers virtual machines servers different different places so but you should know your organization architecture that exactly from where uh your sim was collecting the uh sorry collecting the locks right now what is Q red R is Splunk okay both are same uh you can search on more on these things uh what is the architecture okay these architecture curator and spring definitely they will ask about these things so you can directly go these two links I have shared you can go and you can read these things what are the components of kirodar is plugged so whatever the data I don't know whether you are using QR or Splunk right so if you are using QR maybe let's say example even data flow data so just go for that components what actually the lock and Analysis dashboard there are a lot of things components in a curator and Splunk for a Splunk let's say example search had for forwarder indexer uh you can go through this link and you will get lot of data now brief us about your career so your carrier so from where you have started so you have to start from your academics right right from the academics and uh and including your graduation then after your first job second job and then what you have to do you have done apart from your roles and responsibilities you can also mention these things uh in your carrier please explain your roles and responsibility at your previous organization so directly is asking about the roles and responsibilities you can tell what what was the uh roles and responsibilities and what are the other parts you are doing uh apart from that rules and responsibilities so you can mention those it will give a good uh you can say impression on the interviewer so have you handle end and the uh sorry handle any big incident phishing email case in your career so let's say you if you have investigated on an email where if you investigated on any big phishing email so you 
can mention those things here right so let's say example candidate handle emote malware campaign site so we will explain each and everything that how I get for a detected uh how he investigated step by step and now and how he mitigated it right uh next question we have explained this inside in the form of cyber kill chain okay we already have discussed this one correct and in the Cyber kill Chain video we have already discussed it what are the stages of Incident Management process so that is very simple you are doing this process in your daily routine that is incident identification logging and categorization incident notification and escalation investigation resolution and recovery and then incident incident closer next question how you handle any alert so is directly talking about that the alert you are getting from SIM so please explain the process so you have to explain whole process that how actually you handle and how actually you were working on those incidents what is the event code for success and failure login so it's four six two four four login and four six two five is uh successful login for four six two four four six two five four fairly long so you can you can check all all those event codes uh maybe they will they will ask you different different codes regarding such as audit policy right these are the things they can ask which certification you have done let's say if you have done the CH certification right so you should know about the Cs what exactly in that because they can ask any question let's say uh they can ask directly about the Wireshark they can ask about nmap or different different tools okay so what is nmap so nmap stands for Network maker mapper and uh we generally used it to scan a system and understand what weakness exist that a hacker could have potentially exploit uh through the NSE engine if you remember we have used nmap right so as the program is open source and free it is one of the most more common tool used for scanning 
Network for open ports and other weakness 95th question what is the difference between ioc and IO we have discussed it let's again discuss it so iocs are static but iOS are dynamic ioa means indicator of attack so IO uh I can directly say is for ADR and iocs are generally for the malware whatever we are getting on daily routines right the known signatures you can say what is spare phishing so targeting a single person targeting a single person in any organization or any anything else and sending sending one of the phishing emails doing the social engineering on it that is called spare fishing how you will do the analysis of phishing emails so take this course this is the free course right and you can learn phishing email investigation from here this is totally free as of this video I'm making this video so as of now it's free header analysis you can also learn from there can you name support number so you should remember the important port number such as Port 25389 Port number lap 443 port number 80 right so these are the some Basics but uh whatever that very on the daily basis whatever the your port number you are working on you should know those port numbers what is DLP we already have discussed it right so I'm not discussing it okay dmag SPF and dkm well uh you can go through that free course you will get it but let me tell you some some of the demo that what actually there's some small difference in these three so dmac is domain based of message authentication reporting and Confirmation is the email authentication policy and Reporting protocol uh basically demarc under dmac we have SPF and Dr dkm so spfa uh you know SPF shows that the IP address whatever the domain uh the IP address is ah related to that domain so it authenticated those things and dkim having some domain Keys identified mail it means uh it gives you can say uh it gives the integrity means that the content of the body is not changed so this is done by giving the email a digital signature this so 
this is what dkim do SPF means Center policy framework for more details you can directly go jump to this free course and you can see there all those things how you will decide that on which alert you have to work first if there is 100 obviously if if there is some some 100 alerts there will be some uh some priorities like a high critical medium low so obviously I will choose the critical one which is very critical for my network so I will choose that one and I will work on it firstly why you want to leave your company that's a very you know very big question always you will get this question always so uh you can tell I mean you can think your answer your your answer could be different from mine one but uh what I what I uh just tell that I've learned a lot of things in my previous conversation I explored as much as I can so now I feel that I should move for a challenging and for a new responsibility so that I can grow more and uh you can add more things right so that should so that it can give you a give the good impression to the interviewer what motivated you to come in this organization so you can say you have learned uh heard more things about that organization and there is a learning there is challenges and there is new responsibilities and that matches your profile so that's why uh these things motivated to come in that organization you can tell these things do you have any questions to us okay this is the last question well uh you can ask if you have any any such good question then you must go with that but if you don't have then I should suggest you don't ask any question if you don't have right so that's it guys uh now we have this roles and responsibility that was a very uh you know the the interview always asks these type of questions related to uh roles and responsibilities so these 105 question is going to be a very uh is going to be very helpful for you as per our sample we have taken 50 interview sample and these were the repeated questions we were 
getting
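The BitTorrent scenario above (no approved use case, so filter the SIEM or firewall logs by the peer-to-peer port range and pull out the source IP, destination, URL and port) as an added example; this is not code from the video, and the key=value log format and sample lines are constructed assumptions, not any vendor's format.

```python
"""Filter constructed firewall log lines for BitTorrent-style peer-to-peer ports.

Added example for the BitTorrent scenario: the SOC has no approved use case
for BitTorrent, so any connection to the usual client port range is worth
triage. The log format below is an assumption (constructed, not a vendor's).
"""
import re
from collections import Counter

# Ports named in the scenario: the 6881-6889 client range plus 6999.
P2P_PORTS = set(range(6881, 6890)) | {6999}

# Constructed key=value firewall lines (documentation IP ranges), not real traffic.
SAMPLE_LOGS = """\
ts=2022-09-24T10:01:02Z action=allow src=10.0.0.15 dst=203.0.113.40 dport=6881 proto=tcp host=tracker.example.net
ts=2022-09-24T10:01:05Z action=allow src=10.0.0.15 dst=198.51.100.9 dport=443 proto=tcp host=mail.example.com
ts=2022-09-24T10:02:11Z action=allow src=10.0.0.22 dst=203.0.113.77 dport=6999 proto=tcp host=-
ts=2022-09-24T10:02:40Z action=deny src=10.0.0.15 dst=203.0.113.40 dport=6889 proto=udp host=-
ts=2022-09-24T10:03:00Z action=allow src=10.0.0.31 dst=192.0.2.8 dport=80 proto=tcp host=www.example.org
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict; dport becomes an int (0 if absent)."""
    fields = dict(FIELD_RE.findall(line))
    fields["dport"] = int(fields.get("dport", 0))
    return fields


def find_p2p_connections(raw_logs: str) -> list[dict]:
    """Return IP/URL/port details of every log line whose destination port is a P2P port."""
    hits = []
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] in P2P_PORTS:
            hits.append({"src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
                         "host": rec.get("host", "-"), "action": rec["action"]})
    return hits


def hosts_to_investigate(hits: list[dict]) -> Counter:
    """Count P2P-port hits per internal source so the noisiest machine is triaged first."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_p2p_connections(SAMPLE_LOGS)
    for h in found:
        print(f"{h['src']} -> {h['dst']}:{h['dport']} host={h['host']} ({h['action']})")
    print("per-source counts:", hosts_to_investigate(found))
```

Denied connections are kept on purpose: a blocked attempt still tells you which internal machine is running a torrent client, which is the point of the triage.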
Info
Channel: Cybrainium
Views: 58,566
Keywords: soc analyst interview, soc analyst interview questions, soc interview, soc analyst interview questions and answers, cybersecurity interview questions, soc, soc experts, soc analyst, interview questions and answers, soc interview questions, interview, blue team interview, cyber security interview tips, cybersecurity interview questions and answers, cyber security interview, interview questions for soc analyst, soc team, prepare for cybersecurity interviews, interview tips
Id: BOixsDLyVG4
Length: 105min 6sec (6306 seconds)
Published: Sat Sep 24 2022