| Title | Author | Created | Published | Tags |
| --- | --- | --- | --- | --- |
| Best Cybersecurity Questions - SOC | Jon Marien | September 08, 2025 | September 08, 2025 | [[#jobs\|#jobs]], [[#interviews\|#interviews]], [[#arcticwolf\|#arcticwolf]] |

# Best Cybersecurity Questions - SOC

***

**1. What is a Security Operations Center (SOC)?**
- A centralized team/location that monitors, detects, analyzes, and responds to cybersecurity incidents within an organization, keeping systems safe and online 24/7.

**2. What is an IDS and an IPS? What's the difference?**
- IDS (Intrusion Detection System) identifies suspicious activity and raises alerts, while IPS (Intrusion Prevention System) can also block or prevent threats. Both are tools commonly monitored in a SOC.

**3. Explain the CIA Triad.**
- SOC analysts must protect the Confidentiality, Integrity, and Availability of systems—core goals of all security monitoring and response.

**4. What is a Security Incident?**
- Any event that indicates systems or data may have been compromised, such as malware infections or unauthorized access—exactly the kind of activity that SOC teams investigate and manage.

**5. What is Incident Response?**
- (Not a literal question from the list, but closely related: "What is a Security Incident?" and "What is a Security Audit?") SOCs use established processes known as incident response for handling and containing security incidents.

**6. What is Vulnerability Assessment and Penetration Testing and how are they different?**
- A vulnerability assessment enumerates and rates weaknesses; a penetration test actively exploits them to show real impact. SOCs often monitor for vulnerabilities and may escalate findings for assessment or further testing.

**7. What is Network Sniffing?**
- Capturing and analyzing network traffic to spot threats or anomalies, a skill used in SOC investigations.

**8. What are Response Codes from a Web Application and how do you interpret them?**
- Knowing HTTP status codes helps a SOC analyst spot potential misconfigurations or evidence of attacks (e.g., lots of 404 errors or 500 errors).

**9. What is a Firewall and why is it used?**
- SOCs routinely examine firewall logs to spot blocked connections or unusual activity.

**10. What is Port Scanning?**
- Detecting when attackers look for open ports/services, which shows up as suspicious activity in SOC alerts.

**11. What is a Security Audit?**
- Assessing the security posture of a system or network, often driven by findings discovered in the SOC.

**12. What is a Honeypot?**
- Sometimes used in SOC environments to lure attackers and observe attack patterns.

**13. What is Patch Management?**
- Ensuring vulnerabilities don't linger—SOC analysts may verify whether a compromised system was unpatched.

**14. What is a Zero-Day Vulnerability?**
- A new, unpatched flaw—SOC analysts must recognize and respond quickly if one is exploited in their environment.

**15. What is a Brute Force Attack?**
- A common type of attack SOCs detect, especially against login systems.

**16. What is DDoS?**
- Distributed Denial of Service attacks, which a SOC analyst must detect and respond to in real time.

**17. What is a Proxy Server?**
- Sometimes used to hide attacker activity, so SOCs monitor proxy logs for suspicious traffic.

**18. What is a Man-in-the-Middle attack?**
- Analysts watch for signs of such attacks in network traffic.

**19. What is Data Leakage?**
- Preventing, detecting, and responding to data leakage events can be part of daily SOC responsibility.

**20. What is Multi-Factor Authentication (MFA)?**
- SOCs often recommend and monitor for its use to secure systems and accounts.

**21. What is Social Engineering?**
- SOCs may detect or respond to incidents that began through phishing or other social attacks.

**22. What is a Red Team and Blue Team exercise?**
- Blue Team duties often overlap with SOC analyst duties—defending, detecting, and responding to threats simulated by Red Teams.

***

# More SOC Questions:

***

**What are indicators of compromise?**

*Natural language:* These are the signs or pieces of evidence that suggest your computer or network has been broken into. It could be weird programs running, files you didn't create, a sudden drop in performance, or security alerts.

*Quick/simple:* Clues that hackers might be in your system.

***

**What is a SIEM?**

*Natural language:* SIEM stands for Security Information and Event Management. It's like a giant security control center where logs and alerts from different systems all come together to be analyzed. It helps security teams spot problems quickly by showing everything in one place.

*Quick/simple:* A dashboard that gathers and shows security info from everywhere at once.

***

**Describe an incident response process.**

*Natural language:* When a security problem happens, there's a step-by-step plan for how to react. First, you find out something's wrong. Then, you check how serious it is and figure out what's happening. Next, you work to contain and fix the problem. Finally, you review what happened and see how to do better next time.

*Quick/simple:* A checklist for handling a security emergency: notice → check → fix → learn.

***

**What stakeholders are important to include during an incident? Why are they important?**

*Natural language:* Besides the security team, you need to involve IT staff, business leaders, legal advisors, communications/PR, and sometimes outside experts. Each brings unique knowledge—like fixing tech, making big decisions, handling rules, or talking to the public.

*Quick/simple:* People from tech, leadership, legal, and communications—all have a job keeping things running and safe.
***

**After an incident, why is it important to do a lessons learned?**

*Natural language:* Looking back helps figure out what worked, what didn't, and how to prevent the same problem from happening again. It makes everyone better prepared and the organization stronger.

*Quick/simple:* So you don't make the same mistakes next time.

***

**What's the purpose of tier 1 analysts?**

*Natural language:* They're the first people who see alerts and potential problems. They sort out what's serious, what's a mistake, and what needs more investigation, passing on big stuff to more experienced teammates.

*Quick/simple:* The "front line"—first to spot and sort out possible threats.

***

**What are some common detection tools that may report security issues and how do they work?**

*Natural language:* Tools like antivirus programs, firewalls, and special monitors for network traffic watch for suspicious activity. If they see something strange, they create alerts. These tools work in the background to catch anything out of the ordinary and raise a flag.

*Quick/simple:* Programs that watch for trouble and tell you when something's weird.

***

**What is network segmentation and how is it helpful?**

*Natural language:* It's like dividing your house into rooms and locking the doors between them. If one part gets "broken into," the rest stay safe. It keeps damage from spreading all over.

*Quick/simple:* Breaking a network into parts so one problem doesn't affect everything.

***

**What are some common network protocols and why are they important?**

*Natural language:* Protocols are like "languages" that computers use to send data:

- HTTP/HTTPS for websites
- SMTP for email
- FTP for moving files
- DNS for finding addresses

They keep all the devices communicating smoothly and safely.

*Quick/simple:* Standard "rules" computers use to talk—making sure everything connects and works right.
***

**What is the difference between a security event and a security incident?**

*Natural language:* A security event is anything notable or unusual—a login, a blocked connection, or a file downloaded. A security incident is something bad that actually needs action, like a real attack or a confirmed breach.

*Quick/simple:* An event is a flag; an incident is an actual problem.

***

**How do cloud applications affect the security of the customer environment?**

*Natural language:* They can make things easier but also add extra risks. Data is stored somewhere else and managed differently, so you need new ways to control access and protect information—especially since bad actors can target weaknesses in the cloud, too.

*Quick/simple:* You get convenience, but must trust (and secure) systems you don't fully control.

***

**What is the difference between a risk, a vulnerability, and a threat?**

*Natural language:*

- A risk is the chance something bad might happen.
- A vulnerability is a weak spot that could be attacked.
- A threat is something that could exploit the weakness, such as hackers or malware.

*Quick/simple:* Risk = possibility, Vulnerability = weak spot, Threat = the "bad guy" or danger.

***

**What is the CIA triad?**

*Natural language:* It's the core of security:

- Confidentiality: Only the right people see info
- Integrity: Info stays accurate and unaltered
- Availability: Info is always there when needed

*Quick/simple:* Keep info secret, unchanged, and available.

***

**How is authentication different from authorization?**

*Natural language:* Authentication is checking who you are (like showing your ID). Authorization is checking what you're allowed to do (like if your ID gets you backstage).

*Quick/simple:* AuthenTIcation = identify, AuthorIZation = permission.
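The event-versus-incident distinction above, together with the SIEM and brute-force questions earlier on this page, as a small added example that is not part of the original notes: a correlation rule over constructed sshd-style log lines that treats every failed login as an event and only raises an incident when five failures from one source land inside a minute, escalating if a successful login follows. The log lines, thresholds, field names and function names are all constructed assumptions, not taken from any real SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the page); syslog-style sshd lines.
SAMPLE_LOG = """\
Sep 08 10:00:01 host sshd[100]: Failed password for admin from 203.0.113.5 port 50001 ssh2
Sep 08 10:00:03 host sshd[101]: Failed password for admin from 203.0.113.5 port 50002 ssh2
Sep 08 10:00:04 host sshd[102]: Failed password for root from 203.0.113.5 port 50003 ssh2
Sep 08 10:00:06 host sshd[103]: Failed password for admin from 203.0.113.5 port 50004 ssh2
Sep 08 10:00:07 host sshd[104]: Failed password for admin from 203.0.113.5 port 50005 ssh2
Sep 08 10:00:09 host sshd[105]: Accepted password for admin from 203.0.113.5 port 50006 ssh2
Sep 08 10:05:00 host sshd[106]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Sep 08 10:05:20 host sshd[107]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_events(text, year=2025):
    """Turn raw log lines into event dicts (each line is one security event)."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "user": m["user"],
                       "ok": m["result"] == "Accepted"})
    return events

def correlate(events, threshold=5, window_s=60):
    """Per source IP, raise one incident when >= threshold failures fall within
    window_s seconds; a later successful login from that source raises severity."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        for i in range(len(fails)):
            j = i + threshold - 1  # index of the threshold-th failure in this run
            if j < len(fails) and (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                success = any(e["ok"] and e["ts"] > fails[j]["ts"] for e in evs)
                incidents.append({"src": src, "failures": len(fails),
                                  "users": sorted({e["user"] for e in fails}),
                                  "success_after": success,
                                  "severity": "high" if success else "medium"})
                break  # one incident per source, not one per overlapping window
    return incidents
```

Alice's single failed login stays an event and never becomes an incident; the five rapid failures from 203.0.113.5 followed by an accepted password become one high-severity incident worth a tier 1 escalation.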
***

**What is an advanced persistent threat and how might you identify one?**

*Natural language:* This is a very sneaky and patient attacker, often a group, who slowly and quietly tries to get into a network and stay hidden as long as possible. Signs might include recurring unusual activity, odd logins, or data slowly leaking out.

*Quick/simple:* A determined, hard-to-spot hacker group that hangs around and sneaks info out.

***

**What are some methods or tools you might use to identify a worm on the network?**

*Natural language:* Look for a big burst of network traffic, odd connections between devices, or identical files popping up everywhere. Tools like traffic monitors (network sniffers), antivirus, and special scanners help spot or block worms.

*Quick/simple:* Watch for weird file sharing and strange traffic—use security tools to sniff them out.

***

**What is the ATT&CK framework?**

*Natural language:* It's a big library made by MITRE that lists out all the ways attackers can break in and what steps they usually take. It helps teams understand what to watch for and how to defend against real-world attacks.

*Quick/simple:* A big guidebook of hacker tricks used to defend your systems.

***

**What is the CVE database and how is it helpful?**

*Natural language:* It's a huge list of publicly known computer vulnerabilities. Each problem is given a unique ID and description, so people can share and find fixes quickly. It's a go-to reference for security teams everywhere.

*Quick/simple:* The "yellow pages" of computer bugs and security holes.

***