SOC analyst tier 1 interview
Rylee1246 (Member, Posts: 60)
I have a phone interview coming up for a SOC analyst tier 1 position. Any tips on what to be prepared for would be appreciated. If this goes well, then the in-person interview is next. This interview will be with 2 or 3 people, with 1 being the SOC manager.
Comments
fabostrong (Member, Posts: 215)
I just landed my first security job and it's a tier 1 security analyst as well.
My first interview was a technical interview in person with 3 people. They asked questions about Linux commands, attacks like cross-site scripting, SQL injection, password attacks, IDS/IPS, and gave some scenario questions. Whenever I didn't know anything I told them I didn't know and wrote it down on a notepad I brought with me. It's a lot better to say you don't know than to look dumb trying to make something up. And writing it down I think makes a good impression also.
The second interview was with two managers and it was just general questions about what kind of person I was and where I wanna go. Kind of a cultural interview to see if you'd be a good fit.
Rylee1246 (Member, Posts: 60)
Linux is definitely a weak point of mine. I am not very familiar with it still, but it is on my list of topics I need to learn more about.
For cross-site scripting, from what I understand, the attacker can place malware onto the site for other viewers to then be infected by it. It is generally placed onto the site through data inputs on the site that were not properly reviewed for validation. The way you could identify it would be by reviewing logs and seeing anomalous entries into form fields that look like code rather than actual entry information. To have a tool identify it automatically, it would also review the log entry and look for specific code strings.
SQLi is similar to cross-site scripting, in that the attacker tries to input SQL commands into data entry fields in an attempt to fool the site/system into "running" the command that was input into an otherwise benign data entry field. I believe validation for proper inputs is also how to prevent this type of attack. Identifying it would be the same way, by reviewing logs and recognizing invalid data input that looks more like SQL commands. A tool could be set to pull logs that appear to show specific SQL commands in improper places (like in the password field).
Password attacks come in two main varieties: dictionary attacks and brute-force attacks. Dictionary tries common words and number combinations to try to guess a password, while brute force would just go through every possible combination until it found the correct one. These attacks could be made improbable (not impossible) by enforcing strong passwords, requiring password changes on a regular basis, and placing a limit on the number of times an account can receive a wrong password before it locks out until a responsible person unlocks the account. Logs will show repeated password failures within a short amount of time. You could have the tool alert to this if done within a certain amount of time, and/or a certain number of attempts.
IDS are Intrusion Detection Systems. IPS are Intrusion Protection Systems. IDS will detect potential anomalies and report them, but it does not try to stop them. IPS will also detect and report the anomalies, but also attempt to prevent the supposed malicious attack from doing anything more.
If anyone who read my answers there wants to correct me on something I got wrong or modify what I said to make it "more right", please let me know! I am also up for any other topics/questions that might be needed so I can gauge my preparedness!
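An added example, not written by anyone in this thread, of the alerting logic described above for password attacks: it parses constructed sshd-style auth log lines and flags a source IP once a chosen number of failed logins fall inside a sliding time window. The log lines, the threshold of 5 failures in 5 minutes, and the year used for timestamps are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux sshd auth log (not from any real host).
SAMPLE_LOG = """\
Jan 10 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 10 08:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 10 08:00:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 10 08:00:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jan 10 08:00:07 host sshd[1205]: Failed password for root from 203.0.113.5 port 51026 ssh2
Jan 10 08:00:09 host sshd[1206]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Jan 10 08:30:00 host sshd[1300]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 09:15:00 host sshd[1400]: Failed password for bob from 198.51.100.7 port 40002 ssh2
"""

# Matches only failed-password lines; successful logins and unrelated lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source_ip) for each failed-login line in text.

    Syslog timestamps carry no year, so one is assumed (constructed sample uses 2024)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_bursts(text, max_failures=5, window=timedelta(minutes=5)):
    """Return {source_ip: time the threshold was first crossed}.

    A per-IP sliding window keeps only failures newer than `window`; an alert fires
    the first time `max_failures` of them fall inside it, then is not repeated."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, _user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= max_failures and ip not in alerts:
            alerts[ip] = ts
    return alerts
```

The same structure keyed on the account name instead of the IP catches password spraying against one user from many sources.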
CyberCop123 (Member, Posts: 338)
Rylee1246 wrote: »Linux is definitely a weak point of mine. I am not very familiar with it still, but it is on my list of topics I need to learn more about
Advice: Dual boot to Linux, I'd recommend Ubuntu myself but there's others like Mint and things out there which are good. STOP using Windows Desktop, and start using Linux and rely solely on command line:
Do things like:
-- Create directory from command line, move files into it, copy them out
-- Create a file from command line (touch myfile.txt)
-- Get used to outputting files (cat myfile.txt) and how to scroll through (cat myfile.txt | more)
-- Install software and remove it - this is really easy on ubuntu using the apt-get install and apt-cache search commands
-- Set up a LAMP - full on web server with mysql and php enabled
-- View log files (usually in /var/log)
-- Execute commands as root (sudo my_app)
-- Create users, create groups, delete users, etc....
Just do things like that. You can't learn Linux from within Windows (in my opinion), just embrace it and start using it. You'll pick it up really quickly and in my view it makes MUCH MUCH more sense than Windows.
Rylee1246 wrote: »for cross site scripting, from what I understand, the attacker can place a malware onto the site for other viewers to then be infected by it. It is generally placed onto the site through data inputs on the site that were not properly reviewed for validation. The way you could identify it would be by reviewing logs and seeing anomalous entries into form fields that look like code rather than actual entry information. To have a tool identify it automatically, it would also review the log entry and look for specific code strings.
I think that's good enough knowledge, it's just an understanding you need. As you said the main thing is that it's unsanitised input, things which aren't checked. As a result it ends up in the database, or is actually executed by the server. There's obviously much more to this area but just a general understanding is enough I think.
Rylee1246 wrote: »SQLi is similar to cross site scripting, in that the attacker tries to input SQL commands into data entry fields in an attempt to fool the site/system into "running" the command that was input into an otherwise benign data entry field. I believe validation for proper inputs is also how to prevent this type of attack. Identifying it would be the same way, by reviewing logs and recognizing invalid data input that looks more like SQL commands. A Tool could be set to pull logs that appear to show specific SQL commands in improper places (like in the password field)
The SQL doesn't have to go into entry fields, you can manipulate the URL too, by adding characters on the end, by altering the web address in a way which makes the server do things it wasn't designed to.
******
Have a VERY good read through the OWASP top 10 threat list. That's really really important and if you mention in your interview you have a good understanding of it, then I think it would show you in a good light.
One bit of advice I got recently was: interviewing people like knowledge (obviously)... but what they REALLY like to see is passion. As simple as saying "I have a lab at home", and going on to say that you test things out, you're involved in projects, you're on GitHub, you code, you play about, you've done some ethical hacking yourself etc... it can go a long way.
Good luck!
My Aims
2017: OSCP - COMPLETED
2018: CISSP - COMPLETED
2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting - COMPLETED
GIAC GREM - Reverse Engineering of Malware - COMPLETED
2021: CCSP
2022: OSWE (hopefully)
ramrunner800 (Member, Posts: 238)
Like CyberCop said, definitely start using Linux in your daily use, because you need to know it well in security. I would recommend using virtual machines over dual booting though. Dual booting is unnecessary, and working with virtual machines is also a required set of skills in security. For a beginner, I'd recommend Oracle's VirtualBox, as it is fully featured and free. When you get more serious, buy a VMware Workstation license. Avoid VMware's free options, as they lack critical features.
Currently Studying For: GXPN
technogoat (Member, Posts: 73)
What certs are relevant for tier 1 SOC or entry level security?
I'm planning on getting:
CCNA Security
Security+
currently have:
CCNA R/S
A+
ITIL
Any other entry level certs?
ramrunner800 (Member, Posts: 238)
technogoat wrote: »What certs are relevant for tier 1 SOC or entry level security?
I'm planning on getting:
CCNA Security
Security+
currently have:
CCNA R/S
A+
ITIL
any other entry level certs?
CCNA Security isn't really relevant to any SOC work I've ever been involved in. SOCs at large agencies/companies work with support teams who will handle configuration of the actual security devices like the IDSs/firewalls; CCNA:S would prepare you for a role like that. Networking beyond N+/CCENT is more than is required at entry level in the SOCs I've worked in. It's not bad knowledge to have, but it's not going to help you with your job on the day-to-day. I have only worked in environments of 100K+ hosts, so take my input with a grain of salt. It is almost certainly different in smaller shops. YMMV.
SOC work focuses more hands-on with attackers. You need to build skills around things like packet and log analysis, malware analysis, and attacker TTPs. The best way to do this is to set up a lab with vulnerable machines and attack them. Use Security Onion or a similar system to monitor the network, and then play with the logs/PCAPs generated. You should also familiarize yourself with basic phishing kill chains, and probably play with a few different kinds of phishes.
Good certs for entry level SOC work are Security+, C|EH (for HR), OSCP, GCIA, GPEN. The eLearnSecurity courses are also great, but the certs don't hold much value.
Currently Studying For: GXPN
technogoat (Member, Posts: 73)
ramrunner800 wrote: »...................................
Good certs for entry level SOC work are Security+, C|EH(for HR), OSCP, GCIA, GPEN. The eLearnSecurity courses are also great, but the certs don't hold much value.
Thanks, I'll note that.
Did CCNA Security related courses in school, so I was thinking of just grabbing it.
I have basic helpdesk and deskside, so looking to get my foot in the door for an IT security
Rylee1246 (Member, Posts: 60)
I do have my own virtual network with pfSense, Kali Linux, Ubuntu, Metasploitable, Server 08 and 12, as well as Windows 7. However, I can't run them all at once. I also don't have a lot of time to mess with them right now since I focus on school work. I don't have Security Onion yet but don't think my computer can handle running it plus the Kali plus a target.
I was interested in the eJPT course but if it's not recognized I'm not sure I should pay for it. I heard it's good training and good prep for their CPPT which is good prep for OSCP, but I'm not in the habit of wasting money if it's not worth it.
I've got an intro penetration testing book, Hacker Playbook 2, Art of Exploitation and "Hack Like a Pornstar" (free download with Amazon Prime) to read once I have time.