Cyber security detection analyst interview questions

lsud00d Member Posts: 1,571
As the title says and for those in the industry, what would be some common questions during a cyber security detection analyst interview? The responsibilities revolve around--
  • Non-signature based detection of intruders (non-authorized users) and internal employees overstepping duties/permissions
  • Detecting cyber security incidents
  • Network and log analysis
And desired characteristics involve--
  • Penetration testing experience
  • Malware analysis experience
  • Knowledge of cyber crime threats
Looking forward to great feedback from the TE security guys and gals. TIA!

Comments

  • lsud00d Member Posts: 1,571
    I found this blog link which has a nice variation of questions...a few choice examples:

    20 Questions for an Intrusion Analyst

    You are given 500 pieces of straw and told that one piece is a needle which looks like straw. How would you find the needle? What other pieces of information would you like to have?

    Describe a method to find an intruder using only network flow data (no content).

    Describe the activity detected by the following Snort rule. What could be done to make the rule more effective? alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"activity alert!"; sid:10000011; content:"MZ";)

    What type of encoding is used in this example: aGVsbG8gd29ybGQNCg==


    Others' input is still welcome, I'm sure others are curious.
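The flow-only question above (find an intruder with no packet content) as an added worked example; this is my illustration, not code from the linked blog post or from anyone in the thread. It scores each (source, destination, port) tuple by how regular its inter-flow timing is, which is how timer-driven command-and-control check-ins stand out in NetFlow even when every payload is encrypted. The flow records are constructed, and the field names (ts, src, dst, dport, bytes) are an assumed NetFlow-like schema rather than any particular collector's export.

```python
"""Beacon hunting over flow records only (no packet content).

Added example; not code from the linked blog post or anyone in the thread.
The flow records below are constructed, and the field names (ts, src, dst,
dport, bytes) are an assumed NetFlow-like schema, not a specific collector's.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows(seed=7):
    """Constructed flows: one workstation browsing irregularly, one host beaconing."""
    rng = random.Random(seed)
    flows = []
    t = 0
    for _ in range(60):  # 10.0.0.5: irregular browsing to three web hosts
        t += rng.randint(5, 1800)
        flows.append({"ts": t, "src": "10.0.0.5",
                      "dst": rng.choice(["198.51.100.10", "198.51.100.20", "198.51.100.30"]),
                      "dport": 443, "bytes": rng.randint(800, 90000)})
    t = 0
    for _ in range(30):  # 10.0.0.7: check-in every ~60 s with +/-2 s jitter, fixed tiny size
        t += 60 + rng.randint(-2, 2)
        flows.append({"ts": t, "src": "10.0.0.7", "dst": "203.0.113.9",
                      "dport": 443, "bytes": 312})
    return flows


def find_beacons(flows, min_flows=8, max_interval_cv=0.15,
                 min_interval=5, max_interval=6 * 3600):
    """Flag (src, dst, dport) tuples whose inter-flow gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive flows: human-driven traffic is bursty and scores high, timer-driven
    malware check-ins score near zero. Byte-size consistency is reported as a
    second indicator but is not used as a filter.
    """
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f)

    hits = []
    for (src, dst, dport), group in by_tuple.items():
        if len(group) < min_flows:
            continue
        ts = sorted(f["ts"] for f in group)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg_gap = mean(gaps)
        if not min_interval <= avg_gap <= max_interval:
            continue
        interval_cv = pstdev(gaps) / avg_gap
        sizes = [f["bytes"] for f in group]
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "flows": len(group),
                         "mean_interval_s": round(avg_gap, 1),
                         "interval_cv": round(interval_cv, 3),
                         "size_cv": round(size_cv, 3)})
    return sorted(hits, key=lambda h: h["interval_cv"])


if __name__ == "__main__":
    for hit in find_beacons(build_sample_flows()):
        print(hit)
```

On the constructed data only the 10.0.0.7 to 203.0.113.9 tuple survives the filters, with an interval CV near zero and an identical byte count on every flow. Real data needs min_flows and the interval bounds tuned, and legitimate pollers (NTP, update checks, monitoring agents) score as beacons too, so the output is a hunt list rather than an alert.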
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    A couple non-technical questions:

    -Who do you look up to in security?
    -Where do you get security-related news?
  • Bill3rdshift Member Posts: 36 ■■■□□□□□□□
    YFZblu wrote: »
    A couple non-technical questions:

    -Who do you look up to in security?
    -Where do you get security-related news?

    I always like this topic... My answer:

    I look up to Bruce Schneier & Steve Gibson.

    Security related news from SANS, Security Now podcast, FBI's Infragard, Tech Republic, etc.
    Reading: Incident Response & Disaster Recovery, Server 2008r2 Administration, IT Security Interviews Exposed
    Telecom Info Page: http://telecom.tbi.net
  • ChooseLife Member Posts: 941 ■■■■■■■□□□
    YFZblu wrote: »
    -Who do you look up to in security?
    - cr@zy_m0nkey, rEdHaShTaG, 0xd00d, icmpppping (*)

    I wonder how an interviewer would react to this.


    *) I made these up. Any resemblance to actual persons is purely coincidental.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • ChooseLife Member Posts: 941 ■■■■■■■□□□
    lsud00d wrote: »
    I found this blog link which has a nice variation of questions...a few choice examples:

    20 Questions for an Intrusion Analyst
    These are awesome!

    Would anyone be interested in taking these and turning them into a "Security Analyst Question of the Day" thread? I'd love to bounce ideas around for most of them one at a time.
  • lsud00d Member Posts: 1,571
    ChooseLife wrote: »
    These are awesome!

    Would anyone be interested in taking these and turning them into a "Security Analyst Question of the Day" thread? I'd love to bounce ideas around for most of them one at a time.

    What, you mean spread our awesome "Linux Question of the Day" thread to other areas of IT? Never. :D

    FTR there's a Reddit /r/netsec thread on this, maybe we could revive it?

    20 Questions for an Intrusion Analyst : netsec
  • eansdad Member Posts: 775 ■■■■□□□□□□
    "You are given 500 pieces of straw and told that one piece is a needle which looks like straw. How would you find the needle? What other pieces of information would you like to have?"

    I see several answers to this. What would an interviewer view as a good answer?
  • jasong318 Member Posts: 102
    Set the straw on fire :)
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    ChooseLife wrote: »
    These are awesome!

    Would anyone be interested in taking these and turning them into a "Security Analyst Question of the Day" thread? I'd love to bounce ideas around for most of them one at a time.

    I like this idea a lot.
  • dover Member Posts: 184 ■■■■□□□□□□
    Devise a straw capture and sorting device along with a transport network of belt-driven tracks. Implement an inline needle detection system that performs heuristic scanning of straw integrity and consistency based on established metrics. Create a rule to drop identified metallic anomalies into a quarantine compartment for later analysis.

    Or leave the pile of straw on the floor and let me walk over it - the needle will, no doubt, instantly shoot two inches into my foot.

    Or a magnet.
  • coffeeluvr Member Posts: 734 ■■■■■□□□□□
    jasong318 wrote: »
    set the straw on fire :)

    lmao!!
    "Something feels funny, I must be thinking too hard. - Pooh"
  • badrottie Member Posts: 116
    Throw the straw into a pool of water large enough to hold it all. Agitate. The needle will sink to the bottom of the pool. Retrieve.

    Corporate version: Hold a meeting with all affected stakeholders and get buy in. Write ISO 9001:2008 compliant procedure. Assign an intern to the project with the vague promise of a permanent job if they find the needle.

    Social engineering version: Go to sewing store. Buy a pack of needles. Select one. Use Jedi mind powers and say to the requesting party "This is the needle that you are looking for."
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    I would simply figure out the common characteristics of straw (color, weight) and then sort it all to see what stands out.
    Working on: staying alive and staying employed
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    My first thought was a magnet too, funny.
  • dover Member Posts: 184 ■■■■□□□□□□
    lsud00d wrote: »

    Describe the activity detected by the following Snort rule. What could be done to make the rule more effective? alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"activity alert!"; sid:10000011; content:"MZ";)

    Ok, this one is bothering me and I'm the first to admit there is a TON of stuff I don't know about....so someone chime in and set me straight if I'm way off.

    Describe the activity detected by the following Snort rule.
    The signature is set to alert on ICMP traffic that contains the 'Magic Number MZ', which presumably indicates that there is some kind of Microsoft/MS-DOS type exe file inside the ICMP traffic, originating in either direction: outside ($EXTERNAL_NET) -> in ($HOME_NET) or inside -> out

    What could be done to make the rule more effective?
    To prevent false positive alerts from ICMP traffic that contains the hex string '4d 5a' just anywhere in the packet, add the within: condition to the sig specifying that the magic number hex string must be within the first 2 bytes of the payload.

    So my sig would read:

    alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg: "Covert ICMP EXE transfer ALERT!"; content:"MZ"; within:2; sid: 10000011; rev:1; )

    Does that make sense to ANYONE besides me?

    //edited to prevent end of sig from looking like a winkie-face
  • GarudaMin Member Posts: 204
    The first thought that came was fire. The second thought that came was 'let's get more detail'. Do we care about what happens to the straw? If so, fire is out. Water will come in. Then the next question is 'how significant is the straw? Can we get it wet?'. Then a magnet or a fan would come in. Then the question becomes, do we have budget to get a magnet/fan? And then the main question comes. What's the significance of trying to find the needle? Are you asking to know how I think/analyze things? Why do we need to find the needle?...
    I think that's probably how my conversation would go if someone asked me that.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    dover wrote: »
    Ok, this one is bothering me and I'm the first to admit there is a TON of stuff I don't know about....so someone chime in and set me straight if I'm way off.

    Describe the activity detected by the following Snort rule.
    The signature is set to alert on ICMP traffic that contains the 'Magic Number MZ', which presumably indicates that there is some kind of Microsoft/MS-DOS type exe file inside the ICMP traffic, originating in either direction: outside ($EXTERNAL_NET) -> in ($HOME_NET) or inside -> out

    What could be done to make the rule more effective?
    To prevent false positive alerts from ICMP traffic that contains the hex string '4d 5a' just anywhere in the packet, add the within: condition to the sig specifying that the magic number hex string must be within the first 2 bytes of the payload.

    So my sig would read:

    alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg: "Covert ICMP EXE transfer ALERT!"; content:"MZ"; within:2; sid: 10000011; rev:1; )

    Does that make sense to ANYONE besides me?

    //edited to prevent end of sig from looking like a winkie-face

    Suggestion from an infosec noob: add "This program cannot run in DOS mode" to the content piece. I recently read an article from Invincea that showed the Magic Number being altered to ".Z" - an effort to avoid detection when the Snort rule only alerts on the Magic Number matching "MZ".

    Other than that, looks good to me. I think changing the description to "Covert....." as you have done is a good idea as well.
  • dover Member Posts: 184 ■■■■□□□□□□
    YFZblu wrote: »
    I recently read an article from Invincea that showed the Magic Number being altered to ".Z" - an effort to avoid detection when the Snort rule only alerts on the Magic Number matching "MZ".

    Nice!

    Was it this one?

    Invincea link

    That's a great article! I didn't see anything about the "This program cannot be run in DOS mode" - maybe I just missed it; I haven't had a chance to read the whole thing yet.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    That's the one! Invincea was quite proud of itself for catching that malware, and I do like the writeup.

    The DOS message should be in the packet text - Here is the picture from the Invincea article. It also shows the Magic Number alteration:


    [Image: DOS.jpg, screenshot from the Invincea article showing the DOS stub text in the packet and the altered magic number]
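The Snort discussion above (anchoring "MZ" to the start of the payload, and adding the DOS stub string to catch the ".Z" variant Invincea wrote up) as an added worked example; this is my illustration, not code from the thread, the Snort project or Invincea. It is a deliberately simplified content matcher supporting offset/depth/distance/within, and it runs the thread's original rule plus three tightened variants over constructed ICMP payloads to show which payloads each rule flags. The sids 10000012 to 10000014, the rule messages and the payloads are made up; the stub text in a real PE header reads "This program cannot be run in DOS mode". One practical point the matcher makes visible: depth:N is the absolute modifier meaning "within the first N payload bytes", while within:N is measured from the end of the previous content match, so it belongs on a second content such as the stub string.

```python
"""Simplified Snort content matching for the ICMP "MZ" rule discussion.

Added example; not code from the thread, the Snort project, or Invincea.
Only content with offset/depth/distance/within is supported (no |hex|
patterns, nocase, or pcre). Rule sids 10000012-10000014, the rule messages
and all payloads are made up for the example.
"""


def parse_options(option_body):
    """Turn '(msg:"x"; content:"MZ"; depth:2; sid:1;)' into ordered content specs.

    Each modifier attaches to the most recent content, as in Snort; options the
    matcher does not understand (msg, sid, rev, ...) are returned as metadata.
    """
    contents, meta = [], {}
    for opt in option_body.strip().strip("()").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            contents.append({"pattern": val.encode()})
        elif key in ("offset", "depth", "distance", "within"):
            if not contents:
                raise ValueError(f"{key} must follow a content option")
            contents[-1][key] = int(val)
        else:
            meta[key] = val
    return contents, meta


def content_matches(payload, contents):
    """Evaluate the content chain against one payload, in order.

    offset/depth are absolute (from the payload start); distance/within are
    relative to the end of the previous match. A relative modifier on the very
    first content is measured from the payload start here; depth is the
    idiomatic way to say "in the first N bytes".
    """
    cursor = 0
    for c in contents:
        if "distance" in c or "within" in c:
            start = cursor + c.get("distance", 0)
        else:
            start = c.get("offset", 0)
        span = c.get("depth", c.get("within"))
        end = len(payload) if span is None else start + span
        idx = payload.find(c["pattern"], start, end)  # pattern must fit in [start, end)
        if idx < 0:
            return False
        cursor = idx + len(c["pattern"])
    return True


HEADER = "alert icmp $EXTERNAL_NET any <> $HOME_NET any "
RULES = {
    # the rule quoted in the thread: "MZ" anywhere in the ICMP payload
    "thread_original": HEADER + '(msg:"activity alert!"; sid:10000011; content:"MZ";)',
    # anchor the magic number to the first two payload bytes
    "anchored_magic": HEADER + '(msg:"Covert ICMP EXE transfer"; content:"MZ"; depth:2; sid:10000012; rev:1;)',
    # catch the ".Z" variant: the DOS stub text survives the magic-number change
    "dos_stub": HEADER + '(msg:"ICMP carrying PE DOS stub"; content:"This program cannot be run in DOS mode"; sid:10000013; rev:1;)',
    # both, chained: the stub text must end within 120 bytes after the "MZ" match
    "magic_then_stub": HEADER + '(msg:"ICMP carrying PE header"; content:"MZ"; depth:2; content:"This program cannot be run in DOS mode"; distance:0; within:120; sid:10000014; rev:1;)',
}

# Constructed payloads. PE_HEAD mimics the start of a PE file: e_magic at 0,
# stub code at 0x40, stub text at 0x4E.
DOS_STUB_CODE = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
PE_HEAD = (b"MZ\x90\x00" + b"\x00" * (0x40 - 4)
           + DOS_STUB_CODE
           + b"This program cannot be run in DOS mode.\r\n$")
PAYLOADS = {
    "pe_in_icmp": PE_HEAD,
    "benign_ping_text": b"echo request from host AMZN-edge01 seq=42",  # "MZ" mid-payload
    "dot_z_evasion": b".Z" + PE_HEAD[2:],                            # altered magic, same stub
}


def rule_options(rule):
    """Return the parenthesised option body of a rule line."""
    return rule[rule.index("("): rule.rindex(")") + 1]


def evaluate(rules=RULES, payloads=PAYLOADS):
    """Return {rule name: [payload names that would alert]}."""
    results = {}
    for name, rule in rules.items():
        contents, _ = parse_options(rule_options(rule))
        results[name] = [p for p, data in payloads.items() if content_matches(data, contents)]
    return results


if __name__ == "__main__":
    for name, alerted in evaluate().items():
        print(f"{name:18} -> {alerted}")
```

Running it prints, per rule, the payloads that alert: the original rule also fires on the benign text payload because "AMZN" contains the bytes 4d 5a, the depth:2 rule fires only on the real header, and the stub-string rule is the only one that catches the ".Z" variant. The chained rule is the tightest, but it inherits the magic-number check and so misses the evasion too; in practice you keep both the anchored rule and the stub-only rule.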
  • wes allen Member Posts: 540 ■■■■■□□□□□
    Bumping a bit older thread, but the liquidmatrix podcast had a good section on hiring analysts on the last show. One of the tasks he sets out for potential hires is that he has a script that generates a million log entries, which have a few "interesting" logs mixed in. The interviewee has to sort and pull out the interesting data while showing their work. Automatic fail is to try to go through them one at a time.