Interview Questions:

Basic Network Questions:
-> Main difference between TCP and UDP

-> Which protocol does DNS use?

-> What is two-factor authentication?

-> What is the three-way handshake process?

-> The 3-way handshake process happens on the UDP protocol, true/false? Why?

-> On which OSI layer do formatting, compression and encapsulation happen? - presentation layer

-> Which OSI layer sets up and maintains the connection between two devices? - transport layer

-> Which port is used for an SSL FTP connection? 21

-> Which protocol is used to manage a network? SNMP

-> Which protocol is used to ping? On which port? 0

-> What is SSL?

-> What is data exfiltration?

-> Difference between malware and virus/worm/spyware?

-> Difference between risk, threat and vulnerability?

-> Difference between APT and zero-day attack.

-> Difference between encryption, encoding and hashing.

-> If you want to encrypt traffic from one system to another, which one would you choose and why?

-> Which method is best for data transfer (SSL/TLS/HTTPS)?

-> How does a directory traversal attack work?

FTP 20, 21
Telnet 23
SMTP 25
DNS 53
HTTP 80
POP 110
NNTP 119
HTTPS 443
DHCP 67, 68
TFTP 69
NTP 123
SNMP 161
RDP 3389
SSH 22
Threats:

-> What is SQL injection and how does it work?

-> What is client-side cross-site scripting and how does it work?

-> What is DNS poisoning?

-> How do you identify that backdoor activity is happening on a system?

-> How does a DDoS attack work?

-> What changes do you see once malware has infected the system?

-> There are emerging threats every day; how do you keep yourself updated as a Security Analyst?

> How to mitigate DoS, DDoS and malware (virus, worm, logic bomb, trojan horse, botnet, rootkit, keylogger, ransomware, spyware, adware, DLL, backdoor)

> How do you analyze malware (sandboxing)?

> Spectre, Meltdown, wcry, Petya ransomware.

> Recent attacks

> What is a DLL (data link library)?

> What is sandboxing?

> How do you analyze a zero-day exploit or malware?

ArcSight:

-> Why do we need a SIEM in an organization?

-> Event life cycle in ArcSight SIEM

-> Differences between a smart connector and a flex connector

-> Default size of a connector cache? -> 5 GB

-> Default time window of an active channel? -> (now - 2 hrs)

-> Difference between an active list and a session list

-> Can we export logs for HPE from the console? How?

-> On which port do the console / web console / command center and Manager connect? And on which protocol?

-> What are the data sources we can use to generate a report/trend?

-> What is the main purpose of the Logger / connector appliance?

-> What are the criteria on which priority evaluation happens in ArcSight? -> Model confidence, relevance, severity, asset criticality.

-> Using which interface do you manage the CORR Engine?

-> What are the types of storage retention in the ArcSight CORRE engine? -> (time based and space based)

-> What is the default retention period in CORRE? -> (30 to 90 days)

-> Many scenario-based questions

Qradar:

-> Event life cycle in QRadar

-> Difference between DSM and UDSM

-> What are the different flow types you see in the Network Activity tab?

-> What information do you see on the Asset tab?

-> If you see some offenses in QRadar which the client has already reported as pen-testing alerts, what do you do?

-> Using which option in QRadar are local and remote IPs differentiated?

-> What are the services running in QRadar?

-> Difference between domain and tenant management

-> Difference between rules and building blocks

-> What are the criteria considered for event/offense magnitude?

-> Why do we see 0.0.0.0 in any events in QRadar? (http://www-01.ibm.com/support/docview.wss?uid=swg21620281)

-> What is a QID? During normalization the DSM maps the QID so that a low-level category and a high-level category are assigned to that event.

-> If you set an offense to pending, do the same events trigger a new offense?

> Why do AQL services get stopped?

> When do we use historical correlation?

> What are the prerequisites for adding any log source?

Which three core functions are provided in a typical SIEM product?

A. The ability to monitor and stop threats

B. The ability to alert on real-time exploits

E. The ability to assist with forensic investigation

> What is meant by multiline syslog?

> What is syslog, TLS syslog, TCP multiline syslog?


> Top 5 use cases (regularly used)

> Top log source troubleshooting scenarios

> How can we manage the retention bucket sequence?

> What are flow retention and event retention buckets?

> Reference set, reference map, reference map of sets, reference map of maps

> scaserver

> Will the event retention change when you do a QRadar upgrade?

> LMS: where does it exist?

> Database integration in QRadar

> Variety of log source integrations and the types of logs from them

> Difference between stored and unknown events

https://www.ibm.com/developerworks/community/forums/html/topic?id=269b4eff-81ad-4ac5-9f2b-cdeab14a2500

> What kind of use cases can you think of after integrating a firewall?

> Diff b/w local rule and global rule

> What is SIM generic?

> What is a CRE event; do we use that anywhere?

> What are severity, credibility and relevance in the QRadar magnitude calculation?

Types of flows:

Standard flow: A single standard flow record.

•Type A Super flow (Network scans): One source to many destination IPs. This is a unidirectional flow, which has the same source but multiple destinations.

•Type B Super flow (DDoS): Multiple sources to a single destination IP. This is a unidirectional flow, which has multiple sources but a single destination.

•Type C Super flow (Port scans): One-to-one source and destination with many ports. This is a one-to-one flow with different source or destination ports.

•Over Flow record: Created when license limits are exceeded. When a QFlow collector hits its flow license limit, it begins creating over flow records. Over flow records have a source IP of 127.0.0.4 and a destination IP of 127.0.0.5 with one flow created per protocol (icmp, udp, tcp, etc). When the license limit is reached, QFlow rolls the rest of the traffic for the protocol within the interval into a single record. All byte and packet counts are totaled up and added to these "overflow records".
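As an added illustration of the three super flow heuristics and the overflow-record convention above (example code written for these notes, not QRadar or QFlow code), the script below flags Type A/B/C patterns in a constructed batch of flow records and totals the bytes QFlow rolled into overflow records. The record layout (src_ip, dst_ip, proto, dst_port, bytes) and the cut-off of 10 distinct peers/ports are assumptions, not QFlow's real limits.

```python
"""Added example: flag Type A (network scan), Type B (DDoS) and Type C (port
scan) super flows in unidirectional flow records, and summarise the synthetic
overflow records (127.0.0.4 -> 127.0.0.5, one per protocol) that mean the
flow license limit was hit. Record layout is assumed, not QFlow's format."""
from collections import defaultdict

OVERFLOW_SRC, OVERFLOW_DST = "127.0.0.4", "127.0.0.5"  # from the notes above
THRESHOLD = 10  # constructed cut-off for "many"; QFlow's real limits are not in the notes


def is_overflow_record(flow):
    """True if the record is QFlow's synthetic 'license exceeded' record."""
    src, dst, _proto, _dport, _nbytes = flow
    return src == OVERFLOW_SRC and dst == OVERFLOW_DST


def classify_superflows(flows, threshold=THRESHOLD):
    """Return {(type, anchor): count}. Anchor is the scanning source (A),
    the targeted destination (B) or the (src, dst) pair being port-scanned (C)."""
    dsts_by_src = defaultdict(set)    # Type A: one source, many destinations
    srcs_by_dst = defaultdict(set)    # Type B: many sources, one destination
    ports_by_pair = defaultdict(set)  # Type C: one pair, many destination ports
    for flow in flows:
        if is_overflow_record(flow):  # synthetic records carry no real peers
            continue
        src, dst, _proto, dport, _nbytes = flow
        dsts_by_src[src].add(dst)
        srcs_by_dst[dst].add(src)
        ports_by_pair[(src, dst)].add(dport)
    found = {}
    found.update({("A", s): len(d) for s, d in dsts_by_src.items() if len(d) >= threshold})
    found.update({("B", d): len(s) for d, s in srcs_by_dst.items() if len(s) >= threshold})
    found.update({("C", p): len(q) for p, q in ports_by_pair.items() if len(q) >= threshold})
    return found


def overflow_bytes_by_proto(flows):
    """Bytes rolled into overflow records per protocol; a non-empty result means
    the collector has been dropping per-flow detail and the license needs review."""
    totals = defaultdict(int)
    for flow in flows:
        if is_overflow_record(flow):
            totals[flow[2]] += flow[4]
    return dict(totals)


# Constructed sample batch (documentation/private address ranges), not captured traffic.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", "tcp", 445, 60) for i in range(1, 13)]        # Type A
    + [(f"203.0.113.{i}", "10.0.0.80", "tcp", 80, 60) for i in range(1, 16)]  # Type B
    + [("10.0.0.9", "10.0.0.22", "tcp", p, 60) for p in range(1, 21)]         # Type C
    + [("10.0.0.7", "10.0.0.8", "tcp", 443, 5000)]                            # standard flow
    + [("127.0.0.4", "127.0.0.5", "tcp", 0, 123456),                          # overflow records
       ("127.0.0.4", "127.0.0.5", "udp", 0, 500)]
)

if __name__ == "__main__":
    for key, n in sorted(classify_superflows(SAMPLE_FLOWS).items(), key=str):
        print(f"Type {key[0]} super flow, anchor {key[1]}: {n}")
    print("overflow bytes per protocol:", overflow_bytes_by_proto(SAMPLE_FLOWS))
```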

> What is the concept of a virtual IP in an HA cluster?

> Damn Vulnerable Web Application (DVWA)

> Diffie-Hellman key exchange

> What is the cyber kill chain (reconnaissance, weaponization, delivery, exploit, installation, command & control, action)?

> What is a brute-force attack?

> What is GRUB?

> What is the difference between a soft SIM clean and a hard SIM clean?

> What is sudo?

> In which layer do DDoS/DoS attacks happen?

> Diff b/w OSI and TCP/IP

> Carbon Black (endpoint security: Defense, Response, Protect)

> df (disk free) -h (human-readable)

> Swap memory: extra memory taken from the HDD when RAM is full and the system needs more memory resources.

> Attacks at each layer

Application attacks - Distributed DoS (DDoS) and spoofing

Presentation attacks - DDoS and spoofing

Session attacks - DDoS and spoofing

Transport attacks - DoS and hijacking

Network attacks - Spoofing of IP & poisoning of ARP

Data Link attacks - Overload of MAC table and port

Physical attacks - Sniffing and severing of backbone

> QID:

> Kill switch

> Domain generation algorithms (DGA)

DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.

DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system. Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.

> Directory traversal attack

> psql command to check the events in an offense for QRadar

> CISSP, CISSP-ISSAP, CISA, CISM, CEH, CHFI, ITILv3F, ISO 27001 LI, CCNA

> Firewalls having different logging levels: (verbose, warn, information, ...)

> SIEM implementation: what all is involved?

> What is the size of a single event for Windows, firewall, etc.?

> Why are Meltdown and Spectre difficult to crack, and what are the practical issues in fixing them?

> netstat -an | grep 111 to check the port status

tcp6 0 0 127.0.0.1:43936 127.0.0.1:32005 ESTABLISHED

[root@baril-rozz-it-qcon1 ~]# netstat -an | grep 32006

tcp 0 0 127.0.0.1:32006 0.0.0.0:* LISTEN
tcp6 0 0 ::1:32006 :::* LISTEN
tcp6 0 0 172.24.41.108:36842 172.24.41.110:32006 TIME_WAIT
tcp6 0 0 127.0.0.1:37246 127.0.0.1:32006 TIME_WAIT

ESTABLISHED: the connection already exists

LISTEN: the port is open and ready to communicate

TIME_WAIT: the port is in an idle state

> How do you confirm and analyze whether an email is compromised or not?

> How do you analyze whether the system got compromised when you opened an attachment?

> Use case: brute-force login attempt

> How do you confirm and analyze if your system is infected with malware?

> How do you analyze a phishing attack?

> How do a WAF, router, switch, proxy, IDS, IPS, email gateway, etc. work?

> How do you confirm whether a SQL injection or XSS attack happened, which logs will you check for confirmation, and what actions will you take?

> What are the top web application attacks (OWASP) and what is the mitigation for each attack?

> How do you confirm a DoS/DDoS attack happened and what action will you take to fix it?

> Likewise:

1) Learn each attack

2) Which logs will you check to confirm the attack

3) How do you mitigate the attack

> Pluralsight

> Anomaly / behavioral / threshold rules

Categories: Application, Authentication, DoS, Exploit, Malware, Policy, Potential Exploit, Suspicious Activity

> Why is there no high-level category in flows?

> How to break the HA; how to rejoin the HA

> System Monitor (Sysmon)

> Syslog stands for System Logging Protocol and is a standard protocol used to send system log or event messages to a specific server, called a syslog server. It is primarily used to collect various device logs from several different machines in a central location for monitoring and review.

> Command to check the Linux version using the CLI: uname -a

Linux basxtsmgtsemv01.xchanginghosting.com 3.10.0-514.21.2.el7.x86_64 #1 SMP Sun May 28 17:08:21 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

> Command to check the Windows version using CMD: winver

> netstat: The netstat command is a Command Prompt command used to display very detailed information about how your computer is communicating with other computers or network devices

netstat -f

> The Forwarded protocol is typically used to forward events to another QRadar® Console. For example, Console A has Console B configured as an off-site target.

> IBM Resilient

> Snare agent instead of WinCollect

> Difference between push and urgent flag

> What protocol do we use for JDBC, SQL?


> How do you integrate DB, McAfee, Cisco, Check Point (what are the ports you use for them)?

> What are the use cases you have created?

> Why do we need multiple consoles, and what is their purpose?

> McAfee ePolicy Orchestrator

protocol - JDBC

database - MSDE (Microsoft SQL Server Data Engine) 1433

- PostgreSQL DB 5432

- Oracle DB what is the

- Sybase DB 5000

- DB2 50000

- Informix DB 9088

> Windows without WinCollect - Microsoft Remote Procedure Call (MSRPC) 135; we will take the username, password and domain name

> Check Point - protocol, port: OPSEC/LEA 18184, TLS syslog 6514; Secure Internal Communication (SIC) files

> Akamai Kona WAF - protocol, port (HTTPS, 12469)

> Amazon AWS CloudTrail - Amazon AWS S3 REST API

> How do you measure risk and threat?

From a risk assessment perspective as per ISO 27001, the risk can be measured quantitatively or qualitatively.

Quantitatively, the risk is measured in terms of money, like a $2000 risk, etc. This is difficult and usually not done.

Qualitatively is the common method: using this you measure risk as Low, Medium and High on a scale from 1 to 10, etc.

a value from 0-3: LOW

4-7: MEDIUM

8-10: HIGH

> Is there a way to know which user created a rule and who edited it?

Look in these events:

Event name: CRE Rule Modified, CRE Rule Added

Log Source: SIM Audit-2 :: hostname

> When we add a log source, which database will be updated, or which location will be updated in the QRadar backend?

> What is the TCP header?

CyberArk, FireEye, Forcepoint,

> How do you find malware on your Windows box (using the command line)? > netstat -ano, net users, tasklist /svc, net localgroup administrators, netstat -an -proto, netstat -s

> How does coalescing work, what are the parameters for coalescing to work, and can we modify those parameters?

> What is cyber kill chain analysis?

> What is ransomware, what are the types of ransomware, and how do we analyze and mitigate them?

> What is the minimum bandwidth and latency required for an HA pair in QRadar?

> What parameters will you check while calculating a license for QRadar?

> Can we keep one device of an HA pair in one location and the other in another geo location? If so, what challenges do we get?

> What parameter will you check to give the log source identifier as hostname / IP address?

> What configuration steps do you do on a firewall, proxy, email gateway, WAF, endpoint device, etc. to send the logs to the SIEM?

> What parameters will we check to confirm whether a website is secure or not?

> How do you confirm or analyze whether your email ID is compromised or not?

> When antivirus software is updating, if any virus attacks the system during that time, will the AV detect the threat or not?

> How does malware tell a normal system from a sandbox, and behave differently in those 2 scenarios?

> What are the standard parameters we will check to confirm SQL injection or XSS was performed (true positive / false positive)?

> False positive or false negative: which one do we need to be more concerned about?

> What protocol is used to collect logs from a Windows device other than WinCollect and syslog?

> How do you collect flows?

> Types of DDoS attack

> What will happen if we select "annotate and drop" in the event options: events will be dropped and not captured in the offense.

> Can we use custom event properties for the offense index?

> Diff between a reference set (set of elements to refer to IPs, MD5s, usernames, IOCs) and a building block

> What is the difference between defining severity, credibility and relevance in rule actions and in rule responses?

> Diff b/w reference set and reference data

> /opt/qradar/support/validate_deployment.sh

> IBM APAR (Authorized Program Analysis Record)

> Command (how) to check the contents of cache memory in Linux

> In which layer does a DDoS attack happen?

> How do you log in to a server as admin using SQL injection?

> What is a honeypot?

Firewall: Palo Alto, Cisco ASA, Juniper, Check Point, Fortinet, Forcepoint

WAF:

Email secure gateway: Cisco Email Security Appliance, Clearswift SECURE Email Gateway, Fortinet FortiMail, McAfee Security for Email Servers, Microsoft Exchange Online Protection, Proofpoint Email Protection, Sophos Email Appliance, Symantec Email Security.cloud, Symantec Messaging Gateway, Trend Micro InterScan Messaging Security

Web gateway: Symantec, iboss, McAfee, F5 Networks, Check Point Software, Zscaler, Cisco, Barracuda, Forcepoint

> Diff b/w host context and host services

> Diff b/w UDSM and LSX

> How can we bypass correlation for a log source which is sending logs to QRadar?

> Diff b/w deploy changes and full deploy changes

> Which component is responsible for providing the system notifications in QRadar?

> Diff b/w UDSM, universal LEEF, universal CEF

> What is the port number for the protocol DRBD (Distributed Replicated Block Device)? 7789

> Parsing enhancement vs. parsing override

> Difference between UDSM and LSX in QRadar


> What is the minimum number of events for coalescing in QRadar?

> How do we calculate EPS in QRadar?

> Privilege escalation attack

> Cross-site request forgery (CSRF) attack

> How can we take a data/config backup using the CLI (using a perl script)?

/opt/qradar/bin/contentManagement.pl

> How can we restore a backup using the CLI?

https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/t_cmt_importing_content.html

> What is flow bias in QRadar?

> ServiceNow app (to create the ticket from the offense)

> Windows Internet Name Server (WINS)

> How would you confirm that a Windows 7 system has been compromised?

> What are examples of tools or logs you might use to collect and analyze evidence?

> When you suspect that an attack against the network has occurred, what information should you collect to prove the theory?

> What is an SSL certificate and how does it work to secure a session?

> What is an IDS system and how does it work?

> What is vulnerability scanning and how does it help to keep an enterprise secure?

> Push vs urgent flag

PSH

TCP buffers data that you send. This means it won't send data immediately and will wait to see if you have more. By setting the PSH flag, and confirming that you have no more data to send, TCP will "push" or send the buffered or collected data onto the wire towards the receiver. On the receiving end, normally, it will also buffer data. But if it sees the PSH flag set, it pushes the data immediately to the application. If a packet leaving the sender has the PSH field set, it only means that the sender has nothing more to send.

URG

If you have pushed data, the receiving end will wait for all of the data first and will see the PSH flag set. Then it forwards the data to the application. This means you have to wait for the receiver to get all of the data before forwarding it and processing a new one. If the URG flag is set, this is like the sender saying "You do not need to wait for all of the data before sending them. Go ahead and prioritize sending urgent data." This causes the receiving TCP to forward the urgent data on a separate channel to the application. This allows the application to process the data out of band.

The urgent pointer is the one that indicates how much of the data in the segment is urgent, counting from the first byte.

> Exploit, vulnerability, payload

> What is banner grabbing: getting the details of the OS

> Enumeration: The process of counting off or listing what services, applications, and protocols are present on each identified computer

> Tell me about recent attacks you have worked on

> What is SQL injection, and how do you identify this attack using QRadar?

> What is the cyber kill chain?

> What correlation rules have you created in QRadar?

> How do you integrate log sources in QRadar?

Example: Linux, Windows, firewalls

> How do you mitigate a log4j attack?

> Did you work on Splunk?

> How do you analyse a phishing email?