Real-Life Cyber Security Scenario-Based Interview Questions

What makes modern EDR solutions like CrowdStrike Falcon or Cisco AMP more effective than traditional antivirus when protecting Windows servers?

Traditional antivirus relies mainly on signature-based detection: it checks whether a file matches a known-bad pattern, so a repacked sample, a brand-new strain, or a fileless attack that never writes a binary to disk slips past it. EDR tools go much deeper. They continuously record endpoint telemetry (process creation and command lines, file and registry changes, network connections, logons) and apply behavioral analytics to it, so they can flag malicious activity in real time even when no signature exists for the file involved.
With EDR:

  • You get a complete process tree (parent, child, command line), showing exactly what happened during an attack – for example a web server process spawning cmd.exe or PowerShell on a server that should never do that.
  • You can remotely isolate an endpoint, kill malicious processes, pull files, or investigate live systems – something AV can’t do. Because the telemetry is stored centrally and searchable, one confirmed indicator can be hunted across every other server in the fleet.

You’ve received an OSINT report on a new ransomware strain. What kind of IOCs should you look for, and how would you mitigate them?

Two typical IOCs (Indicators of Compromise):

  • File hash (e.g., SHA-256) of the ransomware binary
    Mitigation: Block the hash using your EDR or antivirus solution, then search EDR/SIEM history to confirm it has not already executed in your environment. Keep in mind that a hash only matches that exact build; a recompiled or repacked sample gets a new hash, so pair it with behavioral detections.
  • Command & Control (C2) IP address or domain
    Mitigation: Add the domain (including its subdomains) and IP to your firewall or DNS filtering blocklist, then check proxy, DNS and firewall logs for past lookups or connections from internal hosts. Any host that already reached out is a triage candidate, not just a blocked one.
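The blocking and the retro-hunt described above, as an added example that is not part of the original post. The IOC values, log formats and hosts are constructed for illustration (the hash is SHA-256 of the bytes "test", the domain and addresses are reserved documentation ranges); real DNS and firewall logs need the parser for your own source. Note the subdomain-boundary check: "cdn.evil-c2.example" should match, "notevil-c2.example" should not.

```python
import hashlib
import ipaddress
import re

# Constructed IOC set, as you might extract it from an OSINT report.
# The hash is SHA-256 of b"test" so the example can be checked offline;
# the domain and addresses are documentation/reserved ranges, not real C2.
IOC_SHA256 = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
IOC_DOMAINS = {"evil-c2.example"}
IOC_IPS = {"198.51.100.23"}
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def file_hash_matches(data: bytes) -> bool:
    """Exact-hash match: only catches this precise build of the binary."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


def domain_matches(name: str) -> bool:
    """Match the IOC domain and any of its subdomains, but not look-alike
    names that merely end with the same string (notevil-c2.example)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(addr: str) -> bool:
    """Match a single IOC address or any address inside an IOC network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return addr in IOC_IPS or any(ip in net for net in IOC_NETS)


# Constructed, simplified log formats (hypothetical): one DNS query line and one
# firewall connection line per event (IPv4 only).
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")

SAMPLE_LOGS = [
    "2024-05-10T10:00:01Z 10.0.0.5 query cdn.evil-c2.example",
    "2024-05-10T10:00:02Z 10.0.0.5 -> 198.51.100.23:443",
    "2024-05-10T10:00:03Z 10.0.0.6 query www.example.org",
    "2024-05-10T10:00:04Z 10.0.0.6 -> 203.0.113.77:80",
    "2024-05-10T10:00:05Z 10.0.0.7 query notevil-c2.example",
]


def scan_logs(lines):
    """Retro-hunt: return (timestamp, internal host, kind, matched IOC) per hit."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            if domain_matches(m["qname"]):
                hits.append((m["ts"], m["client"], "dns", m["qname"]))
            continue
        m = CONN_RE.match(line)
        if m and ip_matches(m["dst"]):
            hits.append((m["ts"], m["src"], "conn", m["dst"]))
    return hits


def affected_hosts(hits):
    """Internal hosts that touched an IOC: candidates for isolation and triage."""
    return sorted({h[1] for h in hits})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    print("hosts to triage:", affected_hosts(found))
```

Run against the constructed logs this reports three hits and two internal hosts to triage; the look-alike domain on the last line is correctly ignored.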

Why might you deploy a Splunk Heavy Forwarder instead of a Universal Forwarder?

Universal Forwarder (UF): Lightweight agent that collects and forwards raw data. It does no event parsing (beyond structured formats such as JSON/CSV) and cannot run the Python-based modular inputs many add-ons rely on.
Heavy Forwarder (HF): A full Splunk instance that can parse, filter, mask, and route events before they hit your indexers, at the cost of a heavier footprint and larger (already parsed) data on the wire. The default choice is the UF; deploy an HF when:

  • Logs require custom parsing or masking before they leave the source (e.g., redacting card numbers or passwords for compliance).
  • You need to filter or route data (e.g., drop noisy events, or split by source into different indexes or indexer clusters).
  • You’re collecting from sources whose add-ons (TAs) need a full Splunk instance, for example API or database inputs, or high-volume firewall feeds such as Cisco or Palo Alto where you want filtering done before indexing.
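What "parse, mask and route on the HF" looks like in practice, as an added example that is not from the original post: a props.conf/transforms.conf pair for the HF. The sourcetype name cisco:asa, the index name firewall and the choice of ASA message ID to drop are assumptions for illustration.

```ini
# props.conf on the heavy forwarder
[cisco:asa]
# Mask the middle digits of anything shaped like a card number before it leaves the HF
SEDCMD-mask_pan = s/\b(\d{4})[- ]?\d{4}[- ]?\d{4}[- ]?(\d{4})\b/\1-XXXX-XXXX-\2/g
# Apply the transforms below, in order, to every event of this sourcetype
TRANSFORMS-route = drop_teardown_noise, route_to_firewall_index

# transforms.conf on the heavy forwarder
[drop_teardown_noise]
# High-volume "Teardown TCP connection" messages go to the null queue and are never indexed
REGEX = %ASA-6-302014
DEST_KEY = queue
FORMAT = nullQueue

[route_to_firewall_index]
# Everything that survives the filter is written to the "firewall" index
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = firewall
```

The same stanzas placed on a Universal Forwarder do nothing, because the UF does not run the parsing pipeline these settings hook into; that is exactly the case where an HF (or the indexer tier itself) has to do the work.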

A team reports a web shell discovered on a public-facing server. What is it, and what’s your immediate action plan?

A web shell is a script (PHP, ASPX, JSP, etc.) that an attacker has placed under the web root so that ordinary HTTP requests to it run commands, upload files, or browse the filesystem with the web server’s privileges. Think of it as a backdoor disguised as a webpage: it rides over port 80/443, so it blends into normal traffic.
What to do:

  • Isolate the server from the network (pull it from the load balancer, block its outbound traffic), but preserve evidence first: copy the shell, the web server access/error logs and, if possible, a memory image before anything is rebuilt.
  • Hunt for initial access (unpatched web apps, misconfigured uploads) in the access logs: the first request to the shell’s path, the POST that uploaded it, and the source IPs tell you when and how it got there.
  • Check for additional persistence (other web shells, new user accounts, scheduled tasks or cron jobs, new services) and for lateral movement from the server’s service account.
  • Rebuild the host from a known-good image if compromise is confirmed – don’t just delete the script, because you cannot be sure what else the attacker left behind.
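The access-log hunt and the sweep for other shells, as an added example that is not part of the original post. The log lines, web root contents, IPs and paths are all constructed; the shell signatures are a cheap triage list, not a complete scanner.

```python
import re
from collections import Counter

# Apache/nginx combined-style access log line: client, timestamp, request, status, bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed access log (hypothetical hosts and paths, not real data)
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [10/May/2024:08:12:01 +0000] "GET /index.php HTTP/1.1" 200 1204',
    '203.0.113.9 - - [10/May/2024:08:12:40 +0000] "POST /upload.php HTTP/1.1" 200 87',
    '203.0.113.9 - - [10/May/2024:08:13:05 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 51',
    '198.51.100.7 - - [10/May/2024:09:02:17 +0000] "POST /uploads/img.php HTTP/1.1" 200 4410',
    '10.0.0.5 - - [10/May/2024:09:10:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 9001',
]


def shell_activity(lines, shell_path):
    """Who hit the shell, when it was first requested, and the most likely upload request."""
    events = [m for m in (ACCESS_RE.match(line) for line in lines) if m]
    first_idx = next(
        (i for i, e in enumerate(events) if e["path"].split("?")[0] == shell_path), None
    )
    if first_idx is None:
        return None
    first = events[first_idx]
    hits = [e for e in events[first_idx:] if e["path"].split("?")[0] == shell_path]
    # The last POST from the same client before the shell was first used is the
    # prime suspect for the upload that planted it (here: a misconfigured upload form).
    prior_posts = [e for e in events[:first_idx] if e["ip"] == first["ip"] and e["method"] == "POST"]
    return {
        "first_seen": first["ts"],
        "first_ip": first["ip"],
        "requests_by_ip": dict(Counter(e["ip"] for e in hits)),
        "likely_upload": prior_posts[-1]["path"] if prior_posts else None,
    }


# Source-level signatures of common PHP/ASPX/JSP shells; cheap triage, not a full scanner
SHELL_PATTERNS = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),        # obfuscated PHP
    re.compile(r"(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),  # PHP cmd from request
    re.compile(r"Request\s*\[\s*\"?cmd\"?\s*\]", re.I),                                  # classic ASPX shells
    re.compile(r"System\.Diagnostics\.Process|Runtime\.getRuntime\(\)\.exec\(", re.I),   # ASPX / JSP exec
]

# Constructed web root contents: path -> file text (hypothetical)
SAMPLE_WEBROOT = {
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
    "/var/www/html/uploads/img.php": "<?php if(isset($_GET['cmd'])){ echo shell_exec($_GET['cmd']); } ?>",
    "/var/www/html/uploads/logo.png": "\x89PNG\r\n",
}


def find_shell_candidates(webroot):
    """Return paths whose contents match a shell signature: the hunt for *other* shells."""
    return sorted(p for p, text in webroot.items() if any(pat.search(text) for pat in SHELL_PATTERNS))


if __name__ == "__main__":
    print(shell_activity(SAMPLE_ACCESS_LOG, "/uploads/img.php"))
    print(find_shell_candidates(SAMPLE_WEBROOT))
```

On the constructed log the shell was first used at 08:13:05 by 203.0.113.9, the POST to /upload.php forty seconds earlier is the likely planting request, and a second IP later used the shell as well, so both addresses belong in the timeline.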

An account tied to the compromised server is failing logins across multiple machines. Suspect lateral movement? How do you verify it in Splunk?

Use a Splunk search like this to see where the account is authenticating, from where, and by which logon type (field names are those of the Splunk Add-on for Microsoft Windows):

index=wineventlog (EventCode=4624 OR EventCode=4625) Account_Name="suspicious_account"
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen
    by ComputerName, EventCode, Logon_Type, Source_Network_Address
| sort -count

Then:
  • Look for a pattern: many failed logins (4625) across hosts the account has never logged on to, with Logon_Type 3 (network, e.g., SMB/WMI/PsExec) or 10 (RDP), all coming from one Source_Network_Address, typically the compromised server.
  • Correlate with EDR telemetry on that source host (e.g., credential-dumping tools launched, net.exe or PsExec usage, network scans) and check 4648 (logon with explicit credentials) and 4776 (NTLM authentication) events for the same account.
  • Use historical data to see if this behavior is new or expected: baseline which hosts the account normally touches over the previous 30 days before calling it lateral movement.
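The same pattern check implemented over raw events, as an added example that is not part of the original post: it generalizes the search above to any account, keeps only the logon types used for lateral movement, and compares the hosts seen against a baseline of the account’s normal hosts. The events, host names, addresses and the baseline are constructed; field names follow the Splunk Add-on for Microsoft Windows.

```python
from collections import defaultdict

# Constructed Windows Security events (fields named as the Splunk Add-on for
# Microsoft Windows extracts them); not real data.
SAMPLE_EVENTS = [
    # jdoe RDPs to the workstation she always uses: expected behaviour
    {"_time": "2024-05-10T09:00:00", "EventCode": 4624, "Account_Name": "jdoe",
     "ComputerName": "WKS07", "Logon_Type": 10, "Source_Network_Address": "10.0.5.21"},
    # svc_web, tied to the compromised web server WEB01 (10.0.0.50), suddenly
    # fails network logons against hosts it has never touched, then gets one in
    {"_time": "2024-05-10T09:01:10", "EventCode": 4625, "Account_Name": "svc_web",
     "ComputerName": "FS01", "Logon_Type": 3, "Source_Network_Address": "10.0.0.50"},
    {"_time": "2024-05-10T09:01:11", "EventCode": 4625, "Account_Name": "svc_web",
     "ComputerName": "FS02", "Logon_Type": 3, "Source_Network_Address": "10.0.0.50"},
    {"_time": "2024-05-10T09:01:12", "EventCode": 4625, "Account_Name": "svc_web",
     "ComputerName": "DC01", "Logon_Type": 3, "Source_Network_Address": "10.0.0.50"},
    {"_time": "2024-05-10T09:01:13", "EventCode": 4624, "Account_Name": "svc_web",
     "ComputerName": "FS02", "Logon_Type": 3, "Source_Network_Address": "10.0.0.50"},
    # svc_web's normal interactive logon on its own host: in the baseline, type 2
    {"_time": "2024-05-10T09:05:00", "EventCode": 4624, "Account_Name": "svc_web",
     "ComputerName": "WEB01", "Logon_Type": 2, "Source_Network_Address": "-"},
]

# Hosts each account authenticated to over the previous 30 days (constructed baseline)
BASELINE = {"jdoe": {"WKS07"}, "svc_web": {"WEB01"}}

# 3 = network (SMB/WMI/PsExec), 10 = RemoteInteractive (RDP): the types lateral movement uses
LATERAL_LOGON_TYPES = {3, 10}


def detect_lateral_movement(events, baseline, min_new_hosts=3):
    """Flag accounts that attempt remote logons to >= min_new_hosts hosts outside their baseline."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["Logon_Type"] in LATERAL_LOGON_TYPES:
            by_account[ev["Account_Name"]].append(ev)

    findings = []
    for account, evs in by_account.items():
        known = baseline.get(account, set())
        new_hosts = sorted({e["ComputerName"] for e in evs if e["ComputerName"] not in known})
        if len(new_hosts) < min_new_hosts:
            continue
        findings.append({
            "account": account,
            "new_hosts": new_hosts,
            "failed_logons": sum(1 for e in evs if e["EventCode"] == 4625),
            # A success on a never-before-seen host means the attacker got in somewhere
            "succeeded_on_new_hosts": sorted(
                {e["ComputerName"] for e in evs
                 if e["EventCode"] == 4624 and e["ComputerName"] not in known}
            ),
            "sources": sorted({e["Source_Network_Address"] for e in evs}),
            "first_seen": min(e["_time"] for e in evs),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_lateral_movement(SAMPLE_EVENTS, BASELINE):
        print(finding)
```

The constructed data yields one finding: svc_web, three failures plus one success on hosts outside its baseline, all from 10.0.0.50. The jdoe RDP logon is ignored because the host is in her baseline, which is the "is this new or expected" step done in code.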

What key steps should be part of your ransomware response plan, and how do you ensure you’re ready?

Phases of a Ransomware Response Playbook:

  1. Preparation – Regular backups that are offline or immutable, restores actually tested, a contact list (IR retainer, legal, insurer, law enforcement), and a tabletop exercise run against this playbook so people know their roles before the day it happens.
  2. Detection – Alerts via EDR/SIEM, mass file renames or new extensions and ransom notes appearing on shares, shadow copy deletion (vssadmin, wmic) and backup services being stopped, or CPU/disk spikes from bulk encryption.
  3. Containment – Isolate infected hosts, disable the accounts involved, and cut access to shared drives and backup systems before the encryption spreads.
  4. Eradication – Remove the malware and the persistence it installed, patch the entry point, and reset credentials, including privileged accounts the attacker could have captured.
  5. Recovery – Restore from clean backups onto rebuilt hosts, verify the restored data, and monitor closely post-incident for reinfection.
  6. Post-Incident Review – Root cause analysis, update detection rules, train staff.
