Cybersecurity Analyst Interview Prep Guide

Follow the NIST incident response lifecycle systematically: (1) Identification: analyze the alert in your SIEM, correlate with endpoint detection (CrowdStrike/Carbon Black), check for indicators of compromise (IOCs) like unusual process execution or lateral movement. (2) Containment: isolate the affected server from the network (short-term), preserve forensic evidence (memory dump, disk image), block identified C2 domains at the firewall. (3) Eradication: identify the attack vector (compromised credentials, unpatched vulnerability), remove persistence mechanisms. (4) Recovery: restore from clean backups, patch the vulnerability, monitor closely. (5) Lessons learned: timeline documentation, regulatory notification requirements (GDPR 72-hour rule, state breach notification laws), and detection rule improvements.

Start with the SIEM alert: identify source IP, destination IP, port, protocol, data volume, and time pattern. In Splunk/QRadar: query for all connections from the source host in the past 30 days to establish baseline. Check for DNS tunneling (unusually long DNS queries), beaconing patterns (regular interval connections), or large file transfers to unknown external IPs. Correlate with endpoint data: check process execution logs, file access logs, and user authentication events. Cross-reference destination IPs against threat intelligence feeds. Document your findings in a timeline and escalate based on severity assessment.

MITRE ATT&CK is a knowledge base mapping adversary tactics (the "why"), techniques (the "how"), and procedures (specific implementations) across the attack lifecycle: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Command & Control. For coverage assessment: map your existing detection rules and SIEM use cases to ATT&CK techniques, identify gaps (techniques with no detection), prioritize based on threat intelligence (which techniques are used by adversaries targeting your industry), and build detection engineering roadmap. Mention tools like ATT&CK Navigator for visualization.

Structured response: (1) Isolate: quarantine the email, do not click or open attachments. (2) Scope: search email logs for other recipients of the same sender/subject/attachment hash. (3) Analyze: submit attachment to sandbox (Any.run, Joe Sandbox) for dynamic analysis, check URL reputation, extract IOCs (hashes, domains, IPs). (4) Contain: block sender domain/IP at email gateway, block IOCs at firewall/proxy, check if any user clicked the link or opened the attachment. (5) Remediate: if compromised accounts found, force password reset, check for persistence, review recent file access and email forwarding rules. (6) Communicate: notify affected users, send awareness reminder to the organization. (7) Document and update detection rules to catch similar phishing in the future.

Layer your security: (1) Identity: IAM least-privilege roles, service accounts with scoped permissions, MFA for human access, OIDC for service-to-service. (2) Network: VPC isolation, security groups as allowlists, network policies in Kubernetes to restrict pod-to-pod communication, private endpoints for AWS services. (3) Container security: scan images for vulnerabilities (Triton, Snyk), use minimal base images, never run as root, enforce read-only file systems. (4) Secrets: AWS Secrets Manager or HashiCorp Vault, never in environment variables or code. (5) Data: encryption at rest (KMS) and in transit (TLS), classify data sensitivity. (6) Monitoring: CloudTrail for API audit, GuardDuty for threat detection, Falco for container runtime monitoring. (7) Shared responsibility model: AWS secures the infrastructure, you secure your workloads.

Symmetric encryption uses one shared key (AES-256) and is fast for bulk data. Asymmetric uses a key pair (RSA, ECDSA) and is slower but solves the key distribution problem. In TLS: the client and server use asymmetric encryption during the handshake to securely exchange a symmetric session key, then switch to symmetric encryption for the actual data transfer (for performance). Discuss: why AES-256-GCM is preferred for symmetric (authenticated encryption), why ECDSA is replacing RSA (smaller keys, same security), and what forward secrecy means (Diffie-Hellman ephemeral keys so compromising long-term keys cannot decrypt past sessions).

Use STAR format with security-specific depth. Describe: the detection method (was it your monitoring, a scan, or manual review?), your initial assessment (severity, blast radius, affected systems), the containment actions you took, the root cause analysis, the remediation steps, and the post-incident improvements (new detection rules, process changes, training). Quantify impact: "affected 12,000 user records" or "reduced mean time to detect similar threats from 4 hours to 15 minutes." Show you follow responsible disclosure practices and regulatory requirements.

IDS (Intrusion Detection System) monitors and alerts on suspicious activity but does not block traffic: lower risk of disrupting legitimate traffic, but threats are not stopped automatically. IPS (Intrusion Prevention System) actively blocks detected threats inline: stops attacks in real-time but risks false positives disrupting legitimate business traffic. In practice: use IPS at the network perimeter for known attack signatures, use IDS in monitoring mode initially when deploying new rules to tune and reduce false positives before switching to blocking mode. Discuss the importance of tuning rules to reduce false positives, which is a daily SOC task and a key interview topic.