Cybersecurity Interview Questions & Structured Answers
1. What is the Cyber Kill Chain?
The Cyber Kill Chain is a framework developed by Lockheed Martin to identify the stages of a cyber
attack. It helps in understanding and disrupting adversary behavior.
Stages:
1. Reconnaissance – Gathering information about the target.
2. Weaponization – Creating malicious payloads.
3. Delivery – Transmitting the payload to the target.
4. Exploitation – Triggering the payload to exploit a vulnerability.
5. Installation – Installing malware on the target system.
6. Command & Control (C2) – Establishing remote control.
7. Actions on Objectives – Performing the attacker's goal (e.g., data exfiltration).
2. How can you classify roles in Cybersecurity?
Cybersecurity roles can be broadly classified into:
• Governance, Risk & Compliance (GRC) – Policy, compliance audits.
• Security Operations (SOC) – Monitoring, incident response.
• Threat Intelligence – Tracking APTs, TTPs.
• Penetration Testing & Red Teaming – Offensive testing.
• Application Security – Secure coding, DevSecOps.
• Cloud Security – Securing cloud services and infrastructure.
• Digital Forensics & Incident Response (DFIR) – Post-breach investigation.
3. What is the CIA Triad?
The CIA Triad is a foundational model in cybersecurity:
• Confidentiality – Ensuring only authorized access to data.
• Integrity – Ensuring data accuracy and consistency.
• Availability – Ensuring systems and data are accessible when needed.
4. Difference between Symmetric and Asymmetric Cryptography:
• Symmetric Cryptography: Uses the same key for encryption and decryption.
o Faster.
o Example: AES, DES.
• Asymmetric Cryptography: Uses public/private key pairs.
o More secure for key exchange.
o Example: RSA, ECC.
5. What are Ports in Computers? How many ports does a computer have?
Ports are logical endpoints for network communication.
• Range: 0 to 65535 (65,536 ports per transport protocol; TCP and UDP each have their own range)
o 0–1023: Well-known ports (e.g., 80 for HTTP)
o 1024–49151: Registered ports
o 49152–65535: Dynamic/private ports
6. Why is deleted data not truly gone when you delete it?
Deleting a file typically removes its pointer from the file system, but the actual data remains on disk
until overwritten. Data recovery tools can retrieve it.
7. Encryption vs Encoding vs Hashing:
• Encryption: Secure conversion using keys (reversible with key).
• Encoding: Format conversion for transmission (e.g., Base64).
• Hashing: One-way conversion to fixed-length digest (e.g., SHA-256).
8. What is Salting (in Hashing)?
Salting adds a random value to passwords before hashing to prevent rainbow table attacks and
improve security of stored hashes.
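The following Python example is added here to illustrate Q7 and Q8 together; it is not part of the original question set. It contrasts Base64 encoding (reversible by anyone), SHA-256 hashing (one-way and deterministic) and salted password hashing with PBKDF2-HMAC-SHA256, where a fresh random salt makes two hashes of the same password differ, defeating precomputed rainbow tables. Encryption is left out only because the Python standard library has no AES; the password constant and the record format (algorithm$iterations$salt$digest) are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration (not from the original page).
PASSWORD = "correct horse battery staple"


def encode_b64(data: bytes) -> str:
    """Encoding: format conversion only, reversible without any key."""
    return base64.b64encode(data).decode("ascii")


def decode_b64(text: str) -> bytes:
    return base64.b64decode(text)


def sha256_hex(data: bytes) -> str:
    """Hashing: one-way, fixed-length, and deterministic (same input -> same digest)."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256).

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
    (record layout is an assumption of this demo, not a standard format).
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Summarise the three behaviours so they can be compared side by side."""
    rec1 = hash_password(PASSWORD)
    rec2 = hash_password(PASSWORD)
    return {
        "encoded": encode_b64(b"secret"),
        "decoded_ok": decode_b64(encode_b64(b"secret")) == b"secret",
        "sha256_deterministic": sha256_hex(b"secret") == sha256_hex(b"secret"),
        "salted_hashes_differ": rec1 != rec2,   # same password, different salts
        "verify_ok": verify_password(PASSWORD, rec1) and verify_password(PASSWORD, rec2),
        "verify_wrong": verify_password("wrong password", rec1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The iteration count is what makes offline guessing slow; the salt is what stops one precomputed table from covering every user. In a real system, prefer a memory-hard scheme such as Argon2 or scrypt where a library is available.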
9. Encrypt and Compress or Compress then Encrypt?
Compress then Encrypt is preferred:
• Compression finds patterns, but encryption randomizes data.
• If you encrypt first, compression becomes ineffective.
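Added example (not from the original page) showing why the order matters. The plaintext is a constructed, highly repetitive HTTP request repeated 50 times; the "encryption" is a one-time pad built from os.urandom, chosen only because it needs no third-party library (use AES-GCM from a proper library in real code). Both orders are measured with zlib so the size difference is visible.

```python
import os
import zlib

# Constructed sample plaintext: a repetitive HTTP request, repeated 50 times.
SAMPLE_TEXT = (
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc123\r\n\r\n"
) * 50


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """One-time-pad style XOR; key must be as long as data and never reused."""
    assert len(key) >= len(data)
    return bytes(a ^ b for a, b in zip(data, key))


def compress_then_encrypt(plaintext: bytes):
    """Recommended order: compression sees the patterns, then the result is encrypted."""
    compressed = zlib.compress(plaintext, 9)
    key = os.urandom(len(compressed))
    return xor_bytes(compressed, key), key


def encrypt_then_compress(plaintext: bytes):
    """Wrong order: ciphertext looks random, so the compressor has nothing to work with."""
    key = os.urandom(len(plaintext))
    ciphertext = xor_bytes(plaintext, key)
    return zlib.compress(ciphertext, 9), key


def decrypt_and_decompress(ciphertext: bytes, key: bytes) -> bytes:
    """Reverse compress_then_encrypt: decrypt first, then inflate."""
    return zlib.decompress(xor_bytes(ciphertext, key))


def size_comparison(plaintext: bytes) -> dict:
    """Byte counts for the original and for each ordering."""
    ct_good, _ = compress_then_encrypt(plaintext)
    ct_bad, _ = encrypt_then_compress(plaintext)
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(ct_good),
        "encrypt_then_compress": len(ct_bad),  # slightly larger than plaintext: zlib falls back to stored blocks
    }


if __name__ == "__main__":
    print(size_comparison(SAMPLE_TEXT))
```

One caveat a practitioner should keep in mind: when data is compressed before encryption, the ciphertext length still depends on how compressible the plaintext was, and that length can leak information if an attacker can influence part of the plaintext (the reason TLS-level compression was disabled).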
10. Difference between Deep Web and Dark Web:
• Deep Web: Parts of the internet not indexed by search engines (e.g., academic databases).
• Dark Web: Content hosted on overlay networks that can only be reached with special software
(e.g., Tor), often associated with illegal activities.
11. What is MITRE ATT&CK?
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world
observations. It helps with:
• Threat modeling
• Detection & response
• Red/Blue Teaming
12. Vulnerability vs Exploit:
• Vulnerability: A weakness in a system.
• Exploit: Code or method used to take advantage of a vulnerability.
13. Vulnerability, Threat, and Risk:
• Vulnerability: Weakness (e.g., unpatched software)
• Threat: Potential attacker or cause of harm
• Risk: Likelihood + impact of a threat exploiting a vulnerability
14. Difference between VA and PT:
• Vulnerability Assessment (VA): Identifying known vulnerabilities.
• Penetration Testing (PT): Simulating real attacks to exploit vulnerabilities.
15. Difference between Events, Alerts, and Incidents:
• Event: Any observable activity (e.g., login attempt)
• Alert: Event flagged as suspicious
• Incident: Confirmed malicious activity
16. What are APT Groups?
Advanced Persistent Threats (APTs) are stealthy, state-sponsored threat actors with sophisticated
tools and long-term goals.
17. Any Experience with Ticketing Tools?
Yes, tools like:
• ServiceNow – ITSM & Incident Management
• JIRA – Security issue tracking
• RTIR/OTRS – Incident Response Management
18. What is traceroute and how do you use it?
Traceroute is a network diagnostic tool used to track the path packets take to reach a destination.
• Usage:
o traceroute example.com (Linux/macOS)
o tracert example.com (Windows)
• Helps identify network bottlenecks and hops.
19. What is SSH? On what port does SSH work?
• SSH (Secure Shell): Protocol for secure remote login and command execution.
• Default port: 22 (TCP).
20. Can you do SSH from Windows?
Yes. Windows 10+ includes a built-in OpenSSH client (the ssh command, run from PowerShell or cmd), or a third-party tool such as PuTTY can be used.
21. Why is DNS Monitoring Important? What information can it reveal?
• Reveals suspicious domain queries, command and control (C2) communications, and data
exfiltration.
• Helps detect malware, phishing, and DNS tunneling.
22. DNS Communication Happens on which port?
• Port 53
• Uses UDP for normal queries and TCP for large transfers or zone transfers.
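Added example (not from the original page) of the kind of DNS monitoring Q21 describes: a small analyser that reads query logs and flags base domains that receive many unique subdomains or long, high-entropy labels, two common signs of DNS tunneling. The log lines are constructed sample data under the reserved example.com and example.org names; the thresholds and the "last two labels" definition of a base domain are simplifying assumptions (real code should use the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed DNS query log, one "timestamp client qtype qname" record per line. Not real data.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.12 A www.example.com
2024-05-01T09:00:02Z 10.0.0.12 A mail.example.com
2024-05-01T09:00:03Z 10.0.0.12 AAAA www.example.com
2024-05-01T09:00:04Z 10.0.0.44 TXT 3a9f1c0e7b2d4f6a8c1e.t.example.org
2024-05-01T09:00:05Z 10.0.0.44 TXT 9b1e4d7a2c5f8e0b3d6a.t.example.org
2024-05-01T09:00:06Z 10.0.0.44 TXT e7c2a5d8f1b4c7e0a3d6.t.example.org
2024-05-01T09:00:07Z 10.0.0.44 TXT 4f8a1d3c6e9b2f5a8c1d.t.example.org
2024-05-01T09:00:08Z 10.0.0.44 TXT c1d4e7a0b3f6c9d2e5a8.t.example.org
2024-05-01T09:00:09Z 10.0.0.44 TXT 7a0d3f6b9c2e5a8d1f4b.t.example.org
"""


def parse_dns_log(text: str) -> list:
    """Split each non-empty line into a record dict; names are normalised to lowercase."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted payload labels score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Assumption: the registrable domain is the last two labels (no Public Suffix List here)."""
    return ".".join(qname.split(".")[-2:])


def find_suspicious_domains(records, min_unique=5, min_label_len=16, min_entropy=3.0) -> dict:
    """Return {base_domain: [reasons]} for domains showing tunneling-like query patterns."""
    subdomains = defaultdict(set)   # base domain -> distinct prefixes seen
    odd_labels = defaultdict(int)   # base domain -> count of long, high-entropy labels
    for r in records:
        base = base_domain(r["qname"])
        prefix = r["qname"][: -len(base) - 1] if r["qname"] != base else ""
        if not prefix:
            continue
        subdomains[base].add(prefix)
        for label in prefix.split("."):
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                odd_labels[base] += 1
    findings = {}
    for base in set(subdomains) | set(odd_labels):
        reasons = []
        if len(subdomains[base]) >= min_unique:
            reasons.append(f"{len(subdomains[base])} unique subdomains")
        if odd_labels[base]:
            reasons.append(f"{odd_labels[base]} long high-entropy labels")
        if reasons:
            findings[base] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in find_suspicious_domains(parse_dns_log(SAMPLE_LOG)).items():
        print(domain, "->", "; ".join(reasons))
```

On the sample data only example.org is reported: its prefixes are all distinct and each carries a 20-character hexadecimal label, whereas example.com sees only ordinary hostnames. In production the same two counters are usually computed per client and per time window so that a CDN with many legitimate subdomains does not drown the signal.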
23. What is VPN?
• VPN (Virtual Private Network) encrypts internet traffic between user and server.
• Hides IP, secures data, used for remote access.
24. What is a Proxy?
• A proxy server acts as an intermediary between client and server.
• Used for content filtering, anonymity, caching, access control.
25. Difference between VPN and Proxy?
Feature      VPN            Proxy
Encryption   Yes            No (usually)
Scope        System-wide    App-specific
Speed        Slower         Faster
Use          Security       Anonymity & bypassing filters
26. What is Forward Proxy and Reverse Proxy?
• Forward Proxy: Sits between client and internet.
• Reverse Proxy: Sits between internet and internal servers (e.g., load balancer, WAF).
27. What is a Load Balancer?
Distributes incoming network traffic across multiple servers to ensure reliability and performance.
28. What is CDN?
CDN (Content Delivery Network): A network of servers that deliver content based on geographic
location to improve load speed and availability.
29. Explain Man-in-the-Middle (MITM) Attack:
An attacker intercepts communication between two parties to eavesdrop or alter data.
• Common methods: ARP spoofing, DNS spoofing, rogue Wi-Fi.
30. Does HTTPS/SSL protect from MITM?
Yes, it encrypts communication between client and server and authenticates the server's
certificate, making MITM attacks difficult unless certificate validation is bypassed or a
certificate/CA is compromised.
31. What is the difference between IDS and IPS?
• IDS (Intrusion Detection System): Monitors network or system for malicious activity and
generates alerts.
• IPS (Intrusion Prevention System): Monitors and actively blocks or prevents detected
threats.
32. What is ARP Spoofing and how to prevent it?
ARP spoofing is an attack where a malicious actor sends falsified ARP messages to a network to
associate their MAC address with the IP of another device.
Prevention:
• Use static ARP entries
• Enable port security on switches
• Use DHCP snooping and dynamic ARP inspection
33. What is a Firewall? Types of Firewalls?
A firewall controls incoming and outgoing traffic based on predefined rules.
Types:
• Packet-Filtering Firewall
• Stateful Inspection Firewall
• Proxy Firewall
• Next-Generation Firewall (NGFW)
34. What is Port Scanning?
Port scanning is a technique used to identify open ports and services on a target machine. Common
tools: Nmap, Masscan.
Used by attackers for reconnaissance; defenders use it for vulnerability management.
35. What is SIEM? Name a few SIEM tools.
SIEM (Security Information and Event Management) aggregates and analyzes logs to detect threats.
Popular tools:
• Splunk
• IBM QRadar
• ArcSight
• LogRhythm
• Microsoft Sentinel
36. What is Incident Response (IR)? What are its phases?
Incident Response (IR) is the structured process of managing and mitigating the impact of security
incidents.
Phases (NIST SP 800-61):
1. Preparation – Establish IR policies, tools, training.
2. Identification – Detect and confirm incidents.
3. Containment – Limit spread and impact.
4. Eradication – Remove root cause and artifacts.
5. Recovery – Restore systems to normal.
6. Lessons Learned – Post-incident analysis for improvement.
37. What’s the difference between Containment, Eradication, and Recovery?
• Containment: Isolate the threat to prevent further damage.
• Eradication: Remove the threat completely (e.g., malware removal).
• Recovery: Restore systems and resume normal operations with monitoring.
38. What is Lateral Movement and how do you detect it?
Lateral Movement is when an attacker moves within a network to access additional systems after
initial compromise.
Detection:
• Log correlation (SIEM)
• Abnormal account activity (e.g., unusual login patterns)
• Use of remote execution tools (e.g., PsExec, WMI)
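Added example (not from the original page) of the SIEM-style correlation listed under Detection: an account that authenticates to many distinct hosts within a short window is a classic lateral-movement signal. The input is a constructed sample of successful network logons (the fields mirror what a Windows 4624 event with logon type 3 carries: time, account, source host, destination host); the window and host-count thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons: "timestamp account source_host destination_host".
# Not real data; hostnames and accounts are invented.
SAMPLE_LOGONS = """\
2024-05-01T10:00:05Z svc_backup SRV-BACKUP FS-01
2024-05-01T10:00:09Z svc_backup SRV-BACKUP FS-02
2024-05-01T10:03:10Z jdoe WS-017 FS-01
2024-05-01T10:04:15Z jdoe WS-017 FS-02
2024-05-01T10:04:40Z jdoe WS-017 WS-022
2024-05-01T10:05:02Z jdoe WS-017 WS-031
2024-05-01T10:05:30Z jdoe WS-017 DC-01
2024-05-01T10:06:11Z jdoe WS-017 SQL-01
2024-05-01T11:30:00Z asmith WS-004 FS-01
"""


def parse_logons(text: str) -> list:
    """Turn each line into a dict with a parsed datetime so events can be ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "src": src, "dst": dst,
        })
    return events


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=5) -> dict:
    """Flag accounts that reach >= min_hosts distinct destinations inside any sliding window.

    Returns {account: {"first_seen": datetime, "hosts": [sorted host names]}}.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # All logons by this account from 'start' until the window closes.
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings[account] = {"first_seen": start["ts"], "hosts": sorted(hosts)}
                break  # one finding per account is enough for an alert
    return findings


if __name__ == "__main__":
    for account, info in detect_fanout(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account}: {len(info['hosts'])} hosts from {info['first_seen']}: {info['hosts']}")
```

Only jdoe trips the rule on the sample data (six hosts in three minutes), while the backup service account, which legitimately touches two file servers, stays below the threshold. Tuning is per environment: service accounts and vulnerability scanners need either a higher threshold or an allow-list, otherwise the rule is noisy.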
39. How do you handle a ransomware incident?
1. Identify signs (files encrypted, ransom note).
2. Isolate affected systems (network disconnection).
3. Preserve forensic evidence (memory, logs).
4. Do not pay ransom (discouraged by law enforcement).
5. Restore from clean backups.
6. Report to authorities.
7. Conduct post-incident review.
40. What is a Memory Dump and why is it useful in IR?
A memory dump is a snapshot of RAM contents. It helps:
• Analyze running processes
• Detect fileless malware
• Extract credentials or indicators
Tools: FTK Imager, Volatility, DumpIt.
41. What are Indicators of Compromise (IOCs)?
IOCs are artifacts indicating a breach or malicious activity.
Examples:
• Malicious IPs/domains
• File hashes (MD5/SHA256)
• Registry changes
• Unusual outbound traffic
42. What is Threat Hunting?
Threat hunting is a proactive approach to detect threats that evade traditional defenses.
Types:
• Hypothesis-driven (based on intel)
• Data-driven (based on logs)
• Entity-driven (based on users/endpoints)
43. What is Fileless Malware? How do you detect it?
Fileless malware operates in memory, avoiding disk-based detection.
Detection:
• Monitor memory and script execution
• Behavioral analysis
• Endpoint Detection & Response (EDR) tools
44. What’s the difference between IOC and IOA (Indicator of Attack)?
• IOC: Evidence of compromise after the fact.
• IOA: Behavioral indicators showing an attack in progress.
Example:
• IOC: MD5 of a known malicious EXE.
• IOA: PowerShell spawned by Microsoft Word (winword.exe), an abnormal parent/child relationship.
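Added example (not from the original page) that turns the two indicator types above into detection logic over process-creation events: an IOC rule matches a file hash against a known-bad list, while an IOA rule looks at behaviour (an Office application launching a script host) regardless of which binary is involved. The hash list and the three events are constructed sample data; the event field names are assumptions for the demo rather than any vendor's schema.

```python
# Constructed known-bad hash list (placeholder value, not a real IOC).
KNOWN_BAD_MD5 = {"0123456789abcdef0123456789abcdef"}

# Behavioural rule: Office applications do not normally launch script interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (fields modelled loosely on Sysmon Event ID 1 / Windows 4688).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "md5": "f1e2d3c4b5a6978877665544332211ff"},          # benign hash, suspicious parent
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "md5": "0123456789ABCDEF0123456789ABCDEF"},          # known-bad hash, ordinary parent
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "md5": "a0b1c2d3e4f5061728394a5b6c7d8e9f"},          # nothing of interest
]


def basename(path: str) -> str:
    """Lowercased file name, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return a list of (kind, reason) findings; kind is 'IOC' or 'IOA'."""
    findings = []
    if event["md5"].lower() in KNOWN_BAD_MD5:
        findings.append(("IOC", f"md5 {event['md5'].lower()} is on the known-bad list"))
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append(("IOA", f"{parent} spawned {child}"))
    return findings


def scan(events) -> dict:
    """Map event index -> list of finding kinds, for a quick overview of a batch."""
    return {i: [kind for kind, _ in classify(e)] for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        for kind, reason in classify(e):
            print(f"event {i}: {kind}: {reason}")
```

The first event is caught only by the behavioural rule, the second only by the hash match: an attacker can change a binary's hash trivially, which is why IOA-style rules keep working after the IOC has gone stale, and why the two are used together rather than as alternatives.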
45. What are the common log sources in a SOC environment?
• Firewall Logs – Traffic filtering and rules
• Endpoint Logs – AV, EDR, local activity
• Windows Event Logs – Logins, system events
• Network Logs – IDS/IPS, NetFlow
• Application Logs – Web servers, databases
• Authentication Logs – AD/LDAP