Interview question answers

The document provides an in-depth overview of adversaries in cybersecurity, detailing their types, tactics, and methods for analyzing and defending against them. It emphasizes the importance of Custom Intelligence Indicators (CII) for detecting tailored threats and outlines the steps for creating, validating, and managing these indicators. Additionally, it discusses the challenges associated with CIIs and strategies to keep them updated for effective threat detection.

Uploaded by nagarjuna
Copyright © All Rights Reserved

CYBERSECURITY INTERVIEW QUESTIONS ON EDR

Vaishali Shishodia, CYBERSECURITY ANALYST

1. What is an adversary in the context of cybersecurity?

Q: Can you explain what an adversary is in the context of cybersecurity?

A: In cybersecurity, an adversary is any person, group, or organization that attempts to compromise, damage, or gain unauthorized access to an organization's systems, networks, or data. Adversaries include cybercriminals, hacktivists, state-sponsored groups, and malicious insiders. Their motives range from financial gain to espionage and disruption, but all of them exploit weaknesses in technology, processes, or people to reach their objective.

2. Types of Adversaries

Q: What are the different types of adversaries in cybersecurity?

A: Adversaries in cybersecurity can be categorized into several types based on their motives and
tactics:

1. Cybercriminals – Individuals or groups motivated by financial gain, engaging in activities such as stealing payment card data, deploying ransomware, or committing identity theft.

2. Hacktivists – Individuals or groups who attack systems to promote political or social causes,
often defacing websites or disrupting services to make a statement.

3. State-Sponsored Actors – Nation-state groups that conduct cyberattacks for espionage, intelligence gathering, or to disrupt the critical infrastructure of other countries.

4. Insiders – Employees or contractors who use their access to systems for malicious purposes,
either for personal gain or to cause harm to the organization.

5. Advanced Persistent Threats (APTs) – Well-organized, persistent groups, often backed by a nation-state or large organization, that use sophisticated tactics to infiltrate systems, steal data, and maintain long-term access.

3. Adversary Tactics, Techniques, and Procedures (TTPs)

Q: What do TTPs stand for in the context of adversary behavior, and why are they important?

A: TTPs stand for Tactics, Techniques, and Procedures: the behavioral description of how an adversary operates. Understanding TTPs is crucial for cybersecurity teams because, unlike atomic indicators such as IP addresses or file hashes, behavior is expensive for an adversary to change, so detections built on TTPs keep working after the adversary swaps infrastructure or tooling.

• Tactics are the adversary's goals at each stage of an intrusion (e.g., initial access, credential access, exfiltration, impact).

• Techniques are the methods used to achieve a tactic (e.g., phishing for initial access, OS credential dumping for credential access).

• Procedures are the specific implementation of a technique by a particular adversary or tool (e.g., the exact command line, loader, or script observed in an incident).

MITRE ATT&CK is the common taxonomy for all three and is what analysts use to name them consistently.

4. Adversary Behavior Analysis

Q: How would you analyze adversary behavior during a security incident?

A: To analyze adversary behavior during a security incident, I would:

1. Collect and analyze logs from various systems, such as firewalls, servers, and endpoints, to
identify unusual or malicious activity.

2. Look for indicators of compromise (IOCs), such as IP addresses, domains, file hashes, or
suspicious file names that could be linked to the attack.

3. Map the attack to the MITRE ATT&CK framework to categorize the adversary's tactics, techniques,
and procedures in a shared vocabulary.

4. Identify the attack’s progression by tracing the steps taken by the adversary, from initial
access to the final objective (e.g., data exfiltration).

5. Consult threat intelligence (the internal team and external sources) to determine whether the
adversary is known and whether they have associated patterns or past incidents.

5. Identifying and Defending Against Adversaries

Q: How would you defend against a known adversary group targeting your organization?

A: Defending against a known adversary group would involve:

1. Studying the adversary’s TTPs through threat intelligence feeds, past incident reports, and
the MITRE ATT&CK framework.

2. Strengthening defenses based on the adversary’s common attack vectors. For example, if the
adversary uses phishing as an entry point, I would implement better email filtering, user
training, and multi-factor authentication (MFA).

3. Proactively patching the vulnerabilities the adversary is known to exploit, based on the tools
and exploits they commonly use.

4. Segmenting networks to limit lateral movement within the organization, thereby containing
any potential breach.

5. Implementing Endpoint Detection and Response (EDR) solutions like CrowdStrike Falcon or
similar tools that can help detect abnormal activity and respond to attacks in real time.

6. Simulating the adversary's tactics via red teaming or penetration testing to identify and
mitigate weaknesses.

6. How do you prioritize threats from different adversaries?

Q: How do you prioritize responses to threats coming from different adversary groups?

A: Prioritization depends on several factors:

1. The adversary’s capabilities and history – State-sponsored groups or APTs tend to have
more advanced capabilities, so their actions are prioritized due to the potential impact.

2. Business impact – Threats that target critical assets, intellectual property, or sensitive data
should be prioritized based on the value and impact to the organization.

3. The attack’s stage – If an adversary has gained initial access or is already moving laterally,
immediate containment and investigation are necessary.

4. Risk exposure – Threats exploiting vulnerabilities that are actually present and reachable in
your environment, especially unpatched or zero-day ones, are critical, as they can lead to
widespread compromise.

5. Intelligence sharing – If there’s shared threat intelligence indicating an imminent attack from
a known adversary group, it would be prioritized.

7. How do you track an adversary’s activity over time?

Q: What methods do you use to track an adversary’s activity over time?

A: To track an adversary’s activity over time, I would:

1. Set up continuous monitoring using SIEM (Security Information and Event Management)
systems to analyze logs from multiple sources such as firewalls, endpoints, and intrusion
detection systems.

2. Use threat intelligence feeds to stay updated on adversary tactics and any new attack
techniques they may be using.

3. Maintain a timeline of attack events to track the progress of the attack and understand how
the adversary is evolving their approach.

4. Monitor at network segment boundaries: segmentation both limits lateral movement and makes it observable, so an adversary's attempts to cross from one segment to another show up as denied or unusual flows.

5. Document IOCs and TTPs associated with the adversary, creating a database of known
activities to watch for on the network.

6. Conduct regular threat-hunting activities based on the adversary’s profile, including searching for hidden backdoors, unusual activity, or data exfiltration patterns.

8. How would you respond to a targeted attack from a sophisticated adversary group?

Q: What steps would you take in response to a sophisticated, targeted attack from an adversary
group?

A: In response to a targeted attack from a sophisticated adversary:

1. Isolate affected systems immediately to prevent further spread, preferably with EDR network
containment, which cuts the adversary's access while keeping the host running so volatile
evidence (memory, running processes, network connections) can still be collected.

2. Contain the attack by blocking any known malicious IPs, domains, or URLs associated with
the attack.

3. Forensically investigate the attack by collecting and analyzing logs, memory dumps, and
system snapshots to identify the adversary's TTPs and the full scope of affected systems and
accounts.

4. Communicate with stakeholders to ensure everyone is aware of the situation and
understands the steps being taken.

5. Eradicate the threat by removing all traces of the adversary's presence from the affected
systems, including persistence mechanisms, and rotate any credentials the adversary obtained.
Eradicate only once scoping is complete: removing the adversary from some systems but not
others tips them off and lets them re-enter through the footholds that were missed.

6. Recover by restoring from backups verified to predate the compromise, or by rebuilding
systems, and confirm they are free of compromise before reconnecting them.

7. Perform a post-mortem to understand the attack vector, strengthen defenses, and update
incident response plans.

9. What are Custom Intelligence Indicators (CII)?

Q: Can you explain what Custom Intelligence Indicators (CII) are in the context of cybersecurity?

A: Custom Intelligence Indicators (CII) are organization-specific indicators of compromise (IOCs) created from an organization's own investigations to detect threats tailored to its environment. They can include file hashes, IP addresses, domain names, or behavioral patterns that are not covered by standard threat intelligence feeds. CIIs are particularly important for detecting sophisticated or targeted attacks that use tactics or tools not commonly known in general threat intelligence.

10. Why would you create Custom Intelligence Indicators (CII)?

Q: Why would an organization choose to create Custom Intelligence Indicators instead of relying
solely on external threat intelligence feeds?

A: An organization might create Custom Intelligence Indicators for several reasons:

1. Specific Threats: When facing targeted or advanced persistent threats (APT) that are
customized to their environment, external threat intelligence might not have the necessary
indicators.

2. Tailored Detection: CIIs allow organizations to detect subtle attack techniques that are
unique to their systems, such as malware variants or exploitation methods specific to their
infrastructure.

3. Proactive Defense: CIIs can be used to preemptively detect and block known malicious
behaviors or tactics based on internal findings, improving defense before external
intelligence reports are available.

4. Customization: CIIs can help enhance detection by integrating with existing security systems
and adjusting the security posture according to an organization’s specific risks and
requirements.

11. What types of Custom Intelligence Indicators can be created?

Q: What are some common types of Custom Intelligence Indicators (CII) that can be created?

A: The most common types of CIIs include:


1. File Hashes (MD5, SHA1, SHA256): Unique fingerprints of known malicious files that can be
matched on endpoints or in files carried in network traffic. Prefer SHA-256, since MD5 and
SHA-1 are no longer collision resistant. A hash is also the cheapest indicator for an adversary
to change (any recompilation or appended byte produces a new one), so hash indicators should
be paired with behavioral ones.

2. IP Addresses: Known malicious IP addresses associated with C2 (Command and Control) servers or attack infrastructure.

3. Domains and URLs: Malicious or suspicious domains and URLs used for phishing, data
exfiltration, or malware delivery.

4. Registry Keys: Suspicious registry changes that could indicate persistence mechanisms on
endpoints.

5. Email Addresses: Malicious or known sender addresses associated with phishing campaigns.

6. File Paths: Unusual file paths where malware or unauthorized programs may reside.

7. Network Artifacts: Specific network traffic patterns, protocols, or communication methods indicative of malicious activity.

8. Mutexes: Named objects that malware uses to ensure only one instance runs at a time; can
be indicators of a specific malware family.

12. How would you create a Custom Intelligence Indicator (CII)?

Q: What are the steps involved in creating a Custom Intelligence Indicator (CII)?

A: Creating a CII typically involves the following steps:

1. Collect data: Gather internal logs, network traffic, endpoint data, and other telemetry to
identify suspicious or anomalous activity.

2. Analyze the threat: Use tools like threat analysis platforms, malware sandboxes, or incident
reports to understand the threat and identify patterns, such as file hashes, IPs, or behaviors.

3. Define the indicator: Based on the analysis, define the specific indicator (hash, IP, domain, or
other type) that uniquely represents the threat, and record its provenance: source, date first
seen, confidence, and the incident it came from, so it can be reviewed and retired later.

4. Validate the indicator: Confirm the indicator’s legitimacy and relevance by cross-referencing
with other internal systems or external threat intelligence sources.

5. Deploy the indicator: Implement the CII into security solutions like SIEM, firewalls, endpoint
detection systems, or intrusion detection systems to monitor for future instances of the
attack.

6. Monitor and refine: Continuously monitor the efficacy of the CII, and refine it as more
information is gathered, adjusting it to detect new variants or evolving tactics.

13. How would you use Custom Intelligence Indicators in a SIEM system?

Q: How would you implement and use Custom Intelligence Indicators (CII) in a SIEM system to
improve threat detection?

A: To use CIIs in a SIEM system effectively, I would:


1. Integrate CIIs: Import the CII data (e.g., file hashes, IPs, domains) into the SIEM tool,
ensuring they are linked to relevant detection rules or use cases.

2. Create Detection Rules: Set up custom detection rules based on CIIs to monitor for any
matches in logs or alerts (e.g., file hashes appearing on an endpoint or suspicious domain
requests).

3. Alerting and Correlation: Configure the SIEM to generate alerts when a CII is detected or
correlates with other abnormal activity. For example, if a malicious file hash is detected on a
system and there is unusual network traffic, the SIEM should trigger an alert.

4. Dashboarding and Reporting: Use dashboards to track the presence of CIIs in real time and
monitor trends in detected indicators. Reports can help track how often specific CIIs are seen
across endpoints and networks.

5. Fine-tuning: Regularly refine the CIIs based on feedback from incident response and threat-
hunting teams to ensure they remain relevant and useful.
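An added example, not from the original document, of the detection rule and correlation described in items 2 and 3: the Python below applies a small indicator set to constructed JSON telemetry (process, DNS and network events) the way a SIEM lookup rule would, matches subdomains of an indicator domain, and escalates the alert when several indicator types fire on one host within a short window. All indicator values, host names and events are hypothetical.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical custom indicators, one set per type, stored in lower case so
# matching is case-insensitive. Values are constructed for this example.
CII: Dict[str, Set[str]] = {
    "sha256": {"0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"},
    "ipv4": {"203.0.113.45"},            # documentation range (RFC 5737)
    "domain": {"update-check.example"},  # reserved .example TLD
}

# Constructed sample telemetry: one JSON event per line, as an EDR or DNS log
# forwarder might deliver it to the SIEM.
SAMPLE_LOGS = [
    '{"ts": "2024-05-01T09:00:00", "host": "ws-17", "type": "process", '
    '"sha256": "0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0"}',
    '{"ts": "2024-05-01T09:02:30", "host": "ws-17", "type": "dns", "query": "cdn.update-check.example."}',
    '{"ts": "2024-05-01T09:03:10", "host": "ws-17", "type": "network", "dst_ip": "203.0.113.45", "dst_port": 443}',
    '{"ts": "2024-05-01T11:40:00", "host": "srv-db-02", "type": "dns", "query": "update-check.example.org"}',
    '{"ts": "2024-05-01T12:15:00", "host": "ws-04", "type": "dns", "query": "update-check.example"}',
    '{"ts": "2024-05-01T12:16:00", "host": "ws-04", "type": "network", "dst_ip": "198.51.100.9", "dst_port": 80}',
]


def domain_matches(observed: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator covering `observed`: an exact match or any parent
    domain, so cdn.update-check.example hits update-check.example while
    update-check.example.org (a different registrable domain) does not."""
    observed = observed.lower().rstrip(".")
    for ind in indicators:
        if observed == ind or observed.endswith("." + ind):
            return ind
    return None


def match_event(event: dict) -> List[Tuple[str, str]]:
    """Return the (type, indicator) pairs that one event hits."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        digest = event.get("sha256", "").lower()
        if digest in CII["sha256"]:
            hits.append(("sha256", digest))
    elif kind == "dns":
        ind = domain_matches(event.get("query", ""), CII["domain"])
        if ind:
            hits.append(("domain", ind))
    elif kind == "network":
        dst = event.get("dst_ip", "")
        if dst in CII["ipv4"]:
            hits.append(("ipv4", dst))
    return hits


def correlate(log_lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Detection rule: one alert per host that hit any indicator. Two or more
    indicator *types* on the same host inside `window` (e.g. a known hash plus
    a C2 domain) escalate the alert to high severity."""
    per_host: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for line in log_lines:
        event = json.loads(line)
        ts = datetime.fromisoformat(event["ts"])
        for ind_type, ind in match_event(event):
            per_host[event["host"]].append((ts, ind_type, ind))

    alerts = []
    for host, hits in per_host.items():
        hits.sort()  # chronological, so the window scan below can stop early
        severity = "medium"
        for i, (t_i, type_i, _) in enumerate(hits):
            for t_j, type_j, _ in hits[i + 1:]:
                if t_j - t_i > window:
                    break
                if type_j != type_i:
                    severity = "high"
        alerts.append({
            "host": host,
            "severity": severity,
            "indicators": sorted({(t, v) for _, t, v in hits}),
        })
    return sorted(alerts, key=lambda a: a["host"])
```

The parent-domain check is what keeps the rule useful against adversaries who rotate subdomains, and the severity escalation is the correlation step: a single indicator hit is a medium-priority ticket, while a known hash followed minutes later by a resolution of the C2 domain on the same host is the pattern that should page someone.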

14. How do you validate Custom Intelligence Indicators to ensure they are legitimate?

Q: How would you validate the accuracy and legitimacy of Custom Intelligence Indicators (CII)?

A: To validate CIIs:

1. Cross-reference with external threat intelligence: Compare the custom indicators with
reputable threat intelligence platforms (e.g., MISP, OpenDXL, or commercial threat feeds) to
ensure they are not false positives or already widely known.

2. Check for false positives: Before deploying, search historical telemetry for the indicator and
compare it against your own baselines. An IP in a shared CDN range, a hash that belongs to a
signed OS component, or a domain that thousands of hosts already resolve will generate noise
rather than detections; such indicators need narrowing or should not ship at all.

3. Review historical incidents: Verify the indicators against past incidents in your environment
to ensure they correlate with real attacks or behaviors.

4. Validate via endpoint scanning: Use endpoint detection tools to scan for the presence of CIIs
(e.g., file hashes, registry keys) on endpoints to confirm their relevance.

5. Collaborate with threat analysts: Work closely with threat analysts to review any new IOCs
generated by threat-hunting efforts to ensure their validity and effectiveness.
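An added example, not part of the original document, that covers both the definition step of creating a CII and the validation checks above: the Python below normalizes raw indicators pasted from a report (undoing defanging), classifies them by syntax, and rejects the common false-positive classes before anything is deployed. The allow-list, the hash values and the sample inputs are constructed for the illustration; the prevalence check against historical telemetry is represented here only by the allow-list, since that telemetry is environment-specific.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed allow-list: values from this (hypothetical) environment's
# baseline that must never ship as indicators.
ALLOWLIST_DOMAINS = {"microsoft.com", "windowsupdate.com", "intranet.example"}
# SHA-256 of a zero-length file, a classic artefact of a failed download.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed batch of raw values as an analyst might paste them from a ticket.
SAMPLE_RAW = [
    "hxxps://login[.]intranet[.]example/reset",   # defanged URL, allow-listed host
    "10.0.0.5",                                   # internal address from a proxy log
    "0F1E2D3C4B5A69788796A5B4C3D2E1F0",           # hypothetical md5 from a sandbox report
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "cdn.update-check[.]example",                 # defanged C2 domain (hypothetical)
    "see attached report",                        # free text pasted by mistake
]


@dataclass
class Indicator:
    value: str
    kind: str
    source: str                                        # provenance, kept with the indicator
    problems: List[str] = field(default_factory=list)  # blocking findings
    notes: List[str] = field(default_factory=list)     # advisory findings

    @property
    def deployable(self) -> bool:
        return self.kind != "unknown" and not self.problems


def refang(raw: str) -> str:
    """Undo the defanging used in reports and tickets (hxxp, [.], (.), [:])."""
    v = raw.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> str:
    """Guess the indicator type from its syntax (value already lower-cased)."""
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    try:
        return "ipv6" if ipaddress.ip_address(value).version == 6 else "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"https?://\S+", value):
        return "url"
    if re.fullmatch(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}", value):
        return "domain"
    return "unknown"


def _host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def _allowlisted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST_DOMAINS)


def validate(raw: str, source: str) -> Indicator:
    """Normalise one raw indicator and run the false-positive checks.
    Lower-casing loses URL path case; acceptable because only the host is checked."""
    value = refang(raw).lower()
    ind = Indicator(value=value, kind=classify(value), source=source)
    if ind.kind == "unknown":
        ind.problems.append("unrecognised indicator format")
    elif ind.kind in ("md5", "sha1"):
        ind.notes.append(f"{ind.kind} is collision-prone; capture the sha256 as well")
    elif ind.kind == "sha256" and value == EMPTY_FILE_SHA256:
        ind.problems.append("hash of an empty file")
    elif ind.kind in ("ipv4", "ipv6") and not ipaddress.ip_address(value).is_global:
        ind.problems.append("non-routable address (private, loopback or reserved)")
    elif ind.kind == "domain" and _allowlisted(value):
        ind.problems.append("matches allow-listed domain")
    elif ind.kind == "url" and _allowlisted(_host_of(value)):
        ind.problems.append("URL host is allow-listed")
    return ind


def triage(raw_values, source: str) -> Tuple[List[Indicator], List[Indicator]]:
    """Split a batch of raw indicators into (deployable, rejected)."""
    results = [validate(v, source) for v in raw_values]
    return ([i for i in results if i.deployable],
            [i for i in results if not i.deployable])
```

Rejected entries keep their reason, so the analyst who submitted them sees why an internal address or an allow-listed host was refused; the advisory note on MD5/SHA-1 lets weaker hashes ship while flagging that a SHA-256 should be captured from the sample before the indicator is relied on.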

15. What challenges might you encounter when using Custom Intelligence Indicators?

Q: What are some of the challenges you might face when using Custom Intelligence Indicators (CII)?

A: Some challenges include:

1. Over-reliance on static indicators: Custom indicators may become outdated or ineffective as adversaries change their tactics. Regular updates are necessary to ensure their continued effectiveness.

2. False positives: Poorly defined CIIs may result in false positives, causing unnecessary alerts
and potentially desensitizing security teams.

3. Complexity in management: As the number of CIIs grows, managing and maintaining them
can become cumbersome. A robust management process is required.

4. Evasion by sophisticated adversaries: Advanced attackers may actively modify their tactics
to avoid detection by CIIs, requiring constant monitoring and adjustment of indicators.

5. Performance impact: Excessive or poorly configured CIIs can lead to performance issues on
security tools or endpoints, such as slowing down scans or triggering excessive alerts.

16. How do you keep Custom Intelligence Indicators updated?

Q: How do you ensure that Custom Intelligence Indicators (CII) stay current and effective over time?

A: Keeping CIIs updated involves:

1. Regular reviews: Continuously review internal logs and threat intelligence sources to identify
new threat patterns and update CIIs accordingly.

2. Automated feeds: Implement automated intelligence feeds where new CIIs are integrated
into security tools dynamically, reducing manual updates.

3. Collaboration with threat intelligence teams: Work with external threat intelligence sources
or teams to stay informed about emerging threats and ensure that custom indicators reflect
those changes.

4. Testing and validation: Regularly test the CII’s effectiveness through threat-hunting exercises
and incident response to ensure that they are still relevant to current attack techniques.
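An added example, not from the original document, of the indicator lifecycle that the management and update questions describe: the Python below merges two feed deliveries into one store without duplicates, refreshes an indicator when it is seen in the organization's own telemetry, and retires indicators by a per-type age limit that analysts can override by pinning. Feed contents, dates and retention periods are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Retention per indicator type. Attack infrastructure (IPs, domains) churns
# quickly and ages into false positives once the adversary moves on; a file
# hash stays valid as long as the file exists. Constructed policy values.
TTL: Dict[str, timedelta] = {
    "ipv4": timedelta(days=30),
    "domain": timedelta(days=90),
    "sha256": timedelta(days=365),
}
DEFAULT_TTL = timedelta(days=90)

SHA256 = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"  # hypothetical

# Constructed feed deliveries: what an internal IR team and a partner ISAC
# might push on two different days.
FEED_DAY1 = [
    {"value": "203.0.113.45", "kind": "ipv4", "source": "internal-ir", "seen": "2024-01-10"},
    {"value": "update-check.example", "kind": "domain", "source": "internal-ir", "seen": "2024-01-10"},
    {"value": SHA256, "kind": "sha256", "source": "sandbox", "seen": "2024-01-10"},
]
FEED_DAY2 = [
    {"value": "UPDATE-CHECK.EXAMPLE", "kind": "domain", "source": "partner-isac", "seen": "2024-03-01"},
]


@dataclass
class Record:
    value: str
    kind: str
    first_seen: date
    last_seen: date                 # latest feed report or own-telemetry hit
    sources: Set[str] = field(default_factory=set)
    hits: int = 0                   # matches in our own SIEM/EDR
    pinned: bool = False            # analyst decision: exempt from auto-expiry


def merge_feed(store: Dict[str, Record], feed: Iterable[dict]) -> List[str]:
    """Upsert feed entries into the store; return the values that were new.
    A re-delivered indicator refreshes last_seen and gains a source, so the
    same value reported by two teams is one record, not two."""
    new = []
    for entry in feed:
        key = entry["value"].strip().lower()
        seen = date.fromisoformat(entry["seen"])
        rec = store.get(key)
        if rec is None:
            store[key] = Record(key, entry["kind"], seen, seen, {entry["source"]})
            new.append(key)
        else:
            rec.first_seen = min(rec.first_seen, seen)
            rec.last_seen = max(rec.last_seen, seen)
            rec.sources.add(entry["source"])
    return new


def record_hit(store: Dict[str, Record], value: str, when: date) -> None:
    """A match in our own telemetry is the strongest evidence that an
    indicator is still live, so it also refreshes last_seen."""
    rec = store[value.strip().lower()]
    rec.hits += 1
    rec.last_seen = max(rec.last_seen, when)


def expire(store: Dict[str, Record], today: date) -> Tuple[List[str], List[str]]:
    """Split the store into (active, retired) by per-type TTL; pinned
    indicators never retire automatically."""
    active, retired = [], []
    for key, rec in store.items():
        if rec.pinned or today - rec.last_seen <= TTL.get(rec.kind, DEFAULT_TTL):
            active.append(key)
        else:
            retired.append(key)
    return sorted(active), sorted(retired)


def run_demo() -> dict:
    """Two feed deliveries, one SIEM hit, a review on 2024-04-15, then the
    same review after an analyst pins the retired address."""
    store: Dict[str, Record] = {}
    new_day1 = merge_feed(store, FEED_DAY1)
    new_day2 = merge_feed(store, FEED_DAY2)            # duplicate value, new source
    record_hit(store, SHA256, date(2024, 2, 20))       # seen on one of our hosts
    active, retired = expire(store, date(2024, 4, 15))
    store["203.0.113.45"].pinned = True                # analyst keeps it anyway
    _, retired_after_pin = expire(store, date(2024, 4, 15))
    return {
        "new_day1": new_day1,
        "new_day2": new_day2,
        "domain_sources": sorted(store["update-check.example"].sources),
        "hash_hits": store[SHA256].hits,
        "active": active,
        "retired": retired,
        "retired_after_pin": retired_after_pin,
    }
```

Retired indicators should be archived rather than deleted: they remain useful for retrospective hunts over old telemetry, and a later feed delivery or hit can revive them through the same merge path.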
