Interview

TODO

  • [ ] TCP/IP Model
  • [ ] Access Control Models
  • [ ] OSI Model
  • [ ] EDR
  • [ ] Recent CVE -> CVE-2024-3400 -> Global Protect Palo Alto Network

QA

CrowdStrike

  • Goal: We stop breaches!
  • Falcon Platform

    • Endpoint Security
      • Next-Gen Antivirus
      • Endpoint Detection & Response
      • Device Control
    • Security Platform
      • IT Hygiene
      • Threat Hunting
      • Vulnerability Management
    • Threat Intelligence
      • Intelligence Automation
      • Malware Search
      • Malware Analysis
  • Endpoint Security

    • Cybersecurity approach to defending endpoints such as desktops, laptops, and mobile devices from malicious activity.
    • An endpoint is any device that connects to the corporate network from outside its firewall.
    • Endpoint Protection Platform:
      • Solution used to detect & prevent security threats like file-based malware attacks
      • Provides investigation & remediation capabilities needed to respond to dynamic security incidents & alerts.
    • Endpoint Security is necessary because every remote endpoint can be an entry point for an attack
    • Working:
      • Examines files, processes & system activity for suspicious or malicious indicators
      • Offers a centralized management console from which administrators can monitor, protect, investigate & respond to incidents
    • Benefits:
      • Endpoint Protection
      • Identity Protection
      • Threat Detection & Response
    • Core Functions
      • Next-Gen Anti-Virus (NGAV) (Prevention)
        • Traditional AV compares malicious signatures, or bits of code, against a database that is updated by contributors whenever a new malware signature is detected.
        • But unknown malware cannot be identified using that database.
        • NGAV closes this gap by using advanced endpoint protection technologies such as AI & ML to identify new malware by examining more elements such as file hashes, URLs & IP addresses.
      • Endpoint Detection & Response (EDR) (Detection)
        • Silent Failure: Allows attackers to access an organization's environment without detection
        • To prevent silent failures, an EDR solution provides continuous & comprehensive visibility into what is happening on endpoints in real time.
      • Managed Threat Hunting:
        • Conducted by elite teams that learn from incidents that have already occurred, aggregate crowdsourced data & provide guidance on how best to respond when malicious activity is detected
      • Threat Intelligence Integration:
        • Provides automation to investigate all incidents & gain knowledge in minutes
        • It should generate custom indicators of compromise directly from endpoints to enable a proactive defense.
    • Types of Endpoint Protection:
      • Legacy Endpoint Protection: On-Premises security framework that operates in conjunction with a locally hosted data center
      • Hybrid Endpoint Protection: Legacy + Cloud
      • Cloud-Native Endpoint Protection: Cloud-based solution, Network administrators can remotely monitor & manage all endpoints through a centralized management console & lightweight agent
    • Challenges:
      • Diversity of Devices
      • High Volume of alerts
      • Advanced Persistent Threats (APT)
    • Key Aspects:
      • Endpoint Visibility: View activities on endpoints
      • Threat Database: Signs of attacks with variety of analytic techniques
      • Behavioral Protection: Search for indicators of attack (IOAs)
      • Insight & Intelligence: Threat Intelligence can provide context
      • Fast Response: Fast & Accurate Response
      • Cloud-Based Solution: Manage & monitor in cloud
  • Security Platform:

    • IT Hygiene:
      • Provides real time & historical visibility into your assets & applications
      • Identify rogue computers
      • Gets an accurate inventory of the systems in your environment, software they are running & user accounts.
    • Threat Hunting:
      • Threat Hunting is the practice of proactively searching for cyber threats that are present undetected in a network
      • Methodology:
        • Threat Hunters assume that adversaries are already in the system
        • Hypothesis Based Investigation: Identify Tactics, Techniques & Procedures (TTPs)
        • Investigation based on Indicators of Compromise / Attack (IOCs or IOAs)
        • Advanced Tactics & ML investigations: Use ML to analyze massive data
    • Vulnerability Management:
      • Ongoing, Regular process of identifying, assessing, reporting, managing & remediating security vulnerabilities across endpoints, workloads & systems
      • Concepts:
        • Vulnerability: A weakness of an asset
        • Threat: Something that can exploit the vulnerability
        • Risk: What happens when a threat exploits the vulnerability
  • Threat Intelligence:

    • Automated Intelligence:
      • Uses data analytics & AI/ML algorithms to analyze, predict & respond to cyber threats, enriching telemetry with threat intelligence
      • The system can learn from data, identify patterns & make decisions with minimal human input.
    • Malware Search:
      • Process of understanding the behavior & purpose of a suspicious file or URL
      • Static Analysis: Examines the file for signs of malicious intent without running it
      • Dynamic Analysis: Executes the malicious code in an isolated environment called a sandbox
      • Hybrid Analysis: Static + Dynamic
  • Security Controls

    • Measure / Mechanism implemented to reduce the risk of threats
    • Preventive, Detective, Compensating, Corrective, Administrative
  • Information Lifecycle:
    • Creation, Storage, Processing, Transmission, Disposal
  • Information Security Governance:
    • Framework, Processes & structures that an organization implements to ensure information security
  • Secure a server
    • Update & Patch
    • Configure Firewall
    • Ensure Port Security
  • Why insider threats are easy
    • Insider Knowledge
    • Legitimate Access
    • Insufficient Monitoring & Controls
  • Deleted Data
    • The OS removes the file entry from the file system index, but the actual data remains on disk until it is overwritten by new data
  • Chain of Custody
    • Tracking of handling, transfer & preservation of digital evidence throughout its lifecycle
  • Ports
    • Filtered Ports: Protected by Firewall
    • Closed Ports: Not actively listening
  • Cloud Security Challenges
    • Misconfiguration
    • Poor Authentication Controls
    • Poor API Implementation
    • DDoS
    • Data Loss
    • Open S3 Buckets
    • Lambda Command Injection
  • OSI Model
    • Physical: Transmits raw bits over physical medium
    • Data Link: Responsible for framing data into frames & adding physical addresses to frames
    • Network: Responsible for routing packets from source to destination across multiple networks
    • Transport: Responsible for end-to-end communication between hosts, providing reliable & ordered delivery of data packets.
    • Session: Responsible for establishing, managing & terminating sessions between applications
    • Presentation: Responsible for data translation, encryption & compression to ensure integrity & confidentiality
    • Application: Provides network services to end users such as HTTP, SMTP, FTP, etc.
  • CSRF
    • Vulnerability that allows an attacker to trick a user into executing unintended actions
    • CSRF Tokens, SameSite Cookies, Referrer Header, Anti-CSRF Header
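Added example (not part of the original notes): the CSRF defences listed above applied to a constructed form-POST handler. The origin `https://app.example`, the request dict shape and the helper names are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of our own application (placeholder value).
SITE_ORIGIN = "https://app.example"


def new_session():
    """Create a session record carrying a per-session CSRF token."""
    return {"id": secrets.token_urlsafe(16), "csrf": secrets.token_urlsafe(32)}


def set_cookie_header(session):
    """Set-Cookie value for the session cookie.
    SameSite=Strict makes the browser omit the cookie on cross-site requests,
    so a forged POST from another site arrives unauthenticated."""
    return f"session={session['id']}; Path=/; Secure; HttpOnly; SameSite=Strict"


def csrf_check(session, request):
    """request = {'headers': {...}, 'form': {...}} (constructed shape).
    Returns (ok, reason); every check must pass for the action to proceed."""
    headers = {k.lower(): v for k, v in request["headers"].items()}

    # 1. Origin / Referer check: these headers are set by the browser and a
    #    cross-site form cannot override them.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin/Referer"
    p = urlparse(source)
    if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
        return False, "cross-site origin"

    # 2. Synchronizer token: accepted either from a custom anti-CSRF header
    #    (a plain HTML form cannot set custom headers) or from the form body,
    #    and compared in constant time against the per-session value.
    token = headers.get("x-csrf-token") or request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return False, "bad CSRF token"

    return True, "ok"


if __name__ == "__main__":
    s = new_session()
    print(set_cookie_header(s))
    forged = {"headers": {"Origin": "https://evil.example"}, "form": {}}
    print(csrf_check(s, forged))  # rejected: cross-site origin
```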
  • Malwares
    • Trojans
    • Ransomware
    • Botnets
    • Worms
    • Spyware
    • Keyloggers
    • Fileless Virus
  • XSS
    • Attackers inject malicious scripts into web pages viewed by other users
  • IDOR -> Insecure Direct Object Reference
  • NIST Cybersecurity Framework:
    • Helps businesses understand, manage & reduce their cybersecurity risk & protect their networks & data
    • Identify, Protect, Detect, Respond, Recover