CYBERSECURITY

SCENARIOS WITH
SAMPLE ANSWERS
FOR INTERVIEWS

By
Anandhu S
1. Scenario: You receive an alert about a potential malware infection on a user’s machine.
Question: What steps would you take to investigate and contain this incident?

Sample Answer: First, I would isolate the affected machine from the network to prevent
the malware from spreading. Then, I would analyze the alert details and check the
system logs to identify the malware type and source. I would run a full malware scan
using updated antivirus tools and, if necessary, use advanced tools for deep analysis.
Finally, I would remove the malware, update the system and antivirus software, and
monitor the network for any further signs of compromise.

2. Scenario: A suspicious email is reported by an employee.

Question: How would you handle this situation?

Sample Answer: I would first analyze the email headers and content for phishing
indicators or malicious links. Then, I would check if other employees have received
similar emails and alert them. I would also update the email security filters to block such
emails in the future and provide training to employees on recognizing phishing emails.

3. Scenario: A critical vulnerability is disclosed affecting your organization’s systems.

Question: Describe your immediate actions.

Sample Answer: I would first assess the impact of the vulnerability on our systems and
identify affected assets. Then, I would apply any available patches or workarounds to
mitigate the vulnerability. I would also review and update our security policies and
practices to prevent similar issues and communicate with the team to ensure everyone is
aware of the vulnerability and the steps taken.

4. Scenario: A data breach is suspected.

Question: Outline your incident response plan.

Sample Answer: The incident response plan includes several steps: Identification,
where we confirm the breach; Containment, to prevent further damage by isolating
affected systems; Eradication, to remove the root cause of the breach; Recovery, to
restore systems to normal operation; and Lessons Learned, where we review the
incident to improve our security posture and prevent future breaches.

5. Scenario: A sudden increase in failed login attempts is detected.

Question: What actions would you take?

Sample Answer: I would review the logs to identify the source and pattern of the failed
login attempts. If it appears to be a brute force attack, I would block the offending IP
addresses and ensure account lockout policies are in place. Additionally, I would inform
affected users to change their passwords and enable multi-factor authentication (MFA).
6. Scenario: Anomalous traffic is detected coming from an internal IP address.
Question: How would you investigate this traffic?

Sample Answer: I would analyze the traffic patterns and compare them with normal
baselines to determine the nature of the anomaly. I would also check the internal IP
address’s associated device logs and any recent changes to the device. If necessary, I
would use network monitoring tools to trace the source and destination of the traffic and
take appropriate action to mitigate the issue.

7. Scenario: A Distributed Denial of Service (DDoS) attack is targeting your web server.
Question: Describe your response strategy.

Sample Answer: I would activate our DDoS protection mechanisms, such as rate
limiting, traffic filtering, and using a content delivery network (CDN) to absorb the traffic. I
would also work with our internet service provider (ISP) to block malicious traffic at the
network level and monitor the attack in real-time to adapt our defenses as needed.

8. Scenario: An unauthorized device is detected on the network.

Question: What steps would you take to secure the network?

Sample Answer: I would immediately isolate the unauthorized device from the network
to prevent potential threats. Then, I would investigate how the device gained access and
identify any security gaps. I would review and update our network access control policies
to ensure only authorized devices can connect and enhance monitoring to detect such
incidents promptly.

9. Scenario: A firewall rule needs to be updated to allow a new application to function.

Question: How would you implement this change?

Sample Answer: I would first understand the requirements of the new application and its
network communication needs. Then, I would carefully review and modify the firewall
rules to allow necessary traffic while ensuring minimal exposure. After implementing the
change, I would test the application to ensure it functions correctly and monitor the
firewall logs for any unexpected behavior.

10. Scenario: A network segmentation policy needs to be enforced.

Question: Explain your approach to implementing network segmentation.

Sample Answer: I would start by identifying the different segments needed based on
the organization’s assets, data sensitivity, and business functions. I would configure
VLANs or use software-defined networking (SDN) to create these segments. I would
then apply access controls and firewall rules to restrict communication between
segments as required. Finally, I would test the segmentation to ensure it’s effective and
 monitor for any policy violations.

11. Scenario: An endpoint detection and response (EDR) alert indicates suspicious activity
on a workstation.
Question: What steps would you take to investigate and respond?

Sample Answer: I would review the EDR alert details to understand the suspicious
activity and cross-reference with logs from the workstation. I would conduct a deeper
analysis using forensic tools if necessary and quarantine the workstation to prevent
further harm. After determining the root cause, I would remediate the issue and update
security measures to prevent recurrence.

12. Scenario: A new zero-day exploit is targeting your operating system.

Question: How would you protect your endpoints?

Sample Answer: I would deploy any available temporary patches or workarounds to

mitigate the zero-day exploit. I would also ensure that all systems are running the latest
security updates and employ additional security measures like application whitelisting,
behavior-based detection, and enhanced endpoint monitoring. Training users to
recognize suspicious activity is also essential.

13. Scenario: A company laptop is reported stolen.

Question: Describe your immediate actions.

Sample Answer: I would remotely lock or wipe the stolen laptop using our endpoint
management tools to protect sensitive data. I would also change any credentials that
were accessible from the laptop and monitor for any signs of misuse. Additionally, I
would report the theft to the authorities and review our physical and cybersecurity
policies to prevent future incidents.

14. Scenario: An unauthorized software application is detected on multiple endpoints.

Question: How would you handle this situation?

Sample Answer: I would first identify the unauthorized software and assess the risk it
poses. I would then quarantine the affected endpoints to prevent potential threats and
remove the software. I would investigate how it was installed and implement measures
to block unauthorized software installation in the future, such as application whitelisting
and enhanced user permissions.

15. Scenario: A phishing email successfully compromises an employee’s credentials.

Question: What are your next steps?

Sample Answer: I would immediately change the compromised credentials and review
the affected account for any unauthorized activity. I would also run a full scan of the
 employee’s workstation for malware and conduct a phishing awareness session to
reinforce training. Implementing multi-factor authentication (MFA) and enhancing email
security filters are additional measures to prevent such incidents.

16. Scenario: Anomalous log entries are detected in the server logs.
Question: What steps would you take to investigate these entries?

Sample Answer: I would first identify the nature and source of the anomalous log
entries. I would correlate these entries with other logs to find patterns or related
activities. Using log analysis tools, I would deep dive into the timestamps, IP addresses,
and user actions to pinpoint the cause. Based on my findings, I would take appropriate
actions to remediate any security issues.

17. Scenario: A significant drop in log volume is observed.

Question: How would you address this issue?

Sample Answer: I would first check the logging configurations and ensure that all
logging services are running correctly. I would then review the network and system
changes that could have affected log collection. If necessary, I would investigate
potential issues with the log storage and processing systems. Restoring normal log
volume is crucial for maintaining visibility into the network and detecting security events.

18. Scenario: You need to set up a new log source for monitoring.
Question: How would you proceed?

Sample Answer: I would identify the critical log sources based on the security
monitoring requirements. Then, I would configure the log sources to send logs to our
centralized log management system, ensuring proper formatting and tagging for easy
analysis. I would validate the setup by checking the log flow and accuracy and create
alerts and dashboards to monitor the new log source effectively.

19. Scenario: A user reports receiving a suspicious email with an attachment.

Question: How would you handle this situation?

Sample Answer: I would first advise the user not to open the attachment. I would then
collect the email details, including the sender's address, subject line, and any URLs. I
would analyze the attachment in a secure environment using sandboxing tools to
determine if it contains malware. If confirmed malicious, I would block the sender's
domain and update our email filters to prevent future occurrences.

20. Scenario: Your SOC detects an unusual login attempt from an IP address in a foreign
country.
Question: What steps would you take in response to this alert?
 Sample Answer: I would immediately verify if the login attempt is legitimate by
contacting the user. If unauthorized, I would block the IP address, reset the affected
user’s credentials, and review logs for any other suspicious activity. I would also
implement additional security measures, such as geofencing and multi-factor
authentication.

21. Scenario: A critical server is under a DDoS attack.

Question: How do you mitigate the impact of this attack?

Sample Answer: I would activate our DDoS protection mechanisms, which include rate
limiting, IP blacklisting, and traffic rerouting through a content delivery network (CDN). I
would also coordinate with our internet service provider for additional support.
Simultaneously, I would communicate with stakeholders about the attack and our
mitigation efforts.

22. Scenario: Malware has been detected on an employee’s workstation.

Question: Describe the steps you would take to contain and remediate this threat.

Sample Answer: I would isolate the affected workstation from the network to prevent the
malware from spreading. I would then use our endpoint detection and response (EDR)
tools to identify the malware type and the extent of the infection. After that, I would
perform a thorough cleanup and restore the system from a clean backup. Finally, I would
review our security policies and update them to prevent future infections.

23. Scenario: An external scan shows an open port on your company's firewall that should
not be accessible.
Question: What actions would you take to address this vulnerability?

Sample Answer: I would first verify the scan results to confirm the open port. If the port is
indeed open and not required for business operations, I would close it immediately. If the
port is necessary, I would ensure that appropriate security controls, such as access
restrictions and monitoring, are in place. I would also conduct a review of our firewall
configurations to ensure there are no other unnecessary open ports.

24. Scenario: You receive an alert about a potential data exfiltration attempt from an internal
system.
Question: How would you investigate and respond to this alert?

Sample Answer: I would analyze network traffic logs to confirm the exfiltration attempt
and identify the source and destination of the data transfer. I would then isolate the
compromised system and interview the user associated with it. I would also check for
any indicators of compromise (IoCs) and take steps to block further data transfers.
Finally, I would assess the data's sensitivity and notify relevant stakeholders.
25. Scenario: A security researcher contacts your SOC claiming to have found a
vulnerability in your company's web application.
Question: How do you handle this situation?

Sample Answer: I would acknowledge the researcher’s report and thank them for their
responsible disclosure. I would then ask for detailed information about the vulnerability
and verify it in a controlled environment. If confirmed, I would prioritize the vulnerability
for patching and remediation. I would also update our security measures and
communicate the findings to our development and security teams to prevent future
issues.

26. Scenario: A user reports that their account has been locked out multiple times without
explanation.
Question: What steps do you take to resolve this issue?

Sample Answer: I would first check the account lockout policy and the account’s login
attempts to identify any patterns or suspicious activity. I would then verify the user’s
identity and reset their password. I would also look for signs of brute force attacks or
unauthorized access attempts. If necessary, I would implement additional security
measures, such as account monitoring and multi-factor authentication.

27. Scenario: Your SOC detects a vulnerability in a third-party software used by your
company.
Question: What is your approach to managing this risk?

Sample Answer: I would assess the vulnerability's impact on our systems and
determine if there are any available patches or workarounds from the software vendor. If
a patch is available, I would prioritize its deployment. If not, I would implement
compensating controls, such as restricting access and monitoring for exploitation
attempts. Additionally, I would stay in contact with the vendor for updates and review our
dependency on the software.

28. Scenario: An insider threat is suspected within your organization.

Question: Describe your approach to investigating and addressing this threat.

Sample Answer: I would conduct a thorough review of user activity logs, looking for
anomalies or patterns indicative of malicious behavior. I would also interview colleagues
and managers of the suspected individual. If evidence of insider threat activity is found, I
would escalate the issue to HR and legal departments for appropriate action. I would
also enhance monitoring and implement stricter access controls to prevent further
incidents.

29. Scenario: A new vulnerability has been disclosed that affects a critical application in
your environment.
 Question: How would you respond to this disclosure?

Sample Answer: I would immediately assess the vulnerability’s severity and the
potential impact on our systems. I would check if there are any available patches or
mitigation steps provided by the vendor. If a patch is available, I would prioritize its
deployment. If not, I would apply temporary mitigations, such as restricting access or
disabling affected features, while continuously monitoring for exploitation attempts.

30. Scenario: A phishing email successfully tricked an employee into providing their login
credentials.
Question: What steps would you take to mitigate the damage and prevent future
incidents?

Sample Answer: I would instruct the employee to change their password immediately
and enable multi-factor authentication if not already in place. I would then review the
email and login logs to determine if any unauthorized access has occurred. I would also
run a company-wide phishing awareness campaign and update our email filtering rules
to better detect and block similar phishing attempts in the future.

31. Scenario: The SOC receives an alert about unusual outbound traffic from a critical
server.
Question: How would you handle this alert?

Sample Answer: I would analyze the network traffic logs to understand the nature and
destination of the outbound traffic. I would then investigate the server to identify any
potential compromise or malware. If the server is compromised, I would isolate it from
the network, perform a thorough forensic analysis, and remediate any issues. I would
also implement measures to prevent future incidents, such as updating firewall rules and
enhancing monitoring.

32. Scenario: A critical system patch needs to be applied, but it may cause service
disruptions.
Question: How would you manage this situation?

Sample Answer: I would first test the patch in a staging environment to identify any
potential issues. I would then schedule the patch deployment during a maintenance
window to minimize service disruptions. I would communicate the plan to all
stakeholders and have a rollback plan in place in case any issues arise during the
deployment. Post-deployment, I would monitor the system closely to ensure stability.

33. Scenario: There is a suspected physical security breach in the data center.
Question: What steps would you take to secure the environment and investigate the
breach?
 Sample Answer: I would immediately secure the data center by alerting security
personnel and locking down access. I would review security camera footage and access
logs to identify any unauthorized individuals. I would also conduct a physical inspection
of the data center to check for any tampering or breaches. If evidence of a breach is
found, I would coordinate with law enforcement and conduct a thorough investigation to
identify the perpetrators and assess any potential damage.

34. Scenario: A new zero-day vulnerability is announced that affects your environment.
Question: What actions do you take to protect your systems?

Sample Answer: I would first gather information about the zero-day vulnerability from
trusted sources and security vendors. I would assess the potential impact on our
systems and apply any recommended mitigations or workarounds. I would also increase
monitoring for any signs of exploitation and ensure that all relevant systems are
up-to-date with the latest security patches. Additionally, I would keep stakeholders
informed about the situation and our response plan.

35. Scenario: An employee accidentally downloads a malicious file from the internet.
Question: Describe your response to this incident.

Sample Answer: I would instruct the employee to disconnect their device from the
network immediately. I would then analyze the downloaded file in a secure environment
to understand the nature of the threat. I would perform a full scan of the affected device
and remove any malicious content. If necessary, I would restore the device from a clean
backup. I would also educate the employee on safe browsing practices to prevent future
incidents.

36. Scenario: A ransomware attack encrypts several critical servers.

Question: How do you respond to this situation?

Sample Answer: I would immediately isolate the affected servers to prevent the
ransomware from spreading. I would then identify the ransomware variant and follow our
incident response plan. This includes restoring data from the most recent backups,
notifying relevant stakeholders, and working with law enforcement if necessary. I would
also review and enhance our security measures to prevent future attacks.

37. Scenario: A user reports that their account was compromised and unauthorized
transactions were made.
Question: What steps do you take to address this issue?

Sample Answer: I would verify the user’s identity and help them reset their password. I
would then review the account activity logs to identify the source of the compromise. If
the unauthorized transactions involve financial loss, I would work with our finance team
 and law enforcement to investigate. I would also advise the user on security best
practices, such as enabling multi-factor authentication.

38. Scenario: Your SOC detects a large number of outbound spam emails from an internal
email account.
Question: What actions would you take to stop this?

Sample Answer: I would immediately suspend the compromised account and

investigate the source of the breach. I would then clean the account of any malware or
unauthorized access. After securing the account, I would implement email filtering rules
to prevent further spam, and educate the user on recognizing phishing emails and other
threats.

39. Scenario: A critical vulnerability is discovered in your company’s customer-facing web

application.
Question: How do you handle this?

Sample Answer: I would work with our development team to assess the vulnerability and
prioritize its remediation. If a patch is available, I would ensure it is deployed promptly. In
the meantime, I would implement temporary measures, such as web application
firewalls, to mitigate the risk. I would also monitor for any signs of exploitation and inform
our customers about the vulnerability and our response.

40. Scenario: You discover that sensitive customer data was accidentally exposed online.
Question: What is your response to this data breach?

Sample Answer: I would first remove the exposed data from the online platform and
investigate how the breach occurred. I would notify affected customers and regulatory
bodies as required by law. I would then review and strengthen our data handling and
security practices to prevent future incidents. Additionally, I would offer support to
affected customers, such as credit monitoring services.

41. Scenario: An employee reports their laptop was stolen while traveling.
Question: What steps do you take to protect the data on the stolen laptop?

Sample Answer: I would initiate a remote wipe to erase all data on the stolen laptop. If
remote wipe is not possible, I would ensure the device’s data encryption is active to
protect the data. I would also reset passwords for any accounts accessed from the
laptop and monitor for any suspicious activity. Finally, I would provide the employee with
a replacement device and reinforce our security policies on handling equipment.

42. Scenario: Your SOC receives a report of a potential insider threat based on suspicious
behavior.
Question: How would you investigate this report?
 Sample Answer: I would conduct a thorough review of the employee’s activity logs,
looking for any signs of unauthorized access or data exfiltration. I would also interview
colleagues and supervisors to gather additional context. If evidence of an insider threat
is found, I would escalate the issue to HR and legal departments for appropriate action,
and implement additional monitoring and access controls to prevent further incidents.

43. Scenario: A vulnerability scan reveals outdated software on several servers.

Question: What actions do you take to address this issue?

Sample Answer: I would prioritize patching the outdated software based on the severity
of the vulnerabilities. I would coordinate with the IT team to schedule updates and
ensure minimal disruption to operations. After patching, I would run another vulnerability
scan to verify that the issues have been resolved. I would also implement a regular patch
management schedule to prevent future occurrences.

44. Scenario: A third-party vendor informs you of a data breach that affects your company.
Question: What steps do you take in response to this notification?

Sample Answer: I would first assess the impact of the breach on our company’s data
and operations. I would work with the vendor to understand the details of the breach and
their remediation efforts. I would notify relevant stakeholders within our company and
take steps to secure any affected systems. If necessary, I would inform our customers
and regulatory bodies. I would also review our vendor risk management practices to
ensure stronger security measures.

45. Scenario: Your SOC detects unusual traffic patterns indicative of a possible
Man-in-the-Middle (MitM) attack.
Question: How would you respond to this threat?

Sample Answer: I would analyze the network traffic to confirm the presence of a MitM
attack. I would then implement network segmentation and encryption to protect sensitive
data. I would also review and update our network security protocols, such as using
secure communication channels and enforcing strong authentication. Additionally, I
would monitor for any compromised devices and take steps to remediate them.

46. Scenario: A critical business application is experiencing performance issues possibly

due to a cyber attack.
Question: What steps do you take to diagnose and resolve the issue?

Sample Answer: I would first monitor the application’s performance and review logs for
any signs of malicious activity. I would then work with the application and network teams
to identify the root cause of the performance issues. If a cyber attack is confirmed, I
would implement appropriate mitigation measures, such as blocking malicious IP
 addresses or applying security patches. I would also enhance monitoring to ensure the
issue does not recur.

47. Scenario: A user reports that their system is running unusually slow and displaying
pop-up ads.
Question: How would you handle this report?

Sample Answer: I would first instruct the user to disconnect from the network to prevent
any potential spread of malware. I would then perform a malware scan on the system
using our EDR tools to identify and remove any malicious software. After cleaning the
system, I would review the user’s browsing habits and recommend best practices to
avoid future infections. I would also update our security policies and filters to block
similar threats.

48. Scenario: A zero-day exploit is being actively used against your organization's systems.
Question: What immediate actions do you take to protect your systems?

Sample Answer: I would gather information about the zero-day exploit from trusted
sources and assess the potential impact on our systems. I would apply any available
mitigation measures, such as disabling vulnerable features or restricting access. I would
also increase monitoring for any signs of exploitation and ensure that our incident
response team is prepared to act quickly. Additionally, I would stay in contact with
security vendors for updates and patches.

49. Scenario: A critical file server is found to be compromised and hosting unauthorized
files.
Question: Describe your response to this incident.

Sample Answer: I would immediately isolate the compromised server to prevent further
unauthorized access. I would then conduct a forensic analysis to determine the scope of
the compromise and identify the unauthorized files. I would remove the malicious files
and restore the server from a clean backup. I would also review and update our security
measures, such as access controls and monitoring, to prevent future incidents.

50. Scenario: A user notices a new, unfamiliar device connected to the corporate network.
Question: How would you handle this situation?

Sample Answer: I would use our network monitoring tools to identify the device and its
activity on the network. I would then determine if the device is authorized or if it poses a
security risk. If unauthorized, I would disconnect the device from the network and
investigate how it gained access. I would also review our network access controls and
educate employees on recognizing and reporting suspicious devices.