Threat Hunting SSA Audits Interview Question-Answer

What is Proactive Threat Hunting?

Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses.

Threat Hunting Methodologies

Threat hunters assume that adversaries are already in the system, and they initiate investigation to find unusual behavior that may indicate the presence of malicious activity. In proactive threat hunting, this initiation of investigation typically falls into three main categories:

1. Hypothesis-driven investigation

Hypothesis-driven investigations are often triggered by a new threat that’s been identified through a large pool of crowdsourced attack data, giving insights into attackers’ latest tactics, techniques, and procedures (TTPs). Once a new TTP has been identified, threat hunters look for the attacker’s specific behaviors in their own environment.

2. Investigation based on known Indicators of Compromise or Indicators of Attack

This approach to threat hunting uses tactical threat intelligence to catalog known IOCs and IOAs associated with new threats. These then become triggers that threat hunters use to uncover potential hidden attacks or ongoing malicious activity.

3. Advanced analytics and machine learning investigations

The third approach combines powerful data analysis and machine learning to sift through a massive amount of information in order to detect irregularities that may suggest potential malicious activity. These anomalies become hunting leads that are investigated by skilled analysts to identify stealthy threats.

All three approaches are a human-powered effort that combines threat intelligence resources with advanced security technology to proactively protect an organization’s systems and information.
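The approaches above are easiest to see in code. The Python script below is an added example, not part of the original page: it runs an IOC match (approach 2) and a hypothesis-driven hunt (approach 1) backed by stack counting, one of the techniques named in Q.5 below, over a handful of constructed EDR-style process events. Hostnames, hashes, IP addresses (RFC 5737 documentation ranges) and the intel entries are all made up for the illustration.

```python
"""Added example (not from the original page): IOC-driven and
hypothesis-driven hunting over constructed endpoint telemetry."""
from collections import Counter

# Constructed EDR-style process-start events (one dict per process launch).
# IPs come from the RFC 5737 documentation ranges; hashes are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe",     "sha256": "h-chrome",  "dst_ip": "192.0.2.10"},
    {"host": "ws02", "parent": "explorer.exe", "image": "chrome.exe",     "sha256": "h-chrome",  "dst_ip": "192.0.2.10"},
    {"host": "ws03", "parent": "explorer.exe", "image": "chrome.exe",     "sha256": "h-chrome",  "dst_ip": "192.0.2.11"},
    {"host": "ws04", "parent": "explorer.exe", "image": "outlook.exe",    "sha256": "h-outlook", "dst_ip": "192.0.2.20"},
    {"host": "ws05", "parent": "explorer.exe", "image": "outlook.exe",    "sha256": "h-outlook", "dst_ip": "192.0.2.20"},
    {"host": "ws06", "parent": "services.exe", "image": "svchost.exe",    "sha256": "h-svchost", "dst_ip": ""},
    {"host": "ws07", "parent": "winword.exe",  "image": "powershell.exe", "sha256": "h-ps",      "dst_ip": "198.51.100.23"},
    {"host": "ws08", "parent": "explorer.exe", "image": "svch0st.exe",    "sha256": "h-unknown", "dst_ip": "203.0.113.5"},
]

# Constructed tactical threat intel (approach 2: known IOCs).
KNOWN_BAD_HASHES = {"h-unknown"}
KNOWN_BAD_IPS = {"198.51.100.23"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ioc_matches(events, bad_hashes=KNOWN_BAD_HASHES, bad_ips=KNOWN_BAD_IPS):
    """Approach 2: flag events whose hash or destination IP is a known IOC.
    Returns (host, image, matched indicator types) tuples."""
    hits = []
    for ev in events:
        matched = []
        if ev["sha256"] in bad_hashes:
            matched.append("sha256")
        if ev["dst_ip"] in bad_ips:
            matched.append("dst_ip")
        if matched:
            hits.append((ev["host"], ev["image"], tuple(matched)))
    return hits


def stack_count(events, fields):
    """Stack counting (Q.5): tally how often a field combination occurs across
    the fleet, rarest first. Rare stacks are leads; common ones are baseline."""
    counts = Counter(tuple(ev[f] for f in fields) for ev in events)
    return sorted(counts.items(), key=lambda item: item[1])


def office_spawning_shell(events):
    """Approach 1: test the hypothesis 'an Office application never needs to
    launch a shell or script host' (the classic macro-to-PowerShell TTP)."""
    return [ev for ev in events
            if ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SHELLS]


def run_hunt(events=SAMPLE_EVENTS):
    """Run the three checks and return the leads an analyst would triage."""
    rare_stacks = [stack for stack, n in stack_count(events, ("parent", "image")) if n == 1]
    return {
        "ioc_hits": ioc_matches(events),
        "hypothesis_hits": [ev["host"] for ev in office_spawning_shell(events)],
        "rare_stacks": rare_stacks,
    }


if __name__ == "__main__":
    for lead_type, leads in run_hunt().items():
        print(lead_type)
        for lead in leads:
            print("  ", lead)
```

Note what each check does and does not prove: the IOC match is only as good as the feed, the hypothesis catches the TTP even with an unknown hash, and stack counting produces leads (the lone svch0st.exe under explorer.exe) that still need an analyst to confirm, which is why the text calls all three a human-powered effort.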

TOP 20+ Interview Questions and Answers:-

Q.1 Threat hunters will be able to offer a high degree of protection only if there is a _____________.

A. Moderate level of visibility into networks

B. High level of visibility into networks

C. Low level of visibility into networks

D. None of these

Ans : High level of visibility into networks

Q.2 Threat hunters use __________.

A. Automated tools

B. Manual methods

C. Both the options

D. None of the options

Ans : Both the options

Q.3 Approximate amount spent on security detection and defense technologies to identify and stop advanced threats is _______.

A. $850000

B. $750000

C. $650000

D. $550000

Ans : $550000

Q.4 Which of the following are threat hunting platforms?

A. Sqrrl

B. Infocyte

C. Endgame Inc

D. Vectra

E. All the Options

Ans : All the Options

Q.5 Which of the following are threat hunting techniques?

A. Stack counting

B. Clustering

C. Grouping

D. All the Options

Ans : All the Options

Q.6 Which threat hunting platform was acquired by Amazon Web Services?

A. Maltego

B. Exabeam

C. Vectra

D. Sqrrl

Ans : Sqrrl

Q.7 Which of the following are cyber threat intelligence models that have been widely used in the industry?

A. The Diamond Model of intrusion analysis

B. The Cyber Kill Chain

C. None of the options

D. Both the options

Ans : Both the options

Q.8 _____________ is used for identification and prevention of cyber intrusions.

A. Hunting maturity model

B. Cyber kill chain

C. Hunting loop

D. Hunting Matrix

Ans : Cyber kill chain

Q.9 Which of the following is a stage in Cyber Kill Chain?

A. Reconnaissance

B. Actions on Objectives

C. Installation

D. Delivery

E. All the Options

Ans : All the Options

Q.10 Who developed the hunting maturity model?

A. David Bianco, an Infocyte security technologist

B. David Bianco, a Maltego security technologist

C. David Bianco, a Sqrrl security technologist

D. David Bianco, a Vectra security technologist

Ans : David Bianco, a Sqrrl security technologist

Q.11 ______ is a proactive way of hunting attacks.

A. Cyber security

B. Threat hunting

C. Threat intelligence

D. Threat modeling

Ans : Threat hunting

Q.12 _______ includes the information relevant to protecting an organization from external and internal threats and also the processes, policies and tools designed to gather and analyze that information.

A. Threat Modeling

B. Threat Hunting

C. Threat Intelligence

D. None of the options

Ans : Threat Intelligence

Q.13 In data flow diagrams (DFD), the data flow shape represents boundary between trust levels or privileges.

A. True

B. False

Ans : False (the data flow shape shows data moving between processes, data stores and external entities; a boundary between trust levels or privileges is drawn with the trust boundary shape)

Q.14 The process of designing a security specification and then eventually testing that specification is known as __________.

A. Threat modeling

B. Threat hunting

C. Threat intelligence

D. Threat mitigation

Ans : Threat modeling

Q.15 Which of the following are threat modeling tools?

A. Securicor

B. Irius Risk

C. Threat Modeler

D. All the Options

Ans : All the Options

Q.16 Which of the following is not a phase in the hunting loop?

A. Inform and enrich analytics

B. Uncover new patterns and TTP’s

C. Creating hypothesis

D. Innovative approach

Ans : Innovative approach (the hunting loop’s four phases are creating hypotheses, investigating via tools and techniques, uncovering new patterns and TTPs, and informing and enriching analytics; “Innovative” is a level of the hunting maturity model, not a loop phase)

Q.17 Which of the following is an adaptation of the U.S. military’s kill chain process?

A. The Cyber Kill Chain

B. The Active Cyber Defense Cycle

C. The Diamond Model of intrusion analysis

D. None of the options

Ans : The Cyber Kill Chain

Q.18 EDR stands for _______.

A. End point Detection and Response

B. End point Defect and Response

C. End point Defense and detective

D. Earlier defense and response

Ans : End point Detection and Response

Q.19 Which of the following are the aspects of threat modeling?

A. Killing the threats

B. Understanding the threats

C. Categorizing the threats

D. Identify mitigation strategies

E. B, C and D

Ans : B, C and D (threat modeling means understanding the threats, categorizing them, for example with STRIDE, and identifying mitigations; threats are mitigated or accepted, not “killed”)

Q.20 Full form of TTP is ____________.

A. Tactics, techniques and process

B. Tactics, techniques and procedures

C. Tactics, technology and process

D. Tactics, technology and procedures

Ans : Tactics, techniques and procedures

Q.21 Threat hunting should not be conducted by external service provider.

A. True

B. False

Ans : False

Q.22 Threat Hunting is Proactive Approach.

A. True

B. False

Ans : True

Q.23 Which of the following is perfect for highlighting the continuous process improvement?

A. Hunting matrix

B. Hunting loop

C. Hunting maturity model

D. None of the options

Ans : Hunting maturity model

Q.24 Modifying data within the system to achieve a malicious goal is known as __________.

A. Information disclosure

B. Tampering

C. Spoofing

D. Denial of service

Ans : Tampering

Q.25 Which level of hunting maturity model mainly focuses on automated alerts?

A. Leading

B. Minimal

C. Procedural

D. Initial

Ans : Initial

Q.26 In the word STRIDE, R stands for _________.

A. Reduction

B. Reproducibility

C. Remediation

D. Repudiation

Ans : Repudiation

Q.27 HMM stands for ___________.

A. Hunting modernity model

B. Hunting magnification model

C. Hunting maturity model

D. Hunting matrix model

Ans : Hunting maturity model

Q.28 An organization should focus mainly on ___________.

A. Internal threats

B. External threats

C. Both the options

D. None of the options

Ans : Both the options

SSA Audits Interview Question-Answer

Q.1 Who is responsible for finding patterns in the security data ingested into Metron?

A. Forensic Investigator

B. SOC Investigator

C. Security Data Scientist

D. SOC Analyst

Ans : Security Data Scientist

Q.2 Apache Metron is built on top of _________.

A. Cisco Open Source Technologies

B. Apache Open Source Technologies

C. Multiple Cisco and Apache Technologies

D. Cisco Licensed Technologies

Ans : Cisco Open Source Technologies

Q.3 Apache Metron in deployment is __________.

A. replicated

B. distributed

C. can be either centralised or distributed

D. centralised

Ans : can be either centralised or distributed

Q.4 Which of the following is an Example of Threat Intel feeds in Metron?

A. DPI

B. Bro

C. Nifi

D. Soltra

Ans : Soltra

Q.5 Consider you are a store owner operating your own website for the people of your town. What is ideal for maintaining the security of the shopping platform on your site?

A. Traditional SIEM

B. Security is not needed

C. Metron

D. Either Metron or Traditional SIEM

Ans : Traditional SIEM

Q.6 Telemetry Data Ingestion is possible into Metron through ___________.

A. Apache Impala

B. Apache Kudu

C. Apache Storm

D. Apache Nifi

Ans : Apache Nifi

Q.7 Timestamp in Metron is parsed in ________.

A. Both POSIX and UTC

B. UTC format

C. POSIX format

D. None of the given options

Ans : POSIX format

Q.8 Machine Learning models can be adopted in Metron for ________.

A. Advanced Analytics

B. Threat Prediction

C. Anomaly Detection

D. all the given options

Ans : all the given options

Q.9 Metron Provides support for multiple types of data through its __________.

A. Intelligence Platform

B. Data Vault

C. Pluggable framework

D. all the given options

Ans : Pluggable framework

Q.10 Which of the following is NOT a component of parsing topology?

A. Storm kafka spout

B. kafka parser bolt

C. Storm parser spout

D. none of the options

E. all the given options

Ans : Storm parser spout

Q.11 Parallel Enrichment is available on Metron by default

A. True

B. False

Ans : False

Q.12 What is the order of stages in the Stream Processing Pipeline? a) Threat Intel b) Telemetry Parsing c) Index and Write d) Alert Triage e) Enrichment

A. a, b, c, d, e

B. b, e, a, d, c

C. b, e, d, a, c

D. b, a, d, e, c

E. none of the given options

Ans : b, e, a, d, c
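To make the stage order in Q.12 (and the nested config asked about in Q.24 below) concrete, here is a toy pipeline in Python. It is an added illustration, not Apache Metron code: the config dictionary mirrors the key names of a Metron sensor enrichment config (enrichment, threatIntel, threatIntel.triageConfig), but the rule bodies are Python predicates standing in for Stellar expressions, the two lookup tables stand in for the HBase-backed stores, and the log lines, intel entry and asset records are constructed.

```python
"""Added example (illustrative Python, not Apache Metron code): the stream
processing order parse -> enrich -> threat intel -> triage -> index, with a
config shaped like Metron's enrichment -> threatIntel -> triageConfig JSON."""
import re
from datetime import datetime, timezone

# Constructed raw lines from a hypothetical firewall sensor (RFC 5737 test IPs).
RAW_LINES = [
    "2024-03-01T10:00:00Z fw01 ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-03-01T10:00:01Z fw01 ALLOW src=10.0.0.9 dst=198.51.100.23 dport=4444 proto=tcp",
    "2024-03-01T10:00:02Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.7 dport=5353 proto=udp",
    "this line is garbage and will not parse",
]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>\S+) src=(?P<ip_src_addr>\S+) "
    r"dst=(?P<ip_dst_addr>\S+) dport=(?P<ip_dst_port>\d+) proto=(?P<protocol>\S+)$"
)

# Constructed lookup tables standing in for the HBase-backed enrichment and
# threat intel stores (the latter keyed by (indicator type, indicator), Q.23).
ASSET_TABLE = {"10.0.0.5": {"owner": "finance", "criticality": "high"},
               "10.0.0.9": {"owner": "lab", "criticality": "low"}}
THREAT_INTEL = {("malicious_ip", "198.51.100.23"): {"source": "constructed-feed", "confidence": 90}}

# Same nesting as a Metron sensor enrichment config; rule bodies are Python
# predicates where Metron would carry Stellar expressions.
SENSOR_CONFIG = {
    "enrichment": {"fieldMap": {"asset": ["ip_src_addr"]}},
    "threatIntel": {
        "fieldMap": {"hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]},
        "fieldToTypeMap": {"ip_src_addr": ["malicious_ip"], "ip_dst_addr": ["malicious_ip"]},
        "triageConfig": {
            "riskLevelRules": [
                {"name": "destination on threat intel list",
                 "rule": lambda m: "threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip" in m,
                 "score": 90},
                {"name": "high-criticality asset talking on an unusual port",
                 "rule": lambda m: m.get("enrichments.asset.ip_src_addr.criticality") == "high"
                                   and m["ip_dst_port"] not in (53, 80, 443),
                 "score": 50},
            ],
            "aggregator": "MAX",
        },
    },
}


def parse(line, source_type="fw"):
    """Stage b: normalise one raw line into a flat JSON-style dict."""
    mo = LINE_RE.match(line)
    if mo is None:
        return None  # unparseable lines go to an error path, not down the pipeline
    m = mo.groupdict()
    ts = datetime.strptime(m.pop("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    m["timestamp"] = int(ts.timestamp() * 1000)  # epoch milliseconds
    m["ip_dst_port"] = int(m["ip_dst_port"])
    m["source.type"] = source_type
    m["original_string"] = line
    return m


def enrich(m, cfg):
    """Stage e: add context fields from the lookup table."""
    for enrichment_type, fields in cfg["enrichment"]["fieldMap"].items():
        for field in fields:
            for key, value in ASSET_TABLE.get(m.get(field), {}).items():
                m[f"enrichments.{enrichment_type}.{field}.{key}"] = value
    return m


def threat_intel(m, cfg):
    """Stage a: key-value lookup of indicators; any hit marks the message an alert."""
    ti = cfg["threatIntel"]
    for enrichment_type, fields in ti["fieldMap"].items():
        for field in fields:
            for indicator_type in ti["fieldToTypeMap"].get(field, []):
                hit = THREAT_INTEL.get((indicator_type, m.get(field)))
                if hit is not None:
                    m[f"threatintels.{enrichment_type}.{field}.{indicator_type}"] = hit
                    m["is_alert"] = True
    return m


def triage(m, cfg):
    """Stage d: score alerts only, aggregating the scores of every rule that fires."""
    if not m.get("is_alert"):
        return m
    tc = cfg["threatIntel"]["triageConfig"]
    fired = {rule["name"]: rule["score"] for rule in tc["riskLevelRules"] if rule["rule"](m)}
    aggregate = {"MAX": max, "MIN": min, "SUM": sum}[tc["aggregator"]]
    m["threat.triage.score"] = aggregate(fired.values()) if fired else 0
    m["threat.triage.rules"] = sorted(fired)
    return m


def run_pipeline(lines, cfg=SENSOR_CONFIG):
    """Run b -> e -> a -> d and then stage c, index and write (here: a list)."""
    indexed = []
    for line in lines:
        m = parse(line)
        if m is not None:
            indexed.append(triage(threat_intel(enrich(m, cfg), cfg), cfg))
    return indexed


if __name__ == "__main__":
    for message in run_pipeline(RAW_LINES):
        print(message["ip_dst_addr"], message.get("threat.triage.score", "-"))
```

Two things the order buys you are visible here: triage can reference enrichment fields (the asset criticality rule) only because enrichment ran first, and the third line, although it hits the unusual-port rule, is never scored because no threat intel matched and it was never flagged as an alert.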

Q.13 In Telemetry Parsing Stage ________.

A. data normalization takes place

B. data validation takes place

C. data enrichment takes place

D. data transformation takes place

Ans : data normalization takes place

Q.14 Stellar Expressions can be used in telemetry parsing as part of ______.

A. data normalization

B. cannot be used in telemetry parsing

C. data validation

D. data transformation

E. all the given options

Ans : data transformation (a Metron parser configuration accepts a fieldTransformations list, and its STELLAR transformation type runs Stellar expressions against the parsed message)

Q.15 Threat Intel Feeds can be __________.

A. streamed in real-time

B. normalised and de-duped

C. Bulk-loaded

D. all the given options

Ans : all the given options

Q.16 Client for MaaS is written in ___________.

A. Scala

B. Node.js

C. Python

D. Java

Ans : Java

Q.17 Profiler can be configured for entities like

A. application

B. user

C. subnet

D. server

E. all the given options

Ans : all the given options

Q.18 Solr and ElasticSearch Indices are supported __________.

A. as they are cold storage indices

B. as they are kibana supported

C. as they are random access indices

D. all the given options

Ans : as they are random access indices (Metron distinguishes random access indexing into Elasticsearch or Solr from batch indexing into HDFS; Kibana works only with Elasticsearch, so it cannot be the reason Solr is supported)

Q.19 Which of the following statements regarding MetaalertDao is/are TRUE

A. pagination of metaalerts is not possible

B. alerts are linked to metaalerts by id

C. It denormalizes the relation between alerts and metaalerts

D. none of the given options

Ans : It denormalizes the relation between alerts and metaalerts

Q.20 HDFS Index updates are supported in Metron.

A. No, Only Random Access Index updates are supported

B. Yes, Using a NoSQL write ahead log

C. Yes, Natively Supported

D. none of the given options

Ans : No, Only Random Access Index updates are supported

Q.21 Enrichment configuration can be stored on _________.

A. storm

B. Hbase

C. zookeeper

D. HDFS

Ans : zookeeper

Q.22 Data entering Metron can be validated ___________.

A. fully at the time of ingestion

B. partially at the time of ingestion

C. partially at time of enrichment

D. all the given options

Ans : partially at time of enrichment

Q.23 The Threat Intel Store is based on ___________.

A. Key – Value Pair

B. Graph DB

C. Columnar Table

D. Document DB

Ans : Key – Value Pair

Q.24 Select the Correct order of nested data in a JSON file which is processed in the pipeline.

A. threatIntel -> triageConfig -> enrichment

B. enrichment -> triageConfig -> threatIntel

C. enrichment -> threatIntel ->triageConfig

D. None of the options

Ans : enrichment -> threatIntel ->triageConfig

Q.25 UDFs are supported by Stellar.

A. True

B. False

Ans : True

Q.26 Which of the following statements regarding MetaalertDao is/are TRUE.

A. It is limited by parent-child relationships between alerts and metaalerts

B. It denormalizes the relation between alerts and metaalerts

C. alerts are linked to metaalerts by id

D. none of the given options

Ans : It denormalizes the relation between alerts and metaalerts (consistent with Q.19 above: child alerts are copied into the metaalert document instead of relying on the index’s parent-child relationships)

Q.27 Apache Metron does NOT have a dependency on _______.

A. docker

B. python

C. ansible

D. vagrant

Ans : ansible

Q.28 Identify the Stellar Function which is NOT VALID.

A. IS_DOMAIN

B. IS_IP

C. IS_SUBNET

D. IS_EMAIL

Ans : IS_SUBNET

Q.29 When Machine Learning models are employed for threat intelligence what is considered to be an infrastructure challenge?

A. Type of adopted model

B. Model Implementation Language dependency

C. Implemented Model accuracy

D. all the given options

Ans : Type of adopted model

Q.30 Consider you are trying to parse telemetry of an application which uses a custom API. Its telemetry is highly complex and the data is generated at a rapid rate. What is an ideal parsing strategy for the scenario?

A. Write a Custom JVM parser while using Grok as stop gap

B. Write and use a Custom JVM parser

C. Modify a Grok Parser while using JVM parser as stop gap

D. Use in-built Grok Parser

Ans : Write and use a Custom JVM parser (Metron’s Grok parser is the general-purpose choice for simple, lower-volume telemetry; complex, high-velocity formats call for a Java parser, which also avoids the regular-expression overhead of Grok)

Q.31 MaaS scaling can be done through ______.

A. YARN

B. Service Discovery

C. REST

D. Storm

Ans : YARN (Model as a Service runs model instances as YARN containers, and a model is scaled out by requesting more instances at deployment; REST is how a running model is invoked, and service discovery via ZooKeeper is how callers find it)

Q.32 Data to create a profile is collected ___________.

A. Over sliding windows

B. Over multiple windows

C. from different data sources

D. In time series way

Ans : Over multiple windows

Q.33 Zeppelin interpreters do NOT support ___________.

A. Python

B. JDBC

C. Node.js

D. Cassandra

Ans : Node.js

Q.34 Stellar is Integrated into Metron Components such as _________.

A. Enrichment and Indexing

B. Indexing and Threat Triage

C. Enrichment and Threat Triage

D. Global Validation and Threat Triage

E. Global Validation and Enrichment

Ans : Global Validation and Threat Triage

Q.35 Default Indexer of Metron is ____________.

A. HDFS

B. Hbase

C. Elastic Search

D. Solr

Ans : HDFS

Q.36 How does a Network Intrusion Detection System work?

A. Uses fixed rules to identify abnormal events

B. Tracks communication between actors of target network

C. Extracts application level request details

D. all the given options

Ans : Uses fixed rules to identify abnormal events

Q.37 DPI (Deep Packet Inspection) data is best extracted only for ____________.

A. DNS Protocol

B. REST Protocol

C. PCAP

D. Netflow protocol

Ans : DNS Protocol (DPI yields application-layer fields and is expensive, so it is worth running only on selected protocols such as DNS; NetFlow is flow metadata with no payload to inspect, and PCAP is the raw capture itself)

Q.38 Pick out the Stellar Keyword among the following.

A. NaN

B. except

C. case

D. all the given options

Ans : NaN

Q.39 Apart from in-built Geo enrichment, Metron supports ___________.

A. Asset and User Enrichment

B. none of the given options

C. Asset and Network Enrichment

D. User and Network Enrichment

Ans : Asset and Network Enrichment

Q.40 Who among the following is considered to be an advanced SME w.r.t Apache Metron Platform _____________.

A. SOC Investigator

B. Security Platform Ops Engineer

C. SOC Analyst

D. Forensic Investigator

Ans : Security Platform Ops Engineer
