Index.dev
index.dev › interview-questions › blue-team-engineer
50+ Blue Team Engineer Interview Questions and Answers for Experienced Devs
Comprehensive guide covering advanced Blue Team security concepts, incident response, threat hunting, and defensive security engineering interview questions
Glassdoor
glassdoor.com › Interview › blue-team-interview-questions-SRCH_KO0,9.htm
Blue team Interview Questions | Glassdoor
11 "Blue team" interview questions. Learn about interview questions and interview process for 11 companies.
Discussions

Interview questions: red team thinking vs blue team thinking
It's not that you're thinking like an attacker, it's that you're looking for the sexy (but stupid) answer instead of the boring (but sensible) answer. Both blue team and red team would benefit from a script to banner grab for the SSL version -- red team would use it during recon to know what attacks to try, blue team would use it to know what patches to apply and how to monitor/mitigate systems that can't be patched.

If I'm running Wireshark to look for real-time exploitation of Heartbleed, that only helps if someone uses Heartbleed while I'm watching. If I look for five minutes, go "oh, I don't see any attacks happening" and close it, there's now 23 hours and 55 minutes that someone COULD be exploiting Heartbleed without my knowing. Also, in an enterprise there are multiple servers; you're going to want to check all of them. So you'd have to set up some long-term, enterprise-wide monitoring/event capture/alerting, which frankly I'm not sure Wireshark is the right tool for -- something like Security Onion would let you run full pcap + Bro + Snort. And that still is only going to tell you whether something is being exploited, not whether it could be.

A sexy but slightly more sensible answer (at least in my mind) would be "I would try to exploit Heartbleed on that server" -- but if you were doing that, I sure hope you'd check the version number first to make sure it's exploitable before trying to run said exploit, which brings us back to our banner grab script. (And if you do want to actively exploit each server, remember this is an enterprise setting and you may have 25, 50, 100 servers you're supposed to check. With hundreds of vulnerabilities you may be checking for, carefully proving each one by exploiting it is a terrible use of your time.)
r/AskNetsec
September 29, 2016
Security Analyst - Technical Questions Interview Advice
I'm a security engineer on the infrastructure/blue team side, but close enough I think? Some of the ones I've gotten are:

The main website for customers goes down unexpectedly. What do you do?
My answer was "First verify that nothing weird happened from a cybersecurity perspective, but otherwise I let the web admins/sysadmins handle it." Was told that was the correct answer, as they want someone that understands separation of duties.

Say you get hired. Do you need to be an admin to our VM, firewall, and other backend systems?
My answer was "No, only if I need to be an admin to perform typical duties within that system." Again, separation of duties, and ensuring they don't get a person that hoards admin rights.

Are you familiar with IT controls/frameworks, and if so, which ones?
This is going to be stuff like NIST-800-53B, ISO 27001, etc. Good to have a somewhat decent idea of what those entail.

You're woken up at 3am by helpdesk because someone has a message on their screen that looks like ransomware. What do you do?
Somewhat of a trick question. The answer is "I would follow the process as laid out by our incident response plan, but without knowing what that is, the first thing would be to confirm the incident before taking any actions." If they ask you what you would expect to see in an incident response plan you can go into it (i.e., isolate the machine while you assess damage), but this is one I get all the time because they want to make sure you don't make a premature knee-jerk reaction and shut everything down for a false positive.

How many times should a user fail a phishing test before action is taken?
My answer was basically: the first 1 or 2 times, the user is notified and maybe has to do online training. 3 or 4, I'm reaching out to the user directly to work with them 1 on 1. After that, it's HR/manager time. However, whatever policy/procedure we have in place surrounding this is what would be appropriate in terms of reprimanding a user. Made an emphasis that the goal isn't to fire skilled people that may be hard to replace but to instead educate, which seems to be met with appreciation.

Do all of our laptops and PCs need to be encrypted? What if they don't have any sensitive info?
My answer was "Yes, they should. It's an added layer of security that we can implement for no cost in an Active Directory environment. It's transparent to the user, and ensures that if something fell through the cracks of a DLP (data loss prevention) program, we would have that fall-back layer of security."

How would you explain what a DMZ is to normal users?
This one was a test to see how well I can explain complex technical things to non-technical users. Very important skill to master, because you're going to be dealing with executive teams that are not technical at all. I like to use analogies.
r/cybersecurity
June 14, 2021
What Technical Questions Should I Expect in a Cybersecurity Job Interview?
CIA triad explanations, difference between encryptions, principles of least privilege, how do firewalls work, what types of VPNs are there, how do they work, how do you prevent SQL injection, how do you handle a data breach, how does SSL/TLS work, what are hashing algorithms and their purposes, how do you secure data in the cloud, how do you harden an OS, what's the point of EDRs, types of cybersec frameworks, how do you handle certain compromised user accounts...
r/CyberSecurityJobs
October 8, 2024
Any advice about Red Team role interview? Common questions?
There are a few broad areas I discuss during interviews:

Offensive Active Directory
Be able to talk about common Active Directory attacks, how they work, and how to mitigate them. For example: Kerberoasting, Silver/Golden Ticket attacks, and (Un)constrained delegation.

EDR Evasion Techniques
Process Injection, what is execute-assembly, API hooking, AMSI bypasses

Command and Control
OPSEC considerations when running C2, Domain Fronting, C2 protocols, domain reputation

Persistence Techniques
RunOnce regkeys, modifying existing scheduled tasks, hijacking services

Lateral Movement
Named pipes, WMI, PowerShell Remoting, remotely scheduling tasks

Ultimately, just walking through the various steps of a red team operation and having an open discussion about the techniques, procedures, and how they work under the hood. Also, I like to ask about any outside-of-work projects like home labbing, CTFs, etc.
r/redteamsec
July 27, 2021
CLIMB
climbtheladder.com › blue-team-interview-questions
20 Blue Team Interview Questions and Answers - CLIMB
July 16, 2025 - What is the team dynamic like? What is the company’s approach to work/life balance? Finally, it’s always a good idea to ask questions that will help you get to know the candidate on a personal level. What are their interests and hobbies? What motivates them? There are a few different certifications that could be beneficial for someone working as part of a Blue Team.
LinkedIn
linkedin.com › posts › daily-blueteam_soc-analyst-interview-questions-and-answers-activity-7163758835457802240--W3i
Daily BLUETeam on LinkedIn: SOC Analyst Interview Questions and Answers
February 15, 2024 - The correct answer to our last quiz question is: SOC as a service offers continuous monitoring and enables rapid response to cybersecurity threats, enhancing your digital defense.
Security Blue Team
securityblue.team › courses › cybersecurity-interview-preparation
Defensive Cybersecurity Certifications | Security Blue Team
2 weeks ago - Blue Team Labs Online Our gamified blue team training platform. New challenges biweekly. ... Prepare for cybersecurity interviews (or just test your knowledge!) with our free quiz-based course!
Interviews Chat
interviews.chat › questions › blue-team-security-engineer
Top 10 Blue Team Security Engineer Interview Questions and Answers
February 19, 2026 - After eradication, recovery is the priority. We'd restore the database server from a known good backup, ideally one taken before the compromise. I'd then work with the operations team to bring the server back online in a controlled manner, carefully monitoring for any signs of re-compromise.
Udemy
udemy.com › it & software
SOC Analyst Interview MCQs – Blue Team L1/L2 Job Prep 2026
March 24, 2026 - Are you preparing for a SOC Analyst (Blue Team) interview? This course is designed to help you master SOC Analyst L1/L2 interview questions through real-world multiple-choice questions (MCQs) based on actual interview patterns and job scenarios. You’ll get 150+ carefully crafted questions that test your knowledge across the most important SOC domains: SOC Fundamentals & Core Concepts – Learn SOC roles, responsibilities, alert handling, and escalation.
Reddit
reddit.com › r/cybersecurity › blue team interview prep
r/cybersecurity on Reddit: Blue Team Interview Prep
June 23, 2024 - Blue Team Level 1 (BTL1). What did you enjoy about this certification? · What were some of the best interview questions you were asked in an interview? · Typical day as a malware analyst
Reddit
reddit.com › r/asknetsec › interview questions: red team thinking vs blue team thinking
r/AskNetsec on Reddit: Interview questions: red team thinking vs blue team thinking
September 29, 2016 -

Going through some interviews for jobs and I keep applying the wrong way of thinking to certain questions? Anyone experience this and how have you dealt with this?

e.g. How would you detect if someone is affected by Heartbleed? I kept thinking as an attacker and using Wireshark to capture real time exploitation of Heartbleed. The correct answer would be to write a simple script to banner grab for the SSL version.

Top answer
1 of 4
6
2 of 4
4
You really just need to stop thinking in terms of exploits/PoCs. Let's say you're an administrator who wants to find out if a Windows box is vulnerable to a specific CVE. The steps would be:

1. Find the patch number for the CVE fix.
2. Check the box to see if that patch is installed.

Blue team is a defensive and generally non-disruptive mindset. You're trying to prevent attacks/exploits before they happen rather than test attacks, and generally this is done by keeping up with software and firmware updates, which makes checking versions for known exploits a higher priority than actually executing said exploit.
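The version-check triage that both replies in this thread (and the Discussions snippet above) recommend over live exploitation, as an added example written for this page; it is not code from either Reddit poster. It classifies hosts by the upstream OpenSSL version advertised in an HTTP Server: header, using the published affected range for CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 fixed it, and 1.0.0 and 0.9.8 never contained the heartbeat code. The host names and banners are constructed; grab_server_header is the live network helper and is not called by the sample run.

```python
"""Heartbleed (CVE-2014-0160) triage by advertised OpenSSL version.

Added example for this page; not code from the thread. Classifies by the
upstream version string only, which is a triage step, not proof either way.
"""
import re
import socket
import ssl
from typing import Dict, Optional, Tuple

# Matches the OpenSSL token in an HTTP Server: header, e.g.
# "Apache/2.2.22 (Debian) OpenSSL/1.0.1e": major.minor.patch, patch
# letter(s), and an optional -betaN suffix.
OPENSSL_RE = re.compile(
    r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)

LIKELY_VULNERABLE = "likely-vulnerable"
FIXED = "fixed"
NOT_AFFECTED = "not-affected"
UNKNOWN = "unknown"


def classify_openssl(banner: str) -> str:
    """Map a banner to a Heartbleed verdict.

    Affected:     OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1.
    Fixed:        1.0.1g and later, 1.0.2-beta2 and later.
    Not affected: 1.0.0 and 0.9.8 (no TLS heartbeat code at all).
    """
    m = OPENSSL_RE.search(banner)
    if not m:
        return UNKNOWN
    version = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4).lower()
    beta = m.group(5)
    if version < (1, 0, 1):
        return NOT_AFFECTED
    if version == (1, 0, 1):
        # "" (1.0.1 itself) and "a".."f" sort below "g".
        return LIKELY_VULNERABLE if letter < "g" else FIXED
    if version == (1, 0, 2):
        return LIKELY_VULNERABLE if beta == "1" else FIXED
    return FIXED


def triage(inventory: Dict[str, Optional[str]]) -> Dict[str, Tuple[Optional[str], str]]:
    """Run classify_openssl over a {host: banner-or-None} inventory."""
    return {host: (banner, classify_openssl(banner or ""))
            for host, banner in inventory.items()}


def grab_server_header(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Live banner grab: TLS handshake, HEAD /, return the Server: header value.

    Certificate verification is off on purpose: an inventory sweep has to
    reach hosts with self-signed or expired certificates as well.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            response = b""
            while b"\r\n\r\n" not in response:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                response += chunk
    for line in response.decode("latin-1").split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample inventory (hypothetical hosts and banners, not real data).
SAMPLE_BANNERS: Dict[str, Optional[str]] = {
    "web1.example.test": "Apache/2.2.22 (Debian) OpenSSL/1.0.1e",
    "web2.example.test": "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1g",
    "web3.example.test": "nginx/1.4.6",                  # version hidden
    "web4.example.test": "Apache/2.2.15 (CentOS) OpenSSL/1.0.0-fips",
    "web5.example.test": "Apache/2.4.9 OpenSSL/1.0.2-beta1",
    "web6.example.test": None,                           # no Server: header
}

if __name__ == "__main__":
    for host, (banner, verdict) in triage(SAMPLE_BANNERS).items():
        print(f"{host:20} {verdict:18} {banner or '-'}")
```

Two caveats a practitioner would attach to the output. "likely-vulnerable" is a triage verdict, not a finding: Debian, Ubuntu and Red Hat all backported the fix without bumping the upstream version string, so a 1.0.1e banner on a patched host is a false positive until the package manager says otherwise (for example `dpkg -s libssl1.0.0` or `rpm -q --changelog openssl | grep CVE-2014-0160`). "unknown" usually means the server hides its version (Apache ServerTokens, nginx server_tokens), and the same package query is the next step. And, as the reply says, this tells you what could be exploited; the Security Onion / IDS setup tells you what is being exploited, and an enterprise wants both.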
Glassdoor
glassdoor.com › Interview › blue-team-analyst-interview-questions-SRCH_KO0,17.htm
Blue team analyst Interview Questions | Glassdoor
11 "Blue team analyst" interview questions. Learn about interview questions and interview process for 11 companies.
GitHub
github.com › pbnj › infosec-interview-questions
GitHub - pbnj/infosec-interview-questions: 🗒️ A [work-in-progress] collection for interview questions for Information Security roles
A collection for interview questions for Information Security roles · Application Security · Architect · Blue Team · Encryption · Forensics · General · Incidence Response · Networking · Red Team · Vulnerability Management · Where Credit is Due · If you had to both encrypt and compress data during transmission, which would you do first, and why?
Starred by 138 users
Forked by 27 users
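The last question quoted from that list (encrypt or compress first, and why?) worked through as an added example; the repository only poses the question, and the code and answer here are the editor's, not the repository's. The standard answer is compress first, because ciphertext is indistinguishable from random bytes and will not compress, and the follow-up a strong candidate gives is that compressing attacker-influenced data next to a secret leaks the secret through the ciphertext length, which is the mechanism behind the CRIME and BREACH attacks on TLS and HTTP compression. The stream cipher is a toy HMAC-SHA256 counter-mode keystream so the example runs on the standard library alone; the request, key and cookie value are constructed.

```python
"""Compress-then-encrypt vs encrypt-then-compress, and the length leak.

Added example; the cipher is a toy and not for production use.
"""
import hashlib
import hmac
import zlib
from typing import Dict


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)
    blocks. Deterministic, so the same call decrypts. Illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wire_sizes(plaintext: bytes, key: bytes, nonce: bytes) -> Dict[str, int]:
    """Bytes on the wire for each ordering of the two operations.

    compress-then-encrypt keeps the redundancy available to DEFLATE;
    encrypt-then-compress feeds DEFLATE pseudorandom input, which it
    can only store verbatim plus framing overhead.
    """
    compress_then_encrypt = keystream_xor(key, nonce, zlib.compress(plaintext, 9))
    encrypt_then_compress = zlib.compress(keystream_xor(key, nonce, plaintext), 9)
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def compressed_request_length(secret_cookie: bytes, attacker_guess: bytes) -> int:
    """Length oracle behind CRIME/BREACH.

    The attacker controls part of a request (here the query string) that is
    compressed together with a secret (the cookie) before encryption. The
    cipher hides the bytes but not the length, and DEFLATE emits a shorter
    output when the guess repeats part of the secret, so the attacker can
    confirm guesses from ciphertext sizes alone.
    """
    request = (b"GET /search?q=" + attacker_guess + b" HTTP/1.1\r\n"
               b"Host: shop.example.test\r\n"
               b"Cookie: " + secret_cookie + b"\r\n\r\n")
    return len(zlib.compress(request, 9))


# Constructed inputs for the sample run.
KEY = bytes(range(32))
NONCE = b"\x00" * 8
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: shop.example.test\r\n\r\n" * 40
SECRET = b"sessionid=7f3a9c2e1b"

if __name__ == "__main__":
    print(wire_sizes(PLAINTEXT, KEY, NONCE))
    for guess in (SECRET, b"sessionid=0d4e8b6c5a"):
        print(guess.decode(), compressed_request_length(SECRET, guess))
```

The second half is why "compress first" is only half an answer: once the attacker can put chosen bytes in the same compression context as a secret, the length difference between a right and a wrong guess is observable through any cipher, which is why TLS compression was removed and why HTTP response compression should be disabled or padded on pages that reflect user input next to CSRF tokens or session identifiers. Real attacks recover the secret a byte at a time and use extra tricks to break ties in the Huffman coding; the function above only shows the underlying oracle.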
Indeed
indeed.com › companies › blue team restoration
Blue Team Restoration Interview Questions & Answers | Indeed.com
Prepare yourself for your interview at Blue Team Restoration by browsing Interview questions and processes from real candidates.
Interviewquestionspdf
interviewquestionspdf.com › 2023 › 12 › 24-blue-team-interview-questions-and.html
24 Blue Team Interview Questions and Answers
December 2, 2023 - Whether you're an experienced professional or a fresher looking to break into the cybersecurity field, understanding common questions and having well-prepared answers can significantly boost your chances of success in a Blue Team interview. In this article, we'll cover a range of questions ...
Glassdoor
glassdoor.com › Interview › extreme-blue-team-leader-interview-questions-SRCH_KO0,24.htm
Extreme blue team leader Interview Questions | Glassdoor
1 "extreme blue team leader" interview questions. Learn about interview questions and interview process for 1 companies.
Zero To Mastery
zerotomastery.io › blog › cyber-security-interview-questions
Cyber Security Analyst Interview Prep: Questions + Answers | Zero To Mastery
Knowing the difference between red, blue, and purple teaming shows that you’re thinking beyond isolated tools and alerts. You’re thinking in terms of long-term, structured resilience. So there you have it - 21 of the most common cyber security analyst interview questions and answers you’re ...
Glassdoor
glassdoor.com › Interview › team-blue-Interview-Questions-E4686323.htm
team.blue Interview Experience & Questions (2026) | Glassdoor
team.blue interview details: 16 interview questions and 20 interview reviews posted anonymously by team.blue interview candidates.
Indeed
indeed.com › companies › blue team restoration
Questions and Answers about Blue Team Restoration | Indeed.com
Find 56 questions and answers about working at Blue Team Restoration. Learn about the interview process, employee benefits, company culture and more on Indeed.
GitHub
github.com › HadessCS › Red-team-Interview-Questions
GitHub - HadessCS/Red-team-Interview-Questions: Red team Interview Questions · GitHub
Red team Interview Questions. Contribute to HadessCS/Red-team-Interview-Questions development by creating an account on GitHub.
Starred by 759 users
Forked by 95 users