← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 10 · Cyberspace Tech Solutions Cybersecurity Curriculum

Security Operations & Threat Intelligence

~60 minutes of structured interview prep, MCQs, and hands-on simulations covering SOC fundamentals, threat intelligence lifecycle, and advanced detection techniques.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Understand the structure and functions of a Security Operations Center (SOC)
  • Utilize threat intelligence to predict and prevent cyber threats
  • Conduct proactive threat hunting using SIEM and EDR tools

Topics Covered

#TopicTimeType
1SOC Structure, SIEM, SOAR, EDR10 minReading
2Threat Intelligence Lifecycle & MITRE ATT&CK5 minReading
3Interview Questions & Answers (20)20 minQ&A
4MCQ Quiz (25 questions)15 minQuiz
5Alert Triage Simulator4 minSimulation
6MITRE ATT&CK Tactic Mapper3 minSimulation
7Threat Intel Classification3 minSimulation
8SOC Tier Router3 minSimulation
💡 Tip: SOC/SecOps roles are among the most in-demand in cybersecurity. MITRE ATT&CK knowledge and SIEM experience are top interview differentiators.
Core Concepts · ~15 min

SOC, Threat Intel & Detection

Essential theory before tackling interview questions.

SOC Structure — Three Tiers

TierRoleActivitiesTools
Tier 1Alert Analyst / TriageMonitor SIEM dashboards, initial alert triage, create/close tickets, escalateSIEM, Ticketing (Jira/ServiceNow)
Tier 2Incident ResponderDeep investigation, timeline building, context correlation, malware analysisEDR, SIEM, Sandbox, Threat Intel
Tier 3Threat Hunter / Senior IRProactive threat hunting, TTP-based detection, tool tuning, red team engagementVelociraptor, YARA, ATT&CK, osquery
SOC also includes roles like SOC Manager (operations/KPIs), Threat Intelligence Analyst (feeds, IOCs), and Incident Commander (P1 coordination). Large SOCs run 24×7 follow-the-sun shifts.

SIEM, SOAR & EDR

ToolFull NameWhat it doesExamples
SIEMSecurity Information & Event ManagementCollects logs from all sources, correlates events, fires alerts, enables investigationSplunk, Microsoft Sentinel, IBM QRadar, Elastic
SOARSecurity Orchestration, Automation & ResponseAutomates repetitive tasks via playbooks; integrates tools; auto-contains threatsPalo Alto XSOAR, Splunk SOAR, Microsoft Sentinel
EDREndpoint Detection & ResponseMonitors endpoints in real time, detects threats, enables threat hunting & rollbackCrowdStrike Falcon, Microsoft Defender XDR, SentinelOne
⚠️ Key difference: SIEM collects and alerts. SOAR acts and automates. EDR protects endpoints. SIEM + SOAR + EDR together form the modern detection & response stack.

Threat Intelligence Types

Strategic

High-level, long-term trends for executives. "Nation-state actors are increasing attacks on healthcare." Audience: CISO, Board.

Operational

Upcoming specific campaigns or actor intentions. "APT29 planning spear phishing campaign next month." Audience: SOC Manager, IR.

Tactical

TTPs — how adversaries operate. "Uses PowerShell with -EncodedCommand for execution." Audience: Tier 2/3 analysts.

Technical

Machine-readable IOCs: IP addresses, domains, file hashes, URLs. Used to feed SIEM/EDR blocklists. Audience: Tier 1.

Threat Intelligence Lifecycle

📋
Planning
Define requirements
🔎
Collection
OSINT, feeds, HUMINT
⚙️
Processing
Normalize, parse
🧠
Analysis
Context, attribution
📢
Dissemination
Reports, feeds
🔄
Feedback
Refine requirements

MITRE ATT&CK Framework — 14 Tactics

TacticDescriptionExample Technique
ReconnaissanceGathering info before attackActive scanning, OSINT
Resource DevelopmentEstablishing attack resourcesCreate accounts, buy infrastructure
Initial AccessGetting a footholdPhishing, exploit public-facing app
ExecutionRunning malicious codePowerShell, WMI, scheduled task
PersistenceMaintaining accessRegistry run key, scheduled task, startup
Privilege EscalationGetting higher permissionsToken impersonation, exploit local vuln
Defense EvasionAvoiding detectionDisable AV, obfuscation, process injection
Credential AccessStealing credentialsMimikatz/LSASS dump, keylogging
DiscoveryUnderstanding the environmentNetwork scan, account enumeration
Lateral MovementMoving through the networkPass-the-hash, PSExec, RDP
CollectionGathering data of interestScreen capture, clipboard data, file staging
Command & ControlCommunicating with implantsHTTP/DNS beaconing, C2 frameworks
ExfiltrationStealing dataFTP, DNS tunneling, cloud storage
ImpactDisrupting/destroying assetsRansomware, data destruction, DDoS

Key SOC Metrics

MetricDefinitionTarget
MTTD — Mean Time to DetectAverage time from breach to detection< 24 hours (industry avg was 194 days)
MTTR — Mean Time to RespondAverage time from detection to containment< 1 hour for P1 incidents
False Positive Rate% of alerts that are not real threats< 10% (high FP = alert fatigue)
Alert VolumeTotal alerts per day handled by SOCDepends on org size; tune to manageable
🎯 Interview Angle: Know the SOC tiers, SIEM vs SOAR distinction, IOC vs IOA, MITRE ATT&CK tactic names, and what threat hunting means. These come up in virtually every SOC/analyst interview.
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click any question to reveal the model answer.

1What is a SOC and what are its main functions?Easy
A Security Operations Center (SOC) is a centralized team and facility responsible for monitoring, detecting, analyzing, and responding to cybersecurity threats 24×7. Its main functions:
  • Continuous monitoring: Monitor network, endpoint, cloud, and application logs for threats.
  • Alert triage: Classify alerts as true/false positive, prioritize by severity.
  • Incident response: Contain, eradicate, and recover from security incidents.
  • Threat hunting: Proactively search for hidden threats not caught by automated tools.
  • Threat intelligence: Consume and apply threat intel to improve detection.
  • Reporting & metrics: Track MTTD, MTTR, SLA compliance, risk posture.
💡 A SOC is not just a tool — it's a combination of people (analysts), processes (playbooks), and technology (SIEM, EDR, SOAR). Interviewers love the "People, Process, Technology" framework.
2What are the three tiers of a SOC and what does each do?Easy
  • Tier 1 — Alert Analyst: First line of defence. Monitors SIEM dashboards, performs initial triage, creates tickets, closes confirmed false positives, escalates real threats to Tier 2. Handles high volume, routine alerts.
  • Tier 2 — Incident Responder: Deeper investigation of escalated alerts. Builds attack timelines, performs malware analysis, correlates multiple events, contains and remediates incidents.
  • Tier 3 — Threat Hunter / Senior Analyst: Proactive threat hunting using hypotheses based on ATT&CK TTPs. Tunes detection rules, develops custom YARA/Sigma rules, leads major IR engagements, mentors Tier 1/2.
💡 In small organizations, one analyst may cover all tiers. In large orgs, Tier 3 may be a dedicated threat hunting team separate from the reactive SOC.
3What is SIEM? Name two major SIEM platforms.Easy
SIEM (Security Information and Event Management) is a platform that:
  • Collects and aggregates log data from across the environment (firewalls, endpoints, cloud, apps)
  • Normalizes data into a common format
  • Correlates events using rules to identify threat patterns
  • Generates alerts for analyst investigation
  • Provides dashboards, reporting, and long-term log storage for forensics
Two major platforms: Splunk (market leader, powerful SPL query language) and Microsoft Sentinel (cloud-native, deep Azure/M365 integration, KQL query language).
💡 Others: IBM QRadar, Elastic SIEM, Exabeam, LogRhythm. If interviewing at a Microsoft-heavy org, Sentinel knowledge is highly valued.
4What is SOAR and how does it differ from SIEM?Medium
SIEMSOAR
PurposeCollect, correlate, alertAutomate, orchestrate, respond
ActionPassive — generates alertsActive — executes playbooks
Human roleAnalysts must investigate & actAutomates Tier 1 tasks, reduces alert fatigue
Example actionAlert: "Suspicious login from new country"Auto-block IP, disable account, notify analyst
💡 Many modern platforms combine both — Microsoft Sentinel has SOAR playbook capabilities built in. Standalone SOAR: Palo Alto XSOAR, Swimlane.
5What is threat intelligence and why is it important?Easy
Threat intelligence is evidence-based knowledge about existing or emerging threats — including context, mechanisms, indicators, implications, and actionable advice — that helps organizations make informed security decisions.

Why it matters:
  • Shifts security from reactive to proactive — know before you're hit.
  • Enables faster detection by feeding IOCs into SIEM/EDR blocklists.
  • Helps prioritize patching based on active exploitation in the wild.
  • Informs security strategy at the executive level (strategic intel).
  • Supports incident response — knowing the attacker's TTPs speeds investigation.
6Explain the threat intelligence lifecycle.Medium
The threat intelligence lifecycle is a continuous process:
  1. Planning & Direction: Define intelligence requirements — what do we need to know and why?
  2. Collection: Gather raw data from open sources (OSINT), commercial feeds, dark web, ISACs, honeypots, internal telemetry.
  3. Processing: Normalize, translate, and structure raw data into usable format (e.g., STIX format).
  4. Analysis: Add context, correlate, attribute to threat actors, assess confidence and relevance.
  5. Dissemination: Distribute finished intelligence to stakeholders in the right format (executive report, tactical feed, IOC blocklist).
  6. Feedback: Stakeholders provide feedback to refine future collection requirements.
💡 The cycle repeats continuously. Intelligence without action is just data. The key is making intel actionable and getting it to the right people at the right time.
7What is the MITRE ATT&CK framework?Medium
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
  • Tactics: The adversary's goal (the "why") — 14 tactics from Reconnaissance to Impact.
  • Techniques: How the adversary achieves a tactic (the "how") — hundreds of techniques.
  • Sub-techniques: More specific implementations of techniques.
  • Procedures: Specific implementations used by known threat groups.
Uses in a SOC: Detection rule development, threat hunting hypothesis generation, coverage gap analysis (ATT&CK Navigator), red team planning, incident investigation.
💡 ATT&CK replaces the older Lockheed Martin Cyber Kill Chain for technique-level detail. They complement each other — Kill Chain for high-level phases, ATT&CK for specific techniques.
8What is the difference between an IOC and an IOA?Medium
  • IOC (Indicator of Compromise): Forensic evidence that a compromise has already occurred. Reactive. Examples: known malicious IP, file hash of malware, suspicious domain, compromised email address. Problem: attackers easily change IOCs (they're perishable).
  • IOA (Indicator of Attack): Evidence of attacker behavior/intent in progress, regardless of the specific IOC. Proactive. Examples: PowerShell spawning from Word, process injecting into lsass.exe, lateral movement via SMB. Based on TTPs which are harder to change.
💡 Modern EDR tools (CrowdStrike) focus heavily on IOAs because TTPs are durable — an attacker can change their C2 IP (IOC) but can't easily change how they achieve lateral movement (IOA).
9What is threat hunting and how is it different from traditional detection?Hard
  • Traditional detection: Reactive. SIEM rules fire alerts when known bad patterns match. Relies on signatures, rules, IOCs. Cannot detect unknown/novel threats.
  • Threat hunting: Proactive. Analysts assume attackers are already in the environment and actively search for evidence of compromise without waiting for an alert. Hypothesis-driven.
Hunting process:
  1. Form a hypothesis (e.g., "An APT may be using living-off-the-land techniques")
  2. Collect and query relevant data (Sysmon logs, PowerShell logs, network flows)
  3. Analyse for anomalies matching the hypothesis
  4. If found, escalate to IR; if not, document as evidence of coverage
  5. Create detection rules from hunt findings to automate future detection
💡 Tools: Velociraptor, osquery, Sysmon, Elastic (for data query). Hunting converts reactive SOC knowledge into proactive detection rules, raising the overall security posture.
10What is STIX/TAXII?Hard
  • STIX (Structured Threat Information eXpression): A standardized language for describing cyber threat intelligence in a structured, machine-readable JSON format. Describes: threat actors, campaigns, malware, TTPs, IOCs, vulnerabilities, courses of action.
  • TAXII (Trusted Automated eXchange of Intelligence Information): The transport protocol for sharing STIX content between organizations and threat intel platforms. Defines how to query and push threat intelligence feeds.
Together, STIX/TAXII enable automated, standardized threat intel sharing between organizations, ISACs (Information Sharing and Analysis Centers), government agencies, and security tools.
💡 Example: MITRE ATT&CK is published in STIX format. MISP (Malware Information Sharing Platform) uses STIX/TAXII for community threat sharing.
11What is EDR and how does it differ from traditional antivirus?Medium
Traditional AVEDR
DetectionSignature-based onlyBehavioural + signatures + ML
VisibilityFile-level scanningFull process tree, network, registry, memory
ResponseQuarantine fileIsolate host, kill process, rollback, hunt
HuntingNoYes — query telemetry across all endpoints
Unknown threatsBlind to zero-daysDetects anomalous behavior (IOAs)
💡 EDR examples: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne. XDR (eXtended Detection & Response) extends EDR across network, email, and cloud.
12What are the key metrics in a SOC — MTTD and MTTR?Easy
  • MTTD (Mean Time to Detect): Average time between a breach occurring and the SOC detecting it. The 2024 IBM Cost of a Data Breach report shows the industry average was 194 days. Lower is better. Improved by better detection rules, more data sources, threat hunting.
  • MTTR (Mean Time to Respond): Average time from detection to full containment and recovery. High-severity incidents (P1) should target under 1–4 hours. Improved by automation (SOAR), clear playbooks, well-practised IR.
Other key metrics: False positive rate, alert volume per analyst, SLA adherence, mean time to escalate.
13What is a YARA rule and how is it used?Hard
YARA is a pattern-matching tool used to identify and classify malware samples based on textual or binary patterns within files or memory.

A YARA rule consists of:
  • Meta: Descriptive info (author, date, description)
  • Strings: Patterns to match (hex, text, regex)
  • Condition: Boolean logic combining strings
Uses: Malware hunting in memory dumps, scanning file systems for known malware families, EDR detection signatures, threat hunting (Velociraptor uses YARA extensively), incident response triage.
💡 Example: A YARA rule for WannaCry matches specific hex byte sequences found in the ransomware binary. VirusTotal uses YARA rules for community malware detection.
14What is Sysmon and what does it log?Medium
Sysmon (System Monitor) is a free Windows system service from Microsoft Sysinternals that logs detailed system activity to the Windows Event Log, providing rich telemetry for threat detection and forensics.

Key Sysmon Event IDs:
  • Event ID 1: Process creation (includes full command line, parent process, hashes)
  • Event ID 3: Network connections (process making outbound connections)
  • Event ID 7: Image/DLL loaded (detect DLL hijacking)
  • Event ID 8: CreateRemoteThread (detect process injection)
  • Event ID 10: Process access (detect LSASS dumping)
  • Event ID 11: File creation
  • Event ID 12/13: Registry modifications
💡 Sysmon logs are fed into SIEM. SwiftOnSecurity's Sysmon config is the community standard baseline. Essential for any organization serious about detection.
15How do you reduce false positives in a SIEM?Hard
False positive reduction is critical — alert fatigue causes analysts to miss real threats. Approaches:
  • Baseline normal behavior: Understand what "normal" looks like (UEBA) before tuning alerts.
  • Allowlist known-good: Exclude trusted processes, admin IPs, scheduled tasks from triggering certain rules.
  • Add context to rules: Instead of "any PowerShell execution", alert on "PowerShell with -EncodedCommand spawned from Word/Excel".
  • Risk scoring: Use risk-based alerting — only alert when multiple lower-confidence signals combine (e.g., unusual location + new device + sensitive data access).
  • Tune continuously: After every false positive, update the rule. Track FP rate per rule.
  • Enrich alerts: Add threat intel context to automatically score severity.
💡 "Alert fatigue is the #1 reason SOC analysts burn out and miss real incidents." — a key talking point in SOC management interviews.
16What is the Cyber Kill Chain and how does it relate to MITRE ATT&CK?Medium
The Cyber Kill Chain (Lockheed Martin, 2011) models a cyberattack as a linear sequence of 7 phases:
  1. Reconnaissance → 2. Weaponization → 3. Delivery → 4. Exploitation → 5. Installation → 6. Command & Control → 7. Actions on Objectives
Relationship to ATT&CK:
  • Kill Chain is high-level, linear, phase-based — good for understanding the attack narrative.
  • MITRE ATT&CK is detailed, non-linear, technique-based — better for detection engineering and threat hunting.
  • They are complementary: Kill Chain gives the story, ATT&CK gives the technical depth.
  • Defenders use both: Kill Chain to understand where to break the chain; ATT&CK to detect specific techniques at each phase.
17What is lateral movement and how do you detect it?Hard
Lateral movement is when an attacker uses compromised credentials or exploits to move from one system to another within the network after initial access, expanding their foothold toward high-value targets.

Common techniques:
  • Pass-the-Hash / Pass-the-Ticket (using credential hashes/Kerberos tickets)
  • PSExec / WMI / RDP to remote systems
  • Remote service creation
  • SMB/admin share access
Detection:
  • Alert on unusual admin tool usage (PSExec, WMI) from non-admin machines
  • Detect accounts authenticating to many systems in a short time window
  • Watch for SMB connections to C$ / ADMIN$ shares
  • Detect Kerberos ticket anomalies (Kerbeasting, Golden Ticket)
  • Sysmon Event ID 3 (unusual network connections from workstations)
18What is a playbook/runbook in a SOC?Easy
A playbook (or runbook) is a documented, step-by-step procedure that guides SOC analysts through the response to a specific type of security incident.
  • Ensures consistent, repeatable response regardless of which analyst handles the incident
  • Reduces response time by eliminating decision paralysis under pressure
  • Supports compliance and audit trails
Example playbook: Ransomware Response
  1. Isolate affected systems from the network immediately
  2. Identify ransomware variant (ID Ransomware tool)
  3. Notify SOC Manager and CISO
  4. Preserve memory and disk images for forensics
  5. Notify law enforcement and legal
  6. Restore from clean backups
  7. Post-incident review and policy update
💡 SOAR platforms execute digital versions of playbooks automatically — e.g., when a phishing alert fires, SOAR auto-extracts URLs, checks VirusTotal, blocks the domain, and notifies the user.
19What is VirusTotal and how is it used in threat intelligence?Easy
VirusTotal is a free online service owned by Google/Alphabet that analyzes suspicious files, URLs, IP addresses, and domains using 70+ antivirus engines and security tools, providing a community-based threat intelligence platform.

SOC use cases:
  • Submit a suspicious file hash from an alert — see if any AV vendor detects it as malicious
  • Check if a URL or domain is known malicious
  • Investigate IP addresses associated with C2 beaconing
  • View behavioral analysis (sandbox results) for unknown files
  • Use VirusTotal Intelligence (paid) to hunt for similar malware samples
⚠️ Caution: Never upload sensitive internal files or proprietary code to VirusTotal — uploaded files are shared with security vendors. Use file hashes instead of full files for sensitive samples.
20What is the difference between a managed SOC and an in-house SOC?Medium
In-House SOCManaged SOC (MSSP/MDR)
OwnershipBuilt and run by the organizationOutsourced to a security vendor
CostHigh upfront (people, tools, infrastructure)Subscription-based, lower capex
ControlFull control over tools and processesLimited customization
ExpertiseBuild your own team — hard to hireInstant access to specialists
ContextDeep knowledge of internal environmentRequires onboarding period
Best forLarge enterprises, regulated industriesSMBs, organizations without security team
💡 Hybrid model is common: in-house Tier 1/2 with a managed Tier 3 or threat intel provider. MDR (Managed Detection & Response) is an evolution of MSSP with active response capabilities.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Select an answer then click Check. Explanations shown after submission.

Progress:
0 / 25
Simulation 1 · ~4 min

Alert Triage Simulator

You are a Tier 1 SOC analyst. Classify each SIEM alert as True Positive, False Positive, or Needs Investigation.

Score: 0 / 5
Simulation 2 · ~3 min

MITRE ATT&CK Tactic Mapper

Match each attacker action to the correct MITRE ATT&CK tactic using the dropdown.

Simulation 3 · ~3 min

Threat Intel Classification

Classify each piece of intelligence as Strategic, Operational, Tactical, or Technical.

Simulation 4 · ~3 min

SOC Tier Router

Route each incident scenario to the correct SOC tier that should handle it.

🎉

Module Complete!

You've completed Module 10: Security Operations & Threat Intelligence.