All language subtitles for 2. Advanced Scenerio Based QuestionsAnswers

Would you like to inspect the original subtitles? These are the user-uploaded subtitles that are being translated:

1
00:00:00,740 --> 00:00:01,700
Hello everyone.

2
00:00:01,700 --> 00:00:06,500
In this lecture we will discuss advanced scenario-based interview questions.

3
00:00:06,830 --> 00:00:08,900
So why is this advanced?

4
00:00:09,200 --> 00:00:17,660
This is because in this interview, they totally check your investigation part, from your investigation part

5
00:00:17,660 --> 00:00:20,090
to your skills, each and everything.

6
00:00:20,090 --> 00:00:24,200
And they will get to know whether you have worked on it or not.

7
00:00:24,200 --> 00:00:30,080
So let me start. I will give you some examples, but before that, let me show you what exactly

8
00:00:30,080 --> 00:00:33,800
the scenario is for this particular lecture.

9
00:00:34,160 --> 00:00:41,780
So the interviewer will give you a scenario and in between they will stop you and they will change

10
00:00:41,780 --> 00:00:42,680
the scenario.

11
00:00:44,470 --> 00:00:51,040
The interviewer will try to check your skill and he will get to know whether you have worked earlier on

12
00:00:51,040 --> 00:00:52,180
it or not.

13
00:00:53,450 --> 00:00:56,960
For this type of question, you should have proper knowledge, definitely.

14
00:00:57,230 --> 00:01:01,610
And then only you can answer these types of questions.

15
00:01:02,720 --> 00:01:09,800
And for example, we have taken maybe, I think, four questions just to show you, just as a demo,

16
00:01:09,830 --> 00:01:12,920
how they can actually ask this type of question.

17
00:01:14,940 --> 00:01:17,030
Let me start with the number one question.

18
00:01:17,040 --> 00:01:22,350
So let's say I'm the interviewer and you are one of the candidates.

19
00:01:23,220 --> 00:01:30,750
So you received a phishing email in your organization; then how will you investigate manually?

20
00:01:31,650 --> 00:01:33,190
Now what will be your answer?

21
00:01:33,210 --> 00:01:35,220
Definitely you will.

22
00:01:35,250 --> 00:01:37,800
You will have to elaborate this answer.

23
00:01:38,490 --> 00:01:43,890
You will say you will do URL analysis, domain analysis, attachments, right.

24
00:01:43,890 --> 00:01:48,180
And you will check whether the email is spoofed or not.

25
00:01:48,210 --> 00:01:51,390
You will check the sender domain, these kinds of things.

26
00:01:51,390 --> 00:01:54,000
You will check whether it's malicious or not.

27
00:01:54,330 --> 00:01:54,900
Right.

28
00:01:55,950 --> 00:02:01,590
And once you have said all these investigations, you have said all these steps, they will interrupt

29
00:02:01,590 --> 00:02:02,070
you.

30
00:02:02,460 --> 00:02:03,240
This is the what?

31
00:02:03,240 --> 00:02:05,520
The barrier question now.

32
00:02:05,700 --> 00:02:06,960
The interviewer is stopping you.

33
00:02:06,960 --> 00:02:07,650
Definitely.

34
00:02:07,650 --> 00:02:09,420
Now the scenario has changed, guys.

35
00:02:10,650 --> 00:02:14,010
So let's say everything is clean.

36
00:02:14,010 --> 00:02:19,560
Even the URL, even the attachments, even the email is not spoofed.

37
00:02:19,590 --> 00:02:26,610
The sender domain is also, you know, showing perfectly clean now, but still the email is a

38
00:02:26,610 --> 00:02:30,960
phishing one. Now the question is, how will you confirm it?

39
00:02:31,860 --> 00:02:33,240
So here is the answer.

40
00:02:34,420 --> 00:02:38,440
See, it might happen, guys, that the URL and attachment,

41
00:02:38,440 --> 00:02:39,820
everything is clean.

42
00:02:40,240 --> 00:02:45,430
But somehow that URL is redirecting to some other pages.

43
00:02:45,430 --> 00:02:46,030
Right.

44
00:02:46,390 --> 00:02:52,570
And it might happen that that URL is asking for the...

45
00:02:54,090 --> 00:02:58,590
Sending you on to one of the pages in which they are asking for the credential.

46
00:02:59,100 --> 00:03:06,090
So this type of email, this type of phishing email, is generally used for credential harvesting.

47
00:03:06,930 --> 00:03:09,210
So this could be your answer.

48
00:03:09,810 --> 00:03:13,140
Now, again, there is a barrier question.

49
00:03:13,140 --> 00:03:15,800
Let's suppose you enter the credential, right?

50
00:03:15,840 --> 00:03:18,120
It is giving an error.

51
00:03:18,240 --> 00:03:20,040
Then what will be your next step?

52
00:03:20,520 --> 00:03:21,600
Well, the.

53
00:03:21,630 --> 00:03:22,290
See.

54
00:03:23,200 --> 00:03:28,900
It can happen that you are just giving your credential and it is reloading again and again.

55
00:03:28,900 --> 00:03:34,930
So at least three times, you can try at least three or more times.

56
00:03:34,930 --> 00:03:43,120
If it is showing the same error, then you should check the redirected URL of that URL actually,

57
00:03:43,750 --> 00:03:46,450
then check for the reputation of those things.

58
00:03:46,450 --> 00:03:49,420
And on that basis you will have to take action.

59
00:03:50,080 --> 00:03:53,140
You will have to consider whether it's a phishing email or not.

60
00:03:53,230 --> 00:03:53,800
Right.

61
00:03:55,620 --> 00:04:00,990
Now, it's just a note, so here the interviewer can ask more questions, right?

62
00:04:01,140 --> 00:04:02,100
Definitely.

63
00:04:02,100 --> 00:04:04,830
So you should have the whole investigation.

64
00:04:04,830 --> 00:04:09,330
You should have the knowledge of the whole investigation for phishing emails.

65
00:04:10,970 --> 00:04:12,830
Now we have the second question.

66
00:04:14,510 --> 00:04:21,740
You might have seen organizations use the MITRE ATT&CK framework in their organization, but why do they

67
00:04:21,740 --> 00:04:22,460
use it?

68
00:04:23,000 --> 00:04:32,450
Though we have our antivirus, EDR, SIEM and other tools out there to secure us from suspicious

69
00:04:32,450 --> 00:04:33,310
activities.

70
00:04:33,320 --> 00:04:33,830
Right.

71
00:04:34,130 --> 00:04:37,460
So what is the need of ATT&CK in your organization?

72
00:04:37,580 --> 00:04:39,910
So let's see the answer.

73
00:04:42,920 --> 00:04:43,280
Okay.

74
00:04:43,280 --> 00:04:49,910
So these types of tools, let's say antivirus, EDRs, can detect the suspicious activities.

75
00:04:50,210 --> 00:04:57,620
There is no doubt, but organizations use the ATT&CK framework just to map out the characteristics

76
00:04:57,620 --> 00:05:02,540
and specific tools used in an attack across the MITRE ATT&CK framework.

77
00:05:02,570 --> 00:05:08,450
And it helps the SOC team assess the current effectiveness of the existing security measures and the

78
00:05:08,450 --> 00:05:09,470
impact of the attack.

79
00:05:09,920 --> 00:05:17,660
So basically, whatever the security we have in our organization, it actually checks all those measures

80
00:05:17,660 --> 00:05:25,140
of whether this kind of, let's say, if there is some technique, a different technique, in MITRE ATT&CK,

81
00:05:25,160 --> 00:05:32,600
so whether our SOC team or existing security measures are enough to face those issues or not.

82
00:05:33,620 --> 00:05:34,160
Right.

83
00:05:34,670 --> 00:05:39,660
Whether we are blocking, we are just denying that traffic or not.

84
00:05:39,680 --> 00:05:42,470
So this is just a framework.

85
00:05:42,470 --> 00:05:49,310
A framework just to check, you can say, the existing security measures and how it can have an impact

86
00:05:49,310 --> 00:05:50,690
on us.

87
00:05:52,790 --> 00:05:59,570
Now ATT&CK allows defenders to assess whether they can defend against a specific ETB or you can say

88
00:05:59,570 --> 00:06:00,350
APT.

89
00:06:00,500 --> 00:06:00,850
Right.

90
00:06:00,860 --> 00:06:03,740
And common behaviors across multiple threat actors.

91
00:06:05,210 --> 00:06:12,560
Question third we have: when you move the NIC card from one PC to another PC, does the MAC address

92
00:06:12,560 --> 00:06:13,850
get transferred as well?

93
00:06:13,880 --> 00:06:18,530
Definitely, because the MAC address is in that NIC card actually.

94
00:06:18,740 --> 00:06:20,810
So it is going to change.

95
00:06:20,810 --> 00:06:21,980
But why?

96
00:06:21,980 --> 00:06:30,470
It is going to change, as I said, because we are changing the NIC card and the MAC address is already

97
00:06:30,470 --> 00:06:35,060
encoded in that NIC card; that's the reason.

98
00:06:35,810 --> 00:06:36,860
Now last question.

99
00:06:36,860 --> 00:06:38,600
We have a very important one.

100
00:06:39,890 --> 00:06:46,430
Mainly, this is the most asked question, basically, for the scenario-based questions.

101
00:06:46,790 --> 00:06:53,450
So the question is, have you ever worked on any malware cases in your previous organization?

102
00:06:54,140 --> 00:06:56,210
So definitely you might have worked.

103
00:06:56,210 --> 00:06:58,610
So in my case, I worked on it.

104
00:06:59,180 --> 00:07:07,790
I worked on many, like Emotet, IcedID, many ransomware as well, a lot of phishing

105
00:07:07,790 --> 00:07:15,230
emails as of now, I think maybe more than six or 7000 emails I have already investigated.

106
00:07:17,690 --> 00:07:18,020
Okay.

107
00:07:18,050 --> 00:07:20,760
Now, the barrier question is, tell us how Emotet works.

108
00:07:20,780 --> 00:07:25,490
So you have to tell each and everything, how actually that malware...

109
00:07:25,520 --> 00:07:30,070
Or maybe it depends on you, on which malware case you have worked.

110
00:07:30,080 --> 00:07:31,970
Right, so you have to elaborate it.

111
00:07:32,600 --> 00:07:37,220
Now the next question will be, can you explain this malware in the form of the cyber kill chain?

112
00:07:37,340 --> 00:07:40,730
Now here, what does it mean?

113
00:07:40,760 --> 00:07:42,350
It means what?

114
00:07:42,350 --> 00:07:53,150
Actually, the interviewer wants you to just elaborate or, you can say, explain the attacks in the seven

115
00:07:53,180 --> 00:08:00,440
stages of the cyber kill chain and which stages, like that, how it will be.

116
00:08:00,620 --> 00:08:06,290
First part, like reconnaissance; second part, weaponization, delivery, exploitation, installation, command

117
00:08:06,290 --> 00:08:09,400
and control, and then action on objectives.

118
00:08:09,410 --> 00:08:17,900
So you have to just correlate your malware or whatever attacks you have worked on, you've got to correlate with

119
00:08:17,900 --> 00:08:23,120
these seven stages of the cyber kill chain, for example, like Emotet.

120
00:08:23,330 --> 00:08:25,810
Emotet generally comes through phishing email, right?

121
00:08:25,820 --> 00:08:34,820
So in that sense, definitely I'm going to gather the information of the, you know, recipient, means

122
00:08:34,820 --> 00:08:38,360
the user where I have to send the email.

123
00:08:38,390 --> 00:08:39,020
Correct.

124
00:08:39,050 --> 00:08:43,100
Now, weaponization is that I will attach the file.

125
00:08:43,100 --> 00:08:50,240
I will do each and everything, whatever I have to, you know, attach in the email body. The delivery is

126
00:08:50,240 --> 00:08:54,980
that I will send that email to the user.

127
00:08:55,430 --> 00:09:02,630
And exploitation is that once the user is going to click on that attachment, that is directly going

128
00:09:02,630 --> 00:09:03,530
to install.

129
00:09:04,040 --> 00:09:08,120
Once it will install, I will get the command and control.

130
00:09:08,120 --> 00:09:13,130
And after that I can, you know, steal the data.

131
00:09:13,130 --> 00:09:18,320
I can steal each and everything, steal the password, steal the confidential data, different different

132
00:09:18,320 --> 00:09:19,220
things even.

133
00:09:19,700 --> 00:09:22,210
You know, I can drop other malware too.

134
00:09:22,220 --> 00:09:25,880
So this is how I correlate these things, right?

135
00:09:25,910 --> 00:09:33,440
I hope these four questions are enough just to tell you how actually these advanced, you

136
00:09:33,440 --> 00:09:39,050
can say, scenario-based questions are asked during the interview. Bye-bye, take care.
