I have conducted easily over 100 interviews during my career, almost all of which have been technical, and I have seen some great and terrible actions from both sides of the table. In this post, I want to cover off a few hints, tips and tricks that will help candidates and employers to get more out of their interview experience.

There are many sites out there offering questions and answers at varying levels of depth. I am hoping that by reading this you don’t just get the answer, but an understanding of why it is being asked in the first place. This knowledge benefits both the interviewer and the candidate.

We will focus on technical interviews for this post, with some fun horror stories added to make sure you keep reading!

Let’s get some personal annoyances out of the way early:

Memory Tests

I have a shocking memory, so I hate asking people to recall data, as I think it adds very little value. For example, asking for specific port numbers for applications (which is silly anyway, but I digress), or asking for Event IDs.

Ask yourself ‘What understanding does the candidate need to demonstrate?’

Using my one of my examples above, let’s try to make a better question by looking at what we need the candidate to demonstrate:

• List the ports associated with <insert network application here>

Chances are you are trying to see if the candidate has experience with monitoring networks and understands that certain common network applications may be vulnerable, or mis-used for attacks. So how about instead asking

• Can you talk me through some common network applications, specifically any that can be mis-used by an attacker

This is an open-ended question that passes the power to the candidate, they can now answer to their strengths and may even have some good examples of a time when they caught a Zone Transfer going to a workstation, or how they spotted lateral movement over SMB using PSExec with legitimate credentials. It can also be built upon by the interviewer to dig out more details and to push the limits of the candidates technical knowledge.

Which is much better than answering “Port 443 for SSL assuming no proxy in use”

Gatekeeping

No one likes gatekeeping, stopping someone based on silly requirements. What am I talking about? These questions:

• Tell me about your home lab?
• What Cyber stuff do you do in your spare time?
• Do you have a blog?
• What language do you code in?

If you are asking these questions, there is a good chance you are (unintentionally) gatekeeping. I have asked the first two questions in interviews previously, until it was pointed out to me that the security industry has changed, and we need to change with it.

We no longer purely need the uber geeks who live, eat, sleep and breath ‘Cyberz’, you don’t need to know a coding language to provide value to this industry.

It is OK to employ someone who sees this as a job and not a lifestyle.

The Technical Interview

I will skip the standard interview etiquette, as that has been done many times and isn’t specific to the security industry. All I will say is be on time and be professional.

A quick caveat to these questions is that my background is blue team, I will try to keep the questions as neutral as possible, but it wouldn’t be very professional of me if I didn’t recognise my own bias.

And now for the part you all scrolled down to (damn you!)

Questions!

I will put down notes to some of these questions as I go, they are not meant to be definitive answers, but should be research prompts and talking points depending on which side of the table you are. Some questions may have answers, but it’s my blog, my rules.

I have also added “Other discussion points” as ideas for what else can be talked about. These aren’t required and are more for if the candidate is stuck, or absolutely annihilating your questions.

These answers/talking points assume the interview is for a highly technical role, and not a management, or less technical position.

Where do you go to get information on vulnerabilities/exploits or to keep up to date with security?

This one is not gatekeeping, it is making sure the candidate knows where and how to get information. For example if a new vulnerability is found a SOC analyst would need to know what software is effected, how to detect any potential attack as well as understand if something is a false positive.

A pentester would need to know more in-depth information on how the vulnerability works to build an exploit, or look for proof-of-concept exploits to use as a baseline

A ‘bad’ answer for a technical person would be to simply state a news site. If someone is applying for a technical role and answers “The Register”, or worse yet “Instagram” (yes someone said Instagram to me once) without going into context as to why then these are bad. Not because the source is poor or disreputable, but because they are designed to be easily consumed at a less technical level.

Answering with “I get high level information from The Register, then follow the source links, or further reading links to get in-depth technical data” is much better.

• Other discussion points:
  • CVE scores.
  • POC code use.
  • Reliability of blog posts/news articles

What is the difference between an ‘exploit’ and a ‘vulnerability’

This is a base level question in my mind, we talk about these on a daily basis and I would expect a technical candidate to understand the difference between them. Explaining it can be tricky, so don’t mistake someone struggling to find the right words with not understanding.

If the person is really struggling try asking pointed questions like “If I left a window open on my house, would that be considered a vulnerability or an exploit?”

You can change this around to something more like “If my window lock was found to be defective….” as that’s technically closer to being a ‘vulnerability’.

• Other discussion points:
  • CVE Scores.
  • POC Code use.
  • Is the misconfiguration of a system a vulnerability?

Encoding vs Encryption. What are they and in which order would you apply them to a file

This can be separated into two questions, as the second half can push people into thinking they are for files only.

Encoding: The candidate could talk about sending unencoded data across the network and the restrictions that would need to be put in place to stop the data accidentally being interpreted as a command by the application. SMTP being a prime example, and its use of Base64 for attachments.

Encryption: The candidate should talk about how encryption protects data and can only be unencrypted by a the intended owner, or key holder. Talk about the different types of ‘key’ whether that be a password or a public/private key pair. Try not to get too bogged down in specific methods of encryption unless it is part of the role.

• Other discussion points:
  • SSL vs HTTPS.
  • SSH Certificate handling.
  • Tools to decode (CyberChef).

What is the difference between an IDS and an IPS and which is better?

IDS stands for Intrusion Detection System, IPS is Intrusion Prevention System. The acronyms do give a big clue to the answer, but if this is a junior role you can talk instead about if prevention is better than detection. The easiest answer is to say “yes of course”, but what happens if the system is not finely tuned and you are flooded with False Positive preventions?

This can lead into business risk acceptance conversations, or stay at a technical level

Often the difference between IDS mode and IPS mode is a tick box on the device itself. If you are talking Network based IDS/IPS then you can also discuss if the device is in-line or mirrored. Most systems are in-line now, but historically the risk was deemed too great and security products where given a copy of the traffic rather than being able to manipulate the traffic directly.

• Other discussion points:
  • True/False Positive/Negative.
  • Network architecture and sensor placement.
  • Business risk and risk acceptance.

Which is better, network based security or host based?

There are a few “it depends” style answers to this question, my typical go-to on this is that all network traffic needs to originate from somewhere and is being sent somewhere. Meaning host based is superior. However, not all host based technologies work on all devices (think printers, or routers). Meaning if you purely chose endpoint you may be blind to someone attacking a device that can’t have host based monitoring.

A good candidate will explain that this shouldn’t be one or the other, but how to implement BOTH network and host based security. This naturally leads into ‘Defence-in-Depth’ models where no single security product should be relied upon. Even users are considered part of model; with the right training and support, users can report when something isn’t right.

• Other discussion points:
  • How to monitor for lateral movement.
  • How to secure ‘non-standard’ devices SCADA/IOT etc.
  • Defence in depth.

What is the difference between a Vulnerability Assessment, a Penetration Test and a Red Team Engagement?

This is less about the dictionary definition of each of these, but instead the understanding of depth. A VA will typically be very superficial and some security products will ignore it as noise.

A penetration test (pen test) is often done from a position of strength, meaning the tester may have been given an account with a high level of privilege and are testing a specific target. The scope of a pen test varies massively, but it is important to understand that these are done in a controlled and deliberate manner.

A Red Team Engagement, or a Black Box test are more akin to what an attacker would look like and have the highest potential risk for a business. However, they also provide the most accurate picture of how an attacker would get access to the environment. These are also the types of engagement where physical access may be attempted to the customer site.

A non-technical customer may use these terms interchangeably, but as a security professional, we need to understand there is a difference. Even if they do overlap on a Venn diagram.

• Other discussion points:
  • Value provided by each of these engagements
  • Detection options for someone with physical access
  • Scope creep and out of scope detections

What are the different ‘families’ of HTTP response codes and give some common examples? Also explain which could indicate an attack or preparations for an attack?

Informational responses (100–199)
Successful responses (200–299)
Redirection messages (300–399)
Client error responses (400–499)
Server error responses (500–599)

The above is from the Mozilla Developer blog, and is a memory test, which we have already said we don’t like. So instead, make this list a bonus answer, but provide it to the candidate if needed and get them to explain which could indicate an attack, or recon, and why.

There are a couple of options on this one, and it is mostly based off context. For example seeing a ‘404 Not Found’ response to a request is nothing of real interest, but if there are thousands of them from the same IP address, then something weird might be going on.

Same if you are seeing a ‘500 internal server error’ on your database server, this may be an IT related problem, or someone may be attempting to compromise that server.

You would need to be looking at the log files and looking into more detail around what was actually being requested.

• Other discussion points:
  • Webshells
  • ‘Low and slow’ attacks vs ‘smash and grab’
  • Weblogs

Can you list some artefact locations, or methods, that an attacker or malware would go to maintain persistence on a host?

This question is a borderline memory test, however it is important for both Red and Blue teams to understand in order to do their job well.

Registry, Services, Scheduled Tasks, LNK Files, Startup Folder, and WMI are the most common ones. and can each be broken down. You can also talk about user initiated persistence like rogue accounts, or infected removable media devices. There are also Kernel level attacks like Rootkits or BIOS tampering/replacement.

This is less about getting a whole definitive list, and more about understanding why persistence is used. For a defender, seeing that malware re-infect, or the attacker popping back up means that something has been missed. For an attacker if the victim reboots the host, or applies patches, how will they get back onto that host?

• Other discussion points:
  • Persistence via the network (WMI/Active Directory/Remote Accounts)
  • Windows Registry in general
  • Asking the ‘first place’ the candidate would look for persistence

Explain, in your own words, how a DoS attack would work. Specifically how the attacker would hide their identity and how they could ensure a larger payload was received than was sent?

Most people are aware that a Denial of Service (DoS) attack is generally about sending too much data to the victim in order to overload the system. But less people understand how this is achieved. For example there was a vulnerability in a web server (I forget which one, sorry) where if data was put into the initial GET request it would cause excessive load on the webserver, meaning this required very small amounts of data to be sent and didn’t need a huge botnet or other forms of Distributed Denial of Service methods.

The less subtle types of DoS is a Distributed Denial of Service (DDoS) attack. This typically means overwhelming the target with ‘legitimate’ data.

The attacker may also used a reflected and amplified attack. For example you could send a DNS request to a server with a spoofed source IP meaning the response would go to your victim (who you spoofed). This is a reflective attack. The amplification comes in the type of DNS request you would send, for example a DNS request with ‘any’ as an argument will provide all DNS names at that level. Meaning the response will be larger than the request.

Any service that uses UDP and provides a response larger than the request can be used in a reflective amplification DDoS attack.

• Other discussion points:
  • Ways to detect if your systems are being used as amplifiers
  • Mitigations against DoS attacks
  • Which services should be publicly and anonymously accessible

What are the limitations to using ‘atomic’ IOCs (IP addresses, host names etc) and what can be done to overcome these limitations?

IOCs like IP addresses, domain names, file hashes are by their very nature historical, or backwards looking. Meaning that we are only looking at what has been seen before. They are also trivial for the attacker to change.

Instead identifying ways to look for the Tactics, Techniques and Procedures, or TTPs of the attacker allows us to look forward and proactively detect a new attack.

If asked this in an interview, respond by talking about what the attacker does that is less likely to change. What tools do they use, and what artefacts are left behind when they use them. Does the attacker favour a particular persistence method? Or do they put their tools into a specific folder? These types of indicators are still subject to change, but are less likely. If the attacker needs to use a different tool each time they attack, they will run out of tools very quickly. Instead they may iterate their current tooling, which will give an indication of timeline.

Everything an attacker does can and should be noted. If it’s relevant enough it can then be turned into an indicator and used against them.

For more advanced teams there is also the ‘Indicator of Attack’ which is looking at commands or actions taken to see if they constitute a malicious act. For example ‘whoami’ alone is a weak IOA, however ‘whoami’, ‘locate nc’, ‘ip addr’ and ‘netstat’ all being run in short order certainly raises the suspicion level.

• Other discussion points:
  • Retroactive hunting for IOCs
  • Threat Intelligence methodologies
  • Sharing of TTPs responsibly

If you were to ping Google and watch the response on your host in a network capture tool, such as Wireshark, whose MAC address would be seen as the ‘sender’?

This one is a bit of a mind twister, but basically we are seeing if the candidate understands networking. The sender’s MAC on the return trip would be the last ‘hop’, or last routing device.

A basic switch does not have a MAC address for each port, but a router would have.

The answer that a lot of people typically give is “It would be Google’s MAC address”. Which is incorrect, it would be Google’s IP address, but not their MAC address.

We aren’t going to talk about load balancers or any other type of device here, as this is a thought experiment question, rather than a network architecture question, we use ‘Google’ as it requires no explanation, but feel free to swap this with something more unique to the role if needed.

• Other discussion points:
  • Other information in the packet
  • How the TTL field can help identify the OS of the attacker
  • Other network tools such as Tracert

If you were to hack into a company, how would you do it?

Depending on the role this can be made simpler or more difficult. For a junior role, you would say that no patching is done and every user is a Domain Admin. This is checking to see if the candidate has a base level understanding of what tools could be useful.

For more senior levels, throw in a fully patched environment and escalate difficulty as needed if the role is for a pen-tester.

Dig into each step only if where appropriate for the role you are interviewing for. For example a junior SOC Analyst most likely doesn’t need to know which command line arguments are needed to make Mimikatz work, especially if the SIEM only collects Windows Event Logs.

Typical answer at a basic level would be to look for publicly facing, exploitable, systems such as websites or exposed RDP servers. You could also start with a phishing attack or other social engineering attacks to get that initial foothold.

From here following something like the ‘Cyber Kill Chain’ would give you the process, and looking at pen-test tooling such as the Metasploit Framework, Nessus or Mimikatz to name just a few.

• Other discussion points:
  • Objectives of an attacker
  • What if this was an inside threat?
  • Exfiltration of data and how to detect it

If malware is seen attempting to execute on a host, talk about what actions you would take?

This one is a little ‘woolly’ by design, it is open ended in the sense that the obvious route to take is to remediate the host. However we said the malware was blocked.

Questions should be asked at this point; what details do you have? For example, if this was blocked from the user’s downloads folder the chances are this is a quick chat with the user and delete the file, did it run from a temp directory? If so which one? Was it associated with a Zip file, Outlook, Web Browsing?

Understanding how the malware got on the host in the first place is more important in this scenario than removing it. This gives the opportunity to talk about forensic artefacts like Alternate Data Streams to see where a file was downloaded from, LNK files if this was a masquerading as a document.

There are very few questions that give you insight into the analytical mind, so when a question like this is presented it is important for both sides to understand why it is being asked and probe into the possibilities of the answer.

• Other discussion points:
  • What if it wasn’t blocked?
  • When should a host be re-imaged vs remediated
  • Is there ever a time when malware should be allowed to run?

Question ideas

We have gone through a number of questions (I was aiming for 10, then I stopped counting). We could continue infinitum with these questions and we could even take each question and spin it a different way, but let’s face it. No one wants to read that much!

So instead I will drop some questions below that you can use in interviews, or lookup answers for. All I will say is try to keep in mind the point of this post; to understand WHY you are asking or being asked these questions. Rather than just simply dropping “answer = this”

• If you were to steal data from a company without being caught, how would you do it?
  • How would you mitigate this if you wanted to catch yourself?
• Talk about why we use hashes for files
• Talk about password hashing and how they help prevent password cracking
  • What is a rainbow table and how can it be mitigated?
  • Are rainbow tables still a viable option for an attacker?
• Give some examples of how you could prove a user (opened a file || executed an application)
• What is the NTDS.dit file?
  • Which registry hive would you need if you wanted to steal this and crack it?
  • How would you mitigate the theft of this file?
  • How would you steal this file as it is always locked?
• Talk about methods of lateral movement and how to detect them from a host and network perspective
• If a system cannot have security patches applied, how would you mitigate the risk to this system?

Conclusion

Interviews are a way to ensure the right person is being put into the right job. This works for both the candidate and the employer. This is why the correct questions are critical, they need to be relevant to the role in order to tick both of those boxes.

Look at what you ask your candidates and make sure you are asking the right question

Just to make you feel old, “i, Robot” was released in 2004. 18 years ago…. if you got this reference, you are old like me. Congratulations 🙂