Interview Guide - Cyber Defense Analyst

Timing: 5 mins - interviewer reviews CV without interviewee interaction. 20-40 mins - interview. 10-20 mins - interview and resume "debrief".

Watch the clock. You may not need, or want, to ask all (or any) of these questions.

Italics - something you could read aloud or paraphrase. Bold - things you could dig into with a follow-up question, to "help" them answer. The first three questions are soft; the last three are built from the technical job tasks listed below. For more sample interview questions, one of my favorite resources: Download a sample

“Thank you for interviewing with me today. Here at Blue Titan Cyber we use a behavioral interviewing style. I’ll be asking a series of questions about experiences you’ve had and how you handled them. We want to be sure that every person we hire has the same qualities that have made us so successful. There will be times when I will ask you for more information, and don’t worry, that’s normal. I will be taking notes - please don’t let it distract you. The way we’ll do it is, first, I’ll ask you some questions, and then I’ll answer any questions you might have of me. When you’re done with your questions, we’ll finish up. I’m excited you’re here - let’s get started.”

1. "[At first job on resume] Tell me about a time when your communication with others - type, frequency, with whom, about what - helped you build rapport or create better relationships and outcomes."
   a. How did they learn about the other person? Were their exchanges based on respect, or simply on getting an outcome? Did they continue the effort? Did they only do so to get a result, or do they show a pattern of always working at relationships?

2. Describe a situation in which you successfully managed multiple projects or tasks simultaneously.
   a. What planning or scheduling did they do to address the workload? Did they simply react to changes, or did they proactively stay on top of issues? Did they communicate reactively, or did they see this as a normal professional responsibility and handle it well?

3. Tell me about a time when you needed to follow instructions accurately. How did you ensure that your work was correct?
   a. What did the candidate do to ensure they understood the instructions? Did they write them down, or ask questions? What steps did they take to ensure that the work didn't get off track? Did they do anything to make sure the final product was what was expected?

4. Other: build out or expand on the softer, non-technical interview questions.

5. This job requires constant learning to solve new problems. Tell me what your problem-solving approach is. How have you communicated that to your team?
   a. Ask about the knowledge and skill areas below. Do they have a standard approach? Are they able to communicate what they have learned so that others can use it? Do they define each situation before running off to research? What rules do they always apply, if any? Can they learn in a group/team?

6. Tell me about your methods for assessing and escalating incidents. How do you measure your success in this area?
   a. How complex was the incident? How many details were there? Did they have a clear way of keeping track of the details? What was their approach to managing multiple, conflicting priorities and projects? Did other work slide during an incident?

7. Tell me about your methods for isolating and removing malware. How do you measure your success in this area?
   a. How complex was the malware? How many details were there? Did they have a clear way of keeping track of the details? What was their approach to managing multiple, conflicting priorities and projects? Did other work slide during an incident?

Work role: Cyber Defense Analyst (PR-CDA-001); Specialty area: Cyber Defense Analysis; Category: Protect and Defend

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.

Tasks
- Develop content for cyber defense tools.
- Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
- Document and escalate incidents (including the event's history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
- Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
- Provide daily summary reports of network events and activity relevant to cyber defense practices.
- Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
- Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities, and distinguish these incidents and events from benign activities.
- Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on systems and information.
- Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
- Isolate and remove malware.
- Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan.

Knowledge
- Knowledge of computer networking concepts and protocols, and network security methodologies.
- Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
- Knowledge of host/network access control mechanisms (e.g., access control lists, capabilities lists).
- Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
- Knowledge of incident response and handling methodologies.
- Knowledge of intrusion detection methodologies and techniques for detecting host- and network-based intrusions.
- Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
- Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML).
- Knowledge of network traffic analysis methods.
- Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open Systems Interconnection model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
- Knowledge of collection management processes, capabilities, and limitations.
- Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
- Knowledge of the common attack vectors on the network layer.
- Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).
- Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation-state sponsored, and nation-state sponsored).
- Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
- Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
- Knowledge of the OSI model and underlying network protocols (e.g., TCP/IP).
- Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
- Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.

Skills
- Skill in developing and deploying signatures.
- Skill in detecting host- and network-based intrusions via intrusion detection technologies (e.g., Snort).
- Skill in using incident handling methodologies.
- Skill in using protocol analyzers.
- Skill in reading and interpreting signatures (e.g., Snort).
- Skill in performing packet-level analysis.
- Skill in conducting trend analysis.

Abilities
- Ability to analyze malware.
- Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
- Ability to accurately and completely source all data used in intelligence, assessment, and/or planning products.
- Ability to apply techniques for detecting host- and network-based intrusions using intrusion detection technologies.
- Ability to interpret the information collected by network tools (e.g., nslookup, ping, and traceroute).