Interview Guide - Exploitation Analyst

5 mins - interviewer reviews CV without interviewee interaction.
20-40 mins - interview.
10-20 mins - interview and resume ‘debrief’.

Watch the clock: you might not need or want to ask all, or any, of these questions.

Italics - something you could read or paraphrase. Bold - things you could dig into with a follow-up question to “help” them answer. The first 3 questions are soft; the last 3 are built from the technical job tasks. For more sample interview questions, one of my favorite resources: Download a sample

“Thank you for interviewing with me today. Here at Blue Titan Cyber we use a behavioral interviewing style. I’ll be asking a series of questions about experiences you’ve had and how you handled them. We want to be sure that every person we hire has the same qualities that have made us so successful. There will be times when I will ask you for more information, and don’t worry, that’s normal. I will be taking notes - please don’t let it distract you. The way we’ll do it is, first, I’ll ask you some questions, and then I’ll answer any questions you might have of me. When you’re done with your questions, we’ll finish up. I’m excited you’re here - let’s get started.”

1. “[At first job on resume] Tell me about a time when your communication with others - type, frequency, with whom, about what - helped you build rapport or create better relationships and outcomes.”
   a. How did they learn about the other person? Were their exchanges based on respect, or simply on getting an outcome? Did they continue the effort? Did they only do so to get a result, or do they show a pattern of always working at relationships?
2. Describe a situation when you successfully managed multiple projects or tasks simultaneously.
   a. What planning or scheduling did they do to address the workload? Did they simply react to changes, or did they proactively stay on top of issues? Did they communicate reactively, or did they see this as a normal professional responsibility and handle it well?
3. Tell me about a time when you needed to follow instructions accurately. How did you ensure that your work was correct?
   a. What did the candidate do to ensure they understood the instructions? Did they write them down, or ask questions? What steps did they take to ensure that the work didn’t get off track? Did they do anything to make sure the final product was what was expected?
4. Other: build out or expand on the softer, non-technical interview questions.

5. This job requires constant learning to solve new problems. Tell me what your problem-solving approach is. How have you communicated that to your team?
   a. Ask about the knowledge and skill areas below. Do they have a standard approach? Are they able to communicate what they have learned so others can use it? Do they define each situation before running off to research? What rules do they always apply, if any? Can they learn in a group/team?
6. Tell me about your methods for conducting authorized penetration testing on enterprise network assets, or on new or updated applications. How do you measure your success in this area?
   a. Do they use a repeatable methodology? How complex was the target? How many details were there? Did they have a clear way of keeping track of the details? What was their approach to managing multiple, conflicting priorities and projects? Did other work slide during an incident?
7. Tell me about your methods for conducting independent in-depth target and technical analysis, including target-specific information (including OSINT), that results in access. How do you measure your success in this area?
   a. How complex was the target? How many details were there? Did they have a clear way of keeping track of the details? What was their approach to managing multiple, conflicting priorities and projects? Did reporting get in the way, or did other work slide during reporting?
8. Other: build out or expand on more technical interview questions; OSINT could be its own line of questioning.

Exploitation Analyst (AN-EXP-001) < Exploitation Analysis < Analyze

Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.

Tasks
- Conduct and/or support authorized penetration testing on enterprise network assets.
- Perform penetration testing as required for new or updated applications.
- Apply and obey applicable statutes, laws, regulations and policies.
- Perform analysis for target infrastructure exploitation activities.
- Collaborate with other internal and external partner organizations on target access and operational issues.
- Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.
- Conduct independent in-depth target and technical analysis including target-specific information (e.g., cultural, organizational, political) that results in access.
- Identify gaps in our understanding of target technology and develop innovative collection approaches.
- Monitor target networks to provide indications and warning of target communications changes or processing failures.
- Produce network reconstructions.
- Profile network or system administrators and their activities.

Knowledge
- Knowledge of computer networking concepts and protocols, and network security methodologies.
- Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
- Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
- Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
- Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.
- Knowledge of website types, administration, functions, and content management systems (CMS).
- Knowledge of implants that enable cyber collection and/or preparation activities.
- Knowledge of common networking devices and their configurations.
- Knowledge of evasion strategies and techniques.
- Knowledge of how Internet applications work (SMTP email, web-based email, chat clients, VOIP).
- Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).
- Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).
- Knowledge of scripting.
- Knowledge of strategies and tools for target research.
- Knowledge of target intelligence gathering and operational preparation techniques and life cycles.
- Knowledge of terminal or environmental collection (process, objectives, organization, targets, etc.).
- Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

Skills
- Skill in identifying gaps in technical capabilities.
- Skill in analyzing traffic to identify network devices.
- Skill in creating and extracting important information from packet captures.
- Skill in creating collection requirements in support of data acquisition activities.
- Skill in interpreting compiled and interpreted programming languages.
- Skill in interpreting metadata and content as applied by collection systems.
- Skill in navigating network visualization software.
- Skill in recognizing and interpreting malicious network activity in traffic.
- Skill in researching vulnerabilities and exploits utilized in traffic.
- Skill in target development in direct support of collection operations.
- Skill in using databases to identify target-relevant information.
- Skill in using non-attributable networks.
- Skill in using trace route tools and interpreting the results as they apply to network analysis and reconstruction.
- Skill in writing (and submitting) requirements to meet gaps in technical capabilities.

Abilities
- Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
- Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.
- Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.
- Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.
- Ability to collaborate effectively with others.
- Ability to expand network access by conducting target analysis and collection to identify targets of interest.