Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Threat intelligence

4 hiring tips for building a cyber threat intelligence team

Here are four things to keep in mind when interviewing candidates to join your cyber intelligence team

Katie Nickels
Originally published . Last modified .

There are few duties more important to a manager than hiring. A new job can change someone’s life, and a new hire can change a team. While no one has all the answers about how to make good hires, we wanted to share some hiring and interviewing insights that has worked for us on Red Canary’s Intelligence Team. We hope some of these best practices we’ve learned will help other teams in their hiring, whether for a cyber threat intelligence (CTI) team or not.

1. Nail down your vision before adding to the team

If a hiring manager knows where the team is going, they can better plan for the right people to get there. Though team direction can change quickly, it’s helpful to have a rough idea of key initiatives a team plans to undertake in the coming months and years. Once you know these initiatives, you can plan ahead to ensure you have the right team members who will rise to meet the challenge.

Here is an example of a partial annual plan for a CTI team and what a manager might consider:

Q1: We plan to create a new weekly written product line.

  • Hiring consideration: Right now my team has predominantly malware analysts who don’t enjoy writing, so I need to look for a strong writer with my next hire.

Q2: We plan to evaluate threat intelligence platforms (TIP) and choose the best one for our team’s requirements.

  • Hiring consideration: I need to look for someone with experience with a TIP or experience doing structured requirement analysis.

Q3: We plan to add threat hunters as a key consumer and push procedure-level threat intelligence to them.

  • Hiring consideration: I should try to look for someone with threat hunting experience to help us better serve these new consumers.

A theme in all of these hiring considerations is that it’s important to realize what skill sets and backgrounds would help build a more well-rounded team. For CTI teams in particular, adding different perspectives is crucial to producing quality intelligence assessments, as it can help reduce cognitive biases like groupthink.

2. Set expectations with thoughtful job descriptions

Having clear and accurate job descriptions can be helpful to set expectations for team members. This isn’t easy to do, especially on a team where members might have different focus areas like CTI teams often do. As you write position descriptions and conduct interviews, working with your Talent or HR team is helpful to make sure you’re going about it as fairly as possible.

Here is the format Red Canary uses when writing job descriptions:

  • Who We Are and What We Believe In: These sections describe what Red Canary overall stands for and what our core values are.
  • Challenges You Will Solve: This section provides a general summary of the challenges the team faces and how this position will help with solving them.
  • What You’ll Do: This section provides details on the day-to-day duties of the position.
  • What You’ll Bring: This section provides the qualifications and experience a candidate should bring to this role. We describe any non-required qualifications as “preferred.”

The designation of qualifications as required or preferred is a crucial decision point for a hiring manager, and it’s a responsibility to take seriously. Some candidates, particularly those in underrepresented groups, might self-select out of applying for a job if they don’t meet every requirement. By marking non-required qualifications as “preferred,” you’ll decrease the chance of missing out on an awesome candidate. One question that can help determine if a qualification is really required is “If I found an amazing candidate who had everything but this qualification, would I still hire them?” If you would hire them without that qualification, it isn’t really required, so you may want to make it preferred. Differentiating preferred requirements is particularly important to be inclusive, and having diverse backgrounds on teams is crucial for team success, especially in CTI.

To help clarify expectations for roles on our team, we created two new positions, Malware Analyst and Intelligence Engineer, to add to our existing Intelligence Analyst role. While Intelligence Analysts are expected to do more writing and product creation, Intelligence Engineers are expected to write more code. Though we still have room for overlap, making these specific role expectations clearer has helped candidates better determine if the role is right for them as well as prepare new team members for success. While that breakdown works for our CTI team right now, you could break down CTI roles and expectations in many different ways: by region of the world, by a strategic versus tactical approach, by role in collection or production, etc.

3. Give candidates a little homework

There’s debate in the community over giving candidates homework. In our experience, we’ve found it’s beneficial for both the candidate and the hiring team to have the candidate work through some type of assignment. When done well, assigning a task to a candidate to work through at home gives them a sense of the type of work the team does, and it also helps the hiring team understand how the candidate would do that work. At the same time, it’s important to be respectful of candidates’ time, so we aim for assessment questions that take no more than a couple hours to respond to. We regularly hear from candidates that they enjoyed working through the questions, which also leads us to think this is worthwhile.

In cooperation with our Talent team, we strive to ensure our homework questions directly relate to the qualifications for the position. We base our questions directly on the day-to-day work the position requires. For example, one of our Intelligence Analyst duties is to review detections to determine if they contain behaviors associated with a known group or malware family. Therefore, we provide some sample behaviors and indicators and ask candidates to try to identify the malware family present and the methodology they used to reach that conclusion. We also try to include some open-ended questions to get a sense of how candidates think through analysis, as this allows candidates to bring in different perspectives and experience.

4. Ask each candidate the same core questions

After a candidate applies, we review their answers to the assessment questions (if we include those in the initial application) and their qualifications to decide whether to move forward with interviews. In determining who will be on each interview team, we consider diversity in all forms, as having different interviewer perspectives and backgrounds helps us keep potential biases in check.

Another guiding practice is to create a list of the same “core” interview questions we ask to all candidates, so that we can compare them based on the same standard. Though we also allow time for questions personalized to each candidate’s unique background, we’ve found that asking a number of the same questions to each candidate helps reduce some of our biases as we compare.

For example, if I ask three candidates an open-ended question of “Tell me about the Diamond Model,” I might get the three following answers:

  • Candidate 1: It’s adversary, victim, capability, and infrastructure. (End of answer)
  • Candidate 2: I can’t remember the four parts, but let me tell you about why it matters to structure data as you’re doing analysis… (Continues answer)
  • Candidate 3: I don’t know the Diamond Model, but I’ve used MITRE ATT&CK, which is made up of tactics, techniques, and procedures. We used it to structure detection analytics and map adversary behaviors. (End of answer)

Depending on what qualifications we’re looking for, we might find one answer more compelling than the others. In the above example inspired by a real interview, we were impressed by candidate 2, who gave a detailed, thoughtful answer about using models that helped us understand their strong analytic thinking skills.

In closing

It’s not easy to hire new team members, but it’s arguably a manager’s most important responsibility. By following some of the guidance in this post, we hope you’ll feel empowered to make better hiring decisions for your team.

 

Intelligence Insights: December 2024

 

Storm-1811 exploits RMM tools to drop Black Basta ransomware

 

Intelligence Insights: November 2024

 

Stealers evolve to bypass Google Chrome’s new app-bound encryption

Subscribe to our blog

 
 
Back to Top