Job hunters who are searching for an information security analyst job have several factors working in their favor. First, it’s no secret there’s a shortage of talent in the information security industry; everyone’s pretty familiar with the stat that there were one million cybersecurity job openings in 2016. Second, information security analyst jobs consistently rank high amongst those opportunities, partially because the career path for information security analysts offers a good trajectory for growth. The position was ranked #7 in the best technology jobs and #3 in the best jobs in 2016. The bottom line: there are a lot of options, and plenty of potential.
Interview Questions, Answers & Advice
This post is the second in a two-part series on how to get a job in information security. In the first part, we covered how to get into information security if you’re new to the industry. Now, we’ll focus on two of the most important parts of landing a job in any industry: preparing and interviewing. The following advice is based on what I’ve seen as a hiring manager in charge of finding world-class information security analysts for Red Canary’s Security Operations Center (SOC).
A reminder to my fellow geeks who are already in information security: I encourage you to read and share this post and the one before it. The more we can do to increase the volume of talent in our industry, the better.
A Skill Every Information Security Analyst Job Hunter Should Have: OSINT
Part of applying for an information security analyst job (or any job, for that matter) is doing your research on the company and team. Open-source intelligence (OSINT) is an important skill in this field, so put it to use before you even submit your resume. Research the company and understand what they do, how they do it, what is important to them, and who the people are. The amount of information that can be found about a person or organization on the Internet these days is astronomical. Even those dedicated tinfoil hat wearers have some presence on the Internet or in the InfoSec community.
Putting forth this effort is critical for two reasons. First, you should know the background and expectations for the team you are looking to join. Second, it makes the conversation much more productive if you can talk intelligently about the company and ask good questions. If I have to explain more than once what the role and company are about, the interview is already over. But if I have someone come out of the gate asking good questions about the team and the company, my interest is piqued. It shows me you are really interested in this job for its own merits, not because you are resume spamming every company or job within a keyword search.
Pre-Interview Dos and Don’ts for Information Security Analyst Jobs:
- DO: Put your investigative skills to work! Research the company and the people in the organization
- DO: Have a solid understanding of what the company does and be prepared to ask smart, informed questions
- DON’T: Spam your resume to every company that shows up based on a keyword search and expect good results
During the Interview: Know What You Don’t Know
One of the most common questions I receive after turning down an information security analyst job candidate is: “What could I have done/said better?” If you have to ask this question, chances are you don’t have a solid self-awareness of where your skills are limited. As you look for a job, you should be very clear on what you do and don’t know. No matter how long you have been in a field or industry, you do not know it all. Understand where you are strong and be able to speak to that. Even better, know where you are lacking and be upfront about it.
Let’s say an interviewer asks you about a specific topic—for example, the inner workings of an operating system from a forensic artifacts viewpoint. If you have not spent a significant amount of time on the specific OS in question, say that. Do not guess or make something up.
One caveat: if it is an open-ended question, be prepared to say “I don’t know, but….” I love that response to open-ended questions. When doing technical interviews, we’re trying to push the boundaries of what someone knows. This is helpful to understand how you think and work through a problem. Can you systematically work through the information given to try to infer meaning? Do you ask follow-up questions to gain a better understanding of the problem or question? I always tell people: I can teach you basic knowledge on a subject, but I cannot teach you how to think. Often it is more important for someone to be able to think through a problem systematically, including knowing how to quickly gather the details they do not know.
Interview Dos and Don’ts for Information Security Analyst Jobs:
- DO: Show you can systematically think through problems
- DON’T: Try to Google your answers on the fly!
- DON’T: Guess or make something up if you don’t know the answer
Information Security Interview Questions and Answers
So for those actually following the advice to do their homework (or for those hiring managers doing your own interviews), here are a few Red Canary family favorites…
How did you prepare for this interview?
This question is pretty straightforward, but also very telling of how interested a candidate is in a particular role and how much homework they did on the company. It also helps us to frame and understand how well our recruiting efforts are going. Did the candidate come in through a friends and family referral, something interesting we posted somewhere, or maybe a social media reference? This is also one of the best opportunities for a candidate to make a solid impression and balance any technical knowledge gaps.
As the attacker, what actions are you taking? Or, depending on the role, as the responder, what are you looking for?
These questions are open-ended. There is no specific right answer, but there are definitely some wrong answers. These are intended to be open enough that even if a candidate cannot recall specific commands, they can walk through the steps and actions. It also helps us to gauge how much exposure they have had in different aspects of security and leads to deeper questions depending on their responses.
What are the first commands and actions you would take after initially compromising a host?
This is a key question, whether you are red team, blue team, purple team, rainbow sparkle team, whatever. You should really know what it looks like when an attacker lands. What are they likely to do? How do you identify a hands-on-keyboard attack vs. something automated? What operating systems are you familiar with? Does this look different on those systems—and if so, how?
How would you move laterally after initially compromising the first host machine?
This builds on the previous question so we can dig a bit deeper. The answers here will vary significantly depending on familiarity with different operating systems and applications. This will also vary based on someone’s background and experience. Someone who has been heavily focused on forensics for corporate investigations may have a very different view from a career exploit developer or pentester. Again, the goal is not to get it right; it’s to be able to walk through the concept and have sound explanations for the decisions you made. However, there are once again definitely wrong answers.
What operating system changes or built-in tools would you use to make sure your access persisted through a reboot?
This question helps to dig a bit further on how familiar someone is with different operating systems. There are some obvious simple answers if you know the basic inner workings of any of the popular operating systems. Whatever answer someone gives, they’d better be able to back up the logic. This is a great question for any number of security backgrounds, and also a great opportunity to see how well someone more junior knows the basics. If you came from a sysadmin or helpdesk background, you should know this too.
In as much detail as possible, how would you build the ultimate botnet? Include the purpose of your botnet, command and control communications, and how you would avoid detection.
This question is a team favorite. I cannot take credit for coming up with it, but it’s one of the best overall questions we have in our standard toolset. There are many different avenues this takes and therefore many opportunities for someone to really get creative and show where their strengths are and how they think through issues, as well as to really have a deep conversation. It’s also a lot of fun for security people to play bad guy and poke holes in all the ways the bad guys should have done it.
At the end of the day, the whole interview process comes down to two points: preparation and honesty. If you are actually prepared, we should know pretty quickly if the job is a mutual fit. And if you are honest, then we should be good to move forward. A big part of my interview process is about finding smart people I want to know and share ideas with. So even if I don’t have an opening now, I still run through interviews because eventually, I will have an opening or know someone else who does.
I once had a manager tell me, luck is half preparation and half opportunity. The opportunities will come; it’s on you to be prepared when they do.