Breaking Into the CTI Field: Demystifying the Interview Process and Practice Interview Questions

Shinigami
12 min read · Sep 5, 2022


Hello friends. Following the SANS webcast I hosted the other day, “Intelligently Developing a Cyber Threat Analyst Workforce”, and coming on the backdrop of reading Katie Nickels’s excellent blog post on how Red Canary recruits CTI talent, I decided to write a blog post focused on assisting aspiring CTI analysts in breaking into the field and preparing for CTI job interviews. If you are interested in determining what pay bands look like for CTI roles, I suggest you read Rob Lee’s blog “What to Expect When Interviewing at Dragos: Lessons Learned for You and Other Employers”. Similarly, if you are interested in what can be expected of you working in one of these roles, I have highlighted what we look for at Mandiant in this blog post, “Introducing the Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework Blog”. Katie touches on this in section 2 of the Red Canary blog.

Hat tip to @threathuntergrl and @Lawsecnet for feedback and peer review on this blog prior to publishing it.

Demystifying the Interview Process

A good starting place for this blog is to explain how most organizations approach interviews. For most CTI jobs, there are several rounds of interviews, each one designed to determine whether the applicant meets certain criteria, whether that is base knowledge, specific abilities, or cultural fit. While recruiters don’t typically advertise what each interview round homes in on, what I have come to learn is that it is often a linear, sequential process, with the first round an initial screening to determine whether your expectations of the role, culture, and compensation structure align with what the organization is looking for. You should expect all of your responses to be recorded by the recruiter and then sent over to the hiring manager for review to make a determination on whether you will proceed to the next round.

The ordering of rounds 2 and 3 can sometimes be flipped based on hiring manager preference. With that in mind, the second round interview will likely be with the hiring manager. Part of the hiring manager’s job during this interview is to ensure the recruiter provided you with a proper understanding of the position, often going into specifics about what you will do in the role beyond the wave-tops information the recruiter has at his or her disposal. In a way, this interview gives both the hiring manager and the interviewee a chance to feel each other out, understand team and cultural fit, and make a cursory determination on whether your background, experience, knowledge, and abilities align with what is needed in the particular role.

Most of the questions you will be asked during this round will likely be behavioral, like “how would you approach …”, “tell me about a time when you …”, etc. There are only a few ways to ask those types of questions. What the hiring manager is trying to determine is whether you exhibit good judgement and are self-aware and socially aware, especially if the role involves engaging with others outside of the team, which most CTI roles do. Assuming the hiring manager was satisfied with your answers, he or she will poll the team to determine availability to interview you as part of the third round.

During the third-round interview, the team will be looking for the knowledge, skills, and abilities to perform the job role, and for cultural fit, to determine how you, as an addition, will or will not work with the existing personalities on the team or in the larger organization. This interview is often more in-depth than the others, which helps the organization vet your depth and experience across what are often multiple areas. In some cases, the panel may reach out internally to find someone within the organization with a background or knowledge base comparable to yours to sit in on the panel. I’ll provide two examples of this since it may seem opaque and overly general the way I’ve just described it:

  • For folks trying to transition from the military, law enforcement, or the intelligence community to the private sector, there are things you legally are not allowed to say, but having someone with a shared background sit in on your panel allows that individual to read between the lines of what you, the candidate, are trying to convey about how your experience would fit this role, and to ask appropriate probing questions that the other panelists may not know to ask based on your responses. In this way, the individual acts as a translation layer, which more often than not works in the interviewee’s favor.
  • For interviewees who claim expert-level knowledge or some baseline knowledge in a particular area, the team members on the panel may not be equipped to gauge that depth. As such, they may ask around to see whether someone inside the organization can support. The goal here isn’t to ask “gotcha” questions, but to gauge where your knowledge or skills lie versus where you believe they lie. Lacking a certain depth does not exclude you from getting hired. Instead, it allows the hiring manager to understand any gaps and create a roadmap to get you up to speed during onboarding. However, intentionally misrepresenting your capabilities can and likely will be held against you. So be honest and don’t lie about any gaps you may have. There are tactful ways to approach this during the interview, including “I’m sorry, I haven’t had the chance to <build widget>, but if that is something that is expected of me, I would be happy to learn should I be provided the opportunity”. A word of caution: that answer suffices for one, maybe two questions tops.

Before the organization comes to a decision on whether to extend you an offer or a polite declination, you may be asked to provide an example of work. This could come in the form of choosing a topic of relevance and delivering a short presentation (15–20 min) to a panel of experts; answering a series of research questions; or synthesizing information from a provided packet and creating a finished intelligence product for a particular audience defined in the instructions.

One of the better resources I have come across online that describes the multiple stages of an interview is from Google, located here and this fantastic compendium non-Googlers pulled together on how to prep for the various phases of an interview.

Practical Interview Advice and Understanding Job Role Nomenclature

Skills are transferable. You do not need to have 10 years of experience and hold 8 different vendor certifications to be considered for a CTI position. Two of the most frequently sought-after traits in analysts are the ability to think critically and to communicate effectively. Katie Nickels has written extensively about entry points into the field and success stories from those without cyber security degrees in her blog, “FAQs on Getting Started in Cyber Threat Intelligence”, under the “How do I get into the field of CTI?” section, so I’d recommend checking that out.

One area that extends Katie’s discourse is that some roles do have specific requirements associated with them. There is no standard naming convention that denotes what an individual in CTI is supposed to know or what skills and abilities they are supposed to have, which makes it vexing at times when looking across various job openings. There are, however, a variety of commonly used job titles that are designed to give you an idea of what you can expect of the role. Here’s a non-exhaustive listing of them:

  • Strategic threat analyst
  • Threat context analyst
  • Technical threat analyst
  • Cyber espionage analyst
  • eCrime analyst
  • Intrusion analyst
  • Threat researcher
  • Threat hunter
  • Hunt analyst
  • Intelligence engineer
  • Detection engineer

Each of these jobs will be posted at a certain level/grade/classification with its own responsibilities and expectations. What I have observed is organizations using a scale of junior, <title>, senior, or principal, or of <title> I, <title> II, <title> III, respectively. There are others, certainly, but these are the ones I have most often come across.

Each of these will have specific required and desired qualifications and will vary based on role, employer, and needs at that particular point in time when the organization has floated the job vacancy requirement. I have attempted to enumerate all of the knowledge, skills, and abilities requirements in the Mandiant CTI Analyst Core Competencies Framework.

  • Hat tip to Jeff Curran for helping me compile the descriptions of the two types of analysts we look for when hiring at Mandiant.

One more practical tip: when answering questions, be explicit, concise, and comprehensive. Understand that your responses in aggregate paint a picture of who you are and may be the only opportunity you have beyond your resume to present yourself to a prospective employer. If I pose a multi-part question, I am expecting you to respond to each part of the question I ask, not to answer two of the four. While perhaps not intentional, if you don’t answer those other parts, it can be viewed as a lack of attention to detail, and attention to detail is a critical trait for most analysts, as we work with and are required to remember quite a bit of information.

Practice Interview Questions and What Employers are Really Testing You On

Interview questions by design attempt to gauge your level of familiarity with a particular topic or how you would respond to a specific situation. The specific answers allow an employer to determine whether you have the required skills to hit the ground running or would need training, mentoring, or self-study to operate at the level described in the job posting. Likewise, behavioral questions are a useful gauge for employers in determining how you approach problem solving, your emotional intelligence, your maturity, and cultural fit. Implicitly, your responses also reflect self- and social awareness, assisting employers in determining cultural fit. The latter is a more important measure in 2nd and 3rd round interviews than in an initial screening.

With that in mind, I’ve pulled together a listing of about 25 CTI-centric questions to assist in interview preparation organized by category. Note: I am intentionally not providing answers to these because, if you are motivated and don’t know the answer, you will take the time to research them to build your knowledge base — a key trait that analysts share.

Generic Interview Questions:

  • Can you tell me about yourself, experience you have in the field, and any particular subject matter expertise you have in CTI?
  • What would you self-assess to be your greatest strength(s) and how would that align with the organization’s vision and team’s mission based on our conversation?
  • What makes you interested in this role working at <organization>?
  • In your opinion, what is the role of CTI and how can it help organizations? Can you explain to me why organizations should consider investing in developing a cyber threat intelligence capability and instances where it might not be appropriate for them?
  • When we think about CTI, we often bucket analysis into support at the strategic, operational, or tactical level. Based on this grouping, which do you most often find yourself supporting, and can you provide us with examples? How comfortable would you be supporting one of the other categories of intelligence analysis?
  • Can you explain some of the motivations behind cyber operations and how we assess what they are?
  • Can you tell us about a recent cyber security vendor report or cyber security related news article you read. What was the primary message they were attempting to convey, its significance, and at least one interesting tidbit you found in it?
  • What are some industry trends you have observed forming over the past 12 months?
  • Can you name a CTI framework you are familiar with, explain what it is, why it was created, what problem it allowed the CTI community to overcome, and how you could or have applied it in your existing workflow?

Understanding IT concepts, Threat Concepts, CTI research, and Cyber Security Controls and Processes:

  • Can you describe the properties of a public IP address — irrespective of IPv4 or IPv6, how it is provisioned, and any limitations we should consider when attempting to correlate it to previous adversary infrastructure or when taking defensive actions?
  • What is an appropriate security action to take internally if we detect malware is communicating with a public AWS IP address?
  • What is the significance of the NTDS.dit file? If an adversary was able to steal it, what could they do with the data stored in it and what security action would that require the organization take?
  • Can you explain the patching process, how it works in enterprise environment, and how this relates to risk exposure and cyber risk?
  • Living off the land (LOTL/LOLBINS/LOLBAS) is a trend that the cyber security industry is observing malicious cyber actors use with increased frequency. Please explain to us what living off the land operations entail, an example of such living off the land capability, and an example of an actor group and how they use living off the land techniques.

Research, Analytic Tradecraft, and Problem Solving:

  • Please explain why different vendors use different names for what appears to be the same intrusion sets and how you have used these different names in your previous or current job role.
  • Being able to discern the quality of data sources is an important function of a CTI analyst. To that end, how do you judge the credibility of different vendors’ reporting when crafting finished intelligence?
  • Can you define the types of indicators of compromise (IOCs) that exist, walk me through strengths and limitations for each, and describe how you could enrich and pivot against the various types. Name the tools or data sets you would use during the enrichment/pivoting process.
  • What is your workflow when you come across a suspicious IOC?
  • When creating a piece of finished intelligence, how do you decide what to write about? What data sets did you evaluate, how did you enrich the data to bring to light the broader context, and what tools did you use to support this effort?
  • The team has determined that an adversary group we are tracking is using the same 10 permutations within its URI naming convention. What would you do to write a simple signature to detect whether any of our other systems within the environment have been communicating with them? Likewise, how would you write a signature to detect additional URIs that follow the naming convention observed and likely used by this malicious actor?
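As an added illustration of the last question above (this is not the author’s answer and not code from the original post), the following Python turns a set of known URI permutations into a two-tier detection: an exact signature for the ten observed URIs, a deliberately tight regex for the convention they share, a false-positive check against benign paths, and Suricata content rules for the known URIs. The URIs, the `.invalid` hostnames, the proxy log lines and the benign URI list are all constructed for the example; the Suricata `msg` text and `sid` range are assumptions.

```python
"""Two-tier URI signature: exact known URIs, then the generalized naming convention."""
import re
from typing import Iterable, List, Optional, Pattern, Tuple

# Ten URI permutations hypothetically attributed to the tracked group (constructed).
# What they share: /<dir>/<word>_<4 digits>.<ext>, drawn from small closed vocabularies.
KNOWN_URIS = [
    "/img/load_0001.gif", "/img/load_0002.gif", "/img/init_0003.gif",
    "/css/sync_0004.png", "/css/load_0005.png", "/js/init_0006.jpg",
    "/js/sync_0007.jpg", "/img/sync_0008.png", "/css/init_0009.gif",
    "/js/load_0010.png",
]

# Tier 2: the convention, generalized. Every class is closed on purpose so the
# pattern stays tight; widen a class only when new observations justify it.
GENERALIZED = re.compile(r"^/(?:img|css|js)/(?:load|init|sync)_\d{4}\.(?:gif|jpg|png)$")

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_host> <method> <uri> <status>"
LOG_LINES = [
    "2022-09-01T10:00:01Z 10.0.0.5 cdn-example.invalid GET /img/load_0001.gif 200",
    "2022-09-01T10:00:09Z 10.0.0.7 cdn-example.invalid GET /js/init_0042.jpg 200",
    "2022-09-01T10:01:00Z 10.0.0.9 www.example.invalid GET /img/logo.png 200",
    "2022-09-01T10:02:13Z 10.0.0.5 cdn-example.invalid GET /css/sync_0004.png 404",
    "2022-09-01T10:03:00Z 10.0.0.11 cdn-example.invalid GET /img/load_00001.gif 200",
    "this line is malformed and must be skipped rather than crash the scan",
]

# Constructed benign URIs that look similar; the generalized pattern must not fire on them.
BENIGN_URIS = ["/img/logo.png", "/js/app.js", "/css/main.css",
               "/img/load_00001.gif", "/img/load_001.gif", "/api/sync_0001.png"]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>[A-Z]+) "
                    r"(?P<uri>\S+) (?P<status>\d{3})$")


def exact_signature(uris: Iterable[str]) -> Pattern[str]:
    """Tier 1: anchored alternation of the known URIs. re.escape keeps '.' literal,
    so '/img/load_0001.gif' does not also match '/img/load_0001xgif'."""
    return re.compile("^(?:" + "|".join(re.escape(u) for u in uris) + ")$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: Iterable[str], known_uris: Iterable[str] = KNOWN_URIS) -> List[Tuple[str, str, str, str]]:
    """Return (src_ip, dst_host, uri, tier) per matching line. 'known-uri' is a
    high-confidence hit; 'pattern' matches only the convention and needs triage."""
    exact = exact_signature(known_uris)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        uri = rec["uri"]
        if exact.match(uri):
            tier = "known-uri"
        elif GENERALIZED.match(uri):
            tier = "pattern"
        else:
            continue
        hits.append((rec["src"], rec["host"], uri, tier))
    return hits


def false_positives(benign_uris: Iterable[str], pattern: Pattern[str] = GENERALIZED) -> List[str]:
    """Benign URIs the generalized pattern fires on; keep this empty before deploying."""
    return [u for u in benign_uris if pattern.match(u)]


def suricata_rules(known_uris: Iterable[str], base_sid: int = 1000001) -> List[str]:
    """One Suricata 5+ rule per known URI using the http.uri sticky buffer.
    The msg text and the local sid range are assumptions for the example."""
    return [
        'alert http $HOME_NET any -> $EXTERNAL_NET any '
        f'(msg:"Tracked group known URI {uri}"; flow:established,to_server; '
        f'http.uri; content:"{uri}"; sid:{base_sid + i}; rev:1;)'
        for i, uri in enumerate(known_uris)
    ]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
    print("generalized pattern false positives:", false_positives(BENIGN_URIS))
    print(suricata_rules(KNOWN_URIS)[0])
```

Run against the constructed log, the scan reports two exact hits from 10.0.0.5 and one pattern-only hit from 10.0.0.7 (`/js/init_0042.jpg`), while the five-digit near miss and the benign logo request produce nothing. The split into tiers is the point: an exact hit is worth an immediate response, whereas a pattern hit tells you the convention may be broader than the ten URIs and should feed back into tracking before the regex is widened.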

Adversary Operations:

  • Does an adversary need to know a user’s password in order to leverage their credentials to move laterally on an enterprise network?
  • Please describe the construct of a nation-state cyber program to include the different dynamics between teams, roles, and responsibilities. How could each of these assist in attribution analysis or provide investigative leads for a CTI analyst?
  • While observing a suspicious file execute in a sandbox you see that it generates a GET request to google.com then issues repeated sleep commands. Could this file be malicious? Can you make a guess as to why it performed these actions?
  • Most cyber groups we follow conduct cyber operations for the purpose of espionage. Please explain what data staging and exfiltration are, what they would look like on a victim’s network, and heuristics or artifacts that we could hunt against to discover this type of activity.

Concluding Thoughts

My goal in writing this blog is to enable the next generation of practitioners to join our ranks in a field where there is no shortage of work that needs to get done. For those of us who have been in this field for some time, we have lived through the evolution of technology, shifts in the security landscape, changes in the way adversaries approach cyber operations, and more, meaning we incrementally built on a base foundation. No one person has a comprehensive knowledge base of all-things CTI, instead, that base knowledge is developed and refined over time.

I have talked with many peers at varying levels in a variety of different roles, and a consistent theme is that we all feel like imposters at times, and that is alright. Understanding the limitations of your own knowledge, being self-aware of those limits, enables us to plan accordingly or to identify complementary individuals that we can lean on. CTI is a team sport for a reason. In addition to creating a study plan to help fill some of those knowledge gaps, I cannot overstate how important it is to find good mentors. I have several peer mentors and peer mentees. Some of these are internal to where I work, others are part of communities of interest I am in, and others are in completely different fields and roles to provide me with an outsider’s perspective.

This is a field where we continue to learn and need to adapt in response, integrating that new knowledge into our decision calculus. We all have the same or similar starting points and as a result we have empathy and are willing to do what we can to help each other develop. Hopefully, the content in this blog post was able to assist you. Please feel free to reach out with any questions or comments.


Shinigami

Strategist, cyber threat intelligence researcher, program builder, and advisor. SANS FOR578 instructor candidate.