In the cyber security space, we can sometimes take for granted some of the less technical aspects of the job, often until it is too late. A great example of this was in one of my first more senior technical positions, when I was suddenly asked to be the technical resource in an interview. The normal resource was sick, and I was the only one available. All told, I had, maybe ten minutes to prepare, and of course my go-to was to Google “threat hunting interview questions.” What I got back was less than helpful.
What I noticed is that most of the “questions” being posed were for recruiters or human resources personnel. Now, there is nothing wrong with HR or recruiters, but the questions they ask are often more about screening out whatever the opposite of “low-hanging fruit” is. They often lack the technical knowledge, or even the chaotic experience of working in a SOC, to really ask meaningful questions. That is why I sat down with a number of our senior threat hunters to compile a list of some of the questions they have used – and the rationale behind them – during the hiring process.
Setting the Mood
Before we get into the actual threat hunting interview questions, it is definitely worth talking about the atmosphere of a job interview. All of us have inevitably been on the other side of the table many times being interviewed. I think it goes without saying that it is sometimes an uncomfortable atmosphere, and that can bring up the worst feelings of inadequacy and doubt in a candidate, and generally not helping the interview process. This is why one of the most important things to do right at the beginning of the interview is help to break the ice and put everyone at ease.
One of the best ways I have found to do this is to ask fun and disarming questions, and one of the best that I have heard is:
What are 3 things you would make sure to have or take when dealing with a zombie apocalypse?
To the untrained eye, a question like that might seem ridiculous. But it really isn’t. Questions like that one can reveal a lot about the potential candidate (including creativity, prioritization, humor, and even maybe some interesting anecdotes) while also establishing that this isn’t a ‘ties and cufflinks’-style interview. So, before getting into the weeds – try diffusing the tension in the environment first, allowing everyone to be just a bit more relaxed. Now, with the atmosphere set, let’s dive into the questions!
Opening Threat Hunting Interview Questions
When starting an interview for a cyber security position, it is important to get perspective who the candidate is and how they think. That is why, unanimously, the first of the threat hunting interview questions that was asked by all of our senior hunters was some variation of:
What sources of information do you regularly go to in order to stay current on security, learn new things and keep up on current trends and new threats?
This type of question is multi-faceted. Not only does it let you know how “deep” a candidate goes (do they rely entirely on surface-level content like CNN, or are they regular contributors to obscure sub-reddits or blogs?) but it also helps to assess if the candidate is still actively learning and staying engaged, and can highlight how passionate they are about the field. A follow up to this question was also popular amongst our team:
What has piqued your interest or caught your attention recently from those sources?
This helps validate their answer, and it also highlights their depth in the field. Once you know the candidate is indeed passionate about the field, and that they seem to have a good depth of knowledge, it is time to start getting some background with these threat hunting interview questions.
Background Threat Hunting Interview Questions
One of the first threat hunting interview questions a lot of our threat hunters wanted to ask candidates was in what capacity they have worked in security before and test their awareness regarding how well the situation went using the question:
What role did you play in a security related incident or security related control/detection engineering, and what challenges and successes did you face?
Everyone in an interview is expecting to explain how great they are, but it can take a great candidate to understand the weaknesses in the process as well as in their response to that incident.
Another great open-ended threat hunting interview question that was suggested was to inquire about what the candidate thinks they know “best.” This allows you to see where an individual may be strongest, but also where they may need further training:
From a technical side, what do you have the best understanding of as it relates to any topic and what stuff scares you the most?
Now, this next one in our list of threat hunting interview questions may seem deceptively simple, but it was suggested with a good reason:
Can you explain to me how your computer gets to say google.com?
While such a threat hunting interview question might seem trivial to answer, it allows you to fully grasp a candidate’s understanding of some networking and demonstrate the ability to logically walk through each step in the process as well as communicate that to another person. Threat hunting often can involve explaining complex topics to a layman, so being able to communicate clearly is critical.
The next question is a bit more technically focused, but it does give the candidate the advantage of being open-ended in nature:
Taking a recent threat you're familiar with (malware, actor, attack, etc), describe a behavior employed by the threat and how you could hunt for it
This type of threat hunting interview question not only allows you to test a candidate’s understanding of threat hunting, but it also offers another opportunity to dig into a candidate’s depth of knowledge. Is the attack or adversary behavior something common? Or more current?
Persistence is perhaps one of the most common behaviors exhibited by an actor, and every threat hunter should be able to give a few examples:
Walk me through how an attacker could establish persistence, and how you may hunt for the associated activity
Having the candidate explain some of the different methods of persistence can show you their general threat hunting knowledge, however diving in even further to test how they could hunt for that behavior will reveal quickly if they know how to apply that knowledge.
Another of our popular threat hunting interview questions looks at a topic that everyone in the cyber security profession should know: terms like true positive and false positive. It may seem straight forward, but it is better to be safe and confirm that they understand what these terms mean:
In the context of performing a threat hunt, what would you consider a false negative, false positive, true positive or benign result to be?
One of the most important (but too often overlooked) elements of threat hunting is translating a successful hunt a more robust overall security posture. After all, hunters shouldn’t be finding the same thing over-and-over again. A question to address that is:
Is it possible to convert a threat hunt into a detection? If so, walk me through your thought process for doing so.
Conclusion
The less-technical elements of threat hunting – like interviewing candidates – can sometimes seem unimportant, right up until they don’t. These top 10 threat hunting interview questions can help put a new candidate at ease, delve into their thought process, and hopefully find your hunt team the perfect new member!
And if you are a new threat hunter angling for your kick at the can, check out some of our great threat hunting workshops where you can learn all about threat hunting techniques and earn credentials that you can list on your resume!