When it comes to interviewing a job candidate I typically have a set of questions prepared for them. With my 6 questions I try to leave them open-ended, even the more technical ones. Interviewing is a dance where the candidate should be leading. However, this is not the norm, and it leaves the interviewer more vulnerable. The interviewer will need to be more agile and be prepared for wherever the candidate takes it. This can be very difficult for the interviewer, since the candidate can touch on a topic that they're not familiar with, but having a candidate who can fill a gap in your team can be a tremendous help and make your team more diverse.
These are the questions I like to give during an interview and some details on what I’m looking for when asking them.
How do you stay up to date with security?
- I'm curious what tools they use to keep up to date, or if they keep up to date at all! Keeping up to date on what is happening is huge in the security field. If a new vulnerability comes out today, like Shellshock, an analyst needs to be aware of it as soon as possible and needs to know what it does and what it might look like in our logs. Learning about such things weeks later might get the company compromised.
The next two questions are a continuation of the first question. I’m hoping these questions will happen organically, but if not, I’m asking them to spark more discussion.
Can you describe something in the security field that happened in the last week?
- I'm seeing if they keep up to date and are actually retaining the information they get from whatever platform they use. To go back to making this harder for the interviewer, that means I need to keep up to date on security and be able to talk about it and ask questions.
Who is somebody that you look up to in the security field and why?
- This question gives me a feel for their level of interest in security. I’ve had answers all over the board, from Kevin Mitnick, Steve Jobs, to Malware Unicorn. As you can see, this tells me a lot about somebody and their interest. For example, if somebody mentions Kevin Mitnick, there’s a lot that one person has done. They’ve hacked corporate networks to defend them. What aspect of Kevin does the candidate find interesting? Did they read any of Kevin’s books? (Good thing I did so I can ask questions about it if needed.) If somebody says Steve Jobs without a real security reason, that can give me an idea that maybe they’re more interested in technology than security itself.
Can you give me a list of ports and corresponding services on those ports?
- Now this might seem very similar to asking "what's port 80?" but I'm leaving it up to the candidate to lead the dance. I'm looking to see if the candidate has a good understanding of what ports even are and which they are most familiar with. If a candidate talks about 135, 139 and 445, this might indicate that they mostly worked with Windows environments, or maybe they give me only web ports like 80 and 443. The idea is then to ask follow-up questions on these answers. Also, if a candidate just keeps going with ports and services, it's safe to say they at least understand this concept as well.
Can you tell me the difference between UDP and TCP and an example of this?
- This question is typically knocked out of the park. I feel like it's seen on exams such as Network+ or Security+, so candidates answer it pretty well. Once again I'm trying to see if they understand the basics of networking. How traffic moves is very important in an investigation as an analyst. I might even pivot to the three-way handshake from here, depending on the answer. I'm also looking for the candidate to use an analogy of some kind to help explain their answer.
Theoretically, give me some ways you would break into a company?
- This is one of my favorite questions and might seem abnormal for a SOC analyst position, but I find this question so interesting. Does the candidate understand the attacker's methodology? How can you defend against something you don't understand? It's like playing chess but not understanding how the pieces actually move. So I'm interested in knowing: what are some common ways an attacker tries to break into a company? What's important to them? What are they looking for? How are they moving?
Bonus question – Do you have any questions for us?
- This is such an important question. The biggest cringe for me is when a candidate has nothing for us. I feel like this is a chance to bring up a topic that they are strong in, but was maybe not brought up in the interview. When I hear candidates ask questions about how the SIEM gets tuned or how we’re monitoring cloud infrastructure, I get excited because I know they’re interviewing us as a company, and they should! Yes, sometimes you just need a job or to break into a field, but it shows a lot of maturity to ask some great questions of the company.
These are my questions and from them I’m really trying to gauge the candidate’s interest in security and not grill them about topics they’re not familiar with. There’s no reason to make somebody feel stupid for not knowing something. Once again, they might just be weak in one area, but really strong in another, and I want to give them a chance to demonstrate that.
My advice to people interviewing: Don't go in unprepared and just wing it. Make sure you have questions, but be ready to elaborate and dig deeper on the candidates' responses. To those being interviewed, my biggest tip is to do activities outside of work or school and be able to discuss and show them. Also be ready to ask questions. Remember, you're interviewing them as much as they're interviewing you.
Editor: Emily Domedion