Are you gearing up for your first interview, nervous and unsure of what questions are coming your way? I feel you. During my first interview, I was a nervous wreck. And guess what? I still am anytime I interview. These are normal concerns for most people.
In this blog, you will find some of the most common questions I have seen during interviews for the Junior SOC Analyst role. Many of these I have asked myself while interviewing candidates.
Instead of just providing an answer you can memorize, I will give you the reasons behind the questions. I encourage you to spend time researching the questions on your own. Before the interview, you should understand the topic well enough to discuss it more than surface level with the interviewer. They will be probing to see if you actually know what you are talking about. I promise 😊.
Interviews are a chance for you to shine in front of your future employer. You have worked hard to get your degree, certification, or both. But don’t relax just yet. We don’t want you stumbling across the finish line.
They aren’t looking for people who have just memorized answers (though I am sure you have done plenty of that). They are looking at how you use the knowledge you have gained.
This leads me to say, the point isn’t to get every question right per se. Instead, the questions are meant to see how you think through problems.
So let’s dive in.
All of these questions will be at the CompTIA Security+/SSCP level. This is the bar for entry-level positions.
1. Explain DNS
Variations of this topic typically come up during an interview. They may ask it like, “Say you type google.com into your browser. Explain how the browser resolves the domain name and ends up on the right page.”
This question is pretty solid. DNS is the backbone of the internet. You should be able to walk the whole chain without notes: the browser and OS cache, the hosts file, the stub resolver, the recursive resolver, and the iterative trip out to the root, TLD and authoritative name servers, plus what TTLs, the common record types (A, AAAA, CNAME, MX, TXT) and response codes like NXDOMAIN mean. If you can’t, you need to research right meow.
Beyond its everyday role, many attacks depend on DNS to succeed: fast-flux domains, cache poisoning, domain generation algorithms (DGAs) that let malware locate its command-and-control server, DNS tunnelling for C2 and data exfiltration, and domain fronting, which hides the true destination behind a CDN’s shared hostname.
By understanding this topic, you can reason your way through the DNS logs you are seeing and perhaps uncover an attack. A host that suddenly produces a burst of NXDOMAIN answers, or long random-looking subdomains piling up under one parent domain, tells a story once you know what normal resolution looks like.
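To make the log-reading point concrete, here is an added example (not code from the original post) that triages a constructed resolver query log for the two DNS abuses mentioned above: tunnelling, spotted as long high-entropy leftmost labels clustering under one parent domain, and a DGA, spotted as one client racking up NXDOMAIN answers. The log format, the client addresses, the domain names and the thresholds are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log for this example (not real traffic).
# Columns: time client qname qtype rcode
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.google.com A NOERROR
10:00:02 10.0.0.5 mail.google.com A NOERROR
10:00:03 10.0.0.7 ogmw7c3q5hv2rj8xk4n.badcorp.example TXT NOERROR
10:00:03 10.0.0.7 a6tg9pzw3ky1lqd0v5b.badcorp.example TXT NOERROR
10:00:04 10.0.0.7 zx2r8mqv4cn7tk1hb9e.badcorp.example TXT NOERROR
10:00:05 10.0.0.9 kqxzvptr.com A NXDOMAIN
10:00:05 10.0.0.9 mzwplqvx.net A NXDOMAIN
10:00:06 10.0.0.9 xvqkrtzp.org A NXDOMAIN
10:00:06 10.0.0.9 pzrkqvxm.com A NXDOMAIN
10:00:07 10.0.0.9 qkrzvxpt.net A NXDOMAIN
10:00:08 10.0.0.5 cdn.example.com A NOERROR
"""


def parse_log(text):
    """Split the whitespace-separated log into dicts, normalising the name."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def tunneling_candidates(records, max_label=16, min_entropy=3.5, min_unique=3):
    """Flag names whose leftmost label looks like encoded data, then keep only
    parent domains that received several distinct such lookups."""
    by_parent = defaultdict(set)
    for r in records:
        host = r["qname"].split(".")[0]
        if len(host) > max_label or shannon_entropy(host) > min_entropy:
            by_parent[parent_domain(r["qname"])].add(r["qname"])
    return {p: sorted(names) for p, names in by_parent.items()
            if len(names) >= min_unique}


def nxdomain_bursts(records, threshold=4):
    """Clients racking up NXDOMAIN answers: a DGA probing for its live C2 domain."""
    counts = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {c: n for c, n in counts.items() if n >= threshold}


def triage(text):
    records = parse_log(text)
    return {"tunneling": tunneling_candidates(records),
            "dga_clients": nxdomain_bursts(records)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(key, val)
```

Note that the two signals are deliberately different: the eight-character DGA names have too little entropy to trip the label test on their own, and the tunnelling subdomains all resolve successfully, so neither check alone would catch both. Real triage also needs an allow-list for legitimate high-entropy names (CDN hostnames, anti-spam lookups) before you page anyone.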
2. Name Ports and Services
Another general question. If you think about it, all network traffic is some protocol and/or service. They want to know if you have any memorized and if you understand how services work.
While asking this question, they may segue into others such as: “What’s the difference between UDP and TCP?” and “Explain the TCP three-way handshake.” Know the SYN, SYN-ACK, ACK sequence cold, and know that the connection teardown is a separate four-segment FIN/ACK exchange; if an interviewer says “four-way handshake,” ask which exchange they mean rather than guessing.
Whether the SOC relies on network traffic heavily or not, you need network fundamentals.
When you analyze network traffic in a SOC, the protocol isn’t always labelled for you, and attackers like to masquerade their traffic as something else (a reverse shell on port 443 so it blends in with HTTPS, for instance). The reverse is just as telling: if you see a device connecting to a normal workstation on port 88, something is amiss. Port 88 is Kerberos, which is served by domain controllers, not workstations.
This is just one example, but similar scenarios occur often.
You should have at least a handful memorized and understand the protocol behind each one. This will help you in your day-to-day life in the SOC, and your interviewer may ask you to explain the service.
Start with HTTP/HTTPS (80/443), FTP (21), Telnet (23), SSH (22), SMTP (25), POP3 (110), IMAP (143), DNS (53), Kerberos (88), LDAP (389), NetBIOS and SMB (137-139/445), and RDP (3389). This list from getcertifiedgetahead.com should get you started.
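The port-88-on-a-workstation scenario above is the kind of baseline check you can actually write down. The following is an added example (not code from the original post) that reviews constructed connection records shaped like Zeek’s conn.log fields and flags three things: a service that does not match its port (masquerading), a workstation acting as a server for a service only infrastructure should offer, and workstation-to-workstation SMB. The address plan (workstations in 10.0.1.0/24), the port-to-service table and the sample records are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Expected service per well-known port (subset; an assumption for this example,
# using the short service names Zeek writes into conn.log's "service" field).
PORT_SERVICES = {22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
                 88: "krb", 110: "pop3", 143: "imap", 389: "ldap",
                 443: "ssl", 445: "smb"}
# Services only infrastructure servers should offer; a workstation listening
# here is either misconfigured or compromised.
SERVER_ONLY_PORTS = {53, 88, 389}
# Assumed address plan: workstations live in 10.0.1.0/24, servers in 10.0.0.0/24.
WORKSTATION_NET = ip_network("10.0.1.0/24")

# Constructed connection records (src dst dport proto service), not real logs.
SAMPLE_CONN = """\
10.0.1.21 10.0.0.10 88 tcp krb
10.0.1.21 10.0.0.10 389 tcp ldap
10.0.1.22 10.0.1.21 88 tcp krb
10.0.1.23 203.0.113.9 443 tcp ssh
10.0.1.23 198.51.100.4 443 tcp ssl
10.0.1.24 10.0.0.11 53 udp dns
10.0.1.25 10.0.1.26 445 tcp smb
10.0.1.21 203.0.113.50 8443 tcp -
"""


def parse_conn(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, service = line.split()
        rows.append({"src": src, "dst": dst, "dport": int(dport),
                     "proto": proto, "service": service})
    return rows


def is_workstation(ip):
    return ip_address(ip) in WORKSTATION_NET


def review_connections(rows):
    """Return (row, reason) pairs for traffic that breaks the port/service baseline."""
    findings = []
    for r in rows:
        expected = PORT_SERVICES.get(r["dport"])
        # 1. The protocol seen on the wire is not what the port implies.
        #    Zeek writes "-" when it could not identify the service; skip those.
        if expected and r["service"] != "-" and r["service"] != expected:
            findings.append((r, f"port {r['dport']} carries {r['service']}, expected {expected}"))
        # 2. A workstation is acting as a server for a service only infra should run.
        if r["dport"] in SERVER_ONLY_PORTS and is_workstation(r["dst"]):
            findings.append((r, f"workstation {r['dst']} is serving {expected} on port {r['dport']}"))
        # 3. SMB between two workstations: classic lateral-movement path.
        if r["dport"] == 445 and is_workstation(r["src"]) and is_workstation(r["dst"]):
            findings.append((r, "workstation-to-workstation SMB"))
    return findings


if __name__ == "__main__":
    for row, reason in review_connections(parse_conn(SAMPLE_CONN)):
        print(f"{row['src']} -> {row['dst']}:{row['dport']}  {reason}")
```

The unknown-service row on 8443 is there on purpose: a port you have no expectation for should not generate a finding, otherwise the rule drowns the analyst in noise the moment someone runs a non-standard web app.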
3. What is a SIEM?
An evergreen question. A SIEM (security information and event management platform) collects logs from across the environment, normalizes them into a common schema, and correlates events into the alerts you will triage. This is the tool you will be using every day, and it would serve you well to look it up to get a basic understanding.
Most interviewees have no idea what this is. I encourage you to stand out during this question. Not only know what a SIEM is but have used one.
An example of this tool is Splunk. It is one of the popular SIEMs that I have seen in many Infosec shops. They offer a free fundamentals course if you are interested in playing with it, called Splunk Fundamentals 1. TryHackMe also provides a couple of rooms that cover its use: Splunk 101 and Splunk2.
Before you run off and take the entire Splunk course, don’t waste time just yet. It covers many things that aren’t helpful unless you will be using it. You need to focus on the broader InfoSec world.
Instead, hop in TryHackMe for a couple of hours and follow the available lab guides. Just getting your hands dirty will suffice for now. You should be able to talk about SIEMs and how the tools are used in cyber security. And impress them that you went out on your own to find a SIEM to play with.
Your interviewer wants to know if you are familiar with a tool you will be using. Most candidates won’t. This is a chance for you to stand out.
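If you want something to say beyond “it collects logs,” it helps to have built the core of one. The following is an added example (not code from the original post, and not Splunk’s) that does in forty lines what a SIEM does at scale: it parses two different log sources into one schema and runs a correlation rule that fires when a source IP logs in successfully after repeated failures inside a time window. The sshd lines, the Windows logon export format, the year assumed for syslog timestamps and the thresholds are all constructed for the example.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Two constructed log sources for this example (not real data).
# Syslog lines carry no year, so the parser assumes 2024 and UTC.
LINUX_AUTH = """\
Mar  3 10:00:01 web01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:03 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:05 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:09 web01 sshd[815]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Mar  3 10:02:00 web01 sshd[820]: Failed password for bob from 10.0.1.40 port 40000 ssh2
"""
# Simplified Windows logon export: timestamp,event_id,user,source_ip
# (4625 = failed logon, 4624 = successful logon).
WINDOWS_LOGONS = """\
2024-03-03T10:01:00Z,4625,jsmith,198.51.100.9
2024-03-03T10:01:02Z,4625,jsmith,198.51.100.9
2024-03-03T10:01:04Z,4625,jsmith,198.51.100.9
2024-03-03T10:01:06Z,4625,jsmith,198.51.100.9
2024-03-03T10:20:00Z,4624,jsmith,198.51.100.9
"""

# Common schema every source is normalised into; this is what a SIEM's parsers do.
Event = namedtuple("Event", "ts source src_ip user outcome")

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)")


def parse_linux_auth(text, year=2024):
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        outcome = "success" if m["result"] == "Accepted" else "failure"
        events.append(Event(ts, "sshd", m["ip"], m["user"], outcome))
    return events


def parse_windows_logons(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, event_id, user, ip = line.split(",")
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        outcome = "success" if event_id == "4624" else "failure"
        events.append(Event(ts, "windows", ip, user, outcome))
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a source IP succeeds after >= threshold failures inside the window."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, e in enumerate(events):
        if e.outcome != "success":
            continue
        failures = [f for f in events[:i]
                    if f.outcome == "failure" and f.src_ip == e.src_ip
                    and e.ts - f.ts <= window]
        if len(failures) >= threshold:
            alerts.append({"ts": e.ts, "src_ip": e.src_ip, "user": e.user,
                           "source": e.source, "failures": len(failures)})
    return alerts


def run_correlation():
    events = parse_linux_auth(LINUX_AUTH) + parse_windows_logons(WINDOWS_LOGONS)
    return correlate(events)


if __name__ == "__main__":
    for a in run_correlation():
        print(f"{a['ts']} brute force then success from {a['src_ip']} as {a['user']} "
              f"({a['failures']} failures, {a['source']})")
```

With the default five-minute window only the ssh sequence fires; the Windows account’s four failures sit nineteen minutes before its success, so they are ignored. Widen the window and that changes, which is exactly the tuning conversation you will have with whoever owns the SIEM rules.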
4. How do you stop a malware outbreak?
Malware is the plague of the modern world. And you will be dealing with it regularly.
The interviewer is looking to see if you generally understand how malware spreads, infects systems, and persists. You will often be asked several questions related to malware.
Warning, you will get negative interview points if you say, “run anti-virus.” Anti-virus alone doesn’t stop an outbreak in an enterprise environment, and realistically it doesn’t at home either. They want to hear you scope the problem (which hosts have the file, where did it come from), contain it (isolate the hosts, block the indicators), and only then eradicate and recover.
Check out Lenny Zeltser’s talk at RSA, Practical Malware Analysis Essentials for Incident Responders, for more information on malware analysis. Some of the information may be a bit advanced. Stick with it. I think he does a great job covering some of the common techniques you are likely to use at a junior level.
In addition to the video, do some research into incident response. Microsoft has a decent page on the process called “Incident response process.” Your answer should align with the incident response process with bits of malware analysis thrown in.
After watching the video and learning about incident response, you should be able to score some major points on this topic.
5. What is a hash?
Hopefully, you covered this in class or during your certification studies. Unfortunately, the reality is you have probably forgotten. Most people completely miss this question.
A hash function takes input of any size and produces a fixed-length digest, a fingerprint of the data. It is deterministic (same input, same digest), one-way (you cannot recover the input from the digest), and a good one makes collisions, two different inputs with the same digest, practically impossible to find. We use hashes in two primary use cases in infosec: storing passwords (salted and deliberately slow, never a bare MD5) and checking whether two files are the same, which is also how hash-based indicators of compromise work. I know. I said I wouldn’t give you the answers. But there it is.
Don’t worry. I still have additional study material for you. Check out the article “What is a Hash Function in Cryptography? A Beginner’s Guide” for more information. Please forgive all their annoying popups. It was the best resource I found at the time. Let me know if you have any others.
Be prepared to also explain the difference between hashing and encryption. Both live under cryptography, and either could be asked. Encryption is reversible by anyone holding the key; hashing has no key and no way back. Mentioning that MD5 and SHA-1 are no longer collision resistant, and that a keyed hash (HMAC) is how you get integrity plus authentication, shows you understand the topic beyond the definition.
Because this is often seen in infosec, your interviewer wants to know if you know what it is. Be prepared to answer this well to score some more major points.
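To tie the hash question back to the malware outbreak question, here is an added example (not code from the original post) covering both: it shows the properties that make a digest useful (fixed length, determinism, the avalanche effect), the right way to store a password (salted, iterated PBKDF2 with a constant-time check), and the scoping step of an outbreak, matching files on several hosts against a known-bad SHA-256 regardless of what the file was renamed to. The “malware” bytes, the host inventories and the file paths are constructed for the example.

```python
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    """Fixed-length (256-bit) fingerprint; the same input always gives the same digest."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many of the 256 bits differ; a one-character input change flips about half."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# --- Use case 1: password storage. Store a salted, slow hash, never the password
#     and never a plain fast hash: the salt defeats precomputed tables and the
#     iteration count slows brute force. Stored format: algo$iterations$salt$digest.
def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check itself does not leak timing information.
    return hmac.compare_digest(dk.hex(), digest_hex)


# --- Use case 2: file identity / IOC matching. Constructed host inventories
#     (path -> file bytes) stand in for what an EDR or collection script returns.
MALWARE_SAMPLE = b"MZ\x90\x00 this stands in for a dropper binary"
KNOWN_BAD_HASHES = {sha256_hex(MALWARE_SAMPLE)}
HOST_INVENTORY = {
    "ws01": {r"C:\Users\alice\Downloads\invoice.exe": MALWARE_SAMPLE,
             r"C:\Windows\notepad.exe": b"MZ\x90\x00 benign editor"},
    "ws02": {r"C:\Windows\notepad.exe": b"MZ\x90\x00 benign editor"},
    "ws07": {r"C:\Temp\svchost.exe": MALWARE_SAMPLE},   # same bytes, renamed to hide
}


def scope_outbreak(inventory, bad_hashes):
    """Return {host: [paths]} for every file whose digest is a known-bad hash.
    File names lie; the digest does not."""
    hits = {}
    for host, files in inventory.items():
        matched = [path for path, data in files.items() if sha256_hex(data) in bad_hashes]
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    a, b = sha256_hex(b"hello"), sha256_hex(b"hellp")
    print(a, b, f"{differing_bits(a, b)} of 256 bits differ", sep="\n")
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))
    print(scope_outbreak(HOST_INVENTORY, KNOWN_BAD_HASHES))
```

Two details worth being able to explain in the interview: hashing the same password twice gives two different stored strings because the salt is random, and that is a feature, not a bug; and the renamed copy on ws07 is found because scoping compares digests, not file names, which is why sharing a sample’s hash is the first thing responders do.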
6. What do you like about cyber security?
Wow, an easy question. Not really.
Most people choke on this straightforward question because, my friends, you can’t really fake passion. Well, maybe you can if you are a serial killer. But for ordinary people, you will give off an aura that you don’t really care and just need a job.
Look inside yourself. Why did you go to school for 2 or 4 years? Why did you spend months to study for that certification? Why do you think you can spend the next 20 or 30 years in the career field?
Surely at one point, you thought infosec was awesome and you were motivated every day to learn more.
This question is to see if you are passionate about the field. You need to meditate on why you entered the field of study and let them see your passion.
You can prepare something for this question ahead of time, but please don’t sound like a robot when answering. You probably won’t get the job.
Instead, be sincere in your answer.
I only say prepare because some people completely freeze when they are caught off guard. Take me, for instance. I am not good at thinking on my feet. Before an interview or a speech, I practice, and then I practice answering questions that I anticipate may come.
It’s not because I am not good at what I do. Sometimes my brain just doesn’t want to produce a good answer out of thin air.
I have seen this question completely destroy candidates. Who wants to hire a downer when the rest of your team loves what they are doing?
To throw in some personal experience: honestly, I have decided not to go with candidates because they seemed super blah about cyber security. I love infosec, and I only work with others who love it too!
7. What was the last thing you studied independently?
Believe it or not, most people finish their degree or certification, then stop learning. Most companies aren’t looking for those types of people.
Infosec is an ever-changing landscape. It just never stops morphing.
Therefore, businesses are looking to hire people who invest their time into continuously broadening their skill set.
Many of the resources in this blog count as studying. You are welcome, and when you are done, keep going. TryHackMe is my favorite place to send people to learn Blue Team skills. Go there and dive right in.
When answering this question, talk through what resource you used, why you used it, and what you learned. You will score major interview points here if you talk in depth about one topic you learned independently.
8. Do you have any questions for us?
Inevitably your interview will end with this question. Did you know most people end the interview without asking anything?
Your interviewer wants to make sure you are actually interested in the job. What better way to show interest than to ask a few well thought out questions?
These are just some prompts, but ask things you care about.
What would make this place a definite no for you? What would make it awesome? Build your questions around those two answers.
I do have a caution. Don’t ask too many probing questions.
Some places are very cautious about their customers, technologies and business process. If you ask a bunch of questions you really don’t need to know to accept a job, they will think you are a spy. Or at least leave a negative image of yourself. We don’t want to do that. Instead, you want to amaze them and stand out in a positive way.
Let me see if I can clarify what I mean by probing questions. Questions like what SIEM do you use, who are your clients, how many employees do you have, what type of firewall do you use, what type of building access do you have, what is your direct phone line? If you think I am kidding, people ask some bizarre stuff in an interview.
My point is you want to stand out with your questions, but you don’t want to seem like a sketchy creep.
If you take the time to research these questions, you will rock your interviews. Remember to relax and enjoy talking with someone that is in the industry you are going into.
Take notes about anything you missed and research it further. You will most likely be conducting interviews with multiple companies. Learn from each one and continue to improve until you get your job.
The great news is that all of this knowledge is practical for a job in infosec. Trust me, you are not wasting your time on useless knowledge here.
Go forth and conquer my friends. If you have any suggestions on questions to add, please let me know. And if you crushed your interview because of this post, definitely let me know.