As systems move into the cloud and are increasingly exposed to the Internet, incident responders are becoming more necessary in the corporate world. If you are pursuing this line of work, you will need to familiarize yourself with the kinds of questions that you can expect during the course of an interview.
There is no perfect way to prepare for such an interview, as the questions that could potentially be asked are varied and different for each role at different companies. Therefore, the questions that we have put together will touch on some general fields as well as some more technically specific ones.
What follows is a general set of potential questions that you could face if you were to apply for an incident responder role within a company, as well as a basic guide to framing your answers. There are no guarantees that any of these questions will come up, but the more practice you give yourself, the better your chances are of answering correctly and impressing your potential employer.
Questions and answers have been listed from the lowest level of difficulty to the highest. The questions ratchet up in difficulty as we progress, but the general structure and content of each one should be useful to you as part of your preparation for that dream job interview. Use this content as additional practice material before your first job interview in 2019 and give yourself some extra ammunition for your answers. Good luck!
Level 1 — Junior Incident Response Tech
At this level, your employers are looking to see how well you grasp the macro-level concepts of the job role without necessarily bogging you down with too many technical questions. You will be tested on your understanding of the job role, how it fits in with the incident response planning of the department and how your position helps to facilitate the rest of the team’s next actions. Your background and career history will play a big part in testing your suitability for the position, so don’t be afraid to talk about yourself if the question leads you there.
That is not to say that there are no technical questions potentially headed your way, but always be prepared to give a holistic explanation of your job role so that you are not blindsided if that line of questioning comes up.
- Why do you want to work as an incident responder?
Questions like this can sometimes come as a surprise in an interview, especially if you were getting ready to dazzle the interviewers with technical answers and not general ones like this. This is a great opportunity for you to spell out your career path so far and how your experiences in previous roles led you to where you are now.
Don’t be afraid to highlight some of your achievements, either. The interviewers will be looking at what kind of work you have done that actually fits in with the role you have applied for. Keep your answers relevant to the role and don’t go off on too much of an unrelated tangent.
- What do you think that this role requires from you?
This question could be asked in just about any interview and is by no means an incident responder-specific question, but it is definitely one that needs a careful answer. Your interviewers are looking to find out if you have the right expectations of the work you are going to do, and what the role actually requires from you.
Be sure to mention that incident response requires quick and careful actions, as you are normally the first person to work on the problem. Mention that you look at resolving the issue as quickly as possible while minimizing further damage, but that you are just as concerned with documenting the circumstances around the failure for later analysis and inspection.
- How would you handle an outage on operation-critical systems such as data links between sites?
The first thing to check is that the backup link is fully functional and that business operations are working as expected. Tell them that the multiple systems that need to communicate must all be checked, and that it is business as usual for your applications and services. Once the extent of the affected service’s impact has been quickly assessed, you can proceed with the actual investigation and incident response into getting the service back up and running.
Mention that you would test the link, check that the hardware is responding and that the line services were active. If it is found to be hardware-related, then the correct teams would be dispatched as necessary. If it is a service provider that is offline, then you would coordinate with them to resolve the issue as quickly as possible.
- What kind of security breaches would you be on the lookout for?
This question seeks to test your knowledge of cybersecurity-related breaches, so think of the most common ones that you are likely to deal with.
One common example is SQL injection. Mention how it runs on a server, and how an attacker can use it to run other commands through this exploit that could potentially give them further access to the network. You might also mention man-in-the-middle attacks, DDoS, or cross-site scripting as well. Just make sure that you brush up on your explanations before your interview.
- Why would you check file changes on a system, and how would you compare them?
There are a few reasons why files might have changed in unexpected ways, especially if you are not aware of any legitimate processes running on the target machine. You can mention that malware, viruses or unauthorized access all have the potential to cause changes in files.
Mention that using an MD5 hash is one of the most common ways to show that a file has changed, especially since the metadata of a file (which includes access and creation data, as well as ownership) can be edited by malicious code or a skilled intruder.
- What document would you need to restore a system that has failed?
The correct document to look for when recovering from a serious system failure would be a disaster recovery document. This document outlines all of the steps and considerations that you should take when looking to restore a failed system.
- What is port scanning and why would you use it?
Port scanning is a process that scans a computer or server and checks to see what communications ports are currently open, closed or active. Many network protocols use a designated port number in order to communicate, so looking at open ports will give an incident responder clues about the applications that are running in the background.
Port scanners are used in situations where the incident responder is trying to troubleshoot why an application is not working as expected, or as a means to test if there are unauthorized connections to a server or computer. Port scanners are commonly used and give incident responders a greater view of the network state.
- Are you a team player or do you prefer to work alone?
For junior positions, it is almost always the case that you will be joining a team of other incident responders and cybersecurity professionals. The chances are high that you will be required to fit into an existing team, so showing your willingness to cooperate with others will go a long way to help show that you are suitable for the role.
Don’t be afraid to let the interviewers know that you are also perfectly happy to work on your own when required, as there are projects that get given out in any position that will sometimes only require one person to work on it.
- What is a cybersecurity incident?
Being able to explain what you consider an incident is very important, because you are the one that is responsible for responding to them as certain conditions are met. You shouldn’t need to give an overly-detailed response, just a clear and concise explanation.
You could think of an incident as something like a breach in a system’s safety measures and security policy that either brings a system down or affects the way that it operates in a negative way. Another way to classify a cybersecurity incident is as unauthorized access or attempts to access a system or to the data of a system, such as a hacking occurrence or an attempted hack.
- How do you decide how to respond to a given scenario?
There are a few ways that you could answer this question, because it is very open-ended. The truth is that it’s probably there so that the interviewers can see how you would react in a given situation.
Be sure to mention that the Incident Response Policy would be the main guide for how you would conduct the incident response activity, and that your actions would fall in line with the best practices of the organization.
Level 2 — Mid-Level Incident Response Engineer
At this level of interview, candidates are generally expected to answer more technical questions and have much more real-world experience. This is where your theoretical knowledge and higher-level technical concepts will be delved into and tested. Some of the more basic questions from the first level of interview questions could be thrown in for good measure too, so be on your toes.
- What are HIDS and NIDS?
As a more senior incident responder, you will be familiar with different kinds of detection systems and which ones are used in specific scenarios. You should know that a Host Intrusion Detection System (HIDS) runs on servers and computers, while a Network Intrusion Detection System sifts through network traffic and sniffs out anomalies and other suspicious behavior.
- What is Automated Incident Response?
Automated Incident Response systems help to reduce the time taken by engineers to identify a threat and isolate it by performing automated tasks that would normally take a long time to complete. These examples include log file analysis and collating data from seemingly-disparate and unrelated sources. These technologies are becoming more common, so having some knowledge of how they work will be a plus in the interview.
- What is SIEM?
Any incident responder worth their salt knows what a Security Information and Event Management system is, so this question should be a no-brainer if it comes up in the interview. All a SIEM does is aggregate data from multiple sources and compile them into meaningful information. Depending on the software, they can also detect potential or ongoing threats and block access, depending on how the environment has been configured and how the rules have been set up. Showing basic SIEM knowledge is essential for this level of interview, so be sure to brush up on your knowledge ahead of time.
- How would you detect incoming threats?
First, you would identify that suspicious or strange activity has been confirmed via the SIEM or through other sources such as firewall logs or alerts. Once confirmed, you then outline the basic steps of checking logs and documenting your findings as you progress. Specify that the Incident Response Policy document would dictate the proper response, as well as the correct escalation procedures. It is important to show the interviewers that you understand that the role of an incident responder is to act in concert with the team, and not to go off on a solo investigation without informing everybody else about a potential threat.
- How do you stay up-to-date with the latest information security developments relating to incident response?
Feel free to share the different sources that you use with the interviewers. Think about the different forensic/information security resources such as blogs, forums, newsletters and social media sources that you lean on when you are researching or learning about new threats. Be sure to put across the fact that you are always looking to learn more and evolve professionally.
- What operating systems are you familiar with?
At this level, you should ideally be proficient in Windows and Linux/Unix environments. Some organizations have a mix of different operating systems, and knowledge of how these systems are vulnerable to exploits is really important. Each operating system stores information in different ways, and log files are stored differently as well. Make sure that you are honest about your proficiency (or lack thereof) early on so that there are no false expectations.
- How important are system-wide security and vulnerability assessments?
Vulnerability assessments are an ongoing process that never ends, which is why there are usually daily, weekly and monthly checks that need to be done across the different systems within an organization. Most of these checks are done via the SIEM, but some need to be checked manually. Researching issues and staying current with news and updates is essential if you are going to keep up with malware and hacking developments.
- How important are documentation and procedural responses?
The interviewers are looking to see if you understand how important the procedures and documentation steps of the organization are. Be sure to mention how procedures need to be updated, and that each document must keep a version number to show when last the document or procedure was updated or revised. Document contributors and authors must also be acknowledged so that the document history is properly managed and understood. Explain that the procedural responses are vital because they determine how each scenario is dealt with.
- What are some of the steps that you take after an incident?
This process goes by many different names: postmortem, root cause analysis, learning review, post-incident review and more. You can give a brief outline of the kinds of information that you normally include in such reports, like the services that went down, who they affected, how long the downtime was experienced, who helped with the response and how the issue was eventually fixed.
Preventative actions are also a part of post-incident reports, so be sure to mention that the best way to prevent such things from reoccurring is to show what worked in the response plan and what didn’t. The response plan can then be updated accordingly.
- What are some of your professional achievements or major projects that you completed?
This is your time to dig deep and think about all of the impressive things that you have accomplished over the years. Perhaps you were tasked with researching a solution to a new threat, or maybe you were the response lead during an incident — anything that highlights your strengths will show the interviewers that you have what it takes to fill the role.
Level 3 — Senior Incident Response Engineer
These are probably some of the toughest interview questions that you will have to face if you are pursuing your incident response career through to its logical progression. Candidates at this level are expected to be experienced and well versed in all aspects of the incident response, as well as cybersecurity scenarios and best practice — so they can expect to field a few tricky questions.
People in the position of Senior Incident Response Engineer are likely to lead a team in times of an active incident, so don’t be surprised if the questions lean towards team interactions and management as well. Team leads are also expected to be the technical go-to during times of an active incident, so technical questions are heavily weighted on the high end of the scale. Let’s take a look!
- What is a pentest and what processes would you include?
Pentesting is a skill that you will need to have in your arsenal if you are hoping to get to this level of incident response. Not only is it important for understanding how an attacker is getting through your defenses in times of an active incident, but it is also really important for postmortem briefs where you will need to recreate the incident with similar techniques to the attacker.
The answer to the question is very open-ended, so expect more specific protocol-related derivatives of this line of questioning. The interviewer will probably paint a picture of a specific incident where certain behaviors are detected on your monitoring setup, requiring you to investigate. Be prepared to describe the tools and uses that each of them is needed for, as well as some personal experiences of how you have leveraged your pentesting abilities in the past to thwart an attack or investigate the aftermath of such an attack.
- What pentesting methods are there, and which are you familiar with?
You probably won’t need to recall all of these methods verbatim, but any experience that you have with each one will be a plus. The most common pentesting methods are external testing, blind testing, double-blind testing, and targeted internal testing. If you have experience with any of these, great. If not, then make sure you let them know which ones you are most proficient with.
- How would you describe your communication style?
Communication at this level of incident response is critical if you are going to be leading a team of people, especially during a crisis. The interviewer is looking to find out how you deal with communication between yourself and the different departments in the organization, such as Human Resources, Legal and the C-suite executives.
Equally important is your communication skills with your team as you will be driving communication and action from each of them, and in some cases across multiple regions. You might have to elaborate on your cultural understanding between countries if you are going to head up a multinational response team for larger organizations. The key thing to show is that you can communicate well and that you understand who needs to be informed and updated, all while you drive the threat response.
- What incident response team-based events have you overseen or participated in, and what did you learn?
This is a good chance for you to speak about some of your past experiences either as a team member or team leader. Talk about the problems you faced and the techniques that were used when trying to isolate the problem. Be sure to mention the different phases of your response, such as containment, preservation, eradication, recovery and postmortem. Explain what you need to do for each step, and how past incidents that you were part of were broken down into each of these different phases.
- What are some mistakes that you have made in the past? How did you learn from them?
This is a good place to be honest about some of the errors you might have made earlier in your career, or a simple mistake from just last week: You need to decide how relevant the example is that you are giving to the interviewers.
Obviously, you don’t want to paint yourself as being reckless or incompetent, so keep things limited to mistakes that you made where you were able to learn from and rectify the situation. Perhaps you once locked yourself out of an appliance such as a router or network switch, or lost comms to a device after making a bad configuration change.
Explain how you worked around the problem and then made sure that you didn’t let it happen again. Interviewers are looking for honesty here, so be sincere and think about some of the learning experiences that you have had over the years and have one or two examples ready for them.
- What is a cross-site scripting attack?
This is a big talking point, as the vulnerability has been exploited by hackers for quite some time already. Make sure that you are familiar with all of the basic elements that make up an attack of this nature ahead of time, and make sure that you can explain what the attack is so that it makes sense even to the non-technical people that may be sitting in on the interview.
Make sure that you explain the essence of the attack, showing that you understand it properly. Mention how it is a client-side attack that injects malicious scripts and code where the script is interpreted and run by the server. This allows the attacker to gain access to the machine or to inflict damage via a malicious payload. We went through a few of these in this article here, so take a look before your interview and brush up if you need a refresher on any of the finer details of this and other web app vulnerabilities.
- You’ve been given the chance to build your own CSIRT. What would you need?
This is a fun question to answer, as it is quite open-ended. Roles that require managerial and planning experience might want to see how you envision the role of the CSIRT (Computer Security Incident Response Team) within an organization. The answers that you give will depend on the size of the organization, the budget for the team, how the department fits in with the SOC (Security Operation Center) and CERT (Community Emergency Response Team), and if there are any overlapping responsibilities between the teams. You can also make suggestions for threat intelligence systems and other tools that you would recommend.
- What is an APT and how would you effectively deal with one?
Advanced Persistent Threats are usually groups of cybercriminals that gain access to a network and remain hidden while stealing information or jeopardizing systems. Traditionally this was the work of state-sponsored cyber-divisions that would attack international targets, but this has become a more localized threat in recent years. The availability of tools and the growing number of skilled attackers has made these types of incidents far more common than they were before, though they are still relatively rare.
Dealing with this kind of threat requires an intelligent threat response system in conjunction with a team of threat hunters to actively and routinely investigate the environment for suspicious behavior and anomalies in the system logs. Proper security audits must be carried out routinely to establish if any intrusion attempts have been made, whether successful or not.
- Tell us about the most difficult incident that you have ever had to respond to.
This kind of question lets you sculpt the answer to fit the narrative of the interview up to this point, because you would have an idea of the requirements of the role. Draw from your past experiences and mention something that relates to some earlier questions, and don’t be afraid of going into details about the processes that you followed, as well as the outcomes. This is a great opportunity for you to showcase the skills that you have, and how they would be applicable to the company that is interviewing you.
- How do you deal with a technical situation that you cannot figure out on your own?
There is no shortage of potential incident response resources, both internal and on the Internet. The first port of call would be your internal playbook and policy guides. These would assist with determining the next course of action given a specific set of failures and outcomes.
Next would be policy frameworks and your department’s incident response plan. Failing that, you could lean on other members in your department that have more direct experience with a specific threat, or if it seems to be more of a specialized issue, then you could look at collaborating with another department to get to the bottom of the problem.
You want to show both your willingness to get your hands dirty tackling the problem while showing restraint with regards to spending too much time on a bad solution. Time is critical in this line of work, so you want to make sure that you are able to walk that fine line between the two approaches.
- Bonus Tip: Learn as much about the company as you can prior to the interview
Learn and figure out as much as you can about the company that you are interviewing for ahead of your appointment for the interview and find out about what their key business is. Think logically about what services they would have and try to reasonably assess what their key security concerns might be. This will help you to look like a much better candidate when asked any company-specific questions that could potentially come up as you will be showing keen interest in the organization, which always impresses a potential employer.
Not everybody handles interviews very well, in fact, job interviews can be downright stressful, especially when you have a face-to-face panel interview. Try to remember that you are not alone in your discomfort, as there are plenty of people out there who have had to sit through a grueling interview process in order to land that dream job.
And don’t forget that practice makes perfect. If you want to go further than these thirty questions, we invite you to check out Skillset.com, which has more than a hundred thousand practice questions related to various certifications. As many of these certs will factor into tech industry roles, this is a quick and easy way to find more prompts to work from. Their list of cert-related questions includes PMP, CISSP, CEH, CHFI, Network+ and Security+.
Finally, remember to answer honestly and to prepare as best you can prior to the interview. Good luck and stay calm — you’ve got this!