The importance of malware analysts in the world today needs no introduction. With that said, the questions that one may be asked on a job interview for this position do need an introduction. The questions that one may be asked in the course of a malware analyst job interview can come from a veritable universe of questions that gauge the candidate’s worthiness. These questions can range from the broad to the intricately specific and everything in between.
This article will detail some malware analyst interview questions you can expect in the year 2018 and give a good idea of what you should give, or will be expected to give, for an answer. The questions and answers are categorized by their respective level of difficulty: Junior Analyst, Mid-Level Analyst and Senior Analyst. Read this article before you sit for a malware analyst job interview in 2018 and you will have made a good, broad-based review of the potential questions you will be asked.
Level 1 — Junior Analyst
The Junior level of malware analyst interview questions goes beyond the sort of “who are you” designation of questions. At this level, you may be asked questions about your general personal background and certain foundational experiences, and questions about foundational concepts and techniques that will require some detail in their respective answers.
Although this is normally the set of questions that employers rely upon when hiring malware techs, malware analysts will be faced with these questions as well.
- What attracted you to malware analysis/working with malware in the first place?
Do not be fooled by how general this question is. This is the time to let your specific background shine and to tell them exactly why you are going down this career path. The best course of action to take would be to chain together life experiences, such as those from work or school, that led you to the interview chair you are sitting in.
How you answer this question is honestly determined by your life experiences, so review them and use the best parts of your experiences to show why this is your passion (which it would be in a perfect world).
- What certifications do you have that will help you in this role?
While this question may also be faced in the entry-level/tech-level interview questions, the application of certifications and, by extension, what they certify also applies to this level of interview question.
Malware analysts have some certification options they can use to help them in their careers: GIAC Reverse Engineering Malware (GREM), Certified Reverse Engineering Analyst (CREA) and Certified Ethical Hacker (CEH). Apply any one of these, or any other certification that you may have, to the responsibilities of a malware analyst. It should be noted that you do not need a certification to work as a malware analyst, but it may help to demonstrate your potential value to the employer if you have one.
- How would you handle a malware threat on a major production server?
The answer should follow incident-response order rather than jumping straight to removal. Isolate the server from the network (or at least from the rest of production) to stop spread and command-and-control traffic, and accept that this means downtime; production systems matter too much to the organization to keep running while compromised. Preserve evidence before changing anything: capture memory and a disk image, and keep a copy of the malware for analysis. Only then eradicate (mention the tools you have used), and be prepared to restore files or the whole system from a known-good backup or rebuild it from a clean image. Malware that has modified or encrypted files, or that persists in ways an antivirus scan misses, is rarely cleaned reliably in place, and a restoration is often the only sound fix. Verify that the backup predates the infection before restoring from it.
- Describe a tool that you can implement at the firewall level of a network which would help you analyze malware threats.
Be precise here, because a SIEM is not a firewall control and the interviewer will notice if you blur the two. A Security Information and Event Management (SIEM) tool collects firewall, proxy, DNS and endpoint logs in one place and correlates them, which lets you identify the source and destination of malware traffic (the IP address or domain a sample was fetched from, or the command-and-control server it beacons to) across many hosts at once. The SIEM itself does not block anything: it raises an alert, and the block is then applied on the firewall or intrusion-prevention system, either by hand or through an automated response integration. Describing that separation of detection and enforcement shows you understand where each tool sits.
It is the malware analyst's job to feed the security team the indicators that come out of analysis (hashes, IP addresses, domains, observed behaviours) so they can become correlation rules, signatures and blocklists, and to keep tuning those rules so the SIEM's correlation engine stays accurate as the malware changes.
- How high would you rank the importance of documentation with regard to malware analysis?
Make clear that documentation is not just important but essential to malware analysis. Every incident and every analysis should be written up: what the sample was (its hashes), how it arrived, what it did, what indicators it left behind and how it was contained. That record lets you recognise the same family faster the next time it appears, turns analyst findings into detection rules so later occurrences are caught automatically, and gives the team a picture of the malware landscape it actually faces rather than the one in the news. If you are asked "how would you rank the importance of documentation from 1 to 10," the smart money is on 10.
- What is threat intelligence?
Threat intelligence is how you keep abreast of changes to the malware and botnet landscape. As new samples, campaigns and infrastructure appear, they are reported to threat-intelligence platforms and feeds that compile indicators (file hashes, IP addresses, domains, observed techniques) and the context around them, and malware analysts draw on that data to recognise what they are looking at. Analysts are also producers of intelligence, publishing the indicators their own analysis uncovers. Good intelligence comes with a confidence level and an age; a stale or low-confidence indicator can generate as much noise as it prevents. Threat intelligence can be thought of as the memory of malware analysis.
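The SIEM and threat-intelligence answers above describe the same loop: logs in, indicators matched, a block rule out for the firewall. The following is an added example (not from the original article) of that correlation step in Python. The log format, the indicator feed and the hosts are all constructed for the example; the only real-world assumption is that block rules are rendered in iptables syntax, which is one of many possibilities.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines in a made-up but typical key=value format.
SAMPLE_LOGS = """\
2018-03-01T10:00:01Z fw01 ALLOW src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2018-03-01T10:00:05Z fw01 ALLOW src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2018-03-01T10:00:09Z fw01 ALLOW src=10.0.0.23 dst=93.184.216.34 dport=80 proto=tcp
2018-03-01T10:00:12Z fw01 ALLOW src=10.0.0.15 dst=198.51.100.9 dport=8080 proto=tcp
2018-03-01T10:00:20Z fw01 DENY src=10.0.0.42 dst=203.0.113.7 dport=443 proto=tcp
this line is garbage and must not crash the pipeline
"""

# Constructed threat-intelligence feed: indicator -> description.
# A feed may mix single addresses and CIDR ranges, so both are handled.
INDICATORS = {
    "203.0.113.7": "C2 server, banking trojan campaign",
    "198.51.100.0/24": "known exploit-kit hosting range",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def load_indicators(feed):
    """Normalise indicators to ip_network objects so /32s and ranges match alike."""
    return [(ipaddress.ip_network(ind), desc) for ind, desc in feed.items()]


def match_indicator(dst, networks):
    """Return (indicator, description) if dst falls inside any known-bad network."""
    addr = ipaddress.ip_address(dst)
    for net, desc in networks:
        if addr in net:
            return str(net), desc
    return None


def correlate(log_text, feed):
    """Correlate allowed connections against the feed.

    Returns {indicator: {"desc": str, "hosts": {src_ip: hit_count}}}, which is
    the view an analyst needs: which internal hosts talked to which bad thing.
    """
    networks = load_indicators(feed)
    hits = defaultdict(lambda: {"desc": "", "hosts": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        if m["action"] != "ALLOW":
            continue  # already denied at the perimeter; no new rule needed
        found = match_indicator(m["dst"], networks)
        if found:
            net, desc = found
            hits[net]["desc"] = desc
            hits[net]["hosts"][m["src"]] += 1
    return hits


def block_rules(hits):
    """Render one egress block per matched indicator; enforcement happens on the firewall, not in the SIEM."""
    return [
        f"iptables -I FORWARD -d {net} -j DROP  # {info['desc']}"
        for net, info in sorted(hits.items())
    ]


if __name__ == "__main__":
    result = correlate(SAMPLE_LOGS, INDICATORS)
    for net, info in result.items():
        print(net, info["desc"], dict(info["hosts"]))
    print("\n".join(block_rules(result)))
```

Note that the internal hosts in the result are as important as the rule: 10.0.0.15 talked to the C2 twice and to the exploit-kit range once, so that host, not only the destination, is the next thing to look at.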
- Explain the importance of software updates with regard to malware
Software updates are a critical part of keeping a computer or system malware-free, because a great deal of malware gets in through vulnerabilities for which a fix already exists. The most important part of a Windows update is the security fixes that close those holes; the antivirus side is separate (for Windows Defender, the definition updates that carry new malware signatures, which are pushed far more often than the monthly patch cycle). Both need to be current, but patching removes the entry point, whereas signatures only catch what is already known.
Malware analysts will have to coordinate with members of an organization's security team to ensure that updates are applied at the organization level, so that all computers and systems get them rather than only the ones that happen to reboot, and so that the vulnerabilities the malware they analyse actually exploits are prioritised for patching.
- How important do you think thinking outside of the box will be in this role?
This is where you can show that you are quite familiar with the daily ins and outs of this role. Being a malware analyst is often three parts thinking outside of the box and one part actual knowledge. A good way to flesh this one out is to bring up experiences and events at past positions that highlight how good you are at this unorthodox way of thinking.
- What do you think about social networking sites such as Facebook?
Treat this as a risk-and-policy question rather than a chance to rant. Social networking sites are a well-used delivery vector: malicious links and attachments in messages, fake or compromised pages and malvertising can all lead to malware, and the sites are a rich source of personal information for targeted phishing. Whether they belong on the corporate network is a policy decision that weighs those risks (and the lost productivity) against the business need. If they are allowed, web filtering, endpoint protection and user awareness training limit the exposure; if they are not, the block has to be enforced technically rather than just written down.
- What are the biggest sources of malware?
Malware is most often distributed via email (attachments and links), compromised or malicious websites and advertising, social networking messages, unapproved or pirated software and removable media. Each of these infection vectors can be reduced with a combination of policy and technical controls: attachment filtering and sandboxing, web filtering, application allowlisting and device control. None of them is eliminated entirely, which is why detection matters as much as prevention.
Level 2 — Mid-Level Analyst
The Mid-Level Analyst level of interview questions and answers is where the focus turns to the real-world application of malware analyst skills. At this level of questioning, candidates will be expected to answer higher-level concept questions and more hypothetical questions which demonstrate this heightened level of applied knowledge.
- What is heuristic analysis?
Heuristic analysis is a malware and virus detection method that looks for characteristics and behaviours common to malware rather than for an exact signature: a packed or high-entropy executable, suspicious combinations of imported functions, code that writes into other processes or installs itself to run at start-up. This is how a product finds new and unknown threats for which no signature exists yet, and it keeps an organization ahead of the curve with the hardest-to-find threats. The trade-off is false positives, since legitimate software sometimes shares those traits, so heuristic hits are usually scored and reviewed rather than acted on blindly.
- What is automated analysis?
Automated analysis runs a sample through a pipeline without an analyst in the loop: static checks first, then execution in a sandbox that records file, registry, process and network activity, and finally a report and a score. As with anything automated, the point is to save time, so that analysts spend their effort on the samples that matter. It must run in an isolated sandbox or lab network so the sample cannot reach production systems, and its output is a starting point rather than a verdict, because malware that detects the sandbox may simply do nothing.
- What is dynamic analysis?
Dynamic analysis, or behavior analysis, examines malware by executing it in a controlled, monitored environment and observing what it does: processes created, files and registry keys written, network connections made. Static analysis examines the sample without running it, through its strings, headers, imports and disassembly. Neither is preferable in general; they are complementary. Dynamic analysis shows real behaviour quickly, including behaviour hidden by packing, but only the code paths that actually execute during the run, and malware that checks for a sandbox or waits for a trigger may show you nothing. Because the sample is executing, the environment must be isolated so that the lab, and not your network devices, takes any damage.
- How would you identify threats within software/programs?
The preface to this question is that your organization has encountered software of unknown provenance and staff are unsure how to proceed. Work from the cheapest check to the most expensive: compute the file's hashes and look them up against current threat reports, malware blacklists and multi-engine scanning services, and scan the file with an antivirus product. If nothing is known about it, move to static analysis (strings, imports, signatures, packing) and then run it in a sandbox to watch its behaviour. A clean result on the cheap checks is not a clean bill of health, since new or targeted malware will not be on any list yet.
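The heuristic-analysis and unknown-software answers above both come down to a static triage: a known-bad hash lookup first, then heuristics for whatever no list has seen. The following is an added example in Python (not code from the original article) that does both on a byte buffer. The samples, the known-bad list and the list of suspicious API names are constructed for the example; the threshold values are illustrative, not a standard.

```python
import hashlib
import math
import random
import re


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; packed or encrypted payloads sit near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_strings(data, min_len=6):
    """Printable-ASCII runs, like the Unix `strings` utility."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


# API names whose presence in a sample's strings deserves a closer look (constructed, not exhaustive).
SUSPICIOUS_APIS = [
    b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
    b"SetWindowsHookExA", b"SetWindowsHookExW", b"URLDownloadToFileA",
    b"IsDebuggerPresent", b"GetAsyncKeyState",
]


def triage(data, known_bad):
    """Score a sample: known-bad lookup, then entropy and import-name heuristics."""
    result = {"sha256": sha256_hex(data), "indicators": [], "score": 0}

    # 1. Known-bad lookup: the cheapest and most certain check, so it runs first.
    label = known_bad.get(result["sha256"])
    if label:
        result["score"] += 10
        result["indicators"].append(f"hash match: {label}")

    # 2. Heuristics for samples no list has seen yet.
    result["entropy"] = round(shannon_entropy(data), 2)
    if result["entropy"] > 7.0:  # illustrative threshold; tune on your own corpus
        result["score"] += 3
        result["indicators"].append("high entropy: likely packed or encrypted")
    strings = extract_strings(data)
    found = [api.decode() for api in SUSPICIOUS_APIS if any(api in s for s in strings)]
    if len(found) >= 2:  # one name alone is common in benign software
        result["score"] += 3
        result["indicators"].append("suspicious API names: " + ", ".join(found))

    if result["score"] >= 10:
        result["verdict"] = "known malicious"
    elif result["score"] >= 3:
        result["verdict"] = "suspicious: send to sandbox / manual analysis"
    else:
        result["verdict"] = "no static indicators (not proof of safety)"
    return result


# --- Constructed samples; none of this is real malware ------------------------
_rng = random.Random(1)  # seeded so the demo is reproducible
PACKED_LIKE = (b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))
               + b"\0kernel32.dll\0VirtualAllocEx\0WriteProcessMemory\0CreateRemoteThread\0")
BENIGN_LIKE = b"This program cannot be run in DOS mode.\r\n" * 50 + b"Hello from a harmless tool\n"
KNOWN_BAD = b"MZ" + b"\x90" * 64 + b"dropper stub, constructed for the example"
KNOWN_BAD_SHA256 = {sha256_hex(KNOWN_BAD): "constructed: Trojan.Example"}

if __name__ == "__main__":
    for name, blob in [("packed", PACKED_LIKE), ("benign", BENIGN_LIKE), ("known", KNOWN_BAD)]:
        r = triage(blob, KNOWN_BAD_SHA256)
        print(f"{name}: {r['verdict']} (entropy {r['entropy']}, indicators {r['indicators']})")
```

The order matters: a hash lookup is exact and cheap, so it goes first; the heuristics only add signal, and a low score on them means "nothing found statically", which is why the verdict string says so rather than "clean".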
- So one of your coworkers has received a suspicious email with a PDF attachment. What do you do?
This is another of the real-world application questions you will likely face, and a very common event in an organization. Tell the coworker not to open the attachment or click anything in the message, but also not to delete it: the email and the PDF are your evidence and your sample. Report it to the security team, pull the message headers and the attachment, check the attachment's hash against known threats and detonate it in a sandbox to see whether it carries an exploit, an embedded script or a link to a second-stage download. If it turns out to be malicious, find out who else received it and whether anyone opened it. Deleting it unseen feels like lightening your future workload, but it throws away the one thing that tells you whether this was a one-off or the first sign of a campaign.
- What is process injection?
Process injection is a technique malware uses to run its code inside another, usually legitimate, process, so that the activity appears to come from that process and survives the termination of the original executable. On Windows the classic form goes through a recognisable sequence of API calls: OpenProcess to get a handle on the target, VirtualAllocEx to allocate memory in it, WriteProcessMemory to copy the payload there, and CreateRemoteThread (or a lower-level equivalent such as NtCreateThreadEx or QueueUserAPC) to execute it. Other variants include DLL injection, process hollowing and APC injection. A malware analyst should be able to spot this pattern in the import table during static analysis, in an API trace during dynamic analysis and in memory, where an injected region is typically executable but backed by no file on disk. Experience helps, but the API sequence itself is the concrete thing to look for.
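The following is an added example, not code from the original article, of spotting that API sequence in a dynamic-analysis trace. It assumes a sandbox that records one (pid, API name, arguments) tuple per call, with the target process exposed as a `target_pid` argument; the trace itself and that field name are constructed for the example, and the table of equivalent lower-level APIs is illustrative, not complete.

```python
from collections import defaultdict

# Constructed API trace in the shape a sandbox report is reduced to:
# (calling pid, API name, selected arguments). Not a real sample.
TRACE = [
    (1204, "CreateFileW", {"path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.tmp"}),
    (1204, "OpenProcess", {"desired_access": 0x1F0FFF, "target_pid": 880}),
    (1204, "VirtualAllocEx", {"target_pid": 880, "size": 4096, "protect": "PAGE_EXECUTE_READWRITE"}),
    (1204, "WriteProcessMemory", {"target_pid": 880, "size": 4096}),
    (1204, "CreateRemoteThread", {"target_pid": 880}),
    (1204, "ExitProcess", {}),
    # A process allocating in itself is ordinary behaviour, not injection.
    (2100, "VirtualAllocEx", {"target_pid": 2100, "size": 512, "protect": "PAGE_READWRITE"}),
    # Opening and reading another process (a task manager, a debugger) is not injection either.
    (1310, "OpenProcess", {"desired_access": 0x0410, "target_pid": 4}),
    (1310, "ReadProcessMemory", {"target_pid": 4, "size": 64}),
]

# The classic chain, in order. Each step has lower-level equivalents that play the same role.
INJECTION_CHAIN = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
EQUIVALENTS = {
    "OpenProcess": {"OpenProcess", "NtOpenProcess"},
    "VirtualAllocEx": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "WriteProcessMemory": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "CreateRemoteThread": {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread", "QueueUserAPC"},
}


def find_injections(trace):
    """Report every (injector, target) pair that completes the chain, in order, against another process.

    Order is required on purpose: the same four APIs scattered across unrelated
    targets do not constitute an injection. Variants that skip a step (for
    example an inherited handle instead of OpenProcess) need their own pattern.
    """
    progress = defaultdict(int)      # (pid, target) -> index of next expected step
    evidence = defaultdict(list)     # (pid, target) -> calls matched so far
    findings = []
    for pid, api, args in trace:
        target = args.get("target_pid")
        if target is None or target == pid:
            continue  # no cross-process target: cannot be injection
        key = (pid, target)
        step = progress[key]
        if step < len(INJECTION_CHAIN) and api in EQUIVALENTS[INJECTION_CHAIN[step]]:
            progress[key] = step + 1
            evidence[key].append((api, args))
            if progress[key] == len(INJECTION_CHAIN):
                findings.append({
                    "injector": pid,
                    "target": target,
                    "apis": [a for a, _ in evidence[key]],
                    # An RWX allocation in a foreign process is a strong supporting indicator.
                    "rwx": any(a.get("protect") == "PAGE_EXECUTE_READWRITE" for _, a in evidence[key]),
                })
                progress[key] = 0   # reset so a repeated chain is reported again
                evidence[key] = []
    return findings


if __name__ == "__main__":
    for f in find_injections(TRACE):
        print(f"pid {f['injector']} injected into pid {f['target']} via {' -> '.join(f['apis'])}"
              f" (RWX allocation: {f['rwx']})")
```

The two decoy entries at the end of the trace are the false positives a naive "any of these APIs" rule would raise; keying progress on the (caller, target) pair and requiring the steps in order is what keeps them out of the findings.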
- How important are software exploits with regard to malware analysts?
Software exploits are very important to malware analysts because exploits are how a large share of malware gets its first foothold: a crafted document, web page or network packet triggers a vulnerability, and the malware's loader runs without a prompt or an obvious executable for the user to notice. Some exploits need no user interaction at all (a worm hitting an exposed network service); others need the user to open a file or visit a page, but in either case the malicious code arrives quietly. Analysing the exploit tells you which vulnerability was used, which in turn tells the organisation what to patch and which other systems are exposed, so it goes without saying that this work is very helpful to malware analysts.
- So an employee informs you that their work smartphone, which they extensively use Android OS on, probably has malware. What do you suggest they do?
Start by containing the device rather than lecturing the user. Have them stop using the phone, disconnect it from Wi-Fi and mobile data (or put it in airplane mode) and bring it in, and do not wipe it before anyone has looked at it. Then look for the source: recently installed apps, anything sideloaded from outside the official store, unexpected device-administrator or accessibility permissions, and whether the device is missing security updates. Run a mobile security scan, remove what you find, change any passwords that were entered on the phone, and if the device is rooted or the infection cannot be cleanly removed, back up the user's data and factory-reset it. Then the policy points: keep the OS patched, disallow installation from unknown sources and enrol the device in mobile device management so the organisation can enforce this rather than rely on the employee visiting only work-related sites.
- Can you name two different tools you would use as a malware analyst, with the tools being used in different phases of malware analysis?
This is a good question to further highlight your previous work experience with malware, and to show that you know which phase each tool belongs to. Static analysis uses a disassembler, and IDA Pro is the standard example; dynamic analysis uses a debugger, and OllyDbg (or x64dbg for 64-bit samples) is a good example of a tool used at that phase. Whatever you pick, though, it is smart to back up your choices of tools with stories about their real-world application on a sample you worked.
- Can you recommend any binary analysis tools?
Yes, you most definitely can. Two good examples of binary analysis tools are Malcode Analysts Pack and PE Explorer, both of which let you inspect a Windows executable's headers, sections, imports and resources without running it. Naming a tool is only half the answer: say what you used it for, for example pulling the import table to see which APIs a sample calls before you ever run it. And as always when talking about tools, add the flourish of experience and the times when you have used them.
Level 3 — Senior Analyst
This is it. If you have made it through the previous levels, you can expect the most difficult interview questions at this level. Don’t get me wrong, these questions will not be impossible, but you will have to dig deep to give satisfactory answers to these bad boys! So get ready, don’t let them see you sweat and get ready for the Senior Analyst level of questions.
- What is reverse-engineering of malware?
Reverse-engineering of malware consists of taking an executable you have no source for and working out what it does from the binary itself, something that has been called the "computer version of an MRI." It combines static work (disassembly, reading the code, unpacking and decrypting whatever the author obfuscated) with dynamic work (running the sample under a debugger to confirm what the code does). Due to the unknown nature of the executable, this work should be performed on a system or environment that is not connected to the network, to minimize potential damage. The process can be painstaking, but it is sometimes the only way to understand exactly what the executable does, what it needs to contact and how to detect it.
- What are two sources of information to look to when reverse-engineering malware to help you identify what you are reversing?
Even the best malware analysts may not know exactly what they are looking at when they are reversing a new threat, so it pays to have sources of information to check in situations like these. Two good sources to reference are vendor whitepapers and published analysis reports on related samples or families. Both can be widely found online and are the quickest way to learn which family you are likely dealing with, what its known behaviours and indicators are and where previous analysts found the interesting parts. Comparing your sample's hashes, strings and behaviour against those reports often tells you whether you are reversing something new or a variant of something already documented, and keeps you abreast of changes on the malware battlefront.
- What is assembly language and why is it important?
Assembly language is the lowest level of human-readable code: a textual form of the processor's own instructions. Malware is distributed as compiled machine code with no source, so to read it an analyst uses a disassembler to translate the machine code back into assembly (and, with a decompiler, into something closer to C). Malware analysts therefore need to read assembly fluently for the platforms they cover, x86 and x64 above all, in order to recognise compiler idioms, calling conventions and the hand-written tricks malware authors use to evade analysis. Being able to write it is useful too, for patching a sample or understanding shellcode.
- What is a rootkit?
A rootkit is a clandestine computer program that allows for continued, unauthorized, privileged access to a computer, all while hiding its presence from the computer user and from security tools. It does this by intercepting the system's own reporting: hooking or patching the APIs, system calls or kernel structures that list processes, files, registry keys and network connections, so that its components are simply omitted from the answers. Rootkit techniques are not in and of themselves bad (some security and copy-protection products have used them), but they are common tools for cybercriminals, and detecting one usually means comparing what the live system reports with what an independent source, such as an offline disk image or a trusted memory dump, actually contains.
- An employee at your organization had his password stolen and it is only his first week on the job. You discover a program on his computer named keylog.exe. What should you do?
In a case like this, the employee has had few chances in a first week to be phished or to reuse an old password, so a program named keylog.exe on the machine is the obvious suspect. A keylogger records every keystroke on the computer and relays it to the attacker, which is exactly how credentials get captured. But do not simply delete it. Isolate the machine, preserve a copy of the program and a memory image, and find out how it got there and where it was sending data, because a keylogger on a new starter's machine may mean the image the machine was built from is compromised, or that someone with access planted it. Reset the employee's credentials and any accounts used from that machine, check other hosts for the same file or network indicators, and only then remove it and reimage the host. Deleting the file first destroys the evidence that answers those questions.
- Let’s say you need a sandbox where monitoring and control is done on the hypervisor layer. What would you use?
While there are different kinds of sandboxes, this question is specifically asking for one where monitoring and control are performed at the hypervisor level. For a situation like this, you should say VMRay: it observes the guest from the hypervisor layer instead of hooking APIs inside it. The reason that matters is evasion. Malware that checks for injected hooks or for sandbox artefacts inside the guest sees a clean system, and a hypervisor-level monitor can also observe kernel-mode behaviour that a user-mode hook would miss.
- Let’s say you had to build a malware analysis lab from scratch. What would you need, at the very least, for a foundation to build upon?
I would say that at the very least, a malware analysis lab needs a hypervisor and two isolated environments: an analysis machine and a network simulation. I would start with a Windows analysis machine running Windows 10 and, for network simulation, INetSim running on Ubuntu Linux, which answers the sample's DNS, HTTP, SMTP and other requests with fake services so you can see what it tries to contact without letting it reach the real Internet. Put both on an isolated host-only network with no route out, and take a clean snapshot of the Windows guest before the first sample so every analysis starts from a known state. From here, the sky's the limit after you properly set up and configure these environments. There are many, many good programs to choose from that would help you with malware analysis, too many to list, but at the very least this is what you need.
- Why is it good to have a hypervisor in a malware analysis lab?
In testing environments without a hypervisor, you need a separate physical computer for every operating system and configuration you want to test. A hypervisor lets you run all of them on one machine, which takes up fewer organization resources, and, more importantly for analysis, gives you snapshots: you take a clean snapshot, detonate the sample, record what happens and revert in seconds, so the next sample starts from a known-good state and nothing the malware did persists. It also keeps the guests on an isolated virtual network you control, lets you run the analysis machine and the network simulator side by side, and makes it easy to keep several guest images with different patch levels or installed software, all of which makes a malware analyst's job easier.
- Tell me about the most difficult malware case you ever had to work.
This one is the mother of all experience questions: there is no hypothetical to answer, only your own history, so you have to supply the skeleton of the story yourself. Try to bring up a time when you had to reverse-engineer a tricky piece of malware or when you encountered a new or unknown threat, and walk through what made it hard (packing, anti-debugging, an unfamiliar technique), how you approached it with a mix of instinct and acquired knowledge, and what the outcome was for the organization. The interviewer wants to see your method under pressure as much as the result.
- If you were faced with a malware situation that you did not know how to handle, where or what would you consult to help you figure it out?
This is where you can show your hand regarding your go-to sources of malware analysis knowledge. I would say that my go-to electronic source of information is GitHub, specifically this curated list of resources. If I had to choose an actual physical book, I would say The Malware Analyst's Cookbook, which is an excellent source. As a backup answer, mention your friends and colleagues in the malware analysis field.
Interviews can be a frightening situation for many people. Interviews sometimes make you really search your repository of knowledge and experiences, and some people inevitably choke. This does not have to be the case if you will be sitting for a malware analyst job interview. To beat the pre-interview nerves, simply review the questions above and you will be able to tackle any reasonable line of malware analyst interview questions.