
Top 31 threat-hunting interview questions and answers for 2019

April 11, 2019 by Ravi Das

In this article, we will examine the top thirty-one interview questions that could be asked of you as an applicant for the position of threat hunter. The purpose of this article is to get you as prepared as possible so that you can land that threat-hunting job you’ve wanted for so long. Remember, threat-hunting requires a unique skill set in order to be successful. Use this article to prepare for that next interview!


Level 1 questions

1. Why do you want to become a threat hunter? Is it the money that attracted you to this position?

Obviously, many cybersecurity professionals apply for positions once they see the high salary levels that they can command for a particular role. But remember, the recruiter is wanting to see that you are attracted to this position not just from the standpoint of money; if this is the case, that is a huge red flag to them, as they know you will not stay for a long time. They want to know that you will be around for quite some time and be a dedicated employee. This is because they will be also making a substantial investment in you, in order to bring you up to speed on the security requirements of the organization.

Probably the best way to answer this question is to frame your answer according to how the company can benefit from your skillset. Tell them that you have a burning desire to help others and your company to fend off cyberattacks, but above all you also want to help protect their brand in the eyes of their customers.

2. What makes your threat-hunting skill set different from the other candidates that we have looked at?

In this kind of question, you need to really elaborate on your threat-hunting skills. It would be best to summarize your experience and give any success stories that you have from your various threat hunts. For example, what kind of malware or risks did you mitigate? It would be beneficial if you could put this into a written portfolio summarized into bullet points so that the recruiter can see this at a quick glance. Not too many candidates do this, so this will help you stand out from the rest of the candidate pool.

3. What are the needed skills in order to be a successful threat hunter?

It is important to keep in mind that becoming a successful threat hunter is in many ways different from other cybersecurity positions. For example, not only do you need a relatively strong quantitative background, but you also need exceptional qualitative skills.

This is what the recruiter is trying to determine by asking this particular question. For instance, not only must you have a very keen eye in order to find unseen trends in the information and data that you collect, but you must be able to break that down to a level that your client can understand as well. You must also have the ability and patience to work long hours — but most importantly, you must have that all-important investigative mind in order to thoroughly complete a threat-hunting exercise.

In terms of the latter point, explain to the recruiter your thought process on the steps you would take to conduct a threat-hunting investigation. It is important not to go into too much detail, as there will obviously be time constraints involved. Be brief in your thought process, but remember, it must have a logical flow to it.

4. How do you deal with a difficult team member?

Many times, team members can be difficult to work with. The success of a threat-hunting exercise often depends largely on the collective and collaborative efforts of the entire team.

In this question, the recruiter will probably present you with a specific scenario in which there could be difficulties reaching a consensus with your other teammates. For example, there may be risks in their organization that you want to further investigate, but the client is demanding and wants something else checked out.

Perhaps the best way to answer this question is that you should offer the client different options as to what should be investigated and what you think is important. But remember, it is the client that has the final say-so in what will be examined, as they will be signing the document that lays out the statement and scope of work. If you step out of these bounds without prior client approval, you put not only yourself but the business or corporation that you work for at grave risk of a major lawsuit.

5. What is threat hunting?

You can be guaranteed that this will be one of the first questions that will be asked of you. The recruiter is not just looking for a memorized, textbook answer; rather they are examining to see if you can give a simple explanation if asked, especially by your client. A possible answer is:

“Threat hunting is the process of seeking out adversaries before they can successfully execute an attack.” (Source)

This answer, while very broad in nature and scope, is succinct and to the point. You basically want to phrase it in such a way that the bottom line (or the primary goal of it) is to literally “hunt down” imminent cyberthreats and mitigate them before they execute their malicious payload and cause widespread damage to the IT infrastructure.

6. What is the difference between threat hunting and other prevention- and detection-based methods?

In this kind of question, the recruiter wants to make sure that you have a good understanding of how threat hunting is different from other methodologies, and why it is so important to their particular organization.

A good answer here would be to state that threat hunting is very much a proactive security methodology that makes use of sophisticated analytical tools such as artificial intelligence and machine learning. The threat-hunting process starts with formulating a specific hypothesis in which the catalyst for this was some kind of alert, assessment or even the results of a penetration test. This hypothesis will then be tested by using the abovementioned tools to search for this potential cyberthreat.

7. What is the primary difference between threat hunting and threat detection?

Although these two sound very similar, they are actually very different. The answer here is that threat hunting is geared towards the potential determination of cyber-related threats at the earliest stages possible. With threat detection, an actual cyberthreat has been found and all efforts are dedicated to mitigating it.

8. What are some of the benefits of threat hunting?

Obviously, the main benefit of threat hunting is that you are taking a proactive stance to see what potential threats are possibly lurking within your IT infrastructure. But it is important to keep in mind that the recruiter is trying to test if your understanding of threat hunting goes deeper than just the obvious. In order to prove your level of expertise, you could mention some statistics such as the following, garnered from a recent survey:

  • Clients reduced their attack surface by at least 75%
  • 59% of respondents felt that threat hunting greatly improved their incident response timing
  • 52% of respondents found cyberthreats via threat hunting; otherwise they would not have been detected by other means

(Source)

9. What are some of the drawbacks of threat hunting as compared to similar processes?

Of course, threat hunting has its flip side as well. This is very important in communicating to the client, as they should not be given the impression that each and every potential threat will be detected. The recruiter who is interviewing you wants to make sure that you fully understand this. A good answer here would be to state that (once again, citing a few stats will show your expertise):

  • From the same survey as mentioned previously, 88% of the clients polled felt that their threat hunting processes needed some serious improvement
  • 53% of the respondents felt that their threat-hunting processes were too transparent to the outside world
  • 56% of the respondents felt that the threat-hunting process takes too long, and is still very cumbersome

10. What makes your cert different than the others that are out there?

In the world of IT certification today, there are tons of certs that one can get. While you should strive to get a cert related to the cybersecurity career you aspire to, in the end you can really choose to get any cert that you want to get.

In the field of threat hunting, there is a premier cert that is known as the “Certified Cyber Threat Hunting Professional” (or CCTHP). If you have this cert, or are at least planning to get it, you need to specifically bring this out in your interview. For example, you need to tell the recruiter that in the field of threat hunting, this is the premier cert to have. This cert demonstrates that you have top-level expertise in threat hunting, as it covers five very specific domains that include the following:

  • The goals/objectives of threat hunting
  • The methodologies and techniques that are specifically utilized
  • How to hunt for network-based cyberthreats
  • How to hunt for host-based cyberthreats
  • The tools and technologies that are used in threat hunting exercises

Level 2 questions

11. What is the primary difference between threat hunting and penetration testing?

These two types of security methodologies are often used together; but in reality, they are totally different. Although the ultimate goal or outcome of both of these is to unearth any unknown cyber-based threats or risks, penetration testing involves trying to break through an organization’s lines of defenses. You are trying to see how far you can go in, without being detected. In other words, with penetration testing, you are taking an outside-in approach. But with threat hunting, this is much more of an inside-out approach.

For example, you are taking the assumption (or more specifically, the hypothesis) that an adversary could already be lurking within your IT Infrastructure. Thus, you are taking steps to ascertain that. If your hypothesis is indeed confirmed, you then will try to mitigate them so that they can’t get in again.

12. Is threat hunting just devoted to finding internal cyberthreats, or does it involve more than that?

In this kind of question, the recruiter is trying to determine the depth of your threat-hunting knowledge. The answer to this is yes, you are trying to find them, but there is much more involved than that.

For example: With the information and data that you have collected, one of your responsibilities is to sift through it and determine any unseen trends with the analytical tools that you have on hand. With this, you should also be able to ultimately create various models of the future cyberthreat landscape, which will be indicative of what potential cyberattacks could look like down the road.

13. What happens if I don’t find anything in the threat-hunting exercise that I have just engaged in?

Yes, it is theoretically possible to not find anything at all and to prove that the hypothesis was false. Was this a complete waste of time, then? Not at all. There is a very good chance that you will discover other kinds of security vulnerabilities which you thought never existed before.

Suppose that your threat hunt reveals something else, such as that there is an abnormally large amount of bandwidth being used by other employees of the company. You report this to your CIO or CISO, and they want more analysis done. Further investigation reveals that many of them are using the FTP protocol to back up their work-related files. This would obviously be a complete violation of your security policies, and as a result, you have discovered that “Shadow IT” is clearly evident in your company. (Shadow IT is when employees use non-authorized IT tools to conduct work-related duties.)
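The Shadow IT scenario above is a good candidate for a small, repeatable hunt query. The following is an added example and not code from the article: it parses constructed flow records (the format, the user names, the IP addresses and the "unsanctioned ports" policy are all assumptions made for the example), flags users whose total egress is far above the median, and then checks whether those heavy senders are also using a protocol such as FTP that the organization's policy does not allow.

```python
"""Hunting for unexpected bulk transfers and unsanctioned protocols in flow records.

Added example (not from the article). The flow lines below are constructed to
resemble a simplified NetFlow/IPFIX export; the outlier factor and the
UNSANCTIONED_PORTS policy are assumptions for illustration.
"""
import statistics
from collections import defaultdict

# Constructed sample: timestamp user src_ip dst_ip dst_port bytes_out
SAMPLE_FLOWS = """\
2019-04-11T09:01:00 alice 10.1.2.10 10.1.5.20 443 18234
2019-04-11T09:02:00 bob 10.1.2.11 10.1.5.20 443 22000
2019-04-11T09:03:00 carol 10.1.2.12 203.0.113.9 21 950000000
2019-04-11T09:04:00 dave 10.1.2.13 10.1.5.20 443 17000
2019-04-11T09:05:00 carol 10.1.2.12 203.0.113.9 21 870000000
2019-04-11T09:06:00 erin 10.1.2.14 198.51.100.7 21 640000000
2019-04-11T09:07:00 alice 10.1.2.10 10.1.5.21 445 305000
2019-04-11T09:08:00 bob 10.1.2.11 10.1.5.20 443 19500
"""

# Assumed policy: cleartext file-transfer and remote-shell services are not sanctioned
UNSANCTIONED_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "user": user, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def bytes_per_user(flows):
    """Total egress bytes per user across all flows."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["user"]] += f["bytes"]
    return dict(totals)


def bandwidth_outliers(flows, factor=10.0):
    """Users whose total egress exceeds `factor` times the median per-user total."""
    totals = bytes_per_user(flows)
    median = statistics.median(totals.values())
    return sorted(u for u, b in totals.items() if b > factor * median)


def unsanctioned_protocol_use(flows):
    """Map each user to the sorted list of unsanctioned services they reached."""
    hits = defaultdict(set)
    for f in flows:
        name = UNSANCTIONED_PORTS.get(f["port"])
        if name:
            hits[f["user"]].add(name)
    return {u: sorted(s) for u, s in hits.items()}


def shadow_it_candidates(flows, factor=10.0):
    """Heavy senders who also use an unsanctioned protocol: the leads to escalate."""
    heavy = set(bandwidth_outliers(flows, factor))
    proto = unsanctioned_protocol_use(flows)
    return {u: proto[u] for u in sorted(heavy) if u in proto}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("bandwidth outliers:", bandwidth_outliers(flows))
    print("unsanctioned protocols:", unsanctioned_protocol_use(flows))
    print("shadow IT candidates:", shadow_it_candidates(flows))
```

The two checks are deliberately kept separate: a bandwidth spike alone may be a legitimate backup job, and a single FTP connection alone may be a one-off test, but the intersection of the two is exactly the kind of lead that should be reported to the CIO or CISO for further analysis, as the answer above describes.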

14. What is the ATT&CK framework?

This is an expansive threat-hunting methodology that stands for “Adversarial Tactics, Techniques and Common Knowledge.” It was developed by the Mitre Corporation and has been around for quite some time.

The basic premise of ATT&CK is to further break down cyberthreats into a multipurpose classification scheme so that you can compare the information and data that is available to what is actually happening in the cyber-environment of your organization. This is actually more of a knowledge base, and much more detailed information on it can be seen here.

15. Should I just pick any random area of the ATT&CK framework to start my threat-hunting exercise?

While it is very important for the threat hunter to have an overall open mindset, they should not just randomly pick something off of it and start looking around. Rather, you need to first analyze the log files (as well as the respective warnings and alerts) to see what trouble points exist. You also need to make sure that you have the right access permissions and privileges for those resources in which you need to conduct your threat hunt. For example: Don’t search for account manipulation adversaries if the access permissions and tools are not in place first.

In other words, it is first very important to determine what you want to achieve from your threat hunt. This is best accomplished by first formulating your hypothesis, as described earlier. It is important to keep in mind that a threat-hunting exercise should be viewed as a scientific experiment: You are collecting information/data in order to prove or disprove your hypothesis. Be resourceful and use the other security technologies that you have on hand to further substantiate your hypothesis.

16. Where does one draw the line between threat hunting and incident response?

Like penetration testing, there can be confusion between these two, so it is important to keep in mind the literal meaning of these terms. For instance, threat hunters “hunt” for the adversaries that could potentially be lurking within the IT infrastructure and confirm their existence. The incident responders do exactly that: They respond to cyberthreats once they have been alerted to them and use the resources that they have at their disposal to mitigate them.

It’s usually the incident response team that the threat-hunting team turns to first. The threat-hunting team should not be called upon to specifically mitigate a cyberthreat; rather, they should have the ability to work closely with the incident response team to share their expertise in order to contain it.

17. Should I move from left to right when using the ATT&CK Framework while executing my exercise?

Really, in the end there is no specific order in which to move in ATT&CK. In other words, don’t feel that you have to address each and every cyber-related issue in the framework, and above all, don’t feel overwhelmed by it. Use the ATT&CK as a support anchor for your hypothesis and start from there. If you don’t have a hypothesis at first, start your threat-hunting exercise where you feel that your high-risk and first impact areas are in your IT infrastructure, then work from a top-down approach from there.

While speed is important in threat hunting, addressing issues in an incremental and accurate fashion is equally important. But if you feel that you must take a macro-level approach when first assessing the cyberthreat environment, give serious consideration to using the Mandiant Cyber Attack Lifecycle. More information on this can be seen here.

18. As we know, one of the ways a cyberattacker can launch their specific threat vectors is through privilege escalation. What should a threat hunter look for in these instances?

There are different kinds of variables to look out for, but most importantly, a threat hunter should first look into any known gaps or weaknesses that currently exist within the IT infrastructure of an organization. In this instance, making use of an EDR solution (which can be viewed as a subset of threat hunting) would be the most beneficial technique.

A threat hunter should pay a lot of attention to File Integrity Monitoring (or FIM for short) on those IT systems (for instance, servers) where the integrity of files should not be changing. If there are any suspicious changes to the files, a history of employee logins must be examined for any types of anomalous behaviors. You should also watch for any systems that have been misconfigured, as this is another backdoor for the cyberattacker.
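File Integrity Monitoring, as mentioned above, comes down to two steps: record a trusted baseline of file digests on a system whose files should not change, then periodically recompute the digests and report anything added, removed or modified. The following is an added example, not code from the article or from any FIM product: it implements that baseline-and-compare loop with SHA-256 over a directory tree. The files it creates (a configuration file and two binaries under a temporary directory) are constructed for the demonstration, and the "unauthorized changes" it simulates are just writes to that temporary directory.

```python
"""Minimal file integrity monitoring: SHA-256 baseline and change report.

Added example (not from the article). Builds a digest baseline of a directory
tree and classifies later changes as added, removed or modified. The sample
directory and its contents are constructed in a temporary folder so the
example runs offline; in practice the baseline would be stored off-host.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, forward slashes) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """Classify the differences between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a config file is altered and a new binary appears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(root, "bin", "service"), "wb") as fh:
            fh.write(b"\x7fELF original service binary (constructed)")
        baseline = build_baseline(root)

        # Simulated unauthorized changes made after the baseline was taken
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "bin", "dropper"), "wb") as fh:
            fh.write(b"\x7fELF new unexpected binary (constructed)")
        current = build_baseline(root)
        return diff_baseline(baseline, current)


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {report[kind]}")
```

Each entry in the report is a lead, not a verdict: as the answer above says, the next step is to correlate the change time with the login history for that host and check whether a sanctioned change process explains it.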

19. Should a threat hunter just conduct their exercise in one part of an infrastructure, or should they be examining multiple areas?

Yes, a threat hunter and the team should be examining different areas. Just because you have formulated a specific hypothesis, it doesn’t mean that you should look in just one area. Rather, in order to get a comprehensive view of your IT infrastructure, the threat hunter needs to examine other areas. This includes the normal everyday IT systems, the virtual machines, your servers and even your production environment; make sure that in these instances you have the appropriate backups in place.

20. What is the value of threat hunting if a business or corporation already has automated tools in place?

There is a popular automated tool known as CB Response. It helps to keep an eye on any intrusions into an organization 24/7/365. But systems like these can only provide information and data that is fed into them from the various intelligence feeds that you currently make use of. Ultimately, it takes human intervention and a keen eye to further investigate the alerts and warnings that these systems provide. It is only through this process that one can truly determine if a cyberthreat is imminent or if there really is a threat actor lurking in your system.

21. What are the two primary types of threat-hunting exercises?

The two types are as follows:

  • On-Demand Investigation Mode: In this mode, threat hunting is used by IT security teams to investigate any suspicious or anomalous activities after they have been detected. Once the incident has been specifically identified, it is then passed to the security operations team for deeper investigation and recommendations for containment and recovery
  • Continuous Monitoring or Testing Mode: In this model, the security operations team is continuously monitoring and/or testing their security posture by conducting various penetration testing exercises. This is in order to proactively identify and investigate any suspicious events

This newer type of approach may be initiated by the business entity itself; or it can be outsourced to a Managed Security Service provider.

Level 3 questions

22. Can you describe the five parts of the threat-hunting maturity model?

There are five steps that are involved, and they are as follows:

  • HM0 — Initial: At this stage, the organization is 100% dependent on the use of automated tools (such as SIEMs and other anti-malware/spyware software packages) in order to provide a warning and alert system
  • HM1 — Minimal: The organization is still heavily dependent on the use of automated threat tools (as described above), but the IT staff is at least doing a minimal amount of information and data collection
  • HM2 — Procedural: There is more human intervention involved than in the last step, but the organization is still dependent on using threat-hunting procedures that other entities have created; they have not yet crafted their own set of procedures
  • HM3 — Innovative: At this stage, the organization has created a minimal set of threat-hunting procedures on their own and are even employing a small number of threat hunters to track down any potential adversaries
  • HM4 — Leading: The organization has now reached a point where they have crafted their own complete set of threat-hunting procedures and even incorporated the use of automation into them

23. How would you specifically describe data leakage?

In technical terms, especially as it relates to that of the threat hunter, data leakage can be defined as the separation and/or the departure of a data packet from the place where it was intended to be stored.

24. For the threat hunter, knowing the potential sources of data leakage is a very crucial first step in formulating an observable hypothesis. Can you tell me the top sources of data leakage?

They can be broadly categorized as follows:

  • Employee error (this could be unintentional or stem from an inside attack as well)
  • Any unforeseen technological glitches from within the IT infrastructure
  • Server, workstation or wireless device misconfigurations
  • A Web-based application that was developed internally in an organization, but it was created using insecure source code
  • Inadequate security controls that have been put into place at the organization

25. What factors (or rather, pieces of information/data) would you consider when formulating a hypothesis that a data leakage incident is occurring?

I would look specifically at the following:

  • Any risk profiles that have been created
  • Any sort of impact and severity chart that relates to critical systems
  • Any incident workflow diagrams that have been previously created (especially in the wake of previous cyberattacks that may hit the business or the corporation)

26. What are other roles that the threat hunter could be expected to take on?

In this kind of question, the recruiter wants to ascertain that you are fully aware of other job titles that are involved heavily in threat hunting as well. The three types of threat-hunting roles are as follows:

  • Tactical Hunting: These individuals are heavily involved with examining the network infrastructure of an organization. They primarily work at security operations centers (also known as SOCs) and spend time confirming any sort of unusual behavior and adversaries that are trying to break through the lines of defense
  • Operational Hunting: These individuals spend much of their time trying to closely examine the operating environment of the corporation or business, focusing on both internal and external threats
  • Strategic Hunting: These kinds of individuals are heavily involved with addressing the cybersecurity needs of the C-suite. For example, they report the results of threat-hunting findings to the C-suite in an easy-to-understand and comprehensible format, with a primary focus on providing advice on risk management-based decisions and the possible Return On Investment (ROI) on investing in newer types of security technologies

27. Suppose you have been asked by your CIO/CISO what kind of threat-hunting tools your team plans to use. He or she is not interested in tools that are developed in-house; rather, they want a list of available commercial products. What would you recommend that they invest in?

People often tend to become creatures of habit, especially in cybersecurity, and like to stick to using the same tools repeatedly. The recruiter is trying to see if you can break away from this kind of habit by testing your knowledge of the threat-hunting tools that are out there and can be easily deployed in your organization. As of now, the top six threat-hunting tools are as follows:

  • Sqrrl
  • Vectra Cognito
  • Infocyte Hunt
  • Exabeam Threat hunter
  • Endgame
  • DNIF

28. Can you briefly describe the four most widely-used threat-hunting techniques?

They are as follows:

  • Searching: This is probably the most basic form of threat hunting. With this technique, you are trying to support your formulated hypothesis with information and data from a very specific set of defined search criteria
  • Clustering: This is more of a quantitative, statistically-based approach to threat hunting. With this technique, the threat hunter is attempting to “cluster” similar datasets from a much larger, aggregate pool of data. In these situations, machine learning (ML) and artificial intelligence (AI) are the tools used to accomplish this task in an effort to find the hidden or unseen trends in these datasets
  • Grouping: In this scenario, the threat hunter is looking at different (or unique) artifacts that have been discovered and identifying them based on the same set of criteria that was used to formulate the original hypothesis
  • Stack Counting: This is another type of statistical technique. In this case, the threat hunter ascertains the total number of occurrences of a certain dataset by closely examining any sorts of outliers that may exist
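Three of the four techniques just listed (searching, grouping and stack counting) can be shown on the same small dataset. The following is an added example, not code from the article: the process-execution records are constructed to resemble EDR or Sysmon-style telemetry, and the field names, host names and command lines are assumptions. Searching filters events against explicit criteria; stack counting tallies how often each parent/child process combination occurs across the fleet so that rare combinations stand out; grouping collects the hosts that share an artifact. Clustering is the one technique not illustrated, since it relies on ML tooling rather than a few lines of logic.

```python
"""Searching, stack counting and grouping over process-execution telemetry.

Added example (not from the article). EVENTS is a constructed sample that
mimics EDR/Sysmon-style process creation records; field names are assumptions.
"""
from collections import Counter, defaultdict

FIELDS = ("host", "user", "parent", "image", "cmdline")

# Constructed sample: (host, user, parent image, image, command line)
EVENTS = [
    ("ws01", "alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws01", "alice", "outlook.exe", "winword.exe", "winword.exe /n invoice.docx"),
    ("ws01", "alice", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("ws02", "bob", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws02", "bob", "outlook.exe", "winword.exe", "winword.exe /n agenda.docx"),
    ("ws02", "bob", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("ws03", "carol", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws03", "carol", "outlook.exe", "winword.exe", "winword.exe /n quote.docx"),
    # Constructed anomaly: a document editor spawning a shell with an encoded argument
    ("ws03", "carol", "winword.exe", "powershell.exe", "powershell.exe -EncodedCommand AAAA"),
    ("ws04", "dave", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("ws04", "dave", "explorer.exe", "powershell.exe", "powershell.exe Get-Process"),
    ("srv01", "svc_backup", "services.exe", "backup.exe", "backup.exe --full"),
]


def to_record(event):
    """Turn a positional tuple into a dict keyed by field name."""
    return dict(zip(FIELDS, event))


def search(events, **criteria):
    """Searching: keep events whose named fields equal the given values."""
    return [to_record(e) for e in events
            if all(to_record(e)[k] == v for k, v in criteria.items())]


def stack_count(events, *keys):
    """Stack counting: count occurrences of each combination of the chosen fields."""
    idx = [FIELDS.index(k) for k in keys]
    return Counter(tuple(e[i] for i in idx) for e in events)


def rare_stacks(events, *keys, max_count=1):
    """Outliers: combinations seen at most `max_count` times across the fleet."""
    counts = stack_count(events, *keys)
    return sorted(combo for combo, n in counts.items() if n <= max_count)


def group_by(events, key):
    """Grouping: bucket the hosts on which each distinct value of `key` was observed."""
    i = FIELDS.index(key)
    groups = defaultdict(set)
    for e in events:
        groups[e[i]].add(e[0])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    print("search image=powershell.exe:", search(EVENTS, image="powershell.exe"))
    print("parent/image stack:", stack_count(EVENTS, "parent", "image").most_common())
    print("rare parent/image pairs:", rare_stacks(EVENTS, "parent", "image"))
    print("hosts per image:", group_by(EVENTS, "image"))
```

On this sample the common parent/child pairs (explorer.exe launching Outlook or Chrome, Outlook launching Word) each occur three times, while the Word-to-PowerShell pair occurs once; stack counting surfaces it as an outlier without needing a signature for it, and grouping then shows which hosts share the artifact so the hunt can widen from one machine to the set of affected ones.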

29. Apart from the ATT&CK threat model, what are some other threat-hunting models that can be used?

In this question, the recruiter is trying to gauge your understanding of other models that can be used to meet the threat-hunting needs of your organization. While the ATT&CK Framework is a very popular one, there are others as well, such as the following:

  • Lockheed Martin’s Cyber Kill Chain
  • Fireeye’s Attack Lifecycle
  • Gartner’s Cyber Attack Model

30. How do you define Endpoint Detection and Response (EDR)?

While you have already answered that it is important to analyze multiple environments in the entire IT infrastructure, the threat hunter will also be called on to examine certain parts of it, especially the endpoints.

A definition of EDR is as follows:

“Endpoint detection and response (EDR) provides visibility into activity occurring on the network and endpoints by continuously monitoring activity for behavioral patterns that appear to be suspicious or anomalous. Data captured provides rich contextual information related to a threat to enable more efficient, prioritized remediation.” (Source)

In other words, you and your team are trying to determine if any potential security risks exist where one point starts and where the other point ends within your entire IT infrastructure.

31. What are three important characteristics of an effective threat-hunting tool?

You described the top five threat-hunting tools in a previous question, but this is a follow-up question to see what makes them best of breed. These products should contain, at a minimum, the following characteristics:

  • It must contain logs, such as Windows event logs, EDR logs, antivirus logs and firewall/proxy logs
  • It must have a SIEM (Security Information and Event Management) system. It must be centrally located in the tool for easy access and be able to correlate all sorts of information and data in real time
  • A robust analytics engine, such as one that is machine learning- or AI-based. It should be very effective in helping you and your threat hunting team find that “needle in the haystack”

Conclusions

Overall, this article has examined in detail thirty-one threat-hunting-related questions that a recruiter could potentially ask you. Remember, being an effective threat hunter takes a unique blend of a very sharp mindset plus quantitative and qualitative skills. If you would like to see more potential interview questions and answers related to threat hunting, click here.


Sources

  1. What is threat hunting? The Emerging Focus in Threat Detection, Digital Guardian
  2. Endpoint Detection and Response, Bloor Research
  3. Threat Hunting is the New Black in Security: Report, Infosec Island
  4. Certified Cyber Threat Hunting Professional (CCTHP), Infosec Institute
  5. Threat Hunting 101: You Asked, We Answered, Cybereason
  6. What is Mitre's ATT&CK framework? What red teams need to know, CSO
  7. Technique: Account Manipulation, Mitre
  8. Q&A: Visibility, Testing Critically Important for Hunting, Red Canary
  9. Cyber Attack Lifecycle, IACP
  10. The Threat Hunting Reference Model Part 1: Measuring Hunting Maturity, Sqrrl
  11. Top 12 Information Security Analyst Interview Questions & Answers, CareerGuru
  12. Threat Intelligence Analyst – The Detective, CyberVista
  13. Top 5 Threat Hunting tools for Q1 2017, FireCompass
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.