Ready to Start Your Career?

Unpacking the Interview: Cybersecurity Incident Handler

Cami Ragano's profile image

By: Cami Ragano

February 11, 2021

Unpacking the Interview: Cybersecurity Incident Handler

Hacking happens. As techniques evolve and malicious actors look for new ways to compromise corporate systems, it's a matter of "when" — not "if" — companies experience a serious security incident.

To help mitigate the impact and reduce the risk of potential future compromise[1], many companies turn to cybersecurity incident handlers. These IT professionals are responsible for building an agile incident response kit and developing incident response initiatives capable of identifying, containing, and recovering from security incidents.

Many IT experts consider a career move into security-specific positions such as incident handling that offer enhanced stability, improved compensation, and the opportunity to expand their IT skillset with demand ramping up.

The challenge? DemonstratingEnsuring cybersecurity qualifications and passion for the protective process come across in what are often in-depth and wide-ranging interviews. Let's unpack the cybersecurity incident handler interview to look at common corporate approaches, key questions, and above-average answers.

The New Reactive Reality

While defensive cybersecurity measures have long been top-of-mind for organizations, the increasingly adaptive nature of infosec attack vectors has created a need for more assertive infosec practices. As a result, organizations are now searching for IT experts capable of developing proactive policies to improve reactive incident handling.

This shift prioritizes knowledge of environments and techniques favored by hackers — from advanced persistent threats (APTs) to evasion methodologies to ghostwriting and NMAP scanning. The goal? Pivoting away from purely reactive defense to a more proactive posture allows organizations to actively mitigate attack vectors at scale[2] with techniques including red teaming, penetration testing, and threat hunting. While the incident handlers' role remains firmly rooted ineffective reaction to security issues, this inclusion of proactive priorities is now making its way into interview processes with companies seeking prospective candidates. Ideally, candidates having a mix of security certifications and in-situ skills will stand out in the interview questions' evolving nature.

### Question 1: How would you handle a sudden website or application outage? This is the meat-and-potatoes of incident handling: Dealing with potential security issues are they occur in real-time.

In this case, the first step would be to assess the outage's impact and check to see if any supporting services — such as cloud providers or ISPs — are experiencing downtime. If the incident vector appears to be external, handlers would then investigate root causes and overall impacts and work backward from the point of compromise to determine the likely source.

Question 2: What are some of the most common pentesting methods?

Penetration testing forms a key component of any effective cyber defense strategy. As a result, prospective incident handlers should be prepared for questions around basic pentesting methods to ensure they have the depth of skills necessary to map and mitigate potential vulnerabilities.

Common methods include external testing, targeted internal testing, blind testing, and double-blind testing — be prepared with a brief definition and example of each:

External testing — Targeting publicly-available corporate assets such as web applications and company websites.

Targeted internal testing — Behind-the-lines testing of internal applications to simulate the impact of attacks behind the firewall.

Blind testing — Attackers are given only the name of their target and tasked with collecting as much information as possible around vulnerabilities and potential points of compromise.

Double-blind testing — Security teams have no prior knowledge of when or how simulated attacks will occur to help test on-demand incident response.

Question 3: What is an XSS attack? Explain.

Cross-site scripting attacks (XSS) remain a key concern for organizations. For example, if attackers can inject client-side scripts that are recognized and run by corporate services, there's significant potential for malicious payload damage or the installation of APTs.[3]

Common XSS attack types include:

Reflected In this case, HTTP requests cause the immediate "reflection" of malicious scripts. This is the simplest and most common type of XSS attack.

Stored Stored XSS (sometimes called second-order or persistent XSS) occurs when applications receive malicious scripts, which are then stored in website databases and sent with later HTTP requests.

DOM-based Document object model (DOM) based XSS attacks stem from vulnerabilities in client-side rather than server-side code.

Worth noting? Most questions that ask candidates to explain a complex or technical process come with a dual purpose: Ensuring candidates have the knowledge required to understand and address issues as they emerge and assessing their ability to communicate highly technical concepts to non-technical audiences such as HR team members or board members who may be on the interview panel. With IT now a line-of-business process that drives ROI, technology staff must distill complex issues into a plain language as required.

Question 4 You're a hacker. How would you attack our network?

This question is designed to determine how much prospective incident handlers know about the attacker side of cybersecurity. With many companies now prioritizing training and techniques that help staff think and act like hackers to discover IT vulnerabilities, incident handlers must describe several possible attack vectors.

While interview teams will often provide candidates with a brief overview of network environments and current cybersecurity solutions — along with a brief amount of time to study these documents — cybersecurity pros can improve their interview odds by doing research ahead of time. A quick search online can reveal valuable information about key company policies and practices and provide potential attack approaches. This improves the overall accuracy of interview responses and shows a deeper understanding of typical hacker processes — before committing to any cybersecurity attack, malicious actors conduct reconnaissance to determine the compromise conditions most likely to succeed.

It's also a good idea to complete responses to this question with recommendations for security control tools or techniques that companies could implement to reduce overall risk.

Capturing Career Opportunity

Cybersecurity incident handlers are now in demand. While qualifications such as Computer Security Incident Handler (CSIH) and CompTIA's Security+ offer great starting points along this career path[4], infosec pros are also well-served with hands-on training in advanced penetration testing, open-source collection, log correlation and analysis, and web application attack traffic PCAP analysis.

Put simply? Careers in incident handling aren't just about responding to events as they occur — they're about creating agile, evolving strategies that think outside of common defensive boxes and apply lessons learned to security operations.

Preparing for the interview benefits from the same approach: think outside the box by combining technical knowledge with improved communication skills and real-world threat solutions.

If incident handlers are going to be credited with mitigating the risk of compromise, their security initiatives' involvement needs to be noted. If an incident handler does not supply input/feedback to security operations, security operations can't learn from incidents. And if that's not happening, then incident handlers aren't mitigating any risk, only impact.

This section seems to relate to a couple of concepts but does not explicitly name any of them - red teaming, penetration testing, and threat hunting. These three things are all different, but all relate to the idea of proactively assessing a company's security posture.

While this is true, I think there needs to be a technical definition to address the 'what is' part of the prompt. The different types of XSS also have different severities and don't involve client-side scripts being run by corporate services.

The CISSP is not a 'starting point' certification. It requires 4-5 years of full-time relevant work experience. The domains it covers are also only tangentially related to incident handling.

Schedule Demo