Interviewing Staff
Time
3 hours 16 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
>> Welcome to Module 3 within the ATT&CK-based SOC assessments training course. In this module, we're going to talk about how you can synthesize a full ATT&CK-based SOC assessment, going beyond smaller technical analysis towards something that really looks at the SOC as a whole.

This module has one primary learning objective. After the module, you should be able to put together the pieces to form a full ATT&CK-based SOC assessment and help a SOC orient its operations towards adopting a threat-informed defense.

In addition, we have several secondary objectives. After this module, you should be able to prepare, conduct, and interpret the results from SOC interviews. Additionally, you should know how to choose a heatmap style, as well as type, to deliver results. You should also be able to aggregate heatmaps and interview results together. Lastly, after this module, you should understand the importance and types of recommendations for assessments.

With that, I will now turn it over to Clem, who will talk to us about how to conduct SOC interviews.

>> Hello. Welcome to MITRE ATT&CK Defender, Assessments and Engineering, Lesson 3.1, Interviewing Staff.

The objectives of this lesson are to understand why interviews are important, be able to prepare and conduct interviews with SOC staff, and know how to process findings after an interview. In this lesson, we will introduce the different types of interviews, discuss the structure and preparation of the interview, show you how to conduct the interview, and describe post-interview activities.

The ATT&CK assessments are technical assessments usually focused on gap analysis of the data collection, sensor grid, and analytics. Not everything is captured in documentation, manuals, or dumps of configurations. It is also important to understand the SOC's environment. How is the SOC organized? What is the business model? What processes are in place? What are technical or operational constraints to be aware of? This section will explore how interviews can be used in conducting an assessment and provide some suggestions and guidelines to help the assessor team avoid common pitfalls.

There are four phases of the interview process. First is to identify the type of interview to conduct, next is to prepare the interview, then one conducts the interview, and finally, you process the interview findings.

One type of interview is to gather context or to frame the engagement. This is typically done with perhaps the CISO or a SOC manager, or the project lead. In that interview, we'll discuss the background for the project, the goals, the organizational context, and the priorities for the engagement. The outcomes of that interview are to set expectations, define focus, and identify deliverables.

In technical interviews, one then of course talks to technical staff, shift leads, and various subject matter experts. In these interviews, you'll discuss things such as network and IT architecture, threat landscape, and operational processes and procedures. Common outcomes for these interviews are tool usage, technology deployment, threats, detection details, operational constraints, and pain points that SOC staff may encounter.

Preparing the interview: who to talk to? SOCs of course come in different shapes and sizes. Smaller SOCs tend to have staff who wear multiple hats; larger SOCs tend to have staff who have one clear focus. Depending on the focus of the engagement, consider interviewing the SOC manager, Tier-1 monitoring staff, possibly shift leads, Tier-2 analysts and/or subject matter experts such as in malware or forensics, cyber threat intel analysts, red teamers and cyber threat hunters, and SIEM administrators and engineers. You may also want to consider talking to groups outside of the SOC as well, such as the network firewall team, desktop support, IT server administration, and cloud services management. These groups may well have important insights. If some functions are outsourced, you may want to interview representatives from those service providers.

Preparing for the interview: covering logistics. When conducting the interview, one typically has one person assigned to lead the interview, ask all the different questions, and focus the conversation. It's important to have at least one designated note-taker. Other subject matter experts, of course, bring in as needed, but try not to gang up on the interviewee.

In-person or remote? Ideally you'd conduct the interviews all in-person. However, that is not always practical, particularly in days of COVID. It is good to conduct interviews in-person or at least have one person present with the interviewees. If you must do it all remotely, try to make use of your webcam if you can.

As you know, people get tired and SOCs are very busy, so respect their time and your own energy levels. Typically 45 minutes to 90 minutes per session for each team suffices, and be sure to take breaks in between sessions.

Preparing the interview: setting it up. Coordinating and scheduling: it's good to identify a customer point of contact who can help you work the details of scheduling. You may also want to get admin support from your side for a large engagement. Provide read-aheads for interviewers and interviewees. It's good to do an initial data request if possible. If available, obtain a copy of CONOPS, org chart, role descriptions, etc. Send along interview questions beforehand for the interviewees to digest. Prepare yourself beforehand. Build a list of questions you want to ask, but feel free to explore topics as they emerge. If the interview is conducted in-person, you may want to have one or two days available and a dedicated conference room for a drop-in.

Conducting the interview. Should you interview one or multiple staff members? On the one hand, one can learn from inter-team or intra-team discussions. On the other hand, one strong personality can tend to dominate a conversation. Things to keep in mind: for example, bosses in the room may stifle free conversation. You may notice disagreements between contractors, or between contractors and staff. Whatever the case, make sure to present yourself as an ally.

Conducting the interview: what to expect. Organizational attributes: some organizations may be more compliance oriented versus threat oriented. Larger organizations with more discrete teams may be siloed or disconnected. Ops may have a limited view of the greater organization, IT infrastructure, etc. Smaller organization SOC staff may wear multiple hats and be resource-constrained. Technology: there may be inconsistent deployments of sensors. You may find there is incomplete collection of data from different sources. There may be different monitoring requirements for different business units or parts of the architecture. Not all components may be fully integrated or monitored by the SOC. The organization may be transitioning to new products or solutions.

Conducting the interview: bias and perspective. In terms of biases, understand that both interviewers and interviewees have them, and try to understand the perspectives of the teams you talk to, as well as your own perspectives and biases. Try to remain neutral, particularly when interviewees have differences of opinion among themselves. Try not to ask leading questions or promote favorite solutions.

Conducting the interview: starting off. If available, perhaps have the main POC at the organization perform introductions. If not, do the best you can and remember you're on their side. Capture the attendees and their roles, share with the interviewees your understanding of their function or the technology in question, and that you want to confirm what you've learned so far. Identify gaps and strengths that they know of, and drill down into deeper topics.

Asking questions. Work off the list of prepared questions when you can. You may find that you need to reframe questions for a particular group's context. Beware: different organizations may use different terms, or even different teams may use different terms in the same organization. This may be evident when people talk past each other. Try to capture local jargon and terminology. You may skip some questions if they are less relevant to the particular team you are interviewing. When there's disagreement or ambiguity, probe further to identify the source or understand the competing viewpoints.

Sample questions. Describe a recent incident. How was that handled end-to-end? What is your team's role in this event? What first triggered response? What were follow-on activities? Describe how new analytics are rolled out; in other words, how they're developed, tested, documented, etc. What are the pain points you encounter in process X? What would you like to see automated? Be direct; ask specifically about ATT&CK techniques and tactics. For example, what events or analytics would lead to detecting data exfiltration?

Post-interview hot wash: what to produce. The assessor team should write up and compare notes. Do this as soon as possible while they're fresh in your mind. Notes may be cleaned up and captured formally as an appendix or source material for narrative in a report. Capture conflicting reports or opinions between different teams or between regular staff and management. Try to capture those and understand their perspective. Pursue follow-up questions to help get to ground truth. Specifically identify ATT&CK-related tidbits. Are there any strengths? Any particular gaps? This is useful when compiling the final report.

Post-interview hot wash: typical outputs. Typical outputs include end-to-end process descriptions; perceived strengths, gaps, and capabilities; operational constraints, such as "it is very difficult to change a particular configuration in our environment"; priorities for threats, TTPs, or technical focus; follow-on data requests, for example, if additional sensors or data sources are identified; additional insights into the enterprise architecture and practices such as connectivity or outsourcing; and which tools are really used versus shelfware.

Summary and takeaways. Interviews are important; not everything is captured in documentation. The interview process has four main steps: figuring out the type of interview you want to run, preparing the interview, conducting the interview, and processing the interview findings. There are two main types of interviews, context and technical. When preparing, identify the teams, create questions, and iron out logistics. Be prepared when conducting the interview, but remember to be flexible. Always capture interview notes as soon as possible after the interview.

Thank you. Next up, communicating using ATT&CK heatmaps.