Interviewing Staff


Time
3 hours 16 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:01
Welcome to Module 3 of the ATT&CK-based SOC Assessments training course. In this module, we're going to talk about how you can synthesize a full ATT&CK-based SOC assessment, going beyond, you know, smaller technical analyses towards something that really looks at the SOC as a whole.
00:17
This module has one primary learning objective.
00:21
After the module, you should be able to put together the pieces to form a full ATT&CK-based SOC assessment and help a SOC orient its operations towards adopting a threat-informed defense.
00:31
In addition, we have several secondary objectives.
00:35
After this module, you should be able to prepare, conduct and interpret the results from SOC interviews.
00:42
Additionally, you should know how to choose a heat map style as well as type to deliver results.
00:48
You should also be able to aggregate heat maps and interview results together, and lastly, after this module, you should understand the importance and types of recommendations for assessments.
00:59
With that, I will now turn it over to Clem, who will talk to us about how to conduct SOC interviews.
01:06
Hello, welcome to MITRE ATT&CK Defender
01:10
Assessments and Engineering,
01:11
Lesson 3.1: Interviewing Staff.
01:21
The objectives of this lesson are to understand why interviews are important,
01:26
be able to prepare and conduct interviews with SOC staff,
01:30
know how to process findings after an interview.
01:37
In this lesson, we will introduce the different types of interviews,
01:41
discuss the structure and preparation of the interview,
01:44
show you how to conduct the interview
01:46
and describe post interview activities.
01:53
ATT&CK assessments are technical assessments, usually focused on gap analysis of the data collection, sensor grid and analytics.
02:00
Not everything is captured in documentation, manuals or dumps of configurations.
02:07
It is also important to understand the SOC's environment.
02:10
How is the SOC organized?
02:13
What is the business model?
02:15
What processes are in place?
02:16
What are the technical or operational constraints to be aware of?
02:22
This section will explore how interviews can be used in conducting an assessment and provide some suggestions and guidelines to help the assessor team avoid common pitfalls.
02:34
There are
02:36
four phases of the interview process.
02:38
First is to identify the type of interview to conduct.
02:43
Next is to prepare the interview.
02:45
Then one conducts the interview,
02:46
and finally you process the interview findings.
02:54
One type of interview is to gather context or to frame the engagement.
03:00
This is typically done with
03:01
perhaps the CSO, SOC manager or the project lead.
03:07
In that interview,
03:08
you will discuss the background for the project,
03:12
the goals,
03:13
the organizational context
03:15
and the priorities for the engagement.
03:19
The outcomes of that interview are to set expectations,
03:22
define focus and identify deliverables.
03:28
In technical interviews,
03:30
one then, of course, talks to technical staff, shift leads and various subject matter experts.
03:38
In these interviews, you'll discuss things such as network and IT architecture,
03:42
threat landscape,
03:43
operational processes and procedures.
03:46
Common outcomes for these interviews are tool usage,
03:51
technology deployment, threats, detection details,
03:54
operational constraints and pain points that SOC staff may encounter.
04:02
Preparing the interview: who to talk to.
04:06
SOCs, of course, come in different shapes and sizes.
04:10
Smaller SOCs tend to have staff who wear multiple hats.
04:13
Larger SOCs tend to have staff who have one clear focus.
04:20
Depending on the focus of the engagement, consider interviewing:
04:24
the SOC manager,
04:26
tier one monitoring staff, possibly shift leads,
04:30
tier two analysts and/or subject matter experts such as in malware or forensics,
04:34
cyber threat intel analysts,
04:38
red teamers and cyber threat hunters,
04:41
SIEM administrators and engineers.
04:47
You may also want to consider talking to groups outside of the SOC as well,
04:51
such as the network/firewall team, desktop support,
04:56
IT server administration,
04:58
cloud services management.
05:01
These groups may well have important insights.
05:04
If some functions are outsourced, you may want to interview representatives from those service providers.
05:14
Preparing for the interview:
05:15
covering logistics.
05:18
When conducting the interview, one typically has one person assigned to lead the interview
05:26
and ask all the different questions and
05:30
focus the conversation.
05:32
It's important to have at least one designated note taker.
05:38
Other subject matter experts, of course,
05:41
bring in as needed,
05:43
but try not to gang up on the interviewee.
05:50
In person or remote.
05:53
Ideally, you'd conduct the interviews all in person.
05:58
However, that is not always practical, particularly in days of COVID.
06:12
It is good to conduct interviews in person, or at least have one person present with the interviewees.
06:21
If
06:23
you must do it all remotely, try to make use of your webcam if you can.
06:31
As you know, people get tired and SOCs are very busy, so respect their time and
06:38
your own energy levels. Typically 45 to 90 minutes
06:44
per session for each team suffices, and be sure to take breaks in between sessions.
06:55
Preparing the interview: setting it up,
06:57
coordinating and scheduling.
07:00
It's good to identify a customer point of contact who can
07:04
help you work the details of scheduling.
07:09
You may also want to get admin support from your side for a large engagement.
07:15
Provide read-aheads for interviewers and interviewees.
07:17
It's good to do an initial data request if possible.
07:21
If available, obtain a copy of the CONOPS, org chart, role descriptions, et cetera.
07:29
Send along interview questions beforehand for the interviewees to digest.
07:36
Prepare yourself beforehand.
07:39
Build a list of questions you want to ask, but feel free to explore topics as they emerge.
07:46
If the interview is conducted in person, you may want to have one or two days available and a dedicated conference room for drop-ins.
07:57
Conducting the interview.
08:00
Should you interview one or multiple, uh,
08:03
staff members?
08:05
On the one hand, one can learn from inter-team or intra-team discussions.
08:11
On the other hand, one strong personality can tend to dominate a conversation.
08:18
Some things to keep in mind.
08:20
For example, bosses in the room may stifle free conversation.
08:24
You may notice disagreements between contractors or contractors and staff.
08:31
Whatever the case, make sure to present yourself as an ally.
08:37
Conducting the interview: what to expect.
08:39
Organizational attributes.
08:43
Some organizations may be more compliance-oriented versus threat-oriented;
08:48
larger organizations with more discrete teams may be siloed or disconnected;
08:54
groups may have a limited view of the greater organization,
08:56
IT infrastructure, et cetera.
09:00
In smaller organizations, SOC staff may wear multiple hats and be resource-constrained.
09:07
Technology.
09:09
There may be inconsistent deployments of sensors.
09:11
You may find there is incomplete collection of data from different sources.
09:16
There may be different monitoring requirements for different business units or parts of the architecture.
09:22
Not all components may be fully integrated or monitored by the SOC.
09:28
The organization may be transitioning to new products or solutions.
09:33
Conducting the interview: bias and perspective.
09:37
In terms of biases,
09:39
understand that both interviewers and interviewees have them,
09:43
and try to understand the perspectives of the teams you talk to, as well as your own perspectives and biases.
09:50
try to remain neutral, particularly when interviewees have differences of opinion among themselves.
09:58
Try not to ask leading questions or promote favorite solutions.
10:05
Conducting the interview: starting off.
10:07
If available,
10:09
perhaps have the main POC at the organization perform introductions.
10:13
If not, do the best you can, and remember, you're on their side.
10:18
Capture the attendees and their roles.
10:22
Share with the interviewees your understanding of their function or the technology in question,
10:26
and that you want to confirm what you've learned so far,
10:30
identify gaps and strengths that they know of,
10:33
and drill down into deeper topics.
10:39
Asking questions.
10:41
Work off a list of prepared questions when you can,
10:43
You may find that you need to reframe questions for a particular group's context.
10:48
Beware:
10:50
Different organizations may use different terms,
10:54
or even different teams may use different terms in the same organization.
11:00
This may be evident when people talk past each other.
11:03
Try to capture local jargon and terminology.
11:07
You may skip some questions if they are less relevant to the particular team you are interviewing.
11:13
When there is disagreement or ambiguity,
11:15
Probe further to identify the source or understand the competing viewpoints.
11:24
Sample questions.
11:28
Describe a recent incident.
11:30
How was that handled end to end? What is your team's role in this event?
11:33
What first triggered response?
11:35
What were the follow-on activities?
11:39
Describe how new analytics are rolled out.
11:43
In other words, how they're developed, tested, documented, et cetera,
11:48
What are the pain points you encounter in process X?
11:52
What would you like to see automated?
11:54
Be direct: ask specifically about ATT&CK techniques and tactics.
12:00
For example, what events or analytics would lead to detecting data exfiltration?
12:09
Post interview: hot wash. What to produce.
12:13
Assessor Teams should write up and compare notes.
12:16
Do this as soon as possible while they're fresh in your mind.
12:20
Notes may be cleaned up and captured formally as an appendix or as source material for the narrative in a report.
12:28
Capture conflicting reports or opinions between different teams or between regular staff and management.
12:35
Try to capture those and understand their perspective.
12:39
Pursue follow up questions to help get to ground truth.
12:45
Specifically, identify ATT&CK-related tidbits.
12:48
Are there any strengths, any particular gaps?
12:52
This is useful when compiling the final report.
12:58
Post interview: hot wash. Typical outputs.
13:03
Typical outputs include
13:03
end-to-end process descriptions,
13:07
perceived strengths and gaps in capabilities,
13:09
operational constraints,
13:11
such as, it is very difficult to change a particular configuration in our environment,
13:16
priorities for threats, TTPs or technical focus,
13:22
follow-on data requests, for example if additional sensors or data sources are identified,
13:28
additional insights into the enterprise architecture and practices, such as connectivity or outsourcing,
13:35
which tools are really used versus shelfware.
13:39
Summary and takeaways.
13:41
Interviews are important.
13:43
Not everything is captured in documentation.
13:48
The interview process has four main steps:
13:50
Figuring out the type of interview you want to run.
13:54
Preparing the interview, conducting the interview and processing the interview findings.
14:01
There are two main types of interviews.
14:03
Context and technical.
14:05
When preparing, identify the teams, create questions and iron out logistics.
14:11
Be prepared when conducting the interview, but remember to be flexible.
14:16
Always capture interview notes as soon as possible after the interview.
14:24
Thank you.
14:24
Next up: communicating using ATT&CK heat maps.