Part 2 – Acquiring Talent in Information Security
This is a continuation of Part 1 – Acquiring Talent In Information Security.
Assessing New Prospects
Being able to discern the ones who “can talk the talk” from who can “walk the walk” is a challenge, but with the right tools we can greatly speed up the interview process and find high quality prospects. Within cyber security, and in IT in general, there are many who can talk their way around the interview table, but might not possess the practical skills for the job. There is a big difference between talking about e.g. hacking techniques and exploits than being capable of executing such attacks in practice.
Instead of going the traditional route of doing only interview questions, a better approach is to put your prospects in front of a keyboard and see what they are made of; practical testing. I have assessed candidates with practical tests for several years now, and with tremendous success. In many cases the practical testing can be done before even meeting the candidate, saving both parties the possible costs of travel and out-of-office drawbacks.
How does it work? You must have a setup with vulnerable infrastructure the candidate can work on, and ideally have varying levels of difficulty for different tasks they should work on. Consider what you would see in a Capture-The-Flag (CTF) challenge online or at a security conference, except here you don’t necessarily need a scoring server, a simple word document to keep track of solutions could suffice.
My suggested approach to this type of interviewing is:
- Send email to the candidate describing what they will be doing. Allow them to prepare, and make sure they are ready to tunnel tools through SSH to the target infrastructure you have set up. Set the date of the assessment perhaps a few days ahead; in my opinion, evenings are fine. Make sure to tell the candidate that you expect them to be doing screen sharing.
- Once the day of the assessment is happening, make sure you have a proper collaboration platform up and running, supporting both camera, voice and screen sharing. Let your candidate share their screen, provide them with credentials to the vulnerable infrastructure (e.g. a CTF environment), a lists of tasks neatly summed up in a word document, and watch how they perform. From now on, every observation you can make is crucial. Observe:
- how fast they are on the keyboard;
- how versatile are they are in Linux, or their preferred operating system?
- can they connect to the target infrastructure successfully? Did they seem prepared to do this, and did it seem like it was child’s play to connect and tunnel tools; or perhaps it seemed like a foreign activity?
- Hopefully they will get stuck on something and you might see how well they troubleshoot. Do they open the manual? Google? Bing..?
- Once you are confident the candidate have access and know their objectives, it’s time to disconnect from the collaboration platform and let them work a bit on their own. I recommend at least a couple of hours, but it would depend on the tasks you have them doing. Instruct them to reach out if they have questions, are stuck or otherwise need guidance in progressing through the challenges. It will be interesting for you to observe if the candidate will ask for suggestions and advice early, not at all, or perhaps when it’s too late to complete further tasks.
- When there’s an hour or so left of your appointment, connect back with the candidate with voice, camera and screen sharing enabled. Let them walk through some of the challenges they have solved before you observe them trying to solve their current challenge they’re stuck on. See if you can hint and probe them with tidbits of information to see how well they respond to it. Do they have that curious drive of not wanting to give up? Wanting to solve it? Or are they dead fish in the water already, exhausted after an exuberating session of hands-on hacking? That is after all what they would likely be doing every-day as a penetration tester.
The above approach is a great way for both candidates to show off what they’re made of, and for you to try weed out the talkers and find the doers out of the dozens who apply to your positions.
Developing, Hosting and Deploying Hacking Challenges for Interviews
One approach is to outsource this part of the interview process to someone who has the necessary experience and know-how to get going (Disclaimer: River Security has aided companies in this process before). Access to easily set up hosting environments is within reach for most companies as the public cloud domain is well established and mature. Many cloud providers support hosting applications where the source code is simply hosted on GitHub and any code pushed to GitHub will be automatically be deployed as an online service which can now be used for assessing talent.
If you already have penetration testers on your payroll, many of these will be thrilled when asked to develop a hacking challenge for someone else, and most penetration testers will not shy away from a little bit of scripting, development and setting up vulnerable services; they will probably have loads of ideas from previous experience on how to make some interesting challenges for a new potential colleague of theirs.
If you can not develop it yourself, consider using one of the many online hacking platforms to assess your prospect on. Many of these will have write-ups already made for them, so do your best to assess if the candidate has googled a solution and if they can really talk their way through the solutions.
How should you go evaluating new prospects during your first virtual or in-person meeting? What types of questions should you ask in order to understand how well they understand the craft and capabilities? For the sake of brevity, this section will only contain the technical aspects of assessing someone, not personal issues, e.g. if they are a proper fit for your team.
You want to probe out that the candidate has the desire, discipline, and dedication to break into the penetration testing industry. Desire is most easily spotted, but discipline and dedication require more scrutiny. Knowing what to probe for allows you to tailor specific questions to find out more.
Here are some ideas for questions you might want to ask:
Questions for determining desire:
- Which steps have you taken to ensure you could land a job as a penetration tester?
- How do you stay on-top of the latest of the industry?
Questions for determining dedication:
- In which ways to you contribute back to the community? Any blogs, source-code repositories, or other things you share?
- What is your own methodology for finding vulnerabilities across a set of different services?
Questions for determining discipline:
- What steps do you take to ensure you uncover as many vulnerabilities as possible?
- What motivates you when you can’t find any vulnerabilities?
This post will not go into technical interview questions, but let us know if you would want to see an article on that too.
With these two blog post I hope to have showed you ways to identify talent, even if the person does not necessarily have the required number of years of experience, or otherwise does not fit the square we try to fit them through; the individual might just be a circle!
Did you like this blog series? Anything else you would like to hear about? Tag us on Social Media:
- Twitter – https://twitter.com/rivsec
- Facebook – https://www.facebook.com/rivsec/
- LinkedIn – https://www.linkedin.com/company/river-security
This article is written by Chris Dale, Principal Consultant and Founder of River Security and SANS Certified Instructor. He has many years experience developing and building penetration testing teams and has hired dozens of people. Here is Chris’s take on acquiring talent within the Information Security industry.
You can follow Chris on Social Media here: