Interviewing Progress for Incident Response

CyberCop123 Member Posts: 338
edited April 2019 in IT Jobs / Degrees
I believe I am going to go through to face-to-face interviews for a job with a very well known global IT company.  It's to manage an incident response team, going out to different global companies and reacting to their incidents.

I've been honest with the manager and said I was a bit concerned that I wasn't very knowledgeable about Server/Cloud and Enterprise systems.  He said it was more attitude they were interested in and an ability to learn - which I most definitely do have and would say it's one of my best traits.

He did say during the call that the interviews aren't overly technical.  They want to ask about:

- AD (active directory)
- DC (domain controllers)
- ACL (access control lists)
- permissions
etc....

My concern is, what does this mean?  I know what these are, I don't really know how to configure it. Even searching online just brings up stuff like "Active directory is....." or some PowerShell to change a file's permissions.

My concern is that I am just woefully under qualified for this role

Not sure what I'm asking for, just venting really.  I will continue with the process even if I fail the interview.  It's a good job and I like the company/brand a lot.  




My Aims
2017: OSCP -
COMPLETED
2018: CISSP -
COMPLETED
2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting -
COMPLETED
           GIAC GREM - Reverse Engineering of Malware -
COMPLETED

2021: CCSP
2022: OSWE (hopefully)

Comments

  • Infosec_Sam Admin Posts: 527
    They might just ask you what your knowledge level is with these topics. To be a member of the incident response team, my guess would be that you don't need to know them inside and out, just enough to be able to resolve common incidents. A company like Microsoft most likely follows the practice of hiring for the fit and training for the role. If you're upfront about what you know and don't know, and you express some enthusiasm about learning (i.e. if you don't know what something is, ask for an explanation!), I'm sure you'll do fine.

    Best of luck to you in the interview!
    Community Manager at Infosec!
    Who we are | What we do
  • Swift6 Member Posts: 268
    Well done on landing the interview.

    Anyone who gets in a job knowing everything is not advancing.
    This is a good op for you to get learning and skilled up.
    I don't expect they would drop you in customer environments without getting you trained up first. Probably worth asking at the interviews.

    Hope it goes well.
  • CyberCop123 Member Posts: 338
    Thanks guys  

    I'm really passionate on the job, particularly as I think it's a company I could have a long career with.  I was very passionate and enthusiastic on the phone so I think I did enough for the face to face  

    I'm a big believer in honesty so I did say I wasn't that familiar with server/cloud 

    He said that's in the JD as that's what their ideal scenario is but they know that no one will know everything. New team leaders get teamed up with existing ones to learn and get used to it

    I will have to do a lot of work on this I think. My only approach will probably be getting a server 2016 vm and start playing around  

    .....  

    I did think would the questions be as simple as

     "what is AD"

    or would it be complex like "how would you configure and maintain AD for a company with 20 domain controllers and multiple access levels?" 

    Better learn some PowerShell too and WMI as I don't know much about that either 
  • paul78 Member Posts: 3,016
    It sounds like you have the pre-interview jitters. That's pretty normal. And hopefully that keeps you on your toes which is not always a bad thing.

    Good luck with the interviews.

  • NetworkingStudent Member Posts: 1,407
    I believe I am going to go through to face-to-face interviews for a job with Microsoft.  It's to manage an incident response team, going out to different global companies and reacting to their incidents.

    I've been honest with the manager and said I was a bit concerned that I wasn't very knowledgeable about Microsoft Server/Cloud and Enterprise systems.  He said it was more attitude they were interested in and an ability to learn - which I most definitely do have and would say it's one of my best traits.

    He did say during the call that the interviews aren't overly technical.  They want to ask about:

    - AD (active directory)
    - DC (domain controllers)
    - ACL (access control lists)
    - permissions
    etc....

    My concern is, what does this mean?  I know what these are, I don't really know how to configure it. Even searching online just brings up stuff like "Active directory is....." or some PowerShell to change a file's permissions.

    My concern is that I am just woefully under qualified for this role

    Not sure what I'm asking for, just venting really.  I will continue with the process even if I fail the interview.  It's a good job and I like the company/brand a lot.  




    You can go through this book and see if it will help with understanding AD.  It's a Windows Server 101 book, and it gets you up to speed on Windows Server.  

    https://dl.orangedox.com/onKwZSVjAbbFFzBfs7




    "When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."

    --Alexander Graham Bell,
    American inventor
  • CyberCop123 Member Posts: 338
    Thanks everyone.

    Confirmed that I have a 2nd+3rd stage Skype Interview.  One is more technical and one is more about general personnel type questions.

    Technical stuff I'm looking at is: 

    AD

    DC

    ACL

    Permissions

    Windows Registry Forensics

    Default Windows services like svchost, lsass, etc..

    NTFS file system structure

    POSH


  • Infosec_Sam Admin Posts: 527
    That's not bad! Do you have some time to do some studying before your interviews are scheduled?
  • CyberCop123 Member Posts: 338
    edited April 2019
    Infosec_Sam said:

    That's not bad! Do you have some time to do some studying before your interviews are scheduled?

    I think I should have some time.  They've not been scheduled yet, they say a member of their interview/HR team will contact me to arrange timings.  

    Today I was quite productive....

    • Went over my forensics a bit and refreshed myself on registry 
    • Went back over NTFS file structure
    • Went over NTFS forensic artefacts (like pre-fetch files, jump lists, etc...)
    • Set up a Windows Server 2016 VM
    • Set up a Windows 10 vm
    • Made a Forest/domain 
    • Hooked the two of them up
    • Made a group policy to stop the C drive being visible 
    • I did a few things in PowerShell but not much


    I will try to look more at PowerShell in the next few days

    Going to look more at Azure and also some typical things like, "how to secure a windows server", and "common security issues in windows server".  Stuff like that. 


    My plan for the interview is to focus more on my attitude and my general abilities to self-study, to get a job done, etc...  I think it's always best to be honest in interviews so if there's something I don't know I will say, but will say how I'd find out .... e.g. look at docs.microsoft.com or look at syntax of a command, or something like that  
  • CyberCop123 Member Posts: 338
    UPDATE

    Been a bit weird and quite slow the process.

    Stage #1: Had a screening call with the internal recruiter.  He was happy enough and asked me to fill out a 2-3 page question sheet about some scenarios I had dealt with and also my expected salary, etc...


    Stage #2: The main IT Director scheduled a Skype video call with me but failed to dial in.  That meant I was just sat there for ages and in the end gave up.  He re-scheduled... we had a chat and he seemed happy with my passion and answers.  It was not technical at all, was just stuff like "How would your colleagues describe you?".

    ... He also spoke about the global travel.  It is 50% of the time but anything over 4 hours is business class.  Anytime you're not travelling you WFH.  

    Stage #3+4:  This is where I am now.  I have two separate Skype video calls.  The first one was supposed to be yesterday but AGAIN, the interviewer did not dial in and I was again sat there waiting for ages.  Can't believe it's happened twice now.  Anyway, it's re-scheduled for tomorrow.

    If I get past these two video calls then I believe I will get a face-to-face or maybe even start talking about offers. 

    I've done a ton of research and to be honest, most of my answers are not at all technical or in-depth, they're just simple cyber security things like:

    - Defence in depth
    - Control of Domain Admin accounts
    - 2FA for certain accounts
    - Auditing of logs and maintaining them
    - Policies around passwords, people leaving the company etc
    - Remove local admins of all machines
    - Do not allow remote logins of privileged accounts
    - Whitelist applications 
    - Remove the RDP functionality or at least control access to it 

    ... I also realised VERY quickly that one of the biggest threats is Pass-the-Hash in the Windows enterprise.  That's probably obvious to some of you... I guess it's as big as malware, human error or malicious adversaries and social engineering.

    .............

    My main worry at present is partially the travel but also the WFH.  I'm a bit unsure how I'd cope being alone all day by myself.  It's OK for a day or two but I worry I may just lose my mind if I'm by myself all day.  I've read up and seen that this is a VERY common issue with WFH people but having a routine helps, making plans with friends or working from a coffee shop or somewhere else breaks it up.











  • cyberguypr Mod Posts: 6,928
    What? Two times no-show? Man, that is an immediate rant email generator for me.
  • CyberCop123 Member Posts: 338
    What? Two times no-show? Man, that is an immediate rant email generator for me.
    Trust me I very nearly did.  I was more just fed up and very down to be honest.  I had spent a lot of time preparing and had taken half a day off work to get home for it and set up camera, change into smart clothes etc... 

    The no shows were by two different people  

    The first time, the big boss sent an email the next day apologising sincerely and when he spoke to me he again apologised  

    I turned my computer off and decided to give it 24 hours to calm down and regroup. Decided to just casually say "no problem, hopefully we can rearrange" rather than rant about it  

    Not particularly happy I guess but willing to try again

    If there's another no show, that will be a whole other matter!!! 


  • CyberCop123 Member Posts: 338
    **UPDATE**

    Had the phone interview last night.  This is the 3rd stage interview and comprises two phone interviews - the first last night and another in around a week's time. 

    It lasted longer than I expected - around 60-65 minutes in total.  It was very easy and not at all technical which I was surprised at.  It was more about how I would deal with certain situations, a general conversation about my experience, some general "small talk" about my most useful certifications.  

    I spent about 10+ minutes asking him questions and talking more about the job role.  

    As stated, my concerns are still around the global travel being 50%.  He said they're trying to get to a stage where they will tell you in advance that weeks 2+4 you're on standby for any issues and then you know in advance to be ready rather than just ALWAYS being on the edge of your seat waiting for a call to go out somewhere.

    I'm also a bit confused how you have any type of team ethic, or know your colleagues when all 50 of them are based remotely and in multiple countries.  

    Anyway, there was nothing during the call that led me to believe that I wasn't doing well enough.  If I do well on the other phone call I'm not sure what happens next.  I don't think they do face-to-face interviews... at least they've not mentioned that.  Anyway, we'll see....














  • CyberCop123 Member Posts: 338
    ***UPDATE***

    Had another phone interview earlier in the week.  That is now the 4th interview I have had by phone, and I have one more tomorrow.  I can't imagine there will be many more, maybe a face-to-face?

    Anyway, all interviews have been VERY easy.  Only one interviewer actually asked anything remotely technical, and even then it wasn't really that difficult and I didn't even my answer was "I only know a bit about that but...." and gave some brief knowledge of it.  

    4 of the interviews have been almost no questions other than: 

    - Tell me about yourself
    - Do you have any concerns about the travelling (yes I do)
    - I see you worked at XYZ, what was that like?

    The one I had yesterday was basically just an hour long chat with no questions from him really.  Most of it was me asking questions about the job, how they operate, expectations, how they travel, the organisation etc.... 

    He said to me on the phone "I spoke with ***** about you.  We were discussing the candidates and you are definitely the front runner".  

    So it looks fairly good so far.  

    Salary

    Don't want to get ahead of myself but when I first was contacted and encouraged to apply, they asked me to fill out a 2-3 page document with personal details and a few questions on.

    Two questions were:

    1) What is your salary and package now
    2) What salary do you expect? - I put down £80k

    When speaking to one of the recruiters last week about the travelling and my concerns, he mentioned "the package is generous" and I said "what is the package roughly as I still don't know much about it". 

    He told me about the pension and said that "I can see the salary you expect and I know we can definitely reach that and maybe even 20-25% more"

    I need to think about that as the salary I expect I have realised is lower than I would ideally want.  

    Based on 20% more, that would bring it up to £96k which is definitely good enough.  I actually wanted at least 90k as I thought I may have been going in too low.

    As stated, don't want to get too far ahead but need to think about this as I am very far into this process now.  


  • Infosec_Sam Admin Posts: 527
    That's great news! I'm surprised that they mentioned a higher salary to you than you put on your application - I'd wait to see it on the offer before believing it. The fact that they told you you're the favorite is a pretty big deal though. You're in a pretty good spot!
  • CyberCop123 Member Posts: 338
    That's great news! I'm surprised that they mentioned a higher salary to you than you put on your application - I'd wait to see it on the offer before believing it. The fact that they told you you're the favorite is a pretty big deal though. You're in a pretty good spot!

    Well the more I got into the process I did start to think that the job would pay more than I had put down as a minimum expectation.  It's a huge company and involves travel, plus managing a small team on each assignment.  

    I think they mentioned the package as I was raising concerns about travel after one of the interviews.

    Me: I'm still a bit concerned about the travel.  One person said 50%, another said 75% and it broke them.  The JD says 50% and I just don't know what to expect

    Him: ................... you have to be a bit flexible but you are compensated well as the package is very good

    Me: that's another thing, I still don't know what the package is roughly, e.g. pension, annual leave, the salary, bonus, etc....

    Him: You get £7k car allowance, pension... I can see your current salary is £XXXXX. and you have put down a minimum of £YYYYY.  We can definitely reach that and probably 20% more.  

    It was something along those lines
  • Infosec_Sam Admin Posts: 527
    Oof, 75% is a huge amount of travel. 2-3 weeks per month is nuts, but if you can stomach it, it sounds like the pay reflects the work. It sounds like you have a big decision ahead of you if they extend the offer. One thing I'd suggest would be if they offer you 90k and you're still uneasy about travel, ask for 105k instead. If they meet it, that's great. If not, you have an easy out if you're not sold on the job.
  • CyberCop123 Member Posts: 338
    Yea it's too much - I wouldn't be comfortable with 75%.

    The JD says "50% but sometimes higher depending on incident".  The main IT director said that it was higher but they realised people had lives and it wasn't fair to have people travelling so much so they have increased the global team by quite a lot of people.  

    Travel over 4 hours is business class 
    You get a corporate card
    When not travelling you work from home

    The recruiter asked "If it was 50% travel would you feel comfortable?" - and I said yes I would. 

    I could handle travelling this week but home next week, then travelling again the week after and back.  Or travelling for 1-2 weeks but having 2 weeks at home.


  • Blucodex Member Posts: 430
    You should be asking for more like 130k-180k in US dollars for a job like this IMO.  Global company with 50% travel?
  • CyberCop123 Member Posts: 338
    Blucodex said:
    You should be asking for more like 130k-180k in US dollars for a job like this IMO.  Global company with 50% travel?

    Yea huge global company, around 150'000 and an annual turnover of around $50 billion.  

    That equates to £103k - £141k.  I think the £100k mark is about right to be honest.  Especially based on the UK market and this is not a managerial level position but it is a "lead" position.  Slight difference.  

    Not sure how it will go as the form I filled out at the beginning has a much lower "expected salary".  However, I can justify it as that was before I spoke to anyone about the job and now I see that it's a job with greater responsibility, more tasks, greater impact etc...
  • CyberCop123 Member Posts: 338
    **UPDATE***

    Had my 5th telephone interview tonight 
    More challenging than others.  No technical stuff but more about how would you handle this situation?

    Guy said he travels 70% of the time 

    Really not feeling comfortable with that amount. That equates to 3 weeks of the month that I would be travelling globally, often on a weekend.
    He did say that when not travelling it is all working from home
    This is usually downtime/time to research, or do some proactive work, test some things out.  






  • Blucodex Member Posts: 430
    If you're already feeling "uncomfortable" you should go with your gut.  But if this is a major boost for your career maybe you grind it out for 6-12 months and gain the experience and brand recognition of said employer to land something more in line with what you desire.
  • Infosec_Sam Admin Posts: 527
    I would need a lot more than 100k to spend 70% of my life travelling for business. It sounds like the writing is on the wall here - this doesn't seem like the right opportunity for you, even as a stepping stone. 