The mission of Microsoft Incident Response is to investigate sophisticated intrusions, contain advanced adversaries and secure the digital future. The number of cybersecurity incidents occurring around the globe is increasing day by day, and to help combat this threat, Microsoft Incident Response is expanding its infrastructure team. If you are hungry for knowledge and eager to defend against some of the world’s most dangerous Threat Actors, you’re in the right place.
When a customer is in need, Microsoft Incident Response is ready to react with a global team utilizing a “follow the sun” model at any time—day or night. This rapid response allows for real change to be enacted within minutes and hours rather than days or even weeks. In any crisis, the barriers to change need to be unlocked as part of the response, and often we are able to remove years or even decades of technical debt in a matter of weeks. As incident responders, we know that there are few cybersecurity careers more rewarding and exhilarating than incident response within Microsoft, but you need to be mentally, emotionally and physically ready, because customers’ security and operations are on the line. The purpose of this blog post is to help you learn the ins and outs of the life of an infrastructure specialist on our team.
Within our team there are several roles which team members fill during an incident response engagement. First and foremost, we are all hunters. We all contribute to the narrative of how the threat actor infiltrated the environment and what actions they took. Beyond that, the engagement team typically includes a team lead who directs the engagement, dedicated threat and forensic hunters who analyze collected data to identify indicators of compromise, and reverse engineers who investigate malicious code. Last but in no way least, we have i
In this job, you will go toe-to-toe with the adversary. It’s an experience that can get your adrenaline pumping and keep you constantly alert. Due to the time-sensitive nature of engagements and the potential for harm to customers, it is important to be prepared for anything. Flexibility and a strong desire for knowledge are essential. If you’re unfamiliar with something, you will learn it, and the team will help you day or night. After all, we need to move quickly and remain agile when we’re working on a threat.
While no two engagements are alike, there are a few key technologies that underpin most engagements. Infrastructure specialists are expected to build strong familiarity with each of these focus areas:
- Identity – Specifically Active Directory and Entra ID. In today’s world, hackers don’t break in, they log in. Identity is the perimeter and important to understand.
  - Active Directory Domain Services (AD DS): Knowledge of AD is crucial. Key areas to focus on include understanding AD components, group policy configuration and precedence, securing AD, understanding privileged groups, the impact of permissions, and performing forest recovery.
  - Azure/Entra ID: Like Active Directory, Entra ID contains numerous privileged roles. Understanding how to manage permissions using the principle of least privilege is important.
  - Entra Connect: It is the synchronization engine for identities between on-premises AD and Entra ID. It’s important to know how to build it out without relying on the express settings button.
  - Public Key Infrastructure (PKI): While it’s not mandatory to be a PKI expert, understanding how certificates can be used during an attack is beneficial. We have PKI experts within the infrastructure team, so there is support available. A couple of useful articles are What is Active Directory Certificate Services? and Recovering AD CS from Compromise.
  - Active Directory Federation Services (AD FS): As with PKI, being an AD FS expert is not required, but it is advantageous. Many customers still use AD FS, and knowing the basics, especially how tokens can be used or what can happen if the token signing certificate is compromised, will be helpful. Here are some best practices for securing AD FS.
- Defender – Microsoft Defender for Endpoint (MDE), Defender Antivirus (MDAV), and Defender for Identity (MDI) are heavily utilized during our customer engagements, regardless of any third-party products in use. We deploy Defender to gain visibility into the environment and detect potential threats that other products may miss. Given Defender’s ability to work well with third-party products, we deploy the Defender suite in such a way so as not to disrupt our customers’ existing security solutions, while still gaining the benefit of its visibility. It’s a win-win for customers.
  - MDE: It’s essential to learn how to deploy and onboard devices, as well as manage MDE. We aim to gain visibility with Defender across as many devices, Linux included, as possible.
  - MDI: Understanding how to deploy and troubleshoot MDI installations on all supported platforms is crucial, since this provides us with valuable insight into behavioral analytics, threat actor persistence and privilege escalation attempts within an environment. Also important is knowledge of the detection and alerting capabilities related to things like password sprays, golden or silver tickets, and of course lateral movement.
  - MDAV: It's important to know how MDAV interacts with MDE, the differences between active and passive modes, and how it functions on client versus server systems. Some of the best training available for Defender is through the ‘ninja’ training sessions. While not all content is necessary, it is highly valuable.
- Azure and Entra ID – securing the cloud platform: Threat actors often target not only Azure tenants but also AWS and GCP platforms. Understanding how to use Azure and Entra ID features to secure and lock down a tenant to remove threat actor persistence is a key component of our recovery actions. Areas to focus on include:
  - Conditional Access Policies (CAPs): Know what CAPs are and how to configure them, as well as understanding whether a condition within a policy is treated as an AND or an OR. Evaluating and assessing existing CAPs will come with experience.
  - Multifactor Authentication (MFA): It’s essential to understand what MFA is and how to enforce it.
  - Azure Network Security Groups (NSGs): It’s beneficial to understand how NSGs are configured and how to restrict traffic.
  - Entra Self-Service Password Reset (SSPR): Know the prerequisites for SSPR and how to configure it.
  - Privileged Identity Management (PIM): Understand how to configure PIM and manage all administrative roles associated with Entra ID.
  - Azure resources: Familiarity with various Azure resources, such as Azure Key Vault, storage accounts and virtual machines, and the ability to evaluate their security are expected, since attacks against Azure resources are increasing by the day.
  - Intune: Knowledge of Intune, how policies can influence the endpoints, and how to leverage the platform to roll out scripts will come in handy. For example, we will at times leverage Intune to push out our tools.
- Windows Platform – Windows Client and Windows Server: A strong background in Windows operating systems, including installing roles and features, using PowerShell, managing updates, and performing rebuilds when necessary, will be highly beneficial in situations that require quick thinking. Management of Windows settings at scale using Configuration Manager, Intune, and Group Policy is highly desirable.
- Kusto Query Language (KQL): At DART, we use KQL not just for hunting, but also for reviewing infrastructure configurations. All team members are expected to contribute to hunting and research activities, so a foundational knowledge of KQL is critical. If you’re not yet familiar with KQL, the KC7 challenge site is an excellent place to start: KC7cyber.com.
This overview is just the beginning when it comes to the infrastructure role in Microsoft Incident Response. Alongside this, there are numerous additional areas you can specialize in, such as Linux, in particular how to deploy MDE on Linux. Another example we might run into is dealing with Microsoft Identity Manager, specifically the PAM component.
It’s not necessary to be an expert in every topic mentioned, but proficiency in at least one or more areas is preferred for prospective infrastructure specialist applicants. None of us are experts in everything, but we all excel in specific areas.
The other skills Microsoft Incident Response looks for in candidates are soft skills. Being self-aware, willing to experiment, learning from others and contributing to the success of others is critical. We always work as a team and build on each other’s success. Being able to look at the overall trajectory of an incident during an engagement: where things were, where they are, and where they are going, will also help ensure success. Collaboration skills are a must, as is the ability to embrace the word “yet” (as in “oh, I haven’t tried that yet”).
Pro Tip: Self-confidence and rapid decision making are essential to succeeding in incident response. Our team learns quickly, listens to responses when asking questions, understands the reasoning behind those responses, and uses that data to provide accurate information to customers. Those who are comfortable working independently without constant oversight will be successful in an incident response role. That said, cybersecurity is a team sport, especially in Microsoft Incident Response, so strong communication skills and the ability to partner effectively with multiple people – customers, partners, account teams, teammates, etc. – are very important.
No matter what your background is, we are looking for qualified candidates to join this exceptional team. Come prepared and be ready to gain experience that can open the door to a career full of opportunities and growth, not only at Microsoft but throughout the cybersecurity industry.
Below are links to the recommended material referenced in this posting. People interested in joining DART’s infrastructure team and providing Microsoft Incident Response services can review this material to gain a better understanding of what’s needed to be successful as a team member.
- Understanding AD components, securing AD
- Understanding privileged groups
- Securing Privileged Access
- Enterprise Access Model
- Performing forest recovery
- Mitigating Pass-the-Hash (PtH) Attacks – PtH Whitepaper
- Entra ID
- Entra ID privileged roles
- Entra ID Connect is the synchronization engine for identities
- Recovering ADCS from a compromise
- Best practices for securing ADFS
- Training available for Defender
- Learn about CAPs
- It’s essential to understand MFA
- Know how to configure SSPR
- Understand how to configure PIM
- Practice KQL at KC7cyber.com