Microsoft Detection and Response Team (DART) AMA
Tuesday, Mar 15, 2022, 09:00 AM PDT
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART: Our job is to respond to compromises and help our customers become cyber-resilient. This is al...
Trevor_Rusher
Updated Feb 16, 2022
Chad_Munkelt (Copper Contributor), Mar 15, 2022
What are some of the challenges you face on the DART team?
- aymansiraj (Copper Contributor), Mar 15, 2022
I think for most of us, it's figuring out a balance of how many hours to work a day during an incident, as we will be going on for days when a customer is breached. We are humans, the customers' defenders are human, and sometimes someone needs to make the call on "Hey, we need to call it a night and give people rest!". Luckily, DART Leads are great at communicating to customer sponsors on the rotating and rest part of the incident.
- eolson (Microsoft), Mar 15, 2022
Probably one of the biggest challenges for me is that there is almost ALWAYS something interesting going on and you want to be involved in all of it. So sometimes you have to take a pass on that one thing to give yourself time to take a breath.
- DaveSchrock (Microsoft), Mar 15, 2022
One of my biggest challenges was learning how to deliver good or bad news to a customer on their worst day. Ransomware may sometimes be less sophisticated than APT-type activities, but the emotional drain and intensity are much higher. Learning how to speak clearly and accurately in these situations was a learning curve, but now it's something I get excited about.
- DartMW (Microsoft), Mar 15, 2022
I would say one of the biggest challenges is the lack of historical logging. If logs are not collected centrally, local logs might only contain a few days' worth of data. This makes it really difficult to determine what happened during an incident. Increase logging for critical systems to at least 6 months, longer if you have the storage space, and consider centralized logging to prevent threat actors from wiping logs on systems they have control over.
- Jamesmoe (Microsoft), Mar 15, 2022
Prior to the pandemic, our team generally operated in an on-site response model. It has been an adjustment to transition to an all-remote delivery model. Keeping organized and focused and creating better communication and documentation systems was key.
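DartMW's answer above recommends at least six months of retention and central collection so that logs survive being wiped on a compromised host. As an added example (not from the AMA or from DART), this Python script runs over constructed forwarded-event records in a hypothetical collector format, reports which hosts hold less than six months of history, and surfaces the Windows log-cleared events (IDs 1102 and 104) that only a central copy would preserve; the field names host, ts and event_id are assumptions.

```python
"""Audit centralized log coverage and flag audit-log clearing.
Added example; records are constructed, field names are assumptions."""
import json
from datetime import datetime

# Windows event IDs written when an event log is cleared:
# 1102 (Security log cleared), 104 (System or other log cleared).
LOG_CLEARED_IDS = {1102, 104}
MIN_RETENTION_DAYS = 180  # roughly the six months recommended above

# Constructed sample: two hosts forwarding for months, one workstation
# with only a few days of history and a Security log clear in between.
SAMPLE_LOG = """
{"host": "dc01",  "ts": "2021-09-01T08:00:00", "event_id": 4624}
{"host": "dc01",  "ts": "2022-03-14T09:30:00", "event_id": 4624}
{"host": "srv02", "ts": "2021-08-15T00:00:00", "event_id": 7045}
{"host": "srv02", "ts": "2022-03-14T11:00:00", "event_id": 4624}
{"host": "ws07",  "ts": "2022-03-10T05:00:00", "event_id": 4624}
{"host": "ws07",  "ts": "2022-03-12T02:13:00", "event_id": 1102}
{"host": "ws07",  "ts": "2022-03-14T06:00:00", "event_id": 4624}
"""


def parse_events(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def coverage_days(events):
    """Days between the oldest and newest retained event, per host."""
    span = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        lo, hi = span.get(e["host"], (ts, ts))
        span[e["host"]] = (min(lo, ts), max(hi, ts))
    return {h: (hi - lo).days for h, (lo, hi) in span.items()}


def short_retention(events, min_days=MIN_RETENTION_DAYS):
    """Hosts whose retained history falls short of the target window."""
    return sorted(h for h, d in coverage_days(events).items() if d < min_days)


def log_clear_events(events):
    """(host, ts, event_id) for every log-cleared event that was forwarded."""
    return [(e["host"], e["ts"], e["event_id"])
            for e in events if e["event_id"] in LOG_CLEARED_IDS]
```

A host that shows up in both lists is the one to look at first: its history is short and the central copy records why.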