Microsoft Detection and Response Team (DART) AMA
Event details
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART:
Our job is to respond to compromises and help our customers become cyber-resilient. This is also our team mission. One we take very seriously. And it’s why we are passionate about what we do for our customers. Curious about stories from the front lines of incident response, customer engagements, or the tools we use? Ask us anything.
An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA gives you the opportunity to connect with Microsoft product experts who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions for the DART team anytime in the comments below beforehand, if it fits your schedule or time zone better, though questions will not be answered until the live hour.
57 Comments
- Chad_Munkelt
Copper Contributor
What are some of the challenges you face on the DART team?
- aymansiraj
Copper Contributor
I think for most of us, it's figuring out a balance of how many hours to work a day during an incident, as we will be going on for days when a customer is breached. We are humans, the customer's defenders are human, and sometimes someone needs to make the call on "Hey, we need to call it a night and give people rest!". Luckily, DART Leads are great at communicating to customer sponsors on the rotating and rest part of the incident.
- eolson
Microsoft
Probably one of the biggest challenges for me is there is almost ALWAYS something interesting going on and you want to be involved in all of it. So sometimes you have to take a pass on that one thing to give yourself time to take a breath.
- DaveSchrock
Microsoft
One of my biggest challenges was learning how to deliver good or bad news to a customer on their worst day. Ransomware may sometimes be less sophisticated than APT type activities, but the emotional drain and intensity is much higher. Learning how to speak clearly and accurately in these situations was a learning curve, but now it's something I get excited about.
- aymansiraj
Copper Contributor
What does DART think about Pineapple on Pizza?
- DaveSchrock
Microsoft
This is a highly debated topic across the team. Some people are outright offended we even mention the thought of pineapple on pizza. Most of these people are located in Central Europe. Others are all about it and thrive on pushing the limits of the ordinary. There is no wrong answer here, as we will always order more than one pizza.
- rpeckham
Microsoft
Pineapple tastes great with pineapple. There's nothing better. Unless it's on pizza! I'd pick it off and eat the pineapple solo.
- richarddavis2197
Microsoft
Pineapple + Jalapeno FTW
- aymansiraj
Copper Contributor
What does DART look for in new applicants? What tips does the team have for applicants and those interviewing?
- kshitijk
Microsoft
Passion for the subject matter (read: hunting adversaries, solving puzzles, helping customers) and willingness to learn (teachability and a self-starter mentality). Demonstrating critical thinking and storytelling skills also goes a long way!
- eolson
Microsoft
The best piece of advice I have ever been given by someone (who happened to work at Microsoft at the time) was to be yourself. You are what got you this far. It's okay to not know something and acknowledge it. I would rather someone not know than to make it up. If you put it on your resume, make sure you are ready to talk about it!
- Chad_Munkelt
Copper Contributor
That is great advice!
- Danielle_Veluz
Brass Contributor
ICYMI: We put out a new blog. Check it out: Part 1: LockBit 2.0 ransomware bugs and database recovery attempts - Microsoft Tech Community and Part 2: LockBit 2.0 ransomware bugs and database recovery attempts - Microsoft Tech Community.
- Trevor_Rusher
Community Manager
Welcome to the Microsoft Detection and Response Team (DART) Ask Microsoft Anything! This live hour gives you the opportunity to ask questions directly to the DART team. Please post any questions in a separate, new comment thread. To start this off on a friendly note, please introduce yourself on this post and tell us where you're logging in from!
- kshitijk
Microsoft
Kshitij here from California!
- Petitohead
Microsoft
Anthony here from Colorado!
- anpohl23
Copper Contributor
Andreae from Dallas, Texas - yeehaw! Go get 'em Dart!
- cyberjanit0r
Copper Contributor
What recommendations does the DART team have regarding WSL2 detection logging for malicious activity and system hardening?
- richarddavis2197
Microsoft
Hi Nate, pretty much the same as any Linux environment: minimize unnecessary services, harden accounts, etc. I know in September of 2021 there was a Russian malware variant that used a Linux loader (compiled Python) to inject into Windows processes -- it was quickly added to Defender and is now detected.
- David_Caddick
Brass Contributor
Thanks Trevor,
Very keen to hear how the DART Team get a handle on things from the outset - especially blocking Legacy Auth, Conditional Access and the like.
Regards, Dave C
- eolson
Microsoft
Our primary goal is to find persistence in the environment, but sometimes we do take action based off indicators we are tracking. When we consider it, we look at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication#identify-legacy-authentication-use and work with our customers before asking them to disable it if that was related to the incident. Similar discussions happen around Conditional Access. Take a look at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common and the Conditional Access templates (Preview) for some nice templates for commonly used policies. Conditional Access policies are something you want a little bit of planning for if you are going to impact a large user base. But for privileged accounts, it's something I would recommend turning on as soon as possible.
- eolson
Microsoft
We also talk to our customers about having a solid incident response plan/playbook they can execute. Think about things like application dependencies, service accounts, teams you may need to talk to in order to accomplish a task like turning off external access to the internet for example.
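The step eolson describes above, identifying who still depends on legacy authentication before asking a customer to block it, is the kind of scoping a defender does from an export of the Azure AD sign-in log. The script below is an added example, not code from the AMA or from Microsoft: it reads a sign-in log export, classifies each entry by its client app using the protocol names from Microsoft's legacy-authentication guidance, and reports successful legacy sign-ins per user and per protocol (failed attempts are counted separately, since they show what a block would reject but do not indicate a working dependency). It assumes the export carries the Microsoft Graph signIn field names (clientAppUsed, userPrincipalName, appDisplayName, createdDateTime, status.errorCode); the log entries, users and domain in the sample are constructed.

```python
"""Summarize legacy-authentication use from an Azure AD sign-in log export.

Added example (not the AMA's or Microsoft's code). Assumes the export uses the
Microsoft Graph signIn field names: clientAppUsed, userPrincipalName,
appDisplayName, createdDateTime, status.errorCode.
"""
import json
from collections import Counter, defaultdict

# Client app names that Microsoft's block-legacy-authentication guidance treats as
# legacy protocols. Matching is case-insensitive so small spelling variants in an
# export still classify correctly.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
    "Universal Outlook",
}
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

_LEGACY = {a.lower() for a in LEGACY_CLIENT_APPS}
_MODERN = {a.lower() for a in MODERN_CLIENT_APPS}

# Constructed sample export: a handful of sign-ins, not real log data.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2022-03-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T08:05:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T09:00:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T09:30:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T10:00:00Z", "userPrincipalName": "svc-scanner@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T10:15:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-03-01T11:00:00Z", "userPrincipalName": "dan@contoso.example",
     "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
])


def classify(client_app):
    """Map a clientAppUsed value to 'legacy', 'modern' or 'unknown'."""
    name = (client_app or "").strip().lower()
    if name in _LEGACY:
        return "legacy"
    if name in _MODERN:
        return "modern"
    return "unknown"  # new or unexpected value: review it rather than silently ignore it


def load_signins(text):
    """Parse a JSON array export into a list of sign-in dicts."""
    return json.loads(text)


def summarize_legacy_auth(signins):
    """Count successful legacy sign-ins per user and per protocol.

    Returns {'by_user': {upn: {protocol: n}}, 'by_protocol': {protocol: n},
             'totals': {'legacy': n, 'failed_legacy': n, 'modern': n, 'unknown': n}}.
    Only keys that occur are present in 'totals'.
    """
    by_user = defaultdict(Counter)
    by_protocol = Counter()
    totals = Counter()
    for entry in signins:
        kind = classify(entry.get("clientAppUsed"))
        succeeded = (entry.get("status") or {}).get("errorCode", -1) == 0
        if kind != "legacy":
            totals[kind] += 1
            continue
        if not succeeded:
            totals["failed_legacy"] += 1  # would be blocked, but is not a working dependency
            continue
        protocol = entry["clientAppUsed"]
        user = entry.get("userPrincipalName", "<unknown user>")
        by_user[user][protocol] += 1
        by_protocol[protocol] += 1
        totals["legacy"] += 1
    return {
        "by_user": {u: dict(c) for u, c in by_user.items()},
        "by_protocol": dict(by_protocol),
        "totals": dict(totals),
    }


if __name__ == "__main__":
    report = summarize_legacy_auth(load_signins(SAMPLE_EXPORT))
    print("Successful legacy sign-ins by protocol:", report["by_protocol"])
    for user, protocols in sorted(report["by_user"].items()):
        print(f"  {user}: {protocols}")
    print("Totals:", report["totals"])
```

The per-user view is what you bring to the conversation with the customer: each account listed is one that a blocking Conditional Access policy would break, so it needs either a migration to a modern client or a deliberate exclusion before the block is enabled. Service accounts that show up under Authenticated SMTP are the usual surprise.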