Microsoft DART Incident Response (IR) Internships
Blog Series - Part 1- Zena’s Intern Experience
‘Every day, new generations of security experts join Microsoft. They bring fresh ideas that help us address the security challenges of tomorrow.’
The Microsoft Intern Experience occurs during the summer at Microsoft. Interns at Microsoft's Incident Response (IR) customer-facing business, the Detection and Response Team (DART), gain insight into what’s needed to be a cyber incident response investigator - and experience it first-hand with our team of IR threat hunters.
This blog is based on an interview with an intern about their internship experience and written from a first-person perspective.
Zena’s experience as an intern
Zena initially did not think she was interested in incident response (IR). Rather, business and finance held her interest. But she had a hidden passion for computer science, which she explored in school. She also enjoyed unraveling mysteries and cared deeply about people. With this combination of interests, she attended a DART “Tech Talk” at her university, where she learned about DART and the investigator internship. Finding that what she heard aligned with all her interests, she decided to apply to and later participate in the 12-week summer experience.
Intern Zena
It started with an attack. I’ve always enjoyed computer science. My interest in cyber security peaked because of an incident at a hospital where people I know worked. The attack lasted for a few days, causing doctors, nurses, and the rest of the staff to scramble to maintain the health of their patients. Fortunately, they did a fantastic job, but it was scary and impacted everybody.
There is a little hero in all of us. We hear about an attack on a company, institution, or service, but we rarely hear about the people who fought it or those who were impacted. The attack at the hospital could have ended very badly, but it didn't. Being able to help understand, shorten, or stop an attack felt like something I wanted to do.
Anxiety was high. I know a fair amount about computers, but I’m no PhD. When I joined the internship, it felt like I was leaving college sports and heading for the pros. Everything would be faster, bigger, and more intense because the stakes are higher. But unlike any sport, there is no game clock - and no losing. No matter how long it takes, you must win when responding to an incident. And you can’t drag your heels either because there is a ticking clock.
Reaching full potential. Microsoft is true to its new corporate vision of empowering people to reach their full potential. That started before the internship with the interview process, which involved several steps. Each one gave me more insight into the internship experience and boosted my confidence.
Being different is a good thing. A few things struck me about the experience that was different from others. From the start, the internship kept me engaged and thinking. It was also remarkably diverse. We touched on many aspects of cybersecurity, incident response, and forensics. We moved around the Microsoft campus, from meeting rooms to lecture halls to labs—and even worked remotely or used a common space to collaborate on projects. There was a great deal to learn. Most of it was technical, but there was also professional development, such as the best way to communicate effectively with customers.
Inspecting artifacts – I could do this all night. I spent many nights, after hours, looking for subtle indicators. What made it so interesting is that, by the time a threat or attack gets to DART, it has likely bypassed a gauntlet of other safeguards. That means it’s probably novel or very well disguised – it may have mutated or is obfuscated. In many cases, a threat actor is aided by someone who did not know they were helping a bad actor. I didn’t expect that investigating past and present threats would be so interesting and intense. You start to hone your instincts and learn how to use all the Microsoft tools like AI. My technical knowledge also soared as I continued to become more proficient at inspecting the data and tracking the actions of bad actors.
Teamwork is huge. If there is one thing that surprised me, it’s the teamwork behind forensics and threat hunting that makes it work. Bad actors work in teams, and their members have specialties like social engineering, navigating networks, obfuscation, data encryption, exfiltration, and so on. The same is true about threat hunting and forensics. For example, at first, I didn’t know where I fit in. But once we started, everybody found their niche - I liked inspecting artifacts. You need a diverse set of skills and tools to find and halt an attack quickly.
Lots of experts in the room. I’m an intern and just learning, but there were many mentors and experts at our fingertips if we hit a roadblock or wanted to understand something new. The people around us were very passionate and committed to making sure our customers were secure. Their passion was motivating and kept us focused.
Keeping it real. I wanted to see if threat hunting is for me. The experience mimics real-life very well. We shadowed real-time hunts and watched our experts through the entire process. There were also mock hunts to help hone our skills, and projects that had an actual impact on the team (outside of testing and sandboxes.) If DART needed something done to make them more efficient, and we had to do it. We did real work on projects that went into production. That was extremely rewarding.
And there were surprises. One time, we were given only two hours to compile our findings and present them to a customer. I did some theater, so I was fine in front of a crowd, but this was different. I was in front of a group of our cybersecurity experts asking me questions as if they were customers under pressure. I don’t usually get nervous - but I was nervous. These people knew their craft. I was surprised by how much I learned and how working with customers was truly a team effort. The whole team had my back and jumped in to help.
My big takeaway was that although Incident Response is a Microsoft service, real people are behind it, and they care about their customers. As for me, the intern experience provided a real-world view of what IR at Microsoft is all about, and I plan to explore it as a career.
Return to DART internship blog
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.