Microsoft DART Incident Response (IR) Internships
Blog Series - Part 4 – Patro’s Intern Experience
‘Becoming an DART intern is like reaching into a mysterious grab bag. You have no idea what you’re going to get—until you get it.’
The Microsoft Intern Experience occurs during the summer at Microsoft. Interns at Microsoft's Incident Response (IR) customer-facing business, the Detection and Response Team (DART), gain insight into what’s needed to be a cyber incident response investigator - and experience it first-hand with our team of IR threat hunters.
This blog is based on an interview with an intern about their internship experience and written from a first-person perspective.
Patro’s experience as an intern
Microsoft is a global organization and a good place for people who like to be on the move. Patro started his journey in Southern Europe, ended up on the east coast of the US, and studied math and philosophy at a large university. That combination of rigorous proofs and abstract thinking led him to pursue a degree where both have value, a Master of Science in Cybersecurity.
Intern Patro
What did I get myself into? It wasn’t until after the interview process that I understood what the program was all about. I stayed in touch with one of the interviewers, and we talked about the internship and some real-world cyber cases. Then, at the beginning of the program, we met experienced DART investigators and were bombarded with even more real-world cases. Before, named bad actors seemed like urban legends to me – not something I would ever encounter. As part of the program, I’ll confront them in real life.
Real people – Not robots. One big takeaway was that DART investigators are real people. I know that sounds a little strange, but we think of Microsoft as a company with technology, products, services, and lots of AI and ML. It’s easy to forget about the people. We were motivated by their passion for finding and ejecting bad actors. They take their jobs personally and never lose because they keep working until the incident is resolved. As they say, “A human-guided attack requires a human-guided response.”
Watch and learn. We had opportunities to shadow threat engagements – past and present. DART stepped us through their process if it's a routine post-incident engagement. But if it's an active threat, we had a front row seat to the action.
I was surprised that two or three DART investigators could secure a good-sized business very quickly. When it is an active threat, they spring into action with speed and precision. I was amazed by how quickly they can halt threats once engaged. I was intimidated by their knowledge compared to mine. But they reassured me that I'll be better than they are if I focus on learning all I could about threat hunting and infrastructure. Although there are many tools such as AI that help, experience matters most.
Adrenaline rush. The mock engagements for active threats were intense. There are too many moving parts for one person. The clock is ticking, and multiple activities need to occur simultaneously. Having a team really helps. You can also feel your adrenaline flow when dealing with an active threat inside your customer’s environment. Mock or not, you only have so much time before the threat mutates or moves, and halting it becomes more difficult.
It felt very real. During the mock engagements, we had to find, gather, and examine the artifacts. Microsoft’s AI really helped do that quickly. We needed to find the bad actors, contain them, remove them, and uncover all their activities, including making sure that no other security was compromised. Moreover, we communicated with the mock customer throughout the process and presented our findings to them during a formal meeting. It seemed that the only thing missing was a genuine bad actor.
Hunting the worst of the worst. One day, we were suddenly called in to shadow an engagement. TTPs pointed to a very professional and well-known threat actor. Our team has encountered them before. The group is well known for its social engineering expertise and had recently joined forces with an English-speaking group to help with ransomware - proper use of the English language would allow for better victim targeting and social engineering success. Gaining access to their targeted victim is something the group does very well, and once inside, they act quickly. They are nearly always hand-guided and will exfiltrate data for as long as possible. They’ll add extortion to data theft by encrypting what they can and requesting a ransom.
Traps and triggers. Most people don’t know or forget that Microsoft has extensive threat intelligence and sets traps to help uncover subtle early indicators. The bad actor was discovered by combining the power of Microsoft threat intelligence, traps and high-fidelity detections, and Microsoft AI/ML. As I expected, DART moved quickly and precisely and contained the threat. I was feeling the adrenaline from encountering a well-known cybercriminal group. But it was just another day in the ‘virtual’ office for the IR team.
Attackers hit walls. The interns were able to assist during post-incident threat hunting and forensics. That notorious bad actor made multiple attempts to execute its attack but hit walls. We could see where they tried and were stopped. I learned that if a customer follows simple best practices, which this one did, they have a much better chance of halting a serious bad actor even if they gain access to the network. We also learned that most network breaches start because an unwitting employee surrendered their credentials without knowing it. The first line of defense includes having security-savvy employees.
The internship program gave me an amazing amount of insight into Microsoft and dART. What stood out was the teamwork, the high degree of security built into the Microsoft security stack, and the knowledge, professionalism, and personal commitment of DART. I hope to return to Microsoft after I complete my master's program.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.