Microsoft IR Internship Blog Series, Part 2 – ‘Keeping it Real’ – Ataliya’s experience
Microsoft DART Incident Response (IR) Internships
Blog Series – Part 2- Ataliya’s Intern Experience
Keeping it real-world
‘College isn’t always about starting your career path; sometimes, it’s about exploring what’s possible and finding your passion.’
The Microsoft Intern Experience occurs during the summer at Microsoft. Interns at Microsoft’s Incident Response (IR) customer-facing business, the Detection and Response Team (DART), gain insight into what’s needed to be a cyber incident response investigator – and experience it first-hand with our team of IR threat hunters.
This blog is based on an interview with an intern about their internship experience and written from a first-person perspective.
Ataliya’s experience as an intern
Ataliya didn’t start her journey in Redmond, WA; she began thousands of miles away in Asia. She was awarded an opportunity to study business administration with a focus on IT at a major US university. Ataliya was already a little different, few people explore business and IT at the same time. But not just IT. Ataliya wanted to dive into where all the innovation was happening. As she discovered more about the DART investigator internship, she dove in.
Intern Ataliya
DART surprised me. People look at me and expect I’m a curtain way. I like to surprise them. Before joining the internship, I did my homework, expecting DART to be very corporate. I was surprised. All the people and ex-interns I spoke with were ‘un-corporate.’ Everyone was very human, extremely helpful, and passionate. You could tell they cared about their customers. I wanted to be part of that culture.
Three things struck me about the DART threat hunting and forensics internship experience.
-One was the structure and organization. Nearly everything we did had a purpose. We absorbed a great deal of knowledge quickly because learning and experiences were connected and built on top of each other.
-Two was diversity; we learned different things, worked in various environments, and touched nearly every aspect of the DART threat hunting and forensics process.
-Three was the real-life aspect of the internship. We shadowed real threat hunts and helped resolve mock attacks that were very realistic. We put together presentations about past cyber incidents and had to answer questions from DART investigators posing as frustrated customers. Even our projects would eventually be used in production.
It takes a village. What I like about cybersecurity is that good people are stopping bad actors. It is also constantly changing. Bad actors are innovative, business-minded, organized, and work in teams. The intern experience emphasizes teamwork from day one. It’s the first thing you learn: it takes a team to stop a team of bad actors. You can be in cybersecurity, IR, and digital forensics for your entire life but never learn it all; environments are different, everything constantly changes, and bad actors are continually innovating. It sounds cliche, but it takes a village to stop attacks.
Everyone has a place. You learn a great deal on your own, but you learn even more when you ask an expert. They not only know the answer but know why you’re asking it. Few answers are ‘Yes’ or ‘No’ – there is nearly always a ‘it depends.’ You also learn that you can’t be good at everything. For example, as a team member, my focus was strategies and tactics, which I could hypothesize by looking at the evidence. I enjoyed studying strategies in business school and find them even more fascinating when dissecting a threat or incident – during or after. By experiencing every aspect of a service, like IR, you discover which tasks you like the most.
It is real detective work. Some incident inspection exercises pointed to well-known TTPs (threats, tactics, and procedures), but others were novel. You need to explore many diverse details and artifacts while you build a visual timeline. What makes it more intense is that you are using tools you’re still learning. It is very satisfying when everything starts to come together, but you can’t become discouraged when some new evidence breaks everything and sends you in another direction.
There is time to innovate. DART fosters innovation. Some of my previous internships say they did but didn’t. College students can be very idealistic, that includes me. We think we can do things better, and sometimes we can. But as an intern or new employee, you’re not ready to innovate on day one. That takes time and experience. Having said that, our three projects were real-world projects that required creativity. For example, we built a new dashboard for hunters to use for Microsoft Defender XDR. We decided on the best design and then created the dashboard. The experts evaluated it and provided feedback, and after some iteration by us, it went into production. That was very gratifying.
Finding evidence of a failed attack. A real-life ransomware attempt taught us two important lessons. We were shadowing a threat hunt triggered by our customer. They suspected an attack in progress.
The first lesson demonstrated how much we learned. We assisted our experts in moving through the entire environment, looking for associated actions. We managed to uncover failed attempts to deploy the attack.
The second lesson was to help build a presentation that would put our customers at ease. This incident started with phishing and social engineering as most do. Knowing that would help the customer look at bolstering anti-phishing defenses and perform more employee training.
It’s more than bedside manners. When there is an incident, it is the customer’s worst day. Our first job is to help halt any threat and attack. The second is to communicate with the customer. We learn to be transparent and honest and always have a plan. We learn to put ourselves in the customer’s position. Customers not only need to know the status and our plan, but they also need to know that we will not stop until their worst day – becomes much better.
In the end, the field of incident response threat investigation is challenging. But it is also extremely rewarding because we help stop and investigate bad actors. Now that my internship is ending, I will miss the people I have met and plan to explore more aspects of cybersecurity.
Return to DART internship blog
Microsoft Tech Community – Latest Blogs –Read More