
Microsoft IR Internship Blog Series, Part 4– ‘Facing an Active Threat’ – Patro’s experience

by info.odysseyx@gmail.com


Microsoft DART Incident Response (IR) Internship

Blog Series – Part 4 – Patro’s Intern Experience

‘Being a DART intern is like reaching into a mysterious bag of goodies. You never know what you’re going to get. Until you get it.’

The Microsoft Internship Experience is a summer program at Microsoft. Interns on the Detection and Response Team (DART), Microsoft's customer-facing Incident Response (IR) business, gain insight into what it takes to be a cyber incident response investigator and get hands-on experience working with a team of IR threat hunters.

This blog is based on interviews with interns about their internship experiences and is written from a first-person perspective.

Patro’s Experience as an Intern

Microsoft is a global organization and a great place for people who like to move around. Patro started his journey in Southern Europe and then moved to the East Coast of the United States to study mathematics and philosophy at a large university. That combination of rigorous proof and abstract thinking led him on to a Master of Science in Cybersecurity; both degrees have proved valuable.

Intern Patro

What have I done? It wasn’t until after the interview process that I understood what the program was all about. I kept in touch with one of the interviewers and we talked about internships and real-world cyber cases. Then, at the beginning of the program, we met with experienced DART investigators and were bombarded with even more real-world cases. Previously, people who were identified as bad guys seemed like urban legends. I never had a chance to meet them. As part of this program, I would actually get to meet them.

Real people – not robots. The biggest lesson is that DART investigators are real people. It may sound a little strange, but we think of Microsoft as a company with technology, products, services, and a lot of AI and ML. It’s easy to forget about people. We’re motivated by their passion to find and take down bad actors. They take their work personally and never lose it because they keep working until the case is solved. As they say, “Human-driven attacks require human-driven responses.”

Watch and learn. We had the opportunity to track past and current threat engagements. DART guided us through the process if it was a routine post-event engagement. But if it was an active threat, we were able to take action on the front lines.

I was amazed at how quickly two or three DART investigators could secure a fairly large business. When a threat is active, they fly through the stages like robots on autopilot. I was amazed at how quickly they were able to stop a threat after they engaged it. I was intimidated by their knowledge and my own. But they assured me that if I focused on learning everything I could about threat hunting and infrastructure, I would be better than them. There are many tools that can help, like AI, but experience is the most important.

Adrenaline rush. Simulated engagements against active threats are intense. There are too many moving parts for one person. Time is ticking and multiple activities need to be done simultaneously. Having a team really helps. You can feel the adrenaline rush when dealing with active threats within a customer environment. Simulated or not, time is limited before the threat mutates or moves, making it harder to stop it.

It felt very real. During the mock engagement, we had to find, collect, and examine artifacts. Microsoft’s AI helped us do that really quickly. We had to uncover all the activities, including finding, isolating, and eliminating the bad actor, and making sure no other security was compromised. In addition, we communicated with the mock client throughout the process and presented our findings to them in formal meetings. The only thing missing seemed to be the real bad actor.

We hunt the worst of the worst. One day, we were suddenly called to monitor an engagement. The TTPs pointed to a very professional and well-known threat actor. Our team had encountered them before. This group is well known for their social engineering expertise and they have recently joined forces with English-speaking groups to counter ransomware. Using English appropriately allows them to better target their victims and succeed in social engineering. Approaching their target victims is something this group does very well and once infiltrated, they act quickly. They are almost always guided by hand and try to extort data for as long as possible. They add extortion to the data theft by encrypting what they can and demanding a ransom.

Traps and triggers. Most people don’t know or forget that Microsoft has extensive threat intelligence and sets traps to help spot subtle early indicators. The malicious actor was discovered by combining Microsoft threat intelligence, traps, high-fidelity detection, and the power of Microsoft AI/ML. As expected, DART moved quickly and accurately to contain the threat. I felt the adrenaline of running into a well-known cybercrime group. But it was just another day in the IR team’s “virtual” office.

The attackers slammed into the wall. The interns were able to assist in threat hunting and forensics after the incident. The notorious bad guy tried to execute the attack multiple times but hit a wall. I was able to see where they tried and how they were stopped. I learned that if a customer follows simple best practices like this customer did, they are much more likely to stop a serious bad guy from accessing their network. I also learned that most network breaches start with an unknowing employee giving up their credentials. The first line of defense includes security-savvy employees.

The internship program gave me an incredible insight into Microsoft and DART. What stood out to me was the teamwork, the high level of security built into the Microsoft security stack, and the knowledge, expertise, and personal commitment of DART. I would like to return to Microsoft after completing my master's degree.
