Microsoft IR Internship Blog Series, Part 2 – ‘Keeping it Real’ – Ataliya’s experience

by info.odysseyx@gmail.com


Microsoft DART Incident Response (IR) Internship

Blog Series – Part 2 – Ataliya’s Internship Experience

‘College isn’t always about starting a career path. Sometimes it’s about exploring possibilities and finding your passion.’

The Microsoft Internship Experience is a summer experience at Microsoft. Interns on the Detection and Response Team (DART), Microsoft’s Incident Response (IR) customer-facing business, gain insight into what it takes to be a cyber incident response investigator and gain hands-on experience working with a team of IR threat hunters.

This blog is based on interviews with interns about their internship experiences and is written from a first-person perspective.

Ataliya’s experience as an intern

Ataliya didn’t start her journey in Redmond, Washington. She started thousands of miles away in Asia. She had the opportunity to study business management with a focus on IT at a major American university. Ataliya was already a little different. Few people explore business and IT at the same time. But not just IT. Ataliya wanted to jump into where all the innovation was happening. When she learned more about the DART Investigator Internship, she jumped in.

Intern Ataliya

DART surprised me. People look at me and think I’m a certain kind of person. I like to surprise them. Before I came in for the internship, I did my homework expecting DART to be very corporate. I was surprised. Everyone I talked to and the former interns were ‘not corporate.’ Everyone was very personable, very helpful, and very passionate. You could tell they cared about their customers. I wanted to be a part of that culture.

Three things stood out to me from my DART Threat Hunting and Forensics Internship experience:

– One was structure and organization. Almost everything we did had a purpose. Learning and experience were interconnected and built on each other, so we absorbed a lot of knowledge quickly.

– The second is diversity. We have learned a lot, worked in a variety of environments, and been involved in almost every aspect of the DART threat hunting and forensics process.

– The third was the practical aspect of the internship. We were assigned to follow real threat hunters and help solve very realistic mock attacks. We had to put together a presentation about past cyber incidents and answer questions from DART investigators who were pretending to be frustrated customers. Even our projects would eventually be used in production.

It takes a village. What I love about cybersecurity is that it’s good people stopping bad actors. It’s also constantly changing. Bad actors are innovative, business minded, organized, and work in teams. The internship experience emphasizes teamwork from day one. It’s the first thing you learn. It takes a team to stop a team of bad actors. You can spend your whole life doing cybersecurity, IR, digital forensics, and you won’t learn everything. The environment is different, everything is constantly changing, and bad actors are constantly innovating. It may sound cliche, but it takes a village to stop an attack.

There is a place for everyone. You can learn a lot on your own, but you can learn even more by asking experts. They not only know the answers, but they also know why you are asking. There are almost never “yes” or “no” answers. It’s almost always “it depends.” You also learn that you can’t be good at everything. For example, as a team member, I focused on strategy and tactics, which allowed me to look at evidence and develop hypotheses. I enjoyed studying strategy in business school, and when I was analyzing threats or events, I was even more interested in it, both during and after. By experiencing all aspects of a service like IR, you discover what you love most.

This is real detective work. Some incident review exercises point to well-known TTPs (threats, tactics, procedures), but others are novel. You have to explore a variety of details and artifacts while creating a visual timeline. What makes it even more intense is that you are using tools that you are still learning. It is very satisfying when everything starts to come together, but you can’t be discouraged when new evidence breaks everything and sends it in a different direction.

There is time to innovate. DART fosters innovation. Some of the people I’ve worked with as interns before have said they did it, but they didn’t. College students can be very idealistic, and I am one of them. We think we can do better, and sometimes we can. But as interns or new hires, we’re not ready to innovate on day one. It takes time and experience. That said, our three projects were real-world projects that required creativity. For example, we created a new dashboard for hunters to use in Microsoft Defender XDR. We decided on the best design, and then we built the dashboard. Experts evaluated it and gave feedback, and after a few iterations, it went into production. It was very satisfying.

Find evidence of a failed attack. The real ransomware attempt taught us two important lessons: We were tracking a customer-triggered threat hunt. They suspected an ongoing attack.

The first lesson showed how much we had learned. We helped the experts explore the entire environment and find related behaviors. We uncovered failed attempts to deploy an attack.

The second lesson was to help create a presentation that would reassure the customer. This incident, like most, started with phishing and social engineering. Knowing this will help the customer strengthen their anti-phishing defenses and do more staff training.

It’s not just bedside manner. When an incident occurs, it is the worst day for the customer. Our first job is to stop all threats and attacks. Our second job is to communicate with the customer. We learn to be transparent, honest, and always have a plan. We learn to think from the customer’s perspective. The customer needs to know not only our status and plan, but also that we will not stop until the worst day is much better.

Ultimately, the field of incident response threat investigation is challenging, but it is also very rewarding because it helps stop and investigate bad actors. Now that my internship is coming to an end, I will miss the people I met and plan to explore more aspects of cybersecurity.
