Microsoft DART Incident Response (IR) Internships
Blog Series - Part 3 – Vadin's Intern Experience
Learn – Teach – Lead
‘College students are lifelong learners, which is a good thing since you can’t learn everything there is to know about cybersecurity in a lifetime.’
The Microsoft Intern Experience occurs during the summer at Microsoft. Interns at Microsoft's Incident Response (IR) customer-facing business, the Detection and Response Team (DART), gain insight into what’s needed to be a cyber incident response investigator - and experience it first-hand with our team of IR threat hunters.
This blog is based on an interview with an intern about their internship experience and written from a first-person perspective.
Vadin’s experience as an intern
Vadin is all in when it comes to tech. He hails from South Central US and has already completed his undergraduate studies in management information systems. He’s now knee-deep in pursuing his Master of Science in IT. He represents a new breed of IT professional; he loves engaging with people, knows good IT is never good enough, and can write code when dev chops are needed. His biggest challenge is finding a career that keeps changing and pushes his limits.
Intern Vadin
Incident Response - What’s that? I have a passion for IT, but having a career in configuring networks, managing mobile devices, or babysitting cloud apps didn’t appeal to me. I realized that I wanted a career in IT that fitted my personality. I didn’t know much about Incident Response, threat hunting or forensics other than it dealt with cyber security. While at school, I learned about a consulting internship at Microsoft. It was during the interview process that I learned about DART. To me, it sounded much more exciting than applying patches. So, I joined the program.
An artifact is not a clay pot from 2000 BCE. When people hear the term artifact, they immediately think of a museum. They don’t think about logs, files, settings, registry keys, patches, timestamps, etc. The moment I understood that the internship was about investigating cybercrimes – past and active – I knew I had found my niche.
Critical thinking. For me, critical thinking is the analysis of data to form a judgment. You must remain rational, skeptical, and unbiased. That is something I really enjoy doing. An aspect of the internship was learning how to look at all the artifacts and everything else to formulate the attack 'story.' But it's not fiction - you can’t make anything up nor make assumptions because you could be completely wrong. Real data that supports findings is treasure. Threat actors are also experts at creating false tracks or diversions while they act. A large portion of threat hunting is real detective work. You need to follow the data and other evidence. Sometimes, the evidence runs out, and you need to form a hypothesis to take you to where there might be more ‘fingerprints.’ And if there is an active threat, you need to do all that very quickly.
KQL is my magnifying glass. Forensics is not like Sherlock Holmes looking for clues in 1880. Most of the evidence is digital and hidden in massive layers of data. During the internship, I became particularly good at Kusto Query Language (KQL). I knew SQL from before, so it was an easy transition, but it was still a big learning curve and sometimes frustrating. The three personal traits I honed while conducting queries are rigor, persistence, and mental agility.
Teamwork. There were fifteen interns in our group. The only way to complete everything in the program was to help one another. Each one of us had things we did well. We were students, teachers, and leaders to each other. Without teamwork, finishing the program, including all the projects, would have been much more difficult.
Learn. An essential aspect of the internship program was learning how to think about data. Sometimes, you don't know what you are looking for, how to build the query, or even what data set is the best. I relied on my teachers and mentors to show me how to determine what data to use and extract what I needed. That included the best way to build the trail of evidence, create an incident timeline, and validate my conclusions.
Teach. I’m still in college and enjoy sharing what I know with others. I had a teaching moment while presenting our findings to a panel of DART investigators who were acting as frustrated customers. I found myself not only detailing the cyber incident but sharing knowledge about how we found the source, traced it, and closed the case. I felt that teaching our customers would help them improve their posture. I knew they would appreciate the added insights.
Lead. I feel like a leader because I know and feel that as a member of DART, I can help continually raise the bar of security excellence. I enjoy helping people arrive at an ‘a-ha moment.’ My knowledge of SQL gave me a head start on KQL. I was able to guide some of my fellow interns on the mechanics of queries.
Transparency. Knowing more about the investigation process gives customers additional confidence in the service. Being transparent was very refreshing for all. Besides, anyone in cybersecurity knows that remaining secure includes rigorous reviews of defenses and continuous improvement.
The freedom to innovate. The three projects we did were real-world and will be used in production. One project we did on our own. I built a tool to find non-ASCII characters or symbols camouflaged as true characters in file names and services. Those characters may fool a threat investigator's naked eye, and it is a common trick bad actors use to mask their actions. There may be other ways to spot those anomalies, but it was rewarding to give DART an easy-to-use tool that will save them time.
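The page does not publish the tool Vadin built, so the following is an added illustration (not DART's or Microsoft's code) of the same idea: flag file or service names that carry non-ASCII characters an analyst's eye would read as plain ASCII. The sample names are constructed; the three verdict labels are this example's own naming.

```python
import unicodedata

# Constructed sample names: one clean baseline and three camouflaged variants.
SAMPLE_NAMES = [
    "svchost.exe",                  # plain ASCII
    "svch\u043est.exe",             # Cyrillic small 'o' (U+043E) in place of Latin 'o'
    "\uff53\uff56\uff43host.exe",   # fullwidth 's', 'v', 'c' that fold to ASCII
    "cmd\u200b.exe",                # zero-width space hidden before the extension
]

def non_ascii_chars(name):
    """Return (index, char, codepoint, unicode name, category) for each non-ASCII char."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"), unicodedata.category(ch))
        for i, ch in enumerate(name)
        if ord(ch) > 0x7F
    ]

def visual_skeleton(name):
    """Approximate what a reader sees: NFKC-fold compatibility forms, drop format (Cf) chars."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(c for c in folded if unicodedata.category(c) != "Cf")

def classify(name):
    """Label a name by the kind of non-ASCII content it carries."""
    flagged = non_ascii_chars(name)
    if not flagged:
        return "clean"
    # Only format or space characters: nothing visible was added (zero-width, NBSP, ...).
    if all(cat in ("Cf", "Zs") for *_, cat in flagged):
        return "invisible"
    # Fullwidth letters, ligatures and similar forms fold back to ASCII under NFKC.
    if visual_skeleton(name).isascii():
        return "compat-lookalike"
    # Letters from another script (e.g. Cyrillic) inside an otherwise Latin name.
    return "mixed-script"

def scan(names):
    """Map each name to its verdict; only non-clean names need an analyst's attention."""
    return {name: classify(name) for name in names}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_NAMES).items():
        detail = ", ".join(f"{cp} {uname} at {i}" for i, _, cp, uname, _ in non_ascii_chars(name))
        print(f"{verdict:17} {name!r}  {detail}")
```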
I recommend this program to anyone who likes constant change and challenges. I have a passion for IT and solving crimes, which makes IR the perfect fit. After I finish my master’s program, I hope to return to Microsoft and help keep our customers across the globe more secure.