Introduction
In the summer of 2024, I decided to do an internship at Security Risk Advisors (SRA), a cybersecurity consulting firm that is primarily based out of Philadelphia, with offices in New York and Kilkenny, Ireland. I chose this company because, during my years completing my cybersecurity degree, my family would never shut up about SRA, which a family member has worked with since the beginning of the company. SRA has two different types of internships, the 3 month internship and the 6 month co-op, and the majority of SRA interns do the 6 month co-op. I chose to do the 3 month internship, just over the summer. This sadly means I will be leaving SRA with less experience than the rest of the interns, and I quickly regretted my decision to choose the three month internship.
What I wanted from SRA and the internship.
I wanted first-hand experience of exactly what a cybersecurity professional does. I wanted to see how my college time had prepared me for this internship. I was ready to forget everything I learned in college in order to learn from real-world specialists. I also wanted to learn and experience what an office job is like; I had never worked in one before, and all my examples came from pop culture. The biggest thing I wanted from this internship was something to get me more excited about cybersecurity. I always had an interest in computers and how they worked, and was always big into PC video games. That is why I went into cybersecurity, to get a better understanding of computers, IT and networking. After a while, though, it started to just feel like school work and I found myself coasting at times, and nearing the beginning of this internship I was scared: what if I don't like it? I wanted to gain real-life experience in cybersecurity from professionals. I wanted experience working in an office environment, which was very new to me coming from a small town where all my jobs were outdoor hard labor. I wanted to end up liking the job, the field, the profession and, most importantly, the work.
First Week and Background
SRA Background
Security Risk Advisors was founded in 2010 by 5 guys out of a house, two of whom still work at the company: CEO Tim Wainwright and COO Chris Salerno. The company started as a pen testing company and specialized in it for a few years, then eventually transitioned into red teams and consultant blue teams, which led to the creation of the SOC department. Around this same time they moved their office to downtown Philadelphia and opened a new office in Rochester, New York. SRA then became a strong leader in purple teaming and created VECTR, a data collection and visualization system that specializes in purple teaming, providing clear and instant data perfectly suited for a CISO in a hurry who needs the facts, numbers and potential solutions in order to gain funding and support for his company's cybersecurity needs. Most recently, roughly 2 years ago, they opened an office in Kilkenny, Ireland, because many overnight employees are based out of Ireland and the UK.
During the first week we, the interns, were given the rundown on how the company runs, what services they provide and how confidentiality and private information should be handled by us interns. This first week of training was held in Philly, and members from the Rochester office in New York came down for the first week of training.
Every day that week they took us to lunch, and on Monday and Tuesday they took us out for dinner. Every day followed the same pattern: in the morning all interns from all departments were together for a few general meetings and training, then we broke for lunch, had one or more general intern meetings, and later had meetings more specific to our departments. These meetings were just to get our toes wet. The first day began with a meeting with IT to get our laptops set up for the internship, followed by a meeting about SRA services, SRA employees and structure. The second day went over more serious topics such as confidentiality and insider trading. The following days were an introduction to office work, such as billing, filling out time-sheets, a Microsoft intro, client-facing communication, and business writing skills. If the afternoon was clear and had no meetings, we were assigned basic onboarding modules to complete, for billing and for compliance, and nearing the end of the week, department-specific self-paced work.
My initial impressions of the internship and SRA were overwhelming. A ton of information was being thrown at us, we were constantly meeting new people, and I was unsure if I was talking to a regular employee or a senior manager. The one thing that was not overwhelming was our schedule. It was laid out and given to us before we started, almost looking like a high schooler's class schedule. That meant I knew where I had to be and when I was needed there. The sheer number of people was overwhelming, but the people themselves were nice and very welcoming.
Management.
SRA likes to label itself a relatively flat company, without a lot of overhead supervision. It can be very hard to determine if someone is a "higher up". I believe technically there are only two bosses above mine, and one of them is the CEO. They expect us to ask anyone any question, because they know not everyone in the company knows everything about the company, and no one person knows everything cybersecurity related. One cool thing about SRA management is that they have a Nintendo Switch, an Xbox and a PS5 at work, and pretty much every day at lunch and in the last 20 minutes of the day a group of people, including interns, consultants and managers, is playing Super Smash Bros, most of the time with the CEO.
I had an interesting experience when it came to my direct manager. He went on paternity leave for almost two months once my internship started; this was a mishap on SRA's end. Another wonderful manager, for the other CyberSOC interns, helped me fill out my internship information and met with me weekly after about my 4th week at SRA. Alex was an amazing resource and answered any outstanding questions I had regarding SRA and the workflow there. She is the head of Threat Hunts at SRA, and when I was working on mine, any time I had questions regarding the threat hunt she was more than happy to help.
SRA values feedback over everything, whether giving or receiving, especially regarding interns and co-ops. All official feedback is given in a program called Lattice, so there is a written record. Before we received or even requested feedback from managers, we were required to give the managers or employees feedback on training, onboarding and anything in general.
The way SRA determines your supervisor, or in SRA terms your "squad lead", depends on what you are currently working on and who that client is. If it pertains to a specific client, there is a specific person I report to regarding my work for that client. If the question is mainly about my performance or my growth, I talk to my manager, Tyler D. If the question or work is about a particular EDR, I will generally be pointed to the engineer in charge of that EDR.
Major Work Duties.
As stated before, I am part of the CyberSOC department, which is the 24x7x365 service SRA offers to monitor cybersecurity threats within client environments. I cannot show examples due to the client confidentiality required by SRA, not only for the clients but for their employees too, as I come across a lot of personally identifying information during the course of my work. I cannot disclose who SRA's clients are. I can provide examples of tools and techniques used, but cannot show my work as an example. I did create a fake alert and example closing notes for that alert later in the paper.
SRA's CyberSOC is split into two different categories, eSOC and SCALR XDR. I work within the SCALR XDR team from Tuesday to Saturday. SCALR XDR is generally used for our smaller companies and institutions, which include financial, educational, technology, health care and retail organizations. For our SCALR clients we primarily use Microsoft Azure Sentinel as the backbone for logs and alerts as they come in. The majority of clients already have their own EDRs that we can feed directly into Sentinel, making it easier for us (SRA) to handle multiple clients. The EDRs that clients use and that we have direct access to are CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne. Not all clients have all EDRs, and some have more that we do not have access to, like other Microsoft Defender services such as Defender for Identity and Defender for Cloud Apps. However, the majority of our time is spent inside Microsoft Sentinel and Azure Data Explorer, using KQL queries to parse through logs and gather actionable information for the client.
When working a ticket we have to determine which of three categories it falls into: false positive, benign positive or true positive. False positives are the most rare, benign positives are the most common, and true positives are the scary ones. Most of the time we do not determine whether something is a TP ourselves; we escalate the activity, inform the client of a possible TP, and let them decide what they should do based on the evidence we provide and what they can gather by talking to the employees at their company. To accomplish this, we use a lot of OSINT tools in our investigations, such as Browserling, VirusTotal, AbuseIPDB, and many more. We generally go through logs using Azure's KQL query language and perform command line analysis to determine the intent behind these alerts.
I have created an example of a typical alert that is fairly common throughout the day. The example would be one of the detections that SRA developed directly in Sentinel. Nothing below is taken directly from my work, including any names or PII.
Title: SRA Network triggered due to Login from Unusual geolocation
Description: User, mike, was seen logging in from ip: x.x.x.x in an unusual geolocation
Entities: x.x.x.x, mike@bell.con
My investigation would start with the IP, performing OSINT on it; we generally use tools such as VirusTotal and AbuseIPDB to determine the threat reputation of the IP. AbuseIPDB gives us a lot of information regarding the ISP and location of IPs. The majority of the time this comes back clean, and the same is true for the example case. This would lead me to review our authentication and login logs and the user's previous login location behavior, to truly determine whether the alert is benign or needs to be escalated to the client. For this example, the user has previously logged in from the IP, not often, but at least a few times, and from similar locations. I would close this alert as benign.
Example of benign closure notes
Incident Number: 11111
Hello Team, closing as benign:
Overview
- Sentinel alert triggered due to a User logging in from an Unusual geolocation.
Analysis
- User, mike@bell.con, was seen logging in from an unusual geolocation, from IP: x.x.x.x
- In the past 24 hours, the user has made 6 interactive login attempts from alerting IP, with all 6 being successes.
- In the past 30 days, the user has logged on from the IP 10 times, and has additional logins from other IPs in the same geolocation.
- All successful logins were made with MFA.
- Closing as benign, due to previous login history from IP and geolocation, and all attempts being successful with MFA.
Alert Details:
- Date/Time: 01/01/2024, 8:00:00 AM
- User: mike@bell.con
- IP: x.x.x.x
- ISP: Generic Data LLC
- Location: Paris, France
OSINT
https://www.virustotal.com/gui/home
KQL Queries:
// Pull this user's sign-ins from the alerting IP
logonLogs
| where SrcDvcIP == "x.x.x.x"
| where User == "mike@bell.con"
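To show the triage workflow from the previous section and the closing notes above as working logic, here is an added example that is not part of the original report and not SRA's own tooling. It runs over a constructed sign-in log (placeholder addresses from the RFC 5737 documentation ranges stand in for "x.x.x.x"); the field names SrcDvcIP and User follow the KQL query above, while City, Country, Success, MFA and Interactive are assumed fields added for the example. It computes the same facts the closure notes cite (24-hour attempts, 30-day history from the IP and its geolocation, MFA coverage), applies the benign-versus-escalate decision described in the text, and renders the notes in the same shape.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed alert values (placeholders, not real client data).
ALERT_TIME = datetime(2024, 1, 1, 8, 0, 0)
ALERT_USER = "mike@bell.con"
ALERT_IP = "203.0.113.10"        # RFC 5737 documentation address standing in for "x.x.x.x"
ALERT_CITY, ALERT_COUNTRY = "Paris", "France"


def signin(hours_before: float, ip: str, city: str, country: str,
           success: bool = True, mfa: bool = True, interactive: bool = True,
           user: str = ALERT_USER) -> Dict:
    """Build one constructed sign-in record, timed relative to the alert."""
    return {"TimeGenerated": ALERT_TIME - timedelta(hours=hours_before), "User": user,
            "SrcDvcIP": ip, "City": city, "Country": country,
            "Success": success, "MFA": mfa, "Interactive": interactive}


# Constructed sign-in log mirroring the report's numbers: 6 interactive logins from the
# alerting IP in the last 24 hours, 4 more inside the 30-day window, 2 from another Paris
# IP, a Philadelphia baseline, and one login older than 30 days that the lookback ignores.
SAMPLE_LOGS: List[Dict] = (
    [signin(h, "198.51.100.7", "Philadelphia", "United States") for h in (40, 90, 200, 400, 600)]
    + [signin(h, ALERT_IP, ALERT_CITY, ALERT_COUNTRY) for h in (0, 2, 5, 9, 14, 20)]
    + [signin(h, ALERT_IP, ALERT_CITY, ALERT_COUNTRY) for h in (100, 250, 480, 700)]
    + [signin(h, "203.0.113.55", ALERT_CITY, ALERT_COUNTRY) for h in (120, 300)]
    + [signin(800, ALERT_IP, ALERT_CITY, ALERT_COUNTRY)]
)


def summarize(logs: List[Dict], user: str, ip: str, city: str, country: str,
              alert_time: datetime) -> Dict:
    """Compute the facts the closing notes cite: 24-hour attempts and successes from the
    alerting IP, 30-day history from that IP and its geolocation, and MFA coverage."""
    day_ago = alert_time - timedelta(hours=24)
    month_ago = alert_time - timedelta(days=30)
    window = [r for r in logs
              if r["User"] == user and month_ago <= r["TimeGenerated"] <= alert_time]
    from_ip = [r for r in window if r["SrcDvcIP"] == ip]
    last_24h = [r for r in from_ip if r["Interactive"] and r["TimeGenerated"] >= day_ago]
    same_geo_other_ips = {r["SrcDvcIP"] for r in window
                          if r["SrcDvcIP"] != ip and (r["City"], r["Country"]) == (city, country)}
    ip_successes = [r for r in from_ip if r["Success"]]
    return {
        "attempts_24h": len(last_24h),
        "successes_24h": sum(1 for r in last_24h if r["Success"]),
        "logins_30d_from_ip": len(ip_successes),
        "prior_logins_from_ip": sum(1 for r in ip_successes if r["TimeGenerated"] < day_ago),
        "other_ips_same_geo_30d": len(same_geo_other_ips),
        "successes_without_mfa": sum(1 for r in ip_successes if not r["MFA"]),
    }


def triage(s: Dict) -> Tuple[str, str]:
    """Closure logic from the report: benign when the user has history from the IP or its
    geolocation before the alert window and every success used MFA; otherwise escalate."""
    prior_history = s["prior_logins_from_ip"] > 0 or s["other_ips_same_geo_30d"] > 0
    all_mfa = s["successes_without_mfa"] == 0
    if prior_history and all_mfa:
        return "benign", "previous login history from IP and geolocation, all successes with MFA"
    reasons = []
    if not prior_history:
        reasons.append("no sign-in history from this IP or geolocation before the alert")
    if not all_mfa:
        reasons.append(f"{s['successes_without_mfa']} successful sign-in(s) without MFA")
    return "escalate", "; ".join(reasons)


def closing_notes(incident: int, s: Dict, user: str, ip: str) -> str:
    """Render the notes in the same shape as the report's example closure."""
    verdict, reason = triage(s)
    action = "closing as benign" if verdict == "benign" else "escalating to the client"
    return "\n".join([
        f"Incident Number: {incident}",
        f"Hello Team, {action}:",
        "Overview",
        "- Sentinel alert triggered due to a User logging in from an Unusual geolocation.",
        "Analysis",
        f"- User, {user}, was seen logging in from an unusual geolocation, from IP: {ip}",
        f"- In the past 24 hours, the user has made {s['attempts_24h']} interactive login "
        f"attempts from alerting IP, with {s['successes_24h']} being successes.",
        f"- In the past 30 days, the user has logged on from IP {s['logins_30d_from_ip']} times, "
        f"and from {s['other_ips_same_geo_30d']} other IP(s) in the same geolocation.",
        f"- Successful logins from IP without MFA: {s['successes_without_mfa']}.",
        f"- Verdict: {verdict} ({reason}).",
    ])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS, ALERT_USER, ALERT_IP, ALERT_CITY, ALERT_COUNTRY, ALERT_TIME)
    print(closing_notes(11111, summary, ALERT_USER, ALERT_IP))
```

The decision deliberately separates "history from the IP before the last 24 hours" from the 24-hour burst that fired the alert, because a run of fresh successes from a never-seen address is exactly the case that should be escalated rather than counted as history; the same function applied to a first-time IP with a non-MFA success returns "escalate" with both reasons.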
Skills and Knowledge
The most useful skill that helped me throughout the internship is knowing how to do proper research, and the most useful technical skill is understanding and reading command lines. That is where the majority of the information needed to determine whether an action is malicious or not comes from.
The best skill to have when working in a SOC is problem solving. I believe that being good at problem solving is not good enough; you must be efficient at it. This requires not only being able to do good research and critical thinking, but also being able to retain information so you can recall it at a later date, which improves your efficiency. If I wrote a good query but do not save it now in a searchable template, I will potentially have to recreate that query at a later date.
How did ODU help?
The number of acronyms and abbreviations for things in cybersecurity and technology is ridiculous, and I am so glad I had a much earlier introduction to the majority of them, because the problem only got worse when I got to SRA. The number that are used on an hourly basis sometimes makes it feel like I am trying to read a different language.
The biggest help that ODU provided was the classes that required a lot of time with command lines, getting familiar with creating and reading them. Throughout most of my classes we mainly did things in Linux, Kali Linux to be specific, and the majority of my work involves reading Windows command lines, which are slightly different in some ways. This was more a result of my class choices than an ODU problem.
I did my degree entirely online, so a lot of the time I felt as though I was on my own, even though I did email questions and concerns to professors. This allowed me to get better at troubleshooting and problem solving, to come to my own conclusions, and to have "aha" moments when researching or problem solving.
Outcomes: Did it happen?
I believe that I got everything I wanted out of this internship. The insight into the real-time work done by cybersecurity professionals was extensive and very informative. ODU provided much insight and basic background knowledge of cybersecurity and networking. The material I remember from class was up to date, other than the occasional Windows 7 server VM. The tools I used and saw at ODU were not entirely helpful, due to the fact that the majority of them were Linux based; however, some alerts included Linux machines and command lines, which I was able to understand and close out. The biggest thing I take away from this internship is the excitement I now have about finishing college. Finishing college has been a scary thought for a long time, but my experience from this internship has greatly improved my feelings about, and interest in, cybersecurity and this career.
Most Motivating aspects.
The people at SRA are awesome. They have been so welcoming and helpful with the training, and so accommodating when it comes to working at your own pace and the freedom they give you. The amount of freedom given is matched by the overwhelming support and help from management and anyone on the team. Once I started my weekly meetings is when my confidence and motivation really shot up. I was very nervous about these meetings, but once I had my first one with Alex, I really gained my confidence and stride in my work. It felt good to get feedback and experience, and it really calmed my nerves when it came to the job. I get very nervous and anxious right before being "judged", "reviewed" or "graded" on things. However, these meetings were not like that at all: we spent the first 20 minutes of our 30 minute meeting just getting to know each other, where I come from, what her primary roles and responsibilities are at SRA, and barely talked about my performance or my work, other than when I had specific questions and wanted her thoughts on my work. After the first meeting it felt as though a big weight of expectations lifted, and it finally clicked that I was mainly there to learn, not to work. I will potentially be shadowing a Purple Team nearing the end of my internship, after this paper is submitted. I have a feeling that it will be the most interesting part of my internship.
Most Discouraging aspects.
Early on I was slightly discouraged because other interns had better resumes than I did; they had been to multiple cybersecurity related competitions, and my extracurricular activities are pretty lacking. I was the person with the least actual experience in my group of interns. They seemed to have a more natural and general understanding of cybersecurity.
Another thing that I would not call discouraging, but that is almost as bad, is coasting. During the first few weeks, at least in the CSOC at SRA, we had a ton of freedom but also responsibility, and we had to be self-disciplined about it. We were required to schedule all our training, our meetings with managers, and our own progress. SRA values individuality when it comes to your work and your progress; I never had an experience where it felt like someone was watching over my shoulder, or felt the need to always double check my work. I sometimes felt the exact opposite, feeling like someone should be double checking my work. For the two threat hunts I worked on, I wrote PowerPoint slides that were seen by the client's CISO and upper management, and the content was barely modified or adjusted by upper management, which was nice to see, as it meant my input was valid and insightful.
Challenging aspects.
For me, a big challenge was the internship overall. I have been struggling with anxiety and confidence issues for the past few years, and leading up to the internship I was terrified of potentially failing or feeling like I did not belong there. Since most of my schooling has been online, I have not really met many people from other schools, or even from ODU's cybersecurity program. So I have not really been able to judge my knowledge and skills, even on a baseline.
For the first week I struggled with physical symptoms of anxiety; I threw up pretty much every morning before work. I struggle with anxiety when it comes to social events and gatherings, and that extends to work as well, so I tend to keep to myself and do my work. That seems to put some people off, and they try to be nice and include me, but generally I like to be left to my own devices. I have been doing online classes for over 4 years now, was homeschooled for five years during elementary and middle school, and when I returned to high school I made four friends, and I do not think I have made a real friend since. My main anxiety with the job was being in the office; I felt as though I had to keep up appearances or someone would think I was slacking, or potentially misjudge my knowledge and either underestimate or overestimate my abilities. At first working from home was weird I
Prep and info for future SOC or SRA interns?
I would recommend getting a good understanding of command line analysis. Being able to read a command line, research relevant information, and distinctly describe what the command line does is really helpful in determining whether a program is malicious or benign. The next technical tip I can give is to take some time to familiarize yourself with as many cybersecurity acronyms as you can. The number of times acronyms are used in cybersecurity and in office work is surprising, whether in Teams, emails, or in person. Thankfully, the majority of the time I saw mine in Teams and emails, so I could google it or just ask the person what the acronym meant.
Another big thing that I wish I had done was getting familiar with Office 365. Throughout my entire schooling I used only Google Drive; if you have access to Office 365, at least get somewhat familiar with it. These products are much more prevalent in the office environment and offer way more features. I believe there is some type of free service, or that ODU provides Microsoft 365 products to students. I may be alone in this, but before this job I used exclusively Google Drive and its products for creating documents, slides, spreadsheets, etc.; however, SRA, and I am pretty sure 90% of offices and companies, use Microsoft products.
More specifically for SRA (I cannot speak for other companies), since the management is so flat and almost fluid, expect to meet a lot of people, depending on the situation. In the first week, due to onboarding and orientation, we obviously met mainly upper management. However, in the CSOC at SRA there are over 80 experienced employees working the queues, and at some point you will probably end up meeting all of them, whether from a call, working an incident together, running into the same problem on a threat hunt, etc. There are so many experts and specialists at SRA that you are constantly being pointed in new directions to new people when very specific questions arise. A big benefit is learning names and specific things about the people you just met, and learning about their families, to develop a healthy relationship with your coworkers and managers.
Conclusion
SRA is a wonderful place to work. It is very high octane and employee centric; they are constantly offering amenities and incentives to be in the office, without actually requiring or forcing people to be there. They are respectful and value your input. I was not expecting to be working this much over this internship; I was expecting more watching and learning, with occasional hands-on work under heavy supervision. I feel as though I gained real experience working in the field, even if it was a little narrow in scope compared to what I could do as even the lowest rung on the ladder as a full time employee at SRA.
This internship has got me excited to return to ODU and finish out my last semester strong and on a good note. This experience has given me a glimpse into the life of a cybersecurity professional, and I believe it will help me focus and truly dive into these last classes, to stay fresh for my upcoming job. I wish I had chosen the 6 month co-op instead, but if I had, I would have finished college later and started my job even later, so maybe my choice was a blessing in disguise.
The biggest influence this internship had was offering me a job. I really enjoyed the work and the people at SRA; they are so welcoming and inclusive of anyone's needs, no matter how particular, including mine, which I did not feel comfortable going into in this paper. Nearing the end of my internship I was surprised to be sad it was almost over: the thing I was so anxious and nervous about, I was now sad to leave. This got even worse when I recently got a message about a call regarding my offboarding process, but that call was not only to begin my offboarding, but also to inform me of my full time offer at SRA. That lifted a huge weight off my chest as well, and allowed me to finish my internship strong.