Cybersecurity Internship
This course allows students to volunteer to work in an agency related to cybersecurity. Students must volunteer for 50 hours per course credit and complete course assignments.
The company I completed my internship with was Millennium Corporation, a contractor that mainly works with the Department of Defense’s (DoD) Threat Systems Management Office (TSMO). The program focused on penetration testing and red teaming, preparing for the Security+ and Pentest+ certifications, and learning what it means to be a DoD employee. I developed skills in offensive methodologies, reconnaissance, and vulnerability exploitation. Through hands-on exercises I applied these concepts to real-world scenarios and presented findings to both executive and technical audiences.
Reflection #1
Reflecting on the first 50 hours of my internship experience, I can say that it has been a great experience so far. Given that this was the first week, a lot of time was spent on orientations, basic introductions, and learning more about what we will be doing and what to expect in the future. The first day we met the program managers, who managed to excite us anxious interns about a government internship and learned more about each other and the company. Day two was more of the same, except we met upper management and the owners of the company. They shared their excitement with us and taught us what it means to be with Millennium Corporation. The main point of the day, however, was learning how to deal with expense and payment software such as CostPoint and ADP.
The third day was a bit of a break. This day was dedicated to exploring campus (UCF) and getting comfortable with the area. Although not much was during working hours, this day was significant for bonding with fellow interns.
On the fourth day, we went into some technical training with TryHackMe, focusing on the basics of Linux through hands-on labs. Day five was similar with interns using TryHackMe to learn Metasploit, Nmap, and Network Services. The students hired through the DoD CSA program (15 students) also met with leadership at Naval Information Warfare Center (NIWC) and learned more about what our scholarship, internship, and future internship entail. On day 6 we started the weeklong Security+ bootcamp. Although the information is valuable, after the first class I can already tell this is going to be a long week. 8 hours of lecture in one day can be mind-numbingly boring (a complete contrast with the first week).
Reflection #2
Looking at my 2nd 50 hours of internship experience, this has mostly been class rather than doing “work.” This 50 hours of internship includes parts of week 2 and week 3, which are scheduled for a Security+ and PenTest+ bootcamp respectively. Both were taught by different instructors with the PenTest+ instructor being more interesting in my opinion, although he is also just mostly teaching off of a slideshow. I look forward to next week when we will be doing more hands-on experience with TryHackMe and will be exploiting a Windows device and learning more red teaming skills and techniques.
During these 50 hours I finished the Security+ bootcamp and am currently waiting for my exam voucher. This bootcamp was directly from CompTIA and was split into 16 lessons, each with a practice quiz and a final cumulative practice exam. Security+ is possibly one of the most important certifications to get your foot in the door for cyber, but it ended up being a lot more surface level than I thought it would be. A lot of the material I had actually learned previously in my coursework at ODU. It covers basic information about fundamental security concepts, to vulnerability management, to data protection and compliance.
Although I would like to say there was more to these 50 hours, this really was nothing more than classroom instruction where we sit in a classroom for 7-8 hours a day for 5 days a week. While the content is important, no doubt, being lectured for 8 hours is just not how I learn effectively.
Reflection #3
My final 50 hours of internship experience were a lot more interactive and interesting than the previous 100 hours. This last 50 hours includes the end of week 3 through the beginning of week 5. The end of week 3 saw the end of the PenTest+ bootcamp where it was just the final 3-4 lessons of lecture. We were let out early and we should be receiving our vouchers for the exam by the end of the internship.
Week 4 of the internship saw the interns again split into two groups: software and cyber. As part of the cyber group, we worked on specific assignments through the software “TryHackMe.” TryHackMe is an online platform designed to teach cybersecurity through hands-on practice and “gamified” learning. It offers interactive learning paths, labs, and challenges that cover various cybersecurity topics such as network security, penetration testing, and digital forensics. As far as platforms like this are concerned, TryHackMe is more catered towards beginners, although there are still some pretty advanced rooms. Although I’m not sure if I can talk about what exactly we did, I can say that it was all related to cybersecurity, red teaming, and penetration testing. This 50 hours also bleeds into the beginning of week 5 which was more of the same. However, on day 1 of week 5 a team was brought down to us to give a presentation and instruct labs based on Closed access. Again, I’m pretty sure I’m not allowed to say much, but it was an interesting day where we learned about the many techniques and tools used by the close access team (they break into buildings essentially).
Final paper
Old Dominion University – School of Cybersecurity
CYSE 368 – Cybersecurity Internship
Employer: The Department of Defense
Company: Millennium Corporation
Table of Contents
- Introduction
- Millennium Corporation and Initial Orientation
- Management Environment
- Work Duties
- Skills Used
- Connection to ODU Curriculum
- Internship Objectives
- Motivation and Excitement
- Discouraging Aspects
- Challenging Aspects
- Recommendations
- Conclusion
- Appendix
- Introduction
As a junior and rising senior pursuing a Bachelor of Science in Cyber Operations, I was actively on the lookout for internship opportunities to gain experience in the field and fill my time in the summer. Although I sent out many applications, I never heard back from any companies. While this was a little discouraging, especially since I’m constantly being told how there’s a huge shortage of cybersecurity professionals, I still held out hope of hearing back from the DoD CYSP (now DoD CSA) scholarship program that I had applied for back in February. I had applied the previous year but wasn’t accepted, likely due to a couple of reasons, one of which was beyond my control (and I’m still a little annoyed about it). In mid/late May, I received the exciting news that I had been accepted into the DoD CSA program, with a commitment from NIWC LANT (Naval Information Warfare Center – Atlantic) to hire me the following year in their cyber test and evaluation division. I was even placed in a convenient location that wouldn’t require me to relocate, unlike many CSA students. However, since I would not be officially awarded the scholarship until the fall semester, I still needed an internship, although truthfully, it was less of a priority given the huge opportunity and award the DoD CSA program represented. To my surprise, a few days later, I received an email from Millennium Corporation, a DoD contractor, offering me a summer internship opportunity. Although the email initially appeared a little suspicious, resembling a phishing attempt, it was a legitimate offer resulting from NIWC’s now second-year partnership with Millennium Corporation through the DoD CSA program. It seemed too good to be true! I was offered, non-competitively (although I guess the scholarship program was competitive), a spot in this internship program where I would learn the basics of red teaming, earn important cybersecurity certificates, and gain a security clearance. As per the email:
“The Pathfinder program is designed to provide you with multiple cyber training opportunities, including participating in cyber and software testing training ranges and events, cyber research, and experiential activities. These activities will be hands-on exercises and tours of DoD facilities during summer breaks. Additionally, during the internship, you will be adjudicated for a government security clearance. Each of these activities is compensated. This makes the Pathfinder internship a terrific opportunity for you to hone your advanced cyber operational and software testing skills, all while getting paid.”
I later learned that out of about 80 individuals accepted into the DoD CSA program, about 30 were selected by NIWC for the scholarship, and out of those 30, 15 were selected to participate in this six-week “pathfinder” internship in Orlando. Needless to say, I was thrilled to be among those chosen for this unique opportunity, albeit a little nervous. The next couple of weeks after I applied for this internship were spent entirely getting prepared for it, with me even ending my baseball season early (I’m an umpire). After attending an orientation, I was notified that I would be receiving a Top-Secret clearance. Receiving this clearance required me to complete the necessary paperwork (SF86) and get my fingerprints taken. I also learned that, on top of this being a paid internship, I would be getting paid per diem, i.e., the government is paying for my food, and they would be paying for room and board. They also offered compensation for travel, either paying for a plane ticket or paying for mileage at the standard rate of 66.7 cents per mile. I chose to drive as, even though it was relatively inconvenient, getting paid 66.7 cents per mile (770-mile trip for me) and having a car down in Orlando, the least walkable city in the nation, seemed like a no-brainer. Going into this internship, I had three goals: gain my certifications in Security+ and PenTest+, learn the basics of red teaming and what is required of me in a government position, and network with my peers and others. The goal given to us interns by the project manager, however, was, in my opinion, the most important: have fun. At the end of this internship, I can say with confidence that I have completed all objectives with flying colors, although I haven’t achieved my certifications (they haven’t given us the vouchers yet).
- Millennium Corporation and Initial Orientation
So, who/what is Millennium Corporation? Millennium Corporation at its core is a cybersecurity contractor that works with the Department of Defense and other companies. Millennium was started by two brothers in arms, both of whom I’ve met in person at the final culminating event for the internship. The two co-founders, Kevin Jennings and Cedric Henry, recounted the story of them starting the company shortly after getting out of the military to all the interns. It was hard work with long, long hours, but it paid off, and now Millennium Corporation is a successful DoD contractor with high job satisfaction. Meeting the two co-founders was actually part of the orientation, which lasted about three days. Orientation was something I think all of us interns needed. Although most of us came in anxious as this seemed like a big job (top-secret clearances with the DoD), the first day of orientation put all our worries to rest. Management made intern comfort and satisfaction their top priority, and as a result, all the interns finished the first day off excited to continue this internship. Initial impressions of the company and the internship were high. The next two days of orientation involved going over government software that we would need to get used to and learning more about the company. We learned how to submit our expense reports and time sheets and learned about further accommodations such as parking. One day was filled with a tour around campus as this internship used facilities from the University of Central Florida (UCF). The final day of orientation involved us meeting upper management, most notably the co-founders of Millennium Corporation. As stated earlier, they told us their life story and congratulated us on being selected for this internship. After that, those of us with NIWC and the CSA program held a meeting with the NIWC hiring manager in charge of the CSA program, where we learned more about our future employment.
He answered some questions but mentioned that most of our questions would be answered at a later date (the CSA bootcamp in July). It should be noted that there were 45 interns, with 15 being from NIWC and the CSA program. Other interns were hired by other means, whether that be a job application, sponsorship by their school, or sponsorship from another scholarship program such as SFS (Scholarship for Service).
- Management Environment
Moving to the management environment, I can confidently say that they are some of the best managers I’ve had the pleasure of talking to and working under. Although I haven’t held many jobs, I have had my fair share of experience talking to management. These guys prioritized us interns and made sure we were comfortable and accommodated. They were nice people and, unlike a lot of managers, grounded in reality; grounded in reality meaning they were understanding and empathetic. Not only were they great at keeping the interns motivated, but they also had great technical knowledge and were able to help us later in the internship when we were doing hands-on labs and work. As for management structure, I wouldn’t say that it was very structured, with the project manager helping a lot even though that wasn’t necessarily his job. There was structure in the sense that we had a chain of command to go through if there were any issues. This chain starts with the resident assistants, then our pathfinder mentor, then our technical mentors, and finally the project manager.
- Work Duties
Beginning at the end of week 1, we started doing what would be considered “work.” This was more of a learning internship than anything else, as this internship was structured around the interns learning rather than completing any meaningful work for the hiring organization. At the end of the first week, we started using an online program called “TryHackMe” to learn the basics of Linux. TryHackMe is a free online platform for learning cybersecurity, but in a more gamified manner. As far as online hacking platforms go, TryHackMe is relatively entry-level and walks you through many of the boxes/rooms that you go through. This is in contrast to Hack The Box, which I have heard is much more difficult. Looking back at week 1, the final two days were purely doing TryHackMe rooms Linux Fundamentals 1 and 2 (and 3 if you managed to get ahead) and Nmap. These were basic rooms, and my schoolwork prepared me well for this. Week 2 had us doing a Security+ bootcamp. This and the PenTest+ bootcamp were relatively uneventful. Although we all understood the importance of these certifications, everyone had trouble staying awake. To put it bluntly, it was boring. Week 3 was more of the same; however, instead of doing the Security+ bootcamp, we did PenTest+. This instructor was a little more engaging, but it was still a little mind-numbing. A lot of the stuff from Security+ is carried over to PenTest. Week 4 had us back doing rooms in TryHackMe. The focus of week 4 was primarily on exploitation with lessons like “Windows & Basic Exploitation” and “Basic Exploitation & Breaking Windows Services.” This is the description of the “Windows & Basic Exploitation” lesson:
“Deploy & exploit a Windows system leveraging a common misconfiguration. Work through the pentesting framework executing reconnaissance, gaining access, escalating privileges, and cracking hashes. Learn the basics of AD and how it is used in the real world today. Foundational knowledge of the topic are: Physical Active Directory, Forest, Users & Groups, Trusts & Policies, AD Domain Services & Authentication. Learn about active reconnaissance, web application attacks, and privilege escalation. Tools and techniques used are NMAP, Gobuster, Burpsuite, and SUID privilege escalation on a Linux system.”
Within these lessons, there were multiple rooms to complete that would teach us the necessary skills to complete the culminating event at the end of the internship. Although I’m not sure how much detail I can go into regarding the techniques and procedures we used, I can say that we learned a lot and that although it could be frustrating at times, we enjoyed the process. As stated earlier, our job as interns was simply to learn as much as possible and to have fun. TryHackMe was the entirety of weeks 4, 5, and part of 6. These lessons all led up to the culminating event in week 6, where we would present to not only our mentors and managers but to top executives such as the CEOs of Millennium Corporation and other DoD companies such as Naval Information Warfare Center. Although this was less important to those from the CSA program with NIWC as we were already guaranteed a job, it was still incredibly nerve-racking. I couldn’t imagine how the other interns felt who had a potential job offer on the line. Overall, I’d say the presentations went great! They were given in the form of debriefs of a penetration test, as that was what we were doing in TryHackMe. The final culminating event was performing a penetration test on two systems, one Linux and one Windows, and presenting a debrief to a board of executives to simulate an actual red team engagement. We were split into four different groups, and although we all had the same systems to pentest on, each group still had their own unique take on the situation, and everyone learned a lot. Focusing on my group, I like to think we did the best, especially since we were considered the underdogs of the competition. In fact, I was the only student in the internship that managed to hack the Windows box without much further assistance from our technical managers (although we didn’t use my method in the final presentation). 
We presented well within the parameters (unlike some other groups), and it felt good when I managed to get the entire room of 100 people to laugh at the end of the presentation. The debrief was the final event of the internship. Afterwards, we were given certificates of completion and were dismissed from the building. All that followed was to get ready for travel day the next day. It was bittersweet. Although everyone was excited to go home and see their family, we were all sad knowing that, after growing with each other for nearly two months, we may never see some of each other ever again.
- Skills Used
Looking at the skills used in the internship, although I can’t discuss all of them (such as the closed access skills), a decent amount I already had experience with due to school. Linux, Metasploit, Nmap, and hacking into a Windows system; these were all skills that I had learned previously as part of my coursework. Although the exercises we did during the internship were a bit more complex, I didn’t go into this internship blind. Most of the skills learned during the internship built off what I had learned in school, but you could have gone into this internship without any prior knowledge (and some interns did come in without prior knowledge). It was a good mix of basic topics amplified with more advanced topics. Of course, there were other skills used outside of just cyber skills. Soft skills were the next important set of skills that were used in this internship. Although not technically needed, they were necessary for smooth interaction with other interns, especially during the culminating event. As stated earlier, there were four groups; however, these groups were not made equally. Looking at just two groups, group 1 had a couple of the most technical people and some of the most extroverted people. My group had a good balance, although no one was extraordinary at everything. In fact, we were likely behind the curve in most aspects, which is why I stated we were underdogs (our team’s name was SB for struggle bus). In the end, though, our presentation was better received by both the interns and upper management. Why? Well, group 1 lacked coordination and the necessary soft skills to communicate properly. They had completed the exercise faster than any other team, but the technical leads on the team didn’t have any way to communicate what they did or how they did it. The more extroverted members of the team also clashed with each other over how to give the presentation, and it ended up sloppy. 
Even during the presentation, one member ended up taking over most of the presentation (even though he did little to no work), much to the annoyance of the other members.
- Connection to ODU Curriculum
This internship had a strong connection to the ODU curriculum for Cyber Operations. As stated earlier, because of the skills I learned as part of my degree program, I didn’t go into the internship blind like many other interns. What I learned at ODU allowed me to be an effective and reliable intern. Furthermore, having some background knowledge allowed me to further develop new skills quicker and more effectively. The entire internship was based on red teaming, and as such, all of my CYSE classes were relatable in some way, shape, or form. The classes that helped me the most during the internship were both CS 466 and CYSE 301, both of which gave me an introduction to a decent amount of the skills that we would use in the internship.
- Internship Objectives
This internship had three (four) objectives for me. The first objective was to gain my Security+ and PenTest+ certs, as these are considered important for starting out in cybersecurity. Although I had gone through both bootcamps, I was not able to get either of the certificates. CompTIA is being obstinate and is dragging their feet in getting the interns our vouchers to take the exam. I could take it on my own dime, but free is better than spending the 400+ dollars on each exam. I will say that the bootcamps were effective in preparing me for both exams, as I feel ready; I just haven’t had the opportunity to take them yet. My second objective was to learn the basics of red teaming and to learn what was required of me as a government employee. Given that the internship was entirely based on red teaming and penetration testing, I would say that this goal was completely fulfilled. I learned the many complexities of what it means to be a red teamer and learned that, even though it can be a difficult job, it is a rewarding job. Supposedly what we were doing wasn’t wildly different from what a red team would be doing on a normal day, although they typically had a larger team to help them, and of course, the job is much more complex. As for learning what was required of me as a DoD employee, the NIWC interns actually had our hiring manager there for a virtual interview where we learned what would be required of us. It was nothing intense; at the end of the day, he just wanted us to enjoy our future jobs and to keep staying engaged. When we saw him again for the DoD CSA bootcamp, we learned more about our positions, pay, and such, but this was not part of the internship, so I won’t go into details. My final objective was to network with my peers and have fun. The connections were, in my opinion, the best thing that came out of this internship. 
Although the technical knowledge and certifications were great, the connections I made and the overall experience were the best part. From this internship, I gained friendships with people that I hope to stay in contact with for the rest of my life. I also made connections with some relatively interesting and high-up people, which I hope will help me out sometime later down the road.
- Motivation and Excitement
The most exciting part of the internship, besides exploring Orlando with the other interns, was doing the TryHackMe rooms. They offered a level of engagement that isn’t often replicated in a classroom environment. Having us learn and figure things out on our own was rewarding, and I’m glad that’s how this program was set up. Another motivating factor was that what we were doing was related to what we would potentially be doing in the workforce. This motivated us to try our best and learn so that we could apply our experiences to the real world. Overall, I would say the entire internship experience was enjoyable, save for some minor gripes that will be discussed next.
- Discouraging Aspects
The internship itself didn’t really have any “discouraging” aspects. The most discouraging aspect was just knowing that during weeks 2 and 3, I would be going into a classroom to sit there and listen to someone lecture for 8 hours. While the lectures were important, this is simply not how I learn, and I found it incredibly boring. I often found myself finding other things to busy myself with as I would move ahead of the instructor. Another discouraging factor not necessarily related to the internship itself was just one of my roommates. I shared a quad with three other interns, and although the experience was overall great, one roommate was messy, to say the least. My other roommates and I got tired of his antics, and we found ourselves having to occasionally call him out on his behavior and having him correct it. There was some other drama among the interns, but I’ll just leave it at that.
- Most Challenging Aspects
The most challenging aspect of the internship was the culminating exercise at the end of week 6. This exercise required us to use everything we learned in the past 6 weeks and apply it to a simulation of a red teaming exercise where we would present our findings to executives. Not only was it technically difficult, but it was also mentally and socially difficult as well. It was difficult to coordinate with my team properly and it was stressful knowing that this would lead to a huge presentation in front of a bunch of important people. It didn’t help that the “team lead” often wasn’t around and I would have to step up along with another team member to help manage the rest of the team (the team lead was just a randomly chosen intern). For the technical aspect, really the only difficult part was the Windows box as it required a specific route of attack and would often crash for no reason. Every group required some form of help from our technical mentors, although I’m proud to say I did figure out the box on my own after work hours. We didn’t use my method, but this ended up working out as the method we presented was unique to our group. Other than the culminating event, there weren’t really any other incredibly challenging aspects.
- Recommendations
For future interns, I recommend just not being too anxious about the internship. Although it may seem like a big deal, there isn’t anything on the line and there’s nothing to worry about. You will have fun and you will learn a lot. Make the best of it and try to get out of your shell. The most important part of this internship is making friends and connecting with other interns as these are the people you’ll be spending nearly two months with. They could even possibly become friends that you keep for a lifetime. Even if you’re an introvert (like me), try to do something out of your comfort zone. It may seem difficult, but it’s incredibly rewarding, and you won’t regret it. As for preparations, some knowledge in cybersecurity is useful, but it isn’t necessary. If you are assigned to the software group, you should have some basic knowledge in coding, but again, it’s not necessary. Other than that, it wasn’t dissimilar to getting ready for a college semester. Again, make the most of it, and you’ll find this internship incredibly rewarding. Don’t just stay in your dorm room all day (not to say you can’t just relax in your room occasionally).
- Conclusion
Overall, this internship was an amazing experience. I learned a lot about cybersecurity and made many friends along the way. My takeaway is to try new things and to not be afraid. I was anxious to accept this internship and almost didn’t because I was afraid of missing important events at home (and I did because I missed a flight), but if I knew what I know now, I would accept this internship without any hesitation. Not only did I learn a lot, but I got paid while doing it, and I got a top-secret clearance. That itself is worth its weight in gold as sometimes companies won’t even hire you without a clearance since it’s a long and tedious process. This internship had one big impact on the remainder of my college career at ODU; I now plan to get my master’s in cybersecurity. Granted this was more the scholarship program than the internship, but I was highly encouraged to get my master’s since it’s paid for. Even though it isn’t necessary, they encouraged it to set me apart from my peers. As for my future professional path, I’m now certain that I want to do something in cybersecurity, hopefully with the red team or in some management position. I would encourage anybody interested in cybersecurity to try and take a similar internship and I’m in the process of helping a friend who is also not fully convinced of cybersecurity. This internship was an amazing opportunity, and I would go into it again 10/10 times. I would do it again next year; however, I’m not able to due to obligations with NIWC, but I do know some interns plan to attend next year as resident assistants. Again, this internship was an amazing opportunity and I’m grateful I was given the chance to participate in it.