
Are cybersecurity internships worth it?

Frances Chan

Careers Commentator
Actual cybersecurity interns share what they did during their internships.

Hear from the following cybersecurity interns to see if an internship in this field might be worth your while!

  • A Security Operations Center (SOC) intern at a federal government office
  • A SOC intern at a defense contractor (a company that provides products or services to the military)
  • A general cybersecurity intern at a call center

Let's dive in!

  1. What cybersecurity interns do day-to-day
  2. Were the internships worth it?
  3. Best advice for landing an internship
  4. Where to find internships

What cybersecurity interns do day-to-day

1. Shadowing more senior colleagues

My internship was six weeks long. In the first week, I watched and observed as people did their work.

After that, I got some hands-on experience. I worked alongside a senior SOC analyst. Most of the internship was watching screens to monitor the network for any suspicious activity. My mentor was in charge of three screens and he let me sit next to him and made me responsible for monitoring one of the screens.

He also showed me all the tools he used and got me familiar with the key concepts like CIA, NIST, and FISMA.

– SOC intern @ Federal government office

We shadowed an internal investigator as part of our internship.

To give you an idea of what this means, let's say an employee at the call center was handling sensitive information, like a customer's credit card number, and they accidentally sent the full credit card number to another employee, violating our security policy.

We have a computer program that would catch things like this and alert the security team. So the internal investigator would get these alerts and he'd get an HR person to remind the employee that they're not supposed to do that.

If the employee violated the policy a 2nd or 3rd time, the investigator would summon them and ask if they were doing it on purpose and see if there was something suspicious going on.

We got to sit in on these conversations.

– General cybersecurity intern @ A call center

2. Monitoring network traffic

SOC interns spend much of their time watching network activity to look out for possible threats.

In total, I did 800 hours in the SOC, both day and night shifts, just trying to get familiar with everything. 60% of my time was spent monitoring network traffic for vulnerabilities.

This involved watching the Security Incident and Event Management (SIEM) tool to make sure there's nothing super suspicious. The SIEM tool is basically a dashboard with alerts coming through every second.

For example, whenever a user logs in, I'll get an alert that says "User logged on." Usually, I won't really pay attention to this as it's not suspicious.

But if you forgot your password and you're trying to log on 10 times in less than a minute, that raises a red flag. I'll need to look into this to make sure it's not a brute force attack.

30% is contacting people to determine if an alert is positive.

For example, if I see that you've tried to log on 10 times in the last minute, I might call your boss to check if it's actually you logging in. Or if I get a weird sign-on from a user at 3 am in China, I'll want to check if this user is on vacation there.

Before we block people from the network, we want to make sure the alert is valid.

10% of my internship was creating tickets. For instance, if I'm going off shift soon and there's something that I find suspicious, I'd create a ticket so the next person can look into it to see if it's a true positive.

To write up the ticket, you need to temporarily take your eyes off the screen. So usually you'll work in a team of two, and you'll ask your partner to watch your screen while you type up the documentation.

There are strict templates for writing up tickets. I'd basically fill up the template with exactly what happened, what my findings were, what my recommendations are to the company. If there's more information that I need for my investigation, I may raise a ticket for the analysts or SecDev Ops who'll do a deeper dive.

When you create a ticket, it goes through a bunch of steps before it's approved. The Incident Response team makes sure your documentation meets all the FISMA and NIST requirements.

– SOC intern @ Federal government office
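
The "10 logons in under a minute" red flag described above can be written as a sliding-window rule. The following is an added example, not part of the interviews or of any tool the interns used; the log format, user names and IP addresses are constructed, and the thresholds are the ones quoted in the interview.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the interview: 10 logon attempts in less than a minute.
THRESHOLD = 10
WINDOW = timedelta(seconds=60)

def parse_event(line):
    """Parse a constructed 'timestamp user outcome source_ip' log line."""
    ts, user, outcome, src = line.split()
    return datetime.fromisoformat(ts), user, outcome, src

def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user for each burst of failed logons."""
    recent = defaultdict(deque)  # user -> timestamps of failures still in the window
    alerting = set()             # users already alerted for the current burst
    alerts = []
    for ts, user, outcome, src in sorted(map(parse_event, lines)):
        if outcome != "FAIL":
            continue  # routine "User logged on" events are not counted
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:  # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            alerting.discard(user)  # burst is over; a later one alerts again
        elif user not in alerting:
            alerting.add(user)
            alerts.append({"user": user, "first": q[0], "last": ts,
                           "count": len(q), "last_source": src})
    return alerts

def sample_lines():
    """Constructed sample: alice fails every 5 s, bob every 10 s, carol logs on once."""
    base = datetime(2024, 1, 8, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} alice FAIL 203.0.113.7"
             for i in range(12)]
    lines += [f"{(base + timedelta(seconds=10 * i)).isoformat()} bob FAIL 198.51.100.4"
              for i in range(10)]
    lines.append(f"{base.isoformat()} carol OK 192.0.2.10")
    return lines

if __name__ == "__main__":
    for alert in detect_bursts(sample_lines()):
        print(f"{alert['user']}: {alert['count']} failed logons between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} "
              f"from {alert['last_source']} -> verify with the user before blocking")
```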

3. Helping out

Interns would help out with security incidents but wouldn't be responsible for owning an incident.

Say a computer was infected with malware. A full-time analyst might turn to an intern and ask them to check all the websites the user went to in the past six hours.

The intern would run the query and do some analysis: "The user went to Google and searched for this keyword. Then they went to this site and clicked on this suspicious-looking URL. You might want to look into it."

The intern might also be asked to run other queries like, "What files are in the user's download folder?"

So you'd help out here and there but you wouldn't be responsible for the incident response lifecycle. For instance, you wouldn't be responsible for making sure that the computer is isolated (not able to infect other computers) or that the malware has been removed.

– SOC intern @ Defense contractor

Another security person at the company had created a secure browser that our call center agents would use. It was a "lockdown browser" that would keep people from going onto certain websites.

They tasked us interns with "breaking" the browser. So we had to try anything we could to see if it was possible to unlock the browser. We did not end up breaking it, but it was a fun task.

– General cybersecurity intern @ A call center

4. Data-related work

Usually, these tasks include carrying out specific assignments from analysts or managers. These tasks are important for the SOC's operation but don't involve making important decisions.

Managers love to give interns some side work that they've been asked to do by their managers. For instance, "Here's a spreadsheet of users and we need to pull their data from this day to this day."

– SOC intern @ Defense contractor

We used a data visualization tool called "PowerBI" to create graphs and visuals of the data the company collected from its various SOCs around the world.

Based on these graphs, it was easy to see that Latin America experienced more of one type of incident and Asia had more of some other types of incidents. And then you could break it down even further by city. 

– General cybersecurity intern @ A call center

Were the internships worth it?

All of our cybersecurity interns agreed that their internships were worth it.

My cybersecurity internship helped me hone in on what concentration of cybersecurity I was interested in. Your internship won't necessarily tell you what you want to do, but it'll definitely tell you what you don't want to do.

I was on a small team and got exposure to different concentrations. In the area of the office that I sat in, I sat next to the vulnerability management engineer who ran vulnerability scans. I had access to that tool even though I wasn't an administrator of the tool; I could see how it worked and what his job involved.

We also sat near the GRC people and I learned that it's a lot of audit compliance work. They largely make sure our cybersecurity program stays in compliance with laws and regulations. Because that internship was at a defense contractor, we were audited a lot by the US military and the government, so I was exposed to the audits. 

In my case, I learned I didn't want to do GRC. GRC is a lot of paperwork, a lot of meetings. It's just very boring. 

– SOC intern @ Defense contractor

The biggest thing I learned is to always reach out to someone if there are any alerts I'm unsure of.

I had a colleague in my internship who saw something and didn't think it was a big deal, except it was a big deal.

So always ask before just dismissing it. There are real consequences even as an intern! The responsibility falls on your lead but your lead will also come down on you. "Why didn't you reach out? I was right here."

You'll feel bad because the lead will take the brunt of it, but you should have spoken up about it. I'd rather someone say "That's nothing" as opposed to "Why didn't you tell me about this?"

– SOC intern @ Federal government office

This was my first internship ever, so my biggest takeaway was learning about how the corporate world works. Before that, I just worked cashier jobs. I'd never worked in an office, and this was the headquarters for a big company. So I learned things like Microsoft Outlook and how to properly write and talk to your colleagues.

Let's say there's an issue or some kind of disagreement, I learned how to address that in a professional manner. You got to keep a cool head, because not everybody's going to be chill about things, especially in security or IT. 

Through this, I also gained more confidence in my skills and abilities. Until then, I had only started taking cybersecurity classes at school and done the bootcamp. Now, I was getting to apply my knowledge in real life.

– General cybersecurity intern @ A call center

Best advice for landing an internship

Head on over to How to break into cybersecurity as a student.

Where to find internships

You can find plenty of internships on Prosple. We have a vast selection of internships curated for students like you. Just filter 'til you find the right fit!