Inside the Incident: War Stories and Lessons from the Frontlines of Cyber Security
Based on a conversation from ThreatCast with host Ru Campbell and guest Shiva P, Senior Security Researcher at Microsoft DART
What Really Happens During a Cyber Security Breach?
Cyber security preparedness is not optional. It is essential. In this episode of ThreatCast, host Ru Campbell is joined by Shiva P, a Senior Security Researcher at Microsoft’s Detection and Response Team (DART), to explain what actually happens when things go wrong. Drawing from real-world experience, Shiva reveals common pitfalls that organisations fall into, and how they can strengthen their defences before a threat becomes a full-scale crisis.
This episode goes beyond technical advice. It explores the operational breakdowns that open the door to compromise, the emotional toll of managing a breach, and the simple steps that can dramatically reduce risk.
A Breach Unfolded: What Went Wrong
One of the key stories Shiva shared involved a custom-built remote access application that was exposed to the internet and lacked multi-factor authentication (MFA). That single oversight set off a chain of vulnerabilities:
- Credentials were compromised through exposed configuration files
- The service was running with excessive privileges
- Endpoint detection and response (EDR) was disabled
- Weak password reuse enabled lateral movement
Attackers moved quickly, exploiting the same local admin password across multiple servers. With tools like Hydra and Mimikatz, they scanned the environment, escalated privileges, and expanded control while the security team struggled to contain the breach.
"Even one basic security control, properly implemented, could have stopped this attack at the outset."
Shiva P
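As an added illustration that is not from the episode or from DART: the trace a reused local administrator password leaves in Windows Security logs is one source address logging on as a local account (TargetDomainName equal to the host name rather than the AD domain) to many hosts in quick succession. The log sample and its flattened field layout below are constructed for this example; the detector flags that pattern.

```python
"""Detect a reused local-administrator password from Windows 4624 logon events:
one source address logging on as a *local* account to many hosts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logons (Event ID 4624), one per line.
# The flattened field layout is hypothetical; map it to your own export format.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z 4624 host=SRV01 user=Administrator domain=SRV01 type=3 src=10.0.5.23
2024-05-01T09:00:41Z 4624 host=SRV02 user=Administrator domain=SRV02 type=3 src=10.0.5.23
2024-05-01T09:01:10Z 4624 host=SRV03 user=Administrator domain=SRV03 type=3 src=10.0.5.23
2024-05-01T09:01:55Z 4624 host=SRV04 user=Administrator domain=SRV04 type=3 src=10.0.5.23
2024-05-01T09:02:30Z 4624 host=FS01 user=jdoe domain=CORP type=3 src=10.0.7.8
2024-05-01T09:02:31Z 4624 host=FS02 user=jdoe domain=CORP type=3 src=10.0.7.8
2024-05-01T09:03:00Z 4624 host=SRV05 user=svc_backup domain=SRV05 type=3 src=10.0.9.40
2024-05-01T13:15:00Z 4624 host=SRV06 user=Administrator domain=SRV06 type=3 src=10.0.5.23
"""

def parse(line):  # one flattened record -> dict with a parsed timestamp
    ts, event_id, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event_id"] = event_id
    return rec

def find_local_admin_spray(log_text, min_hosts=3, window=timedelta(minutes=10)):
    """Return {(src, user): sorted hosts} for every source that used a local
    account (domain == host) for network logons (type 3) to at least
    min_hosts distinct hosts inside one `window`."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        r = parse(line)
        if r["event_id"] != "4624" or r["type"] != "3":
            continue
        if r["domain"].upper() != r["host"].upper():
            continue  # domain account: not the local-password-reuse pattern
        by_key[(r["src"], r["user"].lower())].append((r["ts"], r["host"]))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    for (src, user), hosts in find_local_admin_spray(SAMPLE_LOG).items():
        print(f"{src} used local account {user!r} on {len(hosts)} hosts: {', '.join(hosts)}")
```

The domain-account logons from jdoe are deliberately ignored: the signal here is a local account name appearing on host after host from one source, which a domain account does not produce.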
Common Mistakes Observed in the Field
Despite growing awareness, Shiva noted that the same issues continue to appear across different organisations:
- Poorly implemented MFA, including SMS-based codes or simple push notifications
- Services running with more privileges than necessary
- Flat networks without segmentation or tiering
- Local administrator accounts using the same password across systems
- An over-reliance on EDR without hardening or monitoring
These are not failures of awareness. In many cases, the organisation has a security team in place. The problem lies in execution, prioritisation, and the lack of integrated processes.
Strategy Over Tools
Shiva emphasised that security is not about finding the perfect tool. It is about having layers of defence that delay attackers and create opportunities for detection and response.
"Make the attacker’s life a nightmare," he advised. "If it takes too long or gets too noisy, they will move on to an easier target."
Shiva P
Recommended strategies include:
- Phishing-resistant MFA
- Regular patching of internet-facing systems
- Least privilege access and just-in-time provisioning
- Proper deployment of EDR with tamper protection
- Tiered access models in Active Directory
Shiva also encouraged a mindset shift, moving from a checklist approach to a continuous model of reducing exposure and limiting attack paths.
The Human Factor in Incident Response
Shiva also spoke about the emotional aspect of incident response. The teams he supports are often under immense pressure, facing the risk of job loss, reputational damage, or financial fallout.
"You are not just solving a technical problem. You are helping people through one of the most difficult days of their careers."
Empathy, he explained, is not an optional skill for incident responders. At Microsoft DART, it is built into the culture. Teams provide support, structure, and clarity at a time when clients need it most.
Advice for Future Responders
Shiva’s own path began with an internship at Symantec, followed by roles in managed SOC services and threat hunting. His advice for those interested in incident response is straightforward:
- Learn the basics of system administration and networking
- Understand how to read and interpret logs
- Use platforms like Hack The Box or CTFs to practise detection and investigation
- Develop a mindset focused on evidence, cause, and consequence
"Learn how to recognise the traces an attacker leaves behind. If you cannot see the signs, you cannot investigate the incident."
Shiva P
Closing Thoughts
Security does not require perfection, but it does require purpose. Organisations that take the time to get the basics right, structure their environments defensively, and prepare for the worst are far better equipped to recover when the inevitable happens.
The goal is not to be unbreachable. It is to be resilient, responsive, and ready.
