Mick Leach: Hello and welcome to another SOC Unlocked: Tales from the Cybersecurity Frontline. I'm Mick Leach, your host and guide on this exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe and more. This week, we are excited to have Anthony Coggins. Anthony, welcome to the show. It's good to have you.
Anthony Coggins: Yeah, thanks for the invite and it's been a minute since we talked, so I'm glad to get to catch up.
Mick Leach: Absolutely. And for our listeners who may not know, Anthony and I go way back. We've done a couple of different webinars together and podcasts. We've done a bunch of stuff.
Anthony Coggins: We have, yeah. It's been an eventful last couple of years for sure. And we've both made some nice changes in hops as well during that time.
Mick Leach: Absolutely, absolutely. So, but before we dive too deeply into those topics, what I wanted to do is give you an opportunity to introduce yourself to our listeners. I would ask that you kind of tell us a little bit about yourself, your background, what your current role is and mostly how did you get there.
Anthony Coggins: Yeah, sure. So my name is Anthony Coggins and I'm the Director of Information Security at Acrisure and the Vice President of the West Michigan Cloud Security Alliance. I've been in the industry in one form or another since 2010. So what is that, 14 years now? And started in IT at the help desk, doing password resets. I started my career in K-12, helping teachers with their projectors and all that fun stuff. And just kind of through experience, and I had a lot of good mentors and leaders throughout my years, eventually made it to where I am today.
Mick Leach: That's awesome. You know, it is that aspect of the career progression that I find so interesting with all of our guests, because what I've learned already and continue to learn each time we have these conversations is that everyone's journey into cybersecurity is unique. You know, some folks came from a heavy development background. Some folks come, many folks come from an IT support background. That's where we got started, myself included.
And heaven knows you were doing the Lord's work there supporting teachers. That is a thankless job and tons of work. So I get that. But that's what I love because there are a lot of listeners that aspire to a role in cybersecurity. And they think maybe, you know, it can be disconcerting. It can feel like there's no chance. You know, I just don't know enough.
Anthony Coggins: Right. Yeah. I need all the certs or I need the master's degree or I need whatever before I really even consider it. Yeah.
Mick Leach: Right? Yes. Exactly. Exactly. Because let's be honest, imposter syndrome is real. And I don't know about you. I definitely still to this day feel it.
Anthony Coggins: I get it multiple times a day, probably. Yeah, like, should I really be in this conversation? I think I can speak to this, you know, but even though I know whatever the topic is, like the back of my hand, it happens to everybody. And I think, you know, not to go too much on a tangent here, but the imposter syndrome effect is a sign of competency. It's what I tell other people. I try to tell myself, but I mostly tell other people who tell me they have imposter syndrome that it's a sign that you know that there are things you don't know. Right.
So if you look at something like the Dunning-Kruger effect, you know, there's that curve and you get to the top and you've been in the industry for two or three years or whatever, and you think you know it all. Right. And you're super confident. And I think they call that Mount Stupid, right. Because what it takes to come off that mountain is deleting a whole DNS zone or deleting a database or just having yourself humbled, to realize that, I don't actually know everything. And so you start to build your competency and your expertise, but always understanding that there's still more I don't know, there's still more I need to learn. And so that imposter syndrome is a sign of your overall great knowledge in the space. So that's what I think.
Mick Leach: Yeah. And I'm glad you brought up the Dunning-Kruger effect. I saw this firsthand at a previous company years ago now. This would have been, goodness, got to be 10, 12 years ago now. And we were building out a SOC at a major insurance company and we were building out a security operations center and we took a self-assessment. So our leadership said, well, let's see what you feel like you know and then we'll kind of scrub that against what we feel like you know, based on what you're doing on the daily. And then we'll kind of see where we're at. And that'll help us understand where the strengths of the team lie and maybe where there are some gaps in terms of knowledge. Great idea.
So we did this and when the results came back, we all shared them and we did this, you know, open notes, shared them with the team and everybody looked at them and went, wait, wait, you're like the smartest guy in the room. Why are you rating yourself like a three in most areas? And he's like, cause I know guys that are way smarter than me. And then we had some more junior folks that rated themselves very highly because they were comparing themselves against like their friends and their family and their neighbors, the people that they kind of surpassed in their knowledge, and kind of considered themselves above. So it was interesting. And I remember looking at the results and I'd never heard of Dunning-Kruger at that point. And so I remember looking at the results thinking, man, this is wild. I've never seen anything like this. And one of my leaders came in and said, no, this is classic Dunning-Kruger. In fact, it was Mick Douglas who said it, who was my first podcast guest.
Mick said, nah, this is classic Dunning-Kruger. And I was like, say more, because this is not a phrase I'm familiar with. Tell me more. And he went on to explain it. And then we both went and looked it up. And I was like, well, hot dog. That's exactly what we're looking at here. So, you know, it's fascinating that that still exists today in each and every one of us. But as we grow to learn more, I think to your point, the realization that there's so much more to learn really humbles you and makes you feel like you're not quite as far as you are. So all that to say, and my apologies, but all that to say that every journey is valid into cybersecurity. We all get here with a past and no two journeys are the same and that's okay. So enough about that. So now I want to really dive in.
Anthony Coggins: Yeah. 100%.
Mick Leach: In this podcast, we typically do sort of a past present future. So in terms of the past, I would love to hear about some particularly challenging cybersecurity threat or attack that you've seen, that you've encountered, that you responded to and what that looked like.
Anthony Coggins: So back when I was doing K-12 IT support, we used to have a separate school district that was called the Alternative Education System. And these kids were, you know, not always the best behaved. And one time I got a ticket into the system saying one of the computers had a weird sound and it wouldn't start. Okay, well, that's weird, but these kids were notorious for taking the rubber bands out of the CD drives and back in the day of XP, the BIOS would check if each attached device was working. And so when it checked the CD drive, it would make this god-awful noise. So I figured maybe that's what it was.
And so I drive over there and I walk in and the kids start snickering, so I already know something, you know, I'm like, okay, whatever. So I walk over to the computer, push the button and there is just this god-awful noise coming from inside the case. Well, that's weird. And there's a CRT monitor which is sitting on top of the computer which is on its side. So, you know, take the CRT off, unscrew the case, pop it open, and when I take the case off, I'm flabbergasted because there is a whole corndog shoved into the CPU.
I mean, I'm just standing there looking at it and thinking like, okay, first of all, thanks for this kid. But secondly, like, teacher, this kid had to have taken the CRT monitor off, unscrewed the case, shoved this corndog in here and screwed it back on and you didn't know, like, come on, man. And yeah, so that was the time I found a corndog in a computer. I'll never... I'll never forget that as long as I live.
Mick Leach: I'm just glad they didn't go the grumpy old men route and put like a fish in there. Because boy that would get rough pretty quickly. Plus that fan would probably help distribute... This is not by the way an endorsement or an idea for you listening folks. Although if you do like subscribe and tell us about it. Anyway, hilarious stuff.
Anthony Coggins: Yeah, so this is a mix, I think this is a mix of past and present. And that's, you know, the uptick in MFA bypass attacks and the types of more advanced social engineering that's being done is unlike anything we've seen before.
But it's not new, right? It's just next level. So I think MFA bypass is a commodity at this point, right? You have organizations still struggling to get basic MFA in place, but we need to be talking about the next step, which is passwordless authentication, which is, you know, FIDO2, passkey, you know, whatever the term we're gonna eventually standardize on here. And we need to be moving our employees and our parents and our grand everybody to these methods because everybody gets phished. No filter's perfect, no person is perfect. And we're seeing less and less attacks that are traditional credential gatherers, right? They all have MFA bypass built in at this point, or MFA downgrade attacks, right? So if you, you know, I have the passkey, I have a YubiKey, I have Windows Hello, you know, whatever the thing is. But if my attack is downgrading that to SMS or push, because I'm not enforcing passwordless, then you're still open to that, right?
So that's something we've seen a lot of in the past, and you know, so pushing the passwordless envelope is kind of the present and future kind of for me. And then, man, the social engineering with deepfakes and voice cloning and calling the help desk and all of that. We're only gonna see more and more of that. There's always been some of that and pen testers have been doing this for years, right? Trying to get somebody's password by calling the help desk. But I think it's cyber criminals who are doing this and cyber criminals who sound like whoever's answering the call. So those attacks I think are what organizations need to be focusing on and what would pass attacks that we've dealt with and have put in place.
Mick Leach: Yeah, absolutely. There was a lot there to unpack, right? We talked a little bit about what we've seen in the past. Do you have any examples of some of the things that you've come across over the years that you can share? Right. I understand you have a job and you don't want to share anything too private in terms of our companies. But anonymized data, are there any attacks over the years that kind of followed that, that you're willing to share or able to share?
Anthony Coggins: Yeah, I mean one that didn't personally happen to me or a company I worked for, but one I read about in the past, earlier, I think it was late last year, of an executive in Hong Kong got a deepfake call from his CEO and CFO. The call was about a wire and it was something upwards of millions, it might have been like $100 million. All I know is it was a huge amount, right? It sounded like his CFO, looked like his CFO, right? Like had all the same, you know, I mean, there was no reason not to believe him. It was a Zoom call and he called him, right? And, you know, he made the wire transfer. And when they eventually found out that this happened, they called him and like, why did you do this? And he was super confused because he said, you told me to, right?
So those specific attacks are terrifying, right? The mechanisms of protective keywords or some sort of AI protection that isn't built yet are things that we need to be looking at for that. Those attacks, I've been following very closely because they're just fascinating and quite troublesome, I think.
Mick Leach: Yeah, and you know what, with social engineering in particular, what strikes me is both odd and just unusual is that even though we are 30 or 40 years on now, you still go back to one of the best hackers, Kevin Mitnick. I know story after story after story about Kevin, who is a dear friend of Dave Kennedy who we just had on the show a couple of weeks ago. So, you know, Kevin, his big claim to fame was not actually anything all that technical. His big claim to fame was just that he could convince good people to do something they shouldn't do. And that's really no matter how far we've gotten with all the technical security controls that we all bring to the table, there's still a human at the end of the chain that is susceptible to being tricked. It's crazy to see those things.
John Strand has a great story. I don't know if you've ever heard this one, I think it was a webinar or something along those lines. He did his talk and it was like I sent my mom to prison and then we had cake and he was doing a physical pen test. Well, physical slash you know, digital pen test of a prison system. And he, you know, got his mom to go in and plug a bunch of rubber duckies in. Just a great story about how, you know, she was able to convince hardened prison guards to let her into places she shouldn't be, left her alone and let her cause or could have caused a whole bunch of crazy.
Anthony Coggins: Yeah, yeah, I mean, they, you know, they say if you, if you walk into a place wearing a suit, looking like you're in a hurry, most people hold the door open for you, or if you're carrying a, you know, six boxes of pizza, and you say, can you, you know, can you get the door for me? You know, my keys in the pocket, whatever. Everybody wants to be nice and polite, right? Who's going to say, well, hold up, buddy. Where's your ID badge? You know.
So yeah, the people side of it, to your point, is both our greatest strength and vulnerability, right? So we talk about security awareness training, and it's important, and we need to do that. But how do you attain that meaningful awareness of the human firewall aspect of it, right? We need to continuously kind of just tweak and work on it.
Mick Leach: Yeah, agreed. And this is why attackers drive me crazy. Because they're capitalizing on the good nature of people who are trying to do the right thing, to be kind. These are attributes we want to promote in society, and yet these are the exact attributes that bad actors are capitalizing on. So enough on that one. You talked a little bit about what the biggest things you feel like are facing SOCs today. Is that the social engineering and MFA bypass?
Anthony Coggins: Yeah, I'd say, to steal a term from my CISO, the MFA apocalypse is upon us and the four horsemen are here. And if you don't have your passwordless shield available, you're going to be in a rough spot.
Mick Leach: Yeah, yeah. And part of the challenge with implementing MFA is getting over that hurdle of impacting users. In security, there's this aversion to making life hard for our users. And that's a good thing to pursue, but there's a point to which that's got to stop, right? And yes, you and I, we've been using MFA for many years now. You know, it's not that big of a hurdle to overcome. More than that is that the MFA solutions today that are available to us are so frictionless now.
Anthony Coggins: Right. Well, the password solutions we have are more secure and easier for the end user, right? I don't have to remember a password. It's, you know, if we're using Windows Hello, it's your face. It's a pin that is biometrically hard-coded into your TPM chip. It's, you know, it's a YubiKey that you touch and it logs you in. I mean, these make it less frictional or increase the user experience while also increasing security. It's literally a win-win, you know, on all aspects of it. You just gotta do it, man. It's just, I know it's hard because we've been saying, you know, 14 character password and, you know, all this other stuff, MFA, and just, you know, it really is a new fork in the road that we all just have to go attack together.
Mick Leach: I couldn't agree more. So looking into the future, I mean, are these the kinds of advancements and changes that you foresee in the field of cybersecurity? How does that change? How do you think that really impacts security operations in particular?
Anthony Coggins: Yeah. With everything, I don't think there'll be a ton of adoption or advancement until there's a big enough problem. There has to be, obviously I'd love for everybody to be proactive and go start rolling out Windows Hello today and what that would mean for your company and all that. But until there's attacks the world is seeing with MFA bypasses and enough regulations that start to require it because let's be frank, many companies are only doing MFA because they have a regulation or a contract that says they have to, right? So until we get to that point, I think it'd only be the brave souls who continue to adopt that. But what does passwordless, I think, mean for the SOC? It means the end of remote account takeovers. You're always going to have social engineering and other things. But we're talking about a huge sector of risk and attack that once we get to a point where enough people are doing it, we're erasing it overnight, which I think is something everybody needs to be striving for.
Mick Leach: Yeah, agreed. Agreed wholeheartedly. So kind of transitioning now, we've talked a little bit about the past, the present, the future. And I know we talked a little bit about, you know, getting into cybersecurity on the front end of the podcast. But what I would love to ask is, like, what advice would you give to someone that is looking to get into security as a field or even more specifically into security operations?
Anthony Coggins: I would say that people who have IT or help desk experience are super underrated. All of my best people have come from a background of general IT. And do you know why that is? Because I can teach them security. I don't have to teach them IT, right? I'm gonna go on a bit of another tangent here, so bear with me.
Our higher education systems at large are failing cyber students today because they are coming out with 40 to 100 grand in debt to have a cybersecurity degree, but they don't know how DNS works. They couldn't tell me what a subnet is and they've never heard of Active Directory. How do you expect to get a job if you don't have those mundane base skills? So for anybody wanting to get into cybersecurity, you have to be a very special person, I think, to just hop right into it. You have to have some level of IT exposure or experience, even if that's one year at a help desk, right? I would hire a level two, level three help desk person or a sys admin or a former DBA or a network engineer or whatever any day of the week over somebody with just a bachelor's degree in cybersecurity. I'm sorry to say that because it is unfortunate, but the skill set is just so lacking with these new graduates.
Mick Leach: I mean, I wish I could disagree because I am an advisor. I'm on the advisory committee for one of the local colleges, their cybersecurity degree program. And it's been my joy and my pleasure to be able to contribute to that. But each time we do talk about, you know, some of the challenges are the tooling that the schools are leveraging, not just in terms of teaching, but as a whole. Many of the colleges are using GSuite across the board. You're turning papers in on Google Classroom, and they're all using Google Mail. So everything is Google-oriented, because Microsoft's pretty expensive. And so many times, it doesn't make sense for the student body to have that. But unfortunately, most corporations are running on Microsoft.
And so you're right when you said it's the first time they've heard Active Directory or seen it. You're right. It bothers me, but you're right, because that's the case. You know, another good example is that for years they have been leveraging Cisco, and Cisco did a great job of getting, you know, their hardware into school systems all over the country. Like the local high school here has a Cisco Academy program where you can have your CCNA by the time you graduate high school. Super cool. That's great stuff because you're right, you're learning the basics on a lot of stuff. Many of the companies that I've been at over the years have transitioned from Cisco hardware to other layer seven firewall kinds of things, application security based firewalls, things like Palo Alto and there's a lot of big players in this world. But the students that are coming out have never seen any of that. So they are ill prepared, and yet saddled with a ton of debt.
Anthony Coggins: Yeah, I think we need to collectively decide that IT and cybersecurity is actually a trade, right? Because you don't really learn it until you're doing it. I know that's true for a lot of things, but it really is true for IT because you have so many layers, complexities, systems, all these. You can't possibly expect a collegiate system which moves fairly slow for updating curriculum and like that to ever keep up with the pace and speed of technology, right? As far as keeping up to date with the latest. So yeah, I mean, getting exposure to Palo or any of that, you know, it's just an unfortunate gap we have today. I would, so to wrap all that up, I would say, you know, get exposure to IT. Find a help desk job, work at an MSP, grind for a couple of years, and then decide where you want your specialty to be. Because you might decide it's not in cyber. You might find, I really like writing applications. I really like SQL, so I want to be a DBA somewhere. I really like networks, so I'm going to go be a Palo expert and do this other stuff.
So that would be my advice for anybody looking to get into cyber or IT in general. You just gotta find that entryway. Your first job is always going to be the hardest. And then you just start climbing the ladder.
Mick Leach: Yeah. So I like that. I like that. And you heard it here first, folks. IT and cybersecurity are becoming a trade. That's what Anthony Coggins had to say here. And I agree. I agree. I think that there are ways, you know, knowledge is knowledge and you can come by knowledge in a variety of ways and none of them are discounted. You want to take a formal education and you want to go that route? Great. Great. Love that for you.
Because it's often what I've experienced, and your mileage may vary, but what I've experienced with folks that I hire that have a traditional four year education, either in IT or maybe in the newer world cybersecurity, those folks have a better base than many of the folks that are self-taught because the base is broad and they spend a lot of time in it and it's old school stuff. And so they have a better foundational understanding of how many of the things worked. But then you get these self study folks that maybe don't have the basis of how some of those things work, but they built way above it. And so their knowledge is also valuable, but it's all self taught. And then there's the certification folks that went, you know, CompTIA or maybe, you know, maybe you have a rich grandpa and you went to SANS or, you know, there's lots of options, but, you know, there are folks that come out with information from those organizations as well. And I'm of the opinion that all of those routes to knowledge are valid and good.
Anthony Coggins: There's no wrong path for sure.
Mick Leach: Yes. Agreed. If someone can only take away one thing from this wide-ranging, fun conversation that we've had so far, what would you have them hear? What would you have them take away from this?
Anthony Coggins: Man, that's a good question. I would say don't be intimidated by the breadth of cybersecurity and just start doing it. Start doing things you're uncomfortable with and get comfortable being uncomfortable. Get comfortable learning things that you've never touched or seen before. Get comfortable talking to people because networking is and will always be an advantage to you getting a better job, making connections to peers to get more skills, whatever that might be. Networking is something you should always be doing as well. Just don't lose hope on what you want to do and just keep grinding away.
Mick Leach: Okay, so networking. I'm going to double click into that just because I think there's value here. How, right? Because our listeners are probably hearing networking, networking, because every guest has recommended this at some point or another. And they're right. But how do I get started? I don't know anybody. I don't know how to meet people. Are there mixers for cybersecurity?
Anthony Coggins: There are, actually. You know, whether it's a local CSA chapter that you can go and attend, whether it's an ISSA chapter, whether it's, you know, sometimes even your city's Chamber of Commerce will hold events. There are things out there that are free, free to go and meet with other technology practitioners, with vendors, you know, executives to, you know, start those conversations. And, you know, I can't speak for everyone, but at least in my section of the world here in West Michigan, you can approach anybody. And we're all, we're all one big blue team, right? So we're all very happy to share information or tips or tricks or, you know, you need help with your resume, like, send it to me and I might not get to it right away, but eventually I will respond and maybe add these or tweak it here. I just heard about this job opening, like, you should consider this. So there are a plethora of possibilities for you to start networking.
Mick Leach: Yeah, agreed wholeheartedly. I know you're in the Grand Rapids area and one of the best cons in the Midwest is up there, conferences. Yeah, GrrCON. Love it. Here in, I'm in the Columbus, Ohio area. So just a little bit further south of you, but also kind of in a not, it's not a major market, right? It's not LA, it's not San Fran, it's not Austin, it's not, you know, New York or DC.
Anthony Coggins: We're gonna come right up.
Mick Leach: Those all have tons and tons of options, but even here in our smaller markets, we have lots of good choices. We have a BSides, we have an ISSA that's amazing here in the Columbus area. There's 614Con that's been rebranded, I think, to Hackers Teaching Hackers. So even in the smaller markets, there are options out there. And then at worst, what I would recommend is hop on LinkedIn and look in your own area for people that have titles that relate to cybersecurity and reach out. Because to your point, Anthony, and I don't think it's just here in the Midwest, I travel a lot and have an opportunity to speak with, you know, blue team and cybersecurity professionals all over the world. And everyone I have met is willing to take time and have a conversation with an up and comer.
Right, someone who aspires to get into the world of cybersecurity and share tips and tricks and pointers. So, yes, find someone, reach out. All of us are here to help folks get moving forward. Awesome. OK, well, folks, we are at time. And I want to say thanks to Anthony for a fantastic discussion.
This has been SOC Unlocked, Tales from the Cybersecurity Frontline. I'm your host, Mick Leach, reminding all you cyber defenders out there to keep fighting the good fight. You're the tip of the spear, so stay sharp. Thanks for tuning in, and don't forget to like and subscribe and check out our other SOC Unlocked episodes. We'll see you next time. Thanks again, Anthony.
Anthony Coggins: Thanks, mate.