Andrew Cook, security operations director at Recon Infosec, is next to take the hot seat for our ongoing “Sitdown With a SOC Star” series. Cook is a valued contributor in the Siemplify Community, where he regularly imparts his expanding wisdom as an incident responder and a National Guardsman.
Cook recounts the story of a ransomware event that brought him to a small Texas town, explains why physical whiteboards will always outclass the digital variety and shares arguably his biggest gripe in cybersecurity, plus a whole bunch more.
Enjoy the Q&A!
I work at Recon InfoSec, based out of Austin, Texas. Recon was started by my good friend Eric Capuano, who I met in the Texas Air National Guard. Eric had taken his passion for cybersecurity and gradually assembled a team of awesome folks with awesome stories. I came in as the director of security operations responsible for the direction of our SOC, the delivery of our MDR service, and everything incident response. Security operations is a major pillar of Recon’s capabilities and essential to our mission to protect our customers. The work is rewarding, and I’m most excited to be building the type of SOC and team that I’ve always wanted.
I’d always been interested in computers, security and programming. I give a lot of credit to my mom who worked in IT and whose college textbooks I kept stealing. Once I had my own TV in my room, I think I had TechTV on 24×7. I’m still upset about what happened to that channel. Naturally, when it came time to decide on my career, I had to pursue something with computers.
I joined ROTC a couple of weeks into college and never looked back. Around that time, the U.S. Air Force had just formally incorporated cyberspace into its mission. The leadership and cybersecurity training I received in the Air Force, even while in college, was some of the best in the world. I’m tremendously grateful for everything the Air Force gave me and I’m forever looking for ways to pass it on.
On active duty, I was part of an amazing team who literally wrote the book on how to perform threat hunting in the Air Force. Our unit became the template for standing up the nation’s first cyber protection teams. I’ve been focused on security operations, threat hunting and incident response ever since.
After leaving the Air Force, I joined the Texas Air National Guard part-time and sought out companies that had the same passion for cybersecurity that I did. Once a month on drill weekends with the guard, I’d get glimpses into Eric’s company and the work going on there.
We found ways to work together occasionally, but after a few years it became silly not to jump in and join the Recon team.
A little tongue in cheek, but really, a lack of whiteboards – especially for incident response investigations, but also for routine things like brainstorming, planning threat hunts and collaborating on playbooks. I’ve messed around with iPads and drawing apps, but it just isn’t the same as a large physical whiteboard in front of everyone. If anyone has any ideas on virtual whiteboard replacements, let me know.
That being said, we’ve benefited tremendously from transitioning to a remote-first culture. Our workflows, technologies and team events have shifted to accommodate people no matter where they are. As a result, we’re more efficient and able to pull from a larger and more diverse talent pool with team members from all across the country. And we all love the flexibility of working from home. There is still huge value in meeting in person, so finding the right balance to bring people together on occasion is something we’re continuing to work through as the pandemic evolves.
I could say a lot, but let me make a case for a soft skill/hard skill duo: problem solving and programming. Separately they’re good, but together they’re great.
Cybersecurity is full of unsolved problems and limitless solutions. These problems overlap and cascade in ways that sometimes obscure what the actual problem is. We need people who can identify and prioritize the right problems, ask the right questions, assess options critically, and test solutions.
When a problem solver also knows how to code, they become a builder and an innovator. Someone who can both identify a problem and also develop their own solution is invaluable. I encourage everyone on my team to use these skills to help us “build the machine.” Builders move faster, iterate quickly and, ultimately, deliver more value. Another benefit is that knowing how to program also makes you a better analyst. Understanding how code runs, how systems and processes talk to each other, how API calls work, and how “the cloud” is connected all translate to understanding things like malware, vulnerabilities, exploits and attack chains.
It’s always something different, but an easy target to hate is ransomware. (Editor’s note: Siemplify just created The Definitive Guide to Ransomware Response e-book, which you can download for free here.) I hate ransomware because it is too immediate and too destructive. By the time it happens, the battle is lost and we’re picking up the pieces. As the attacker’s dwell time shrinks, the opportunity to interject and disrupt their malicious activity shrinks as well. It’s an unfortunately widespread and asymmetric attack.
Ransomware is all about preparation. You almost have to be perfect. In the current state of cybersecurity, perfection is impossible. Even the “basics” like multi-factor authentication are complex in real organizations with real people just trying to do their jobs. On top of that, even if you’ve done everything well, you can still be hit by some zero-day vulnerability or supply-chain attack like SolarWinds. Ransomware is one of the primary threats motivating our customers to be proactive about improving their security posture. It’s also a large part of why we’re focused just as much on detection and response as we are on helping our customers make progress on their security initiatives.
After learning some real problem-solving skills and how to code, I’m going to go with practicing empathy. Cybersecurity is stressful for everyone: analysts, IT folks, employees, business leaders, and all the rest. It requires constant vigilance against an adversary who is deliberately trying to destroy, steal, and disrupt. It doesn’t help when that adversary is intentionally targeting holidays (e.g. the 4th of July Kaseya ransomware attack this year) for maximum impact and apparent spite.
Empathy goes a long way toward keeping us all on the same team and keeping that team happy and healthy. Burned-out and stressed-out security analysts are ineffective and don’t last long. Blaming IT for not solving impossible problems with limited budgets doesn’t help make anything more secure. Imposing impractical controls against users who just want to get through the day without worrying about whatever “phishing” is just leads to anxious and frustrated employees. A dose of empathy in how we think through cybersecurity challenges and solutions leads to better outcomes.
It’s been a rough few years for everyone. Pre-pandemic, I took mental health for granted and assumed it was easy. In hindsight, I’d just been lucky that things generally went well for me. It seems obvious now, but nothing is worth sacrificing your mental health for.
Since the pandemic, I’ve shifted a lot of priorities. I’ve also been much more deliberate about taking breaks with intention, going to the gym (bouldering is awesome), being mindful and connecting with friends. It also turns out “gratitude” is something you should be developing instead of just having.
I still get a kick out of the time a general mentioned me in her testimony to Congress. It was my first year on active duty, and I was still in training. I guess I peaked early. Ok, but really, I am proud of the work my National Guard unit did in response to the 2019 Texas ransomware event.
Twenty-two Texas towns were struck in a single day in a coordinated attack. Essential services were down, like police departments and courts, so the urgency was immediate. The state had triaged the victims by their ability to help themselves – those least capable were prioritized for National Guard support. No one really knew what was going on yet, and I was among the first out the door. I left early in the morning with the address of a small city’s Police Department four hours away. My instructions were “protect health and safety, report what you find, and help with recovery.”
I’m proud of this work for two reasons: First, it was humbling to see how far our team had come. Almost everyone I worked with in both the Air and Army National Guard had some role in the success of our state-wide response. Watching everyone fill their roles, piece together the puzzle and work together as a team was amazing. This response put our years of exercises, coordination and preparation into perspective and showed that we were on the right track. Second, the city I worked directly with was eternally grateful and truly needed help. Residents and officials never expected anyone would show up to their small municipality, so being able to do something for them was immensely gratifying.
One of my favorite metrics is the concept of “wins.” These are cases where our analysts took some action against a malicious event before it became worse or led to an incident. These are the cases where our team added value and our analysts got in the fight. Analysts are hungry for interesting work and want exposure to malicious cases. Going too long without a “win” as an analyst is discouraging. For our customers, important cases highlight the value of our work, and each one is a lesson for them to improve.
In the Siemplify Security Operations Platform (Editor’s note: Recon InfoSec is a Siemplify customer), we mark our wins as “important” and track these cases carefully. The quantity of these wins is important – too many and we’re not doing enough to prevent “close calls,” too few and we may be ineffective at our detections. Out of all the time-based metrics we have, mean time to detect (MTTD) and mean time to remediate (MTTR) for important cases are essential. Every other metric can appear out of whack, but if we’re still consistently on top of our important cases then we’re still doing well.
Your technology does not “do” threat hunting. Threat hunting is a human-driven effort that requires human-level thinking. I’ve been pushing against this ever since leaving the Air Force (here’s an example in 2016: “Threat Hunting: More Than a Marketing Buzzword”). It’s getting better but I will continue fighting this fight until I’m sure it’s done.
Threat hunting is driven by a belief that existing detection efforts have failed. You cannot buy or implement a technology that checks the “threat hunting” box now and forever. You need to assume it has also failed or is insufficient. The uncomfortable belief that what we currently have is insufficient to meet the threat is what drives security operations forward. You must continue to improve your people, their processes and how they use technology.
The key to threat hunting is people who are thinking critically, generating hypotheses, gathering evidence and testing their hypotheses. They may use old technology or new technology. They can automate parts of it and become more efficient. But you cannot take the human out of threat hunting. Once you assume your technology is working without humans second-guessing it, you’re stagnant and no longer threat hunting. Truly proactive threat hunting is critical to continuously improving and evolving security operations.
Working every day on a computer, sometimes you just really need to remind yourself that your body is more than a way for your brain to type on a keyboard. My wife and I try to stay active, or at least get out of the house occasionally. We really like indoor bouldering because it involves a lot of problem solving. While I enjoy the slow and steady progress, bouldering is just inherently fun without being concerned about progressing. I’m too chicken to go bouldering outside.
We also got into birding during the pandemic. I never thought I’d be birding, but somehow I got hooked on this game of real life Pokémon. We also go hiking and biking with friends frequently. Really, anything to be social and active is a win in my book.
As much as I encourage my team to stay active, they probably do more to motivate me. A quick example – one teammate hiked 200+ miles, and a month later ran 47+ miles around the Grand Canyon. That’s huge. You couldn’t pay me enough to wake up at 3 a.m. and start running like that.
You can connect with Cook on LinkedIn here.
Are you or someone you know a SOC star whose insights would be valuable to share in this space? We’re always looking for new candidates! Just email Content Director Dan Kaplan.