Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies.
Prior to founding CyCognito, he was Director of Offensive Security and head of R&D at C4 Security (acquired by Elbit Systems) and the CTO of the Product Department of the 8200 Israeli Intelligence Corps. Honors that he received as an Israel Defense Forces Officer included the Award for Excellence, the Creative Thinking Award and the Source of Life Award.
CyCognito was founded by veterans of national intelligence agencies who understand how attackers exploit blind spots and joined by experienced management from some of the most trusted cybersecurity companies.
What initially attracted you to cybersecurity?
I first became interested in technology around the age of 13 or 14. I started getting into IRC channels with people curious about technology and what was called “hacking” at the time.
People back then were experimenting with all kinds of interesting things like cryptography in messenger apps. They were also experimenting with file sharing. Kids were pranking their friends by sending an executable file that would trigger a funny action of some kind. If you think about it, this was the basis for what we today call ‘social engineering’ attacks.
This all made me think: what if a person with bad intentions got a hold of this technology for malicious purposes?
These early experiences are what kicked off my career in security. I eventually landed in the Israeli Unit 8200 Intelligence Force doing reconnaissance work, and later co-founded CyCognito.
Could you share the genesis story behind CyCognito?
CyCognito was founded on the awareness that attackers are always ahead of defenders. They are smart, relentless and always seeking the path of least resistance. And while all attackers need is one weak spot to break through, security teams have to secure every possible point of entry in an ever-growing, always-evolving attack surface. It’s quite the challenge.
To compound the problem, most organizations have potential points of entry unseen by security teams but easily discoverable by threat actors.
One day, I sat down with my Co-founder, Dima Potekhin, and we set out to shift the paradigm where instead of deploying agents or instructing a port scanner to scan a few known IP ranges, we would create a solution that worked like a world-class attacker, meaning it would begin knowing only a company’s name and then proceed to identify the assets most at risk and the most tempting open pathways.
We wanted to simulate an attacker’s offensive operation, starting from step one, where the attacker knows only the target company’s name and their goal is to get access to sensitive data.
So, in 2017, we took our national intelligence agency experience and began to make this happen with the mission of helping organizations prevent breaches, by continuously mapping their external exposure blind spots and finding the paths of least resistance into their internal networks. This required leveraging not just advanced offensive cyber knowledge, but also modern technology that is still quite rarely used in our industry, like Bayesian machine learning models, LLM, NLP, and graph data models.
Today, we help emerging and large Global 100 companies secure their attack surfaces from growing threats. Some of our clients include Colgate-Palmolive, State of California, Berlitz, Hitachi, Tesco, just to name a few.
What is External Attack Surface Management?
The textbook definition of External Attack Surface Management (EASM) refers to the processes and technologies used to identify, assess, and manage the exposure of an organization’s digital assets that are accessible or visible from the internet.
External attack surfaces are vast and complex. A single organization can have hundreds and thousands of systems, applications, cloud instances, supply chains, IoT devices and data exposed to the Internet—often sprawling across subsidiaries, multiple clouds, and assets managed by third parties.
Security teams have limited ability to discover these assets. They are inundated with thousands of alerts, but they don’t have the context to know which are critical and which to prioritize.
Isolating the truly critical issues first requires visibility across the attack surface, but even more importantly, it requires a thorough understanding of the context and purpose of the assets affected. Once that’s established, security teams can calculate attack paths and predict which specific threats matter—those likely to cause serious monetary or reputational damage to the business. Then, the organization can prioritize correctly and remediate for maximum impact.
Can you share your views on the importance of thinking like an attacker to discover unknown risks?
According to Verizon’s DBIR, 82% of attacks come from the outside in. Furthermore, most breaches according to Gartner are related to unknown and unmanaged assets.
This is precisely why adopting an outside-in approach to evaluate your attack surface is critical for assessing and managing cybersecurity risk. Stepping into the attacker’s shoes provides an objective view of the crown jewels that live within your systems and, more importantly, which are exposed and vulnerable.
As I mentioned previously, attack surfaces are ever-growing and complex. Most security teams lack full-spectrum visibility into exposed and vulnerable assets. Attackers know this! And they will relentlessly explore the attack surface, hunting for the path of least resistance and that one gap that security teams don’t monitor. Unfortunately, one security gap is all they need to break in. Meanwhile, security teams have the difficult task of identifying the exposures that make their organizations most vulnerable, and then taking action to protect those entry points.
How frequently do you identify threats that are due to external applications and APIs that are simply not being monitored or tested?
More often than we would like. We recently conducted research showing vulnerable public cloud, mobile and web applications exposing sensitive data, including unsecured APIs and personally identifiable information (PII). Here are some of the key findings:
- 74 percent of assets with PII are vulnerable to at least one known major exploit, and one in 10 have at least one easily exploitable issue.
- 70 percent of web applications have severe security gaps, like lacking WAF protection or an encrypted connection like HTTPS, while 25 percent of all web applications (web apps) lacked both.
- The typical global enterprise has over 12 thousand web apps, which include APIs, SaaS applications, servers, and databases, among others. At least 30 percent of these web apps—over 3,000 assets—have at least one exploitable or high risk vulnerability. Half of these potentially vulnerable web apps are hosted in the cloud.
- 98 percent of web apps are potentially GDPR non-compliant due to lack of opportunity for users to opt out of cookies.
Our research aside, there’s ample evidence of these threats out there today. The MOVEit exploit is a case in point, which is still ongoing.
Can you discuss the importance of consolidating the processes and tools to test and manage the attack surface?
‘Stack bloat’ is something most enterprises suffer from. It’s particularly pronounced in security. Most organizations have siloed, disconnected security tools. There has been this mantra in security that more platforms will eliminate security gaps. But instead, it opens up the door for human mistakes, redundancies, increased operational load, and blind spots.
CyCognito was built to do the job of many legacy point solutions. We help companies consolidate their stack so they can focus on doing their jobs.
What are some ways that bad actors are using LLMs and Generative AI to scale attacks?
We have yet to see large scale attacks using LLMs but it’s only a matter of time. From my perspective, LLMs have the potential to provide greater scale, scope, reach, and speed to various stages of cyberattacks.
For example, LLMs have the potential to accelerate automated reconnaissance, where attackers can map and discover an organization’s assets, brands, and services, along with sensitive information such as exposed credentials. LLMs can also assist in vulnerability discovery, identifying weaknesses within a targeted network, and facilitate exploitation through techniques like phishing or watering-hole attacks to gain access and exploit network vulnerabilities. LLMs can also aid in data theft by copying or exfiltrating sensitive data from the network.
Also, consumer applications based on LLMs, most notably ChatGPT, pose a threat as they can be used both intentionally and unintentionally by employees to leak company IP.
Spear-phishing campaigns provide another use case. High-quality phishing is based on deep understanding of the target; that is precisely what large language models can do quite well, because they process large volumes of data very quickly and customize messages effectively.
How can enterprises in turn use Generative AI to protect themselves?
Great question. That’s the good news to all of this. If attackers can use gen AI, so can security teams. Gen AI can help security teams do reconnaissance on their own companies and remediate vulnerabilities. They can more quickly and cost-effectively scan and map their own attack surfaces to find exposed sensitive assets, like personally identifiable information (PII), files, etc.
Gen AI can greatly help understand the business context of any asset. For example, it can help recognize a database holding PII and play a role in revenue transactions. That’s extremely valuable.
Gen AI can also determine the business purpose of an asset. For instance, it can help distinguish between a payment mechanism, a critical database, and a random device—and classify its risk profile. This, in turn, enables security teams to better prioritize risk. Without the ability to prioritize, security teams have to sift through endless vulnerabilities labeled ‘urgent’ when most are actually not mission-critical.
Why should enterprises be cautious about being overly reliant on Generative AI for defensive purposes?
Generative AI has great potential, but there are inherent issues we have to work through as an industry.
The big picture for me is that gen AI models can make security teams complacent. The allure of more automation is great, but manual review is critical given the state of gen AI models today. For example, gen AI models ‘hallucinate’. In other words, they produce inaccurate outputs.
Also, gen AI models (LLMs, specifically) don’t understand context because they are built on statistical, temporal text analysis—which can also lead to further ‘hallucinations’ that are very tough to spot.
I understand security teams are increasingly looking to do ‘more with less’—but human oversight will (and should) always be part of the security process.
Can you discuss how CyCognito offers automated external attack surface management and continuous testing?
Not to sound like a broken record but, as I mentioned previously, attack surfaces are vast and complex—and they continue to grow.
We built CyCognito to continuously map an entire attack surface beyond the corporate core to encompass subsidiaries, acquisitions, joint ventures, and brand operations—and attribute each to its rightful owner.
There are a few technical capabilities worth highlighting.
In the black box attack surface discovery process, our platform leverages LLM as one of dozens of sources for “attribution hypotheses” that our Bayesian ML models analyze to determine the organization’s business structure (up to 1000’s of business units and subsidiaries) and assign assets to owners (at the scale of millions of IT assets) completely automatically.
The platform also accelerates asset classification through Natural Language Processing (NLP) and heuristic algorithms—a task that is generally costly and resource intensive.
We also provide the business context necessary to prioritize risks effectively. Even if a vulnerability affects a thousand machines, CyCognito can identify the most critical one by providing insight into exposure level, business significance, exploitability, and hacker chatter.
We take a holistic approach to External Attack Surface Management which overcomes the trap of treating all critical issues with equal urgency. We enable security to prioritize true critical vectors, saving them time and money.
Thank you for the great interview. Readers who wish to learn more should visit CyCognito.