
Rob Gurzeev, CEO & Co-Founder of CyCognito – Interview Series

Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies.

Prior to founding CyCognito, he was Director of Offensive Security and head of R&D at C4 Security (acquired by Elbit Systems) and the CTO of the Product Department of the 8200 Israeli Intelligence Corps. Honors he received as an Israel Defense Forces officer included the Award for Excellence, the Creative Thinking Award and the Source of Life Award.

CyCognito was founded by veterans of national intelligence agencies who understand how attackers exploit blind spots, joined by experienced management from some of the most trusted cybersecurity firms.

What initially attracted you to cybersecurity?

I first became interested in technology around the age of 13 or 14. I started getting into IRC channels with people interested in technology and what was called “hacking” at the time.

People back then were experimenting with all kinds of interesting things, like cryptography in messenger apps. They were also experimenting with file sharing. Kids were pranking their friends by sending an executable file that would trigger a funny action of some kind. If you think about it, this was the basis for what we today call ‘social engineering’ attacks.

This all made me think: what if a person with bad intentions got hold of this technology for malicious purposes?

These early experiences are what kicked off my career in security. I eventually landed in the Israeli Unit 8200 Intelligence Force doing reconnaissance work, and later co-founded CyCognito.

Could you share the genesis story behind CyCognito?

CyCognito was founded on the realization that attackers are always ahead of defenders. They’re smart, relentless and always looking for the path of least resistance. And while all attackers need is one weak spot to break through, security teams must secure every possible point of entry in an ever-growing, ever-evolving attack surface. It’s quite the challenge.

To compound the issue, most organizations have potential points of entry unseen by security teams but easily discoverable by threat actors.

One day, I sat down with my co-founder, Dima Potekhin, and we set out to shift the paradigm: instead of deploying agents or instructing a port scanner to scan a few known IP ranges, we would create a solution that worked like a world-class attacker, meaning it would start knowing only an organization’s name and then proceed to identify the assets most at risk and the most tempting open pathways.

We wanted to simulate an attacker’s offensive operation, starting from step one, where the attacker knows only the target company’s name and their goal is to get access to sensitive data.

So, in 2017, we took our national intelligence agency experience and began to make this happen, with the mission of helping organizations prevent breaches by continuously mapping their external exposure blind spots and finding the paths of least resistance into their internal networks. This required leveraging not only advanced offensive cyber knowledge, but also modern technology that is still quite rarely used in our industry, like Bayesian machine learning models, LLMs, NLP, and graph data models.

Today, we help emerging and large Global 100 companies secure their attack surfaces from growing threats. Some of our clients include Colgate-Palmolive, the State of California, Berlitz, Hitachi and Tesco, just to name a few.

What’s External Attack Surface Management?

The textbook definition of External Attack Surface Management (EASM) refers to the processes and technologies used to discover, assess, and manage the exposure of an organization’s digital assets that are accessible or visible from the internet.

External attack surfaces are vast and complex. A single organization can have hundreds of thousands of systems, applications, cloud instances, supply chains, IoT devices and data exposed to the Internet, often sprawling across subsidiaries, multiple clouds, and assets managed by third parties.

Security teams have limited ability to discover these assets. They’re inundated with thousands of alerts, but they don’t have the context to know which are critical and which to prioritize.

Isolating the truly critical issues first requires visibility across the attack surface, but even more importantly, it requires a thorough understanding of the context and purpose of the assets affected. Once that’s established, security teams can calculate attack paths and predict which specific threats matter: those likely to cause serious financial or reputational damage to the business. Then, the organization can prioritize appropriately and remediate for maximum impact.

Can you share your views on the importance of thinking like an attacker to discover unknown risks?

According to Verizon’s DBIR, 82% of attacks come from the outside in. Moreover, according to Gartner, most breaches are related to unknown and unmanaged assets.

That is precisely why adopting an outside-in approach to evaluate your attack surface is critical for assessing and managing cybersecurity risk. Getting into the attacker’s shoes provides an objective view of the crown jewels that live inside your systems and, more importantly, which are exposed and vulnerable.

As I mentioned previously, attack surfaces are ever-growing and complex. Most security teams lack full-spectrum visibility into exposed and vulnerable assets. Attackers know this! And they will relentlessly explore the attack surface, looking for the path of least resistance and that one gap that security teams don’t monitor. Unfortunately, one security gap is all they need to break in. Meanwhile, security teams have the difficult task of identifying the exposures that make their organizations most vulnerable, and then taking action to protect those entry points.

How frequently do you discover threats that are due to external applications and APIs that are simply not being monitored or tested?

More often than we would like. We recently conducted research showing vulnerable public cloud, mobile and web applications exposing sensitive data, including unsecured APIs and personally identifiable information (PII). Here are some of the key findings:

  • 74 percent of assets with PII are vulnerable to at least one known major exploit, and one in 10 has at least one easily exploitable issue.
  • 70 percent of web applications have severe security gaps, like lacking WAF protection or an encrypted connection like HTTPS, while 25 percent of all web applications (web apps) lacked both.
  • The typical global enterprise has over 12 thousand web apps, which include APIs, SaaS applications, servers, and databases, among others. At least 30 percent of these web apps, over 3,000 assets, have at least one exploitable or high-risk vulnerability. Half of these potentially vulnerable web apps are hosted in the cloud.
  • 98 percent of web apps are potentially GDPR non-compliant due to the lack of opportunity for users to opt out of cookies.

Our research aside, there’s ample evidence of these threats out there today. The MOVEit exploit is a case in point, and it is still ongoing.
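The gaps listed in the findings above (no HTTPS, no WAF in front, PII on the response) are the kind of thing an outside-in crawl can flag mechanically. The script below is an added example written for this page, not CyCognito's code or research tooling: it triages a constructed set of HTTP observations (URL, response headers, body snippet) into ranked findings. The WAF fingerprint table is a deliberately small, hypothetical subset of vendor-added headers, and the gap weights and PII regexes are illustrative choices.

```python
"""Triage exposed web apps for missing HTTPS, missing HSTS, no WAF/CDN in
front, and PII-looking content. Added example, not CyCognito's code. All
inputs below are constructed; no network access is made."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical partial fingerprint table: response headers some WAF/CDN
# vendors add. A real inventory would carry many more and also use DNS/ASN data.
WAF_HEADER_FINGERPRINTS = {"cf-ray": "Cloudflare", "x-sucuri-id": "Sucuri",
                           "x-iinfo": "Imperva"}
WAF_SERVER_FINGERPRINTS = {"cloudflare": "Cloudflare", "akamaighost": "Akamai"}

# Illustrative weights: an unencrypted endpoint outranks a missing WAF,
# which outranks a missing HSTS header.
GAP_WEIGHTS = {"no_https": 3, "no_waf": 2, "no_hsts": 1}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # crude SSN-shaped indicator


@dataclass
class Observation:
    url: str
    headers: Dict[str, str]
    body_snippet: str = ""


@dataclass
class Finding:
    url: str
    gaps: List[str]
    pii: bool
    waf: Optional[str]

    @property
    def score(self) -> int:
        # PII on an already-weak endpoint doubles the urgency.
        base = sum(GAP_WEIGHTS[g] for g in self.gaps)
        return base * 2 if self.pii else base


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalize before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def detect_waf(headers: Dict[str, str]) -> Optional[str]:
    """Return the fingerprinted WAF/CDN vendor, or None if nothing matched."""
    h = _norm(headers)
    for name, vendor in WAF_HEADER_FINGERPRINTS.items():
        if name in h:
            return vendor
    server = h.get("server", "").lower()
    for token, vendor in WAF_SERVER_FINGERPRINTS.items():
        if token in server:
            return vendor
    return None


def has_pii(text: str) -> bool:
    return bool(EMAIL_RE.search(text) or SSN_RE.search(text))


def assess(obs: Observation) -> Finding:
    h = _norm(obs.headers)
    gaps = []
    if urlparse(obs.url).scheme != "https":
        gaps.append("no_https")
    waf = detect_waf(obs.headers)
    if waf is None:
        gaps.append("no_waf")
    if "strict-transport-security" not in h:
        gaps.append("no_hsts")
    return Finding(obs.url, gaps, has_pii(obs.body_snippet), waf)


def triage(observations: List[Observation]) -> List[Finding]:
    """Highest score first, so the worst-exposed app is at the top."""
    return sorted((assess(o) for o in observations),
                  key=lambda f: f.score, reverse=True)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Percent with a severe gap (no HTTPS or no WAF) and percent lacking both."""
    n = len(findings)
    severe = sum(1 for f in findings if "no_https" in f.gaps or "no_waf" in f.gaps)
    both = sum(1 for f in findings if "no_https" in f.gaps and "no_waf" in f.gaps)
    return {"severe_pct": 100 * severe // n, "both_pct": 100 * both // n}


# Constructed observations standing in for a crawl of four exposed apps.
SAMPLE = [
    Observation("https://shop.example.com/", {"CF-RAY": "7d1abc", "Strict-Transport-Security": "max-age=31536000"}, "ok"),
    Observation("http://legacy.example.com/contact", {"Server": "Apache/2.4"}, "Contact: jane@example.com"),
    Observation("https://api.example.com/v1/users", {"Server": "nginx"}, '{"ssn": "123-45-6789"}'),
    Observation("https://cdn.example.com/", {"Server": "AkamaiGHost"}, ""),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.score:3d}  {f.url:40s} gaps={f.gaps} pii={f.pii} waf={f.waf}")
    print(summarize(triage(SAMPLE)))
```

On the constructed sample the plaintext contact page carrying an e-mail address ranks first, and half of the apps show a severe gap with a quarter lacking both HTTPS and a WAF, which mirrors the shape of the numbers quoted above without claiming to reproduce them.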

Can you discuss the importance of consolidating the processes and tools used to test and manage the attack surface?

‘Stack bloat’ is something most enterprises suffer from. It’s particularly pronounced in security. Most organizations have siloed, disconnected security tools. There was this mantra in security that more platforms will eliminate security gaps. But instead, it opens the door to human mistakes, redundancies, increased operational load, and blind spots.

CyCognito was built to do the job of many legacy point solutions. We help companies consolidate their stack so that they can focus on doing their jobs.

What are some ways in which bad actors are using LLMs and Generative AI to scale attacks?

We have yet to see large-scale attacks using LLMs, but it’s only a matter of time. From my perspective, LLMs have the potential to provide greater scale, scope, reach, and speed to various stages of cyberattacks.

For example, LLMs have the potential to accelerate automated reconnaissance, where attackers map and discover an organization’s assets, brands, and services, along with sensitive information such as exposed credentials. LLMs can also assist in vulnerability discovery, identifying weaknesses within a targeted network, and facilitate exploitation through techniques like phishing or watering-hole attacks to gain access and exploit network vulnerabilities. LLMs can also aid in data theft by copying or exfiltrating sensitive data from the network.

Also, consumer applications based on LLMs, most notably ChatGPT, pose a threat as they can be used both intentionally and unintentionally by employees to leak company IP.

Spear-phishing campaigns provide another use case. High-quality phishing is based on a deep understanding of the target; that’s precisely what large language models can do quite well, because they process large volumes of information very quickly and customize messages effectively.

How can enterprises in turn use Generative AI to protect themselves?

Great question. That’s the good news in all of this. If attackers can use gen AI, so can security teams. Gen AI can help security teams do reconnaissance on their own companies and remediate vulnerabilities. They can more quickly and cost-effectively scan and map their own attack surfaces to find exposed sensitive assets, like personally identifiable information (PII), files, etc.

Gen AI can greatly help in understanding the business context of any asset. For example, it can help recognize a database holding PII that plays a role in revenue transactions. That’s extremely valuable.

Gen AI can also determine the business purpose of an asset. For instance, it can help distinguish between a payment mechanism, a critical database, and a random device, and classify its risk profile. This, in turn, enables security teams to better prioritize risk. Without the ability to prioritize, security teams must sift through endless vulnerabilities labeled ‘urgent’ when most are actually not mission-critical.

Why should enterprises be cautious about being overly reliant on Generative AI for defensive purposes?

Generative AI has great potential, but there are inherent issues we have to work through as an industry.

The big picture for me is that gen AI models can make security teams complacent. The allure of more automation is great, but manual review is critical given the state of gen AI models today. For example, gen AI models ‘hallucinate’. In other words, they produce inaccurate outputs.

Also, gen AI models (LLMs, specifically) don’t understand context because they’re built on statistical, temporal text analysis, which can also lead to further ‘hallucinations’ that are very tough to spot.

I understand security teams are increasingly looking to do ‘more with less’, but human oversight will (and should) always be part of the security process.

Can you discuss how CyCognito offers automated external attack surface management and continuous testing?

Not to sound like a broken record but, as I mentioned previously, attack surfaces are vast and complex, and they continue to grow.

We built CyCognito to continuously map an entire attack surface beyond the corporate core to encompass subsidiaries, acquisitions, joint ventures, and brand operations, and to attribute each to its rightful owner.

There are a few technical capabilities worth highlighting.

In the black-box attack surface discovery process, our platform leverages LLMs as one of dozens of sources for “attribution hypotheses” that our Bayesian ML models analyze to determine the organization’s business structure (up to thousands of business units and subsidiaries) and assign assets to owners (at the scale of millions of IT assets) completely automatically.

The platform also accelerates asset classification through Natural Language Processing (NLP) and heuristic algorithms, a task that is usually costly and resource intensive.

We also provide the business context necessary to prioritize risks effectively. Even when a vulnerability affects a thousand machines, CyCognito can identify the most critical one by providing insight into exposure level, business significance, exploitability, and hacker chatter.

We take a holistic approach to External Attack Surface Management which overcomes the trap of treating all critical issues with equal urgency. We enable security teams to prioritize the truly critical vectors, saving them time and money.
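The answer above describes feeding "attribution hypotheses" from many sources, an LLM among them, into a Bayesian model that decides which organization owns an asset. The block below is an added illustration of that general idea, not CyCognito's model or code: a naive-Bayes combiner in log-odds space, where each source has a hypothetical true-positive and false-positive rate, a low prior reflects that an arbitrary host is unlikely to belong to any given company, and an asset is only attributed when the posterior clears a threshold. Source names, reliabilities, the prior, and the sample hypotheses are all constructed for the example.

```python
"""Combine attribution hypotheses from independent evidence sources into a
posterior probability that an asset belongs to an organization.
Added example (naive Bayes in log-odds), not CyCognito's model. Every
reliability figure and sample hypothesis below is hypothetical."""
import math
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical per-source reliability:
#   (P(source asserts "belongs" | it really belongs),
#    P(source asserts "belongs" | it does not belong)).
# The LLM name-similarity source is deliberately the weakest: a model's guess
# from naming should move the posterior, but never decide it alone.
SOURCE_RELIABILITY = {
    "whois_org_match":     (0.80, 0.02),
    "tls_cert_san":        (0.70, 0.05),
    "reverse_dns_domain":  (0.60, 0.10),
    "llm_name_similarity": (0.50, 0.20),
}

# Prior that a candidate host surfaced by discovery belongs to the org.
PRIOR = 0.05

Evidence = List[Tuple[str, bool]]          # (source, source says "belongs")
Hypothesis = Tuple[str, str, str, bool]    # (asset, org, source, says_belongs)


def logit(p: float) -> float:
    return math.log(p / (1.0 - p))


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def posterior(evidence: Evidence, prior: float = PRIOR) -> float:
    """Naive-Bayes update: add each source's log-likelihood ratio to the
    prior log-odds. A source that examined the asset and said "not ours"
    contributes the ratio of its miss rate to its true-negative rate.
    Sources that reported nothing are simply absent and contribute nothing."""
    log_odds = logit(prior)
    for source, says_belongs in evidence:
        tp, fp = SOURCE_RELIABILITY[source]
        if says_belongs:
            log_odds += math.log(tp / fp)
        else:
            log_odds += math.log((1.0 - tp) / (1.0 - fp))
    return sigmoid(log_odds)


def attribute(hypotheses: List[Hypothesis],
              threshold: float = 0.90) -> Dict[str, Optional[Tuple[str, float]]]:
    """Group hypotheses per (asset, org), score each candidate owner, keep the
    best, and attribute only if it clears the threshold (else None, meaning
    'needs a human or more evidence')."""
    by_pair: Dict[Tuple[str, str], Evidence] = defaultdict(list)
    for asset, org, source, says_belongs in hypotheses:
        by_pair[(asset, org)].append((source, says_belongs))

    best: Dict[str, Tuple[str, float]] = {}
    for (asset, org), evidence in by_pair.items():
        p = posterior(evidence)
        if asset not in best or p > best[asset][1]:
            best[asset] = (org, p)

    return {asset: (pair if pair[1] >= threshold else None)
            for asset, pair in best.items()}


# Constructed hypotheses for three assets and two candidate owners.
SAMPLE_HYPOTHESES: List[Hypothesis] = [
    # Strong corroboration from WHOIS and a certificate, despite reverse DNS disagreeing.
    ("203.0.113.10", "Acme Corp", "whois_org_match", True),
    ("203.0.113.10", "Acme Corp", "tls_cert_san", True),
    ("203.0.113.10", "Acme Corp", "reverse_dns_domain", False),
    # Only the LLM thinks this host is Acme's: not enough on its own.
    ("198.51.100.7", "Acme Corp", "llm_name_similarity", True),
    # Parent vs subsidiary: the subsidiary has the stronger, consistent evidence.
    ("shop-widgets.example", "Acme Corp", "tls_cert_san", True),
    ("shop-widgets.example", "Acme Corp", "whois_org_match", False),
    ("shop-widgets.example", "Acme Widgets Ltd", "whois_org_match", True),
    ("shop-widgets.example", "Acme Widgets Ltd", "tls_cert_san", True),
    ("shop-widgets.example", "Acme Widgets Ltd", "reverse_dns_domain", True),
]

if __name__ == "__main__":
    for asset, result in attribute(SAMPLE_HYPOTHESES).items():
        print(asset, "->", result if result else "unattributed")
```

The second sample asset is the point of the exercise: with the chosen reliabilities an LLM hint alone lands near 12%, so it stays unattributed until another source corroborates it, which is the automated counterpart of the manual review the interview calls for in the hallucination discussion.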
