
In an exclusive interview with Cyber Intelligence, Tim Grieveson, Chief Security Officer for attack surface discovery platform, ThingsRecon, explains how companies can protect their constantly expanding attack surfaces while using AI tools to monitor potential vulnerabilities in real time.
Cyber Intelligence: As the recent Marks & Spencer cyber breach shows, even large companies have vulnerabilities of which they are unaware. To what extent is this the result of the ever-expanding attack surface?
Tim Grieveson: A larger attack surface means there are more ways for potential attackers to get into a system. This includes things like more devices, cloud services, web applications, and connections to third-party vendors. The more complex a system is, especially when spread across multiple cloud and on-premises environments, the harder it is to maintain and secure. With a wider range of technologies and assets, it’s far easier to miss vulnerabilities. Unapproved technology, known as shadow IT, and abandoned resources can easily go unnoticed. Securing a larger attack surface inevitably requires additional resources. Companies may struggle to keep up with the increasing security needs, leading to vulnerabilities being overlooked. Larger employee networks increase the risk of mistakes, such as clicking on harmful links or using weak passwords. Security teams can also be overwhelmed by the sheer number of alerts from security tools, potentially missing critical threats. Having clear communication channels with contractors is also crucial, as any ambiguity in defining security responsibilities between the organization and the contractor can lead to gaps in coverage. It is also vital to avoid any legal ambiguity regarding data ownership and responsibility in the event of a security incident involving contractor systems.
Cyber Intelligence: Is it true that most organizations, even those who are well-resourced with up-to-date cybersecurity in place, frequently have no clear picture of their entire attack surface?
Tim Grieveson: Most organizations now face the challenge of an ever-expanding supply chain, including unapproved technology downloaded by individual staff members. Covid also changed the way in which the world works, and the impact of remote working and the increased adoption of cloud services has further expanded the attack surface. This effectively means that an easily identifiable security perimeter no longer really exists. When a contract ends, access privileges might also not be promptly or completely revoked, opening potential backdoor security threats. Contractors are also frequently not fully aware of or compliant with the organization’s industry-specific regulations and compliance requirements.
Cyber Intelligence: Organizations of all kinds increasingly use third-party contractors in the form of software and other frequently unapproved services. Can you explain what potential vulnerabilities this can create?
Tim Grieveson: Using third-party contractors in software development and services introduces a unique set of vulnerabilities of which organizations need to be acutely aware. These often stem from the external nature of the relationship and differing security practices. For example, contractors might be granted broader access to systems and data than strictly necessary for their specific tasks, increasing the potential impact if their accounts become compromised. The organization may also have limited visibility of the contractor’s security practices. Although it is less common, there can be a very real risk of a malicious or disgruntled former contractor intentionally introducing vulnerabilities or exfiltrating sensitive information. There may also be ambiguities regarding data ownership and responsibility in the event of a security incident involving contractor systems. Best practice involves developing a joint incident response plan that outlines the roles and responsibilities of both the organization and the contractor in case of a security incident.
Cyber Intelligence: How can companies begin to map their entire attack surface in order to detect potential vulnerabilities?
Tim Grieveson: There are five distinct phases to this. The first is to make a full inventory of all assets such as identifying all devices connected to the network. This involves listing servers, workstations, laptops, mobile devices and unmanned Internet of Things (IoT) devices plus network equipment. Software, cloud and web assets must also be clearly identified and all connections and data sharing with third-party vendors, contractors, and partners must be fully documented. The second phase is to analyse potentially vulnerable entry points. The third is to determine the potential impact of a successful attack entry point, taking into account the financial, legal, and reputational consequences. The fourth phase is to create specific plans to address identified vulnerabilities, including patching, configuration changes and the implementation of new security controls. The fifth and final phase is to continuously search for new vulnerabilities and suspicious activity.
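Editor's added example, not part of the interview and not ThingsRecon's code: a small Python script that carries the first three phases described above through on constructed data. It merges an approved asset register with the results of an external discovery scan and a list of third-party data flows, surfaces hosts that nobody registered (shadow IT), registered hosts with no owner or no recent sighting (abandoned resources), and vendor connections with no documented responsibility, then orders the findings by impact so the remediation plan can start with the worst. All hostnames, vendors and dates are invented for illustration.

```python
"""Reconcile asset sources to find attack-surface gaps (constructed data)."""
from dataclasses import dataclass
from datetime import date

# Source 1: the approved asset register / CMDB (hypothetical extract).
APPROVED = {
    "web-01.example.com": {"owner": "platform", "kind": "server", "last_seen": "2024-05-01"},
    "api.example.com": {"owner": "platform", "kind": "web", "last_seen": "2024-05-02"},
    "legacy-ftp.example.com": {"owner": "", "kind": "server", "last_seen": "2023-01-15"},
}

# Source 2: hosts an external discovery scan found under the company's domains.
DISCOVERED = [
    "web-01.example.com",
    "api.example.com",
    "legacy-ftp.example.com",
    "staging-crm.example.com",   # never registered: shadow IT candidate
]

# Source 3: third-party data flows, with or without a signed agreement on file.
THIRD_PARTY = [
    {"vendor": "Payroll Co", "asset": "api.example.com", "contract_on_file": True},
    {"vendor": "Analytics Ltd", "asset": "web-01.example.com", "contract_on_file": False},
]


@dataclass
class Finding:
    asset: str
    issue: str
    severity: int  # 1 = low, 3 = high


def find_gaps(approved, discovered, third_party, today, stale_days=180):
    """Phase 1 (inventory) and phase 2 (entry points): compare the sources and
    collect gaps; phase 3 (impact): order the findings by severity."""
    findings = []

    # Reachable from the outside but absent from the register.
    for host in discovered:
        if host not in approved:
            findings.append(Finding(host, "not in approved inventory (shadow IT?)", 3))

    # Registered but orphaned: no owner, or not seen for a long time.
    for host, meta in approved.items():
        if not meta["owner"]:
            findings.append(Finding(host, "no owner assigned", 2))
        age = (today - date.fromisoformat(meta["last_seen"])).days
        if age > stale_days:
            findings.append(Finding(host, f"not seen for {age} days (abandoned?)", 2))

    # Vendor connections with no documented split of security responsibility.
    for link in third_party:
        if not link["contract_on_file"]:
            findings.append(
                Finding(link["asset"], f"undocumented data sharing with {link['vendor']}", 2)
            )

    # Highest impact first; Python's sort is stable, so ties keep discovery order.
    return sorted(findings, key=lambda f: -f.severity)


def run_demo():
    """Run the reconciliation against the constructed sources with a fixed date."""
    return find_gaps(APPROVED, DISCOVERED, THIRD_PARTY, date(2024, 6, 1))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[sev {f.severity}] {f.asset}: {f.issue}")
```

In practice the three inputs would come from the CMDB export, the discovery platform's API and the vendor register rather than literals, and phases four and five are the patching plan and the re-run of this check on a schedule.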
Cyber Intelligence: Can you explain what role artificial intelligence (AI) can play in detecting vulnerabilities over such a wide attack surface?
Tim Grieveson: AI algorithms can learn the “normal” behavior of systems, networks, and users. By continuously monitoring activity, they can identify deviations and thereby dramatically reduce the number of time-wasting false alerts. AI-powered tools, such as those used by ThingsRecon, can also scan and analyze large codebases in real time, identifying coding errors, insecure practices, and potential vulnerabilities. By analyzing historical data on attacks and vulnerabilities, AI can predict which areas of an application or infrastructure are most likely to be targeted next. Machine learning models can also be trained to distinguish between genuine threats and benign activities, further reducing the number of false alarms. When a threat or vulnerability is detected, AI can automate initial response actions, such as isolating affected systems or quarantining malicious files, significantly reducing reaction times.
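Editor's added example, not part of the interview and not ThingsRecon's tooling: a minimal behavioural-baseline detector in Python that shows the "learn normal, flag deviations" idea from the answer above on constructed login log lines. It learns each user's usual login hours and source countries from a training window, then scores later logins by how many dimensions deviate and only alerts when more than one does, which is a crude stand-in for the trained model the answer describes for separating genuine threats from benign activity. The log format, field names, IP addresses and users are all invented for this illustration.

```python
"""Behavioural baseline for logins: learn normal, alert on multi-dimension deviations."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<iso-timestamp> LOGIN user=<name> src=<ip> geo=<CC> result=ok|fail"
LOG_RE = re.compile(
    r"^(\S+) LOGIN user=(\w+) src=(\d+\.\d+\.\d+\.\d+) geo=([A-Z]{2}) result=(ok|fail)$"
)

# Training window (constructed): what these users normally look like.
BASELINE_LOGS = """\
2024-05-01T08:12:00 LOGIN user=alice src=203.0.113.10 geo=GB result=ok
2024-05-01T09:05:00 LOGIN user=alice src=203.0.113.10 geo=GB result=ok
2024-05-02T08:40:00 LOGIN user=alice src=203.0.113.11 geo=GB result=ok
2024-05-02T17:55:00 LOGIN user=alice src=203.0.113.10 geo=GB result=ok
2024-05-01T22:10:00 LOGIN user=bob src=198.51.100.5 geo=US result=ok
2024-05-02T23:30:00 LOGIN user=bob src=198.51.100.5 geo=US result=ok
""".splitlines()

# Later window (constructed): one ordinary login, one late but local login,
# one login at 03:00 from a country never seen for that user, one normal bob login.
NEW_LOGS = """\
2024-05-10T08:30:00 LOGIN user=alice src=203.0.113.10 geo=GB result=ok
2024-05-10T20:15:00 LOGIN user=alice src=203.0.113.12 geo=GB result=ok
2024-05-10T03:02:00 LOGIN user=alice src=192.0.2.77 geo=RU result=ok
2024-05-10T23:00:00 LOGIN user=bob src=198.51.100.5 geo=US result=ok
""".splitlines()


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, src, geo, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "geo": geo, "result": result}


def build_baseline(lines):
    """Per user: the hours of day and the countries seen in successful logins."""
    base = defaultdict(lambda: {"hours": set(), "geos": set()})
    for ev in filter(None, map(parse, lines)):
        if ev["result"] != "ok":
            continue
        base[ev["user"]]["hours"].add(ev["ts"].hour)
        base[ev["user"]]["geos"].add(ev["geo"])
    return base


def score(ev, baseline, hour_slack=2):
    """List the dimensions on which this event falls outside the user's baseline."""
    prof = baseline.get(ev["user"])  # .get() does not create a default entry
    if prof is None:
        return ["no baseline for user"]
    reasons = []
    hour = ev["ts"].hour
    # Circular distance so 23:00 and 00:00 count as an hour apart, not 23.
    near_usual_hour = any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack for h in prof["hours"])
    if not near_usual_hour:
        reasons.append(f"hour {hour:02d} outside usual hours")
    if ev["geo"] not in prof["geos"]:
        reasons.append(f"new location {ev['geo']}")
    return reasons


def detect(new_lines, baseline, min_reasons=2):
    """Alert only when several dimensions deviate at once (or the user is unknown),
    so a single odd hour or a single new office address does not page anyone."""
    alerts = []
    for ev in filter(None, map(parse, new_lines)):
        reasons = score(ev, baseline)
        if "no baseline for user" in reasons or len(reasons) >= min_reasons:
            alerts.append((ev["user"], ev["ts"].isoformat(), reasons))
    return alerts


def run_demo():
    """Train on the baseline window and evaluate the later window."""
    return detect(NEW_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for user, when, reasons in run_demo():
        print(f"ALERT {user} at {when}: {'; '.join(reasons)}")
```

The 20:15 login from alice deviates on hour only and is deliberately not raised; the 03:02 login deviates on both hour and location and is. A production system would replace the two hand-picked features and the "two or more" threshold with a model fitted on far more history, but the shape of the pipeline (baseline, score, suppress single-cause noise, alert) is the same.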
Cyber Intelligence: What kind of cyber-attacks are companies now experiencing as a result of their expanded attack surface?
Tim Grieveson: There are many. They include not only ransomware attacks, but also potential vulnerabilities such as the exploitation of staff collaboration on platforms such as Microsoft Teams and Slack, where threat actors can impersonate colleagues or IT support personnel to trick employees into sharing credentials or clicking on malicious links. Malicious AI tools are also increasingly being used by cybercriminals to automate vulnerability discovery and accelerate account takeover attempts. To counter these and other threats, companies should make use of threat intelligence platforms and behavior analytics to detect suspicious activity and strengthen access control by adopting a zero-trust security policy and by automating security patching. Companies should also use strong authentication methods, including multi-factor authentication, while maintaining a real-time asset inventory and continuously monitoring and managing new and existing vulnerabilities.
Cyber Intelligence: Thank you.