Businesses’ approach to cybersecurity today should be characterised as a proactive approach, and not reactive, according to Etay Maor, Chief Security Strategist and Founding Member of Cato CTRL, who recently spoke to IoT Insider in an exclusive interview. He also spoke about how threat actors are investigating the use of AI as a tool to cause harm.
Having a holistic outlook
Maor outlined common cybersecurity “myths”, a prominent one is that “the attacker needs to be right just once and defenders have to be right all the time,” said Maor. He explained that reports on cyber attacks in the media can be misleading, as they depict this idea that it took cyber attackers one weak point in order to get in.
“There are 11 different tactics that attackers use, at the beginning of an attack this is tactics like reconnaissance, resource development all the way to initial access. At this point the attacker is in a network and they’ll use tactics such as execution, persistence, defence evasion … For every tactic, they have multiple techniques that they can use.” The point being that attackers employ multiple tactics and approaches to finally gain the data they want to perform a ransomware attack, for example.
“Look how many times an attacker has to be right in order to reach that final stage,” Maor stressed. “And on the other hand, look at how many opportunities the defender has to stop this.”
Looking at an attack holistically and part of a bigger picture was a running theme throughout the conversation with Maor. On who is responsible for preventing cyber attacks, the traditional answer would be the IT team, according to Maor – but this has evolved to bring together the whole business, in a holistic approach.
“Now we know that a security breach is not an IT issue alone, it’s a business issue.” Because of this acknowledgement, Chief Information Security Officers (CISOs) who historically have been technical people, are becoming more business-oriented. “We see boards of companies now saying, ‘Oh, okay, security is something that we have to take seriously.’”
Maor was keen to emphasise that although threat actors are exploring how they can use AI to help them, this is not a technology that is yet at a stage where it can be used, for example, to create code to hack people. “We’re not remotely close to an AI autonomous system that can hack networks by itself,” he said. “I teach at Boston College and one of the things I tell my students is that AI is not even close to replacing us. However, people who know how to use AI are going to replace people who don’t know how to use AI. That is what I see happening now with cyber criminals.”
Maor detailed that there has been a “lowering of the bar” in the technology people need to understand to commit cyber attacks. “In the past, for example, let’s say I wanted to target banks in Japan by running a phishing campaign. I don’t know how to write in Japanese, so in the past I’d have to go to an underground forum and buy a service that does translations for you.
“Now, you don’t need to pay for these services. You can ask the AI to do specific tasks for you, such as translation.”
On imparting a message for companies concerned with their cybersecurity, Maor likened it to the OODA Loop model: “It standards for observe, orient, decide and act. I think this is exactly what organisations should be doing.
“Start by understanding the threat landscape, start by observing, orient yourself and put yourself in the position you need to be in order to make the right decisions. And then act,” he concluded.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.