Creating Cyber-reconnaissance: Breaking Out of the Tech Bubble


The world of security products is often self-contained in its own technological bubble. I believe that’s because of some cultural issues in the security sector. Up to this point, most security tools have been created for IT and IT security teams, and they are almost entirely defensive in their function. These tools were created from the vantage point of the IT person: they’re focused on the infrastructure and systems that IT people know, and they are built such that IT people are comfortable configuring them. It’s a technology bubble.

But hackers don’t care about the things an IT person knows about, and they don’t think the way an IT person thinks. They don’t really care if the pathway to their objective is within the organization’s main systems, or through some inactive and forgotten asset, or through a third-party holding the organization’s data. They’re just looking for that easy win.


Operating Outside of the Prevailing Security Technology Bubble

For the last 30 years, organizations have been trying to defend themselves from the inside out with a “guard the castle” approach that’s only become more fragmented and less effective with each new wave of threats and defensive tools. Organizations will never be secured solely by internal defensive strategies and tools, no matter how many they use or how great their budget.

At CyCognito, we are approaching enterprise security from an operational point of view, an entirely different perspective from the “guard the castle” view that shapes every other security product. Much of what we do is more closely related to mass-scale search engines and analytics engines than to security. It’s a unique and inherently operational approach conducted on a massive scale that is far removed from how most security tools are developed and operate.

Instead of looking at an organization as a functional IT system, we start with an external perspective and think about an organization as a constellation of vastly distributed, often undiscovered or unmonitored targets. An organization’s threat-scape is something spread across the broad expanse of the internet.


The Hacker Doesn’t Use an IT Lens

Rob Gurzeev first approached me in 2016 with the idea of evaluating an organization’s attack vectors through the same sort of lens that attackers use, and I was immediately interested. Proactively, methodically and automatically discovering the sorts of exposures that attackers hope to find when probing a target was an intriguing new approach to enterprise security, and true “uncharted territory”. Using the latest large-scale data science techniques to analyze and prioritize those attack vectors would be a satisfying challenge to tackle. I signed on, and today CyCognito is charting a new category of solution, one that puts the power of nation-state-scale reconnaissance into the hands of security professionals.


What Will a Hacker Find When They Start Poking Around?

We started to architect our solution around a single question: if you're standing somewhere “inside” the internet and you point a flashlight in the direction of the company you’re targeting, what do you see?

In practice, the CyCognito platform looks for those first points of exposure that attackers will encounter when they set their sights on an organization. That’s our unique approach.

As a commercial security offering, the CyCognito platform operates at unprecedented scale. It covers a lot of ground – the whole internet – to give customers accurate, actionable, high-quality data. Helping the world’s largest companies find the far-from-obvious assets in their IT ecosystem means rigorously scouring the entire internet and identifying connections between assets that are not clearly or traditionally related: a forgotten domain that shares a TLS certificate with the main site, a subsidiary registered under a different name, a vendor host that carries the company’s data. These are the kinds of connections that, when a sophisticated attacker poking around discovers them first, provide an open conduit into the customer’s data.
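The discovery idea in the paragraph above, reduced to its simplest form: start from a seed hostname and follow pivots (TLS certificate SANs, the WHOIS registrant, CNAME targets, the registered domain) until no new hosts appear, keeping the chain of evidence for each attribution. This is an added example written for this page, not CyCognito’s code; the hostnames, registrants and certificate contents are constructed sample data, and the apex-domain helper is a deliberate simplification (a real implementation would use the Public Suffix List).

```python
from collections import deque

# Constructed observations standing in for what an internet-wide scan records
# per hostname (TLS certificate SANs, WHOIS registrant, CNAME target). Sample
# data invented for this example; none of these hosts or organisations are
# real. example-labs.net plays the forgotten asset: registered behind a WHOIS
# privacy proxy, so only a shared certificate ties it to the organisation.
OBSERVATIONS = {
    "www.example.com": {
        "cert_sans": {"www.example.com", "api.example.com",
                      "legacy-portal.example-labs.net"},
        "registrant": "Example Corp", "cname": None},
    "api.example.com": {
        "cert_sans": {"www.example.com", "api.example.com",
                      "legacy-portal.example-labs.net"},
        "registrant": "Example Corp", "cname": None},
    "support.example.com": {
        "cert_sans": set(), "registrant": "Example Corp",
        "cname": "examplecorp.helpdesk-vendor.example"},  # third party
    "legacy-portal.example-labs.net": {
        "cert_sans": {"legacy-portal.example-labs.net"},
        "registrant": "REDACTED FOR PRIVACY", "cname": None},
    "files.example-labs.net": {
        "cert_sans": {"files.example-labs.net"},
        "registrant": "REDACTED FOR PRIVACY", "cname": None},
    "shop.unrelated.test": {
        "cert_sans": {"shop.unrelated.test"},
        "registrant": "Other Co", "cname": None},
}

# Registrant strings that name a privacy proxy rather than an organisation.
# Pivoting on these would link every privacy-protected domain on the internet.
NON_PIVOT_REGISTRANTS = {"REDACTED FOR PRIVACY", ""}


def registered_domain(host):
    """Naive apex-domain helper: last two labels. Assumption for this example;
    production code must consult the Public Suffix List (think co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def pivots(host, observations):
    """Yield (candidate_host, reason) pairs reachable from `host` in one hop."""
    obs = observations.get(host, {})
    for san in sorted(obs.get("cert_sans", ())):
        yield san, "listed on the same TLS certificate"
    if obs.get("cname"):
        yield obs["cname"], "CNAME target (third-party service)"
    registrant = obs.get("registrant")
    for other, oobs in observations.items():
        if other == host:
            continue
        if host in oobs.get("cert_sans", ()):
            yield other, "listed on the same TLS certificate"
        if (registrant and registrant not in NON_PIVOT_REGISTRANTS
                and oobs.get("registrant") == registrant):
            yield other, "same WHOIS registrant"
        if registered_domain(other) == registered_domain(host):
            yield other, "same registered domain"


def discover(seed, observations):
    """Breadth-first expansion from a seed hostname.

    Returns {host: (reason, via_host)}, so every attributed asset carries the
    evidence that justified including it (first-found reason wins)."""
    found = {seed: ("seed", None)}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        for candidate, reason in pivots(host, observations):
            if candidate not in found:
                found[candidate] = (reason, host)
                queue.append(candidate)
    return found


def evidence_chain(found, host):
    """Walk attributions back to the seed: [(host, reason), ...], seed last."""
    chain = []
    while host is not None:
        reason, via = found[host]
        chain.append((host, reason))
        host = via
    return chain


if __name__ == "__main__":
    assets = discover("www.example.com", OBSERVATIONS)
    for host in sorted(assets):
        trail = " <- ".join(f"{h} [{r}]" for h, r in evidence_chain(assets, host))
        print(trail)
```

Two design points carry over to real tooling. The evidence chain matters as much as the hit list: an asset reached through www.example.com → shared certificate → legacy-portal.example-labs.net → same registered domain → files.example-labs.net can be confirmed or disputed hop by hop, whereas a bare hostname cannot. And every pivot has a false-positive mode that has to be handled explicitly, as the registrant check does here for privacy proxies; shared nameservers and shared IP ranges were left out of the example for the same reason, since on shared hosting they link unrelated customers together.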


Advanced Analytics Cut Through the Clutter

It’s important to understand both how an attacker will view an intended target and how the business itself values its assets. This business classification, or context, is an integral aspect of security that security and IT people rarely discuss or effectively take into consideration.

To bring that critical element to the forefront, the CyCognito platform automatically factors in which assets and data belong to what departments within an organization, who else may have access, whether the assets are customer-facing or internal-facing, and how the processes associated with an asset work. Taken together, an organization’s exposed assets and the business context of those assets form their attack surface.

To further cut through the clutter of alerts traditional solutions deliver, the CyCognito platform also prioritizes the most urgent attack vectors, those where a breach would do the most damage. Understanding the business context of what is exposed enables the CyCognito platform to identify what is likely to look most attractive to attackers. The platform may find thousands of attack vectors for an organization, but it will also distill those down to the 5 or 10 that an attacker would most likely pursue. This lets security teams focus on the exposures with the greatest potential impact.
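A minimal version of the prioritization described in the last two paragraphs: each exposure is scored as attacker attractiveness (how easy it is, boosted when nobody owns the asset) times business impact (data sensitivity, customer exposure, third-party access), and the list is cut to the top N. This is an added example for this page, not CyCognito’s scoring model; the weights, the assets and the findings are all constructed assumptions chosen to show how a loud but low-value finding drops to the bottom while a quiet one on a forgotten asset rises to the top.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    department: str        # owning business unit; "unknown" if nobody claims it
    customer_facing: bool
    data_sensitivity: int  # 0 = public content ... 3 = regulated customer data
    third_party_access: bool = False


@dataclass(frozen=True)
class AttackVector:
    asset: Asset
    issue: str
    ease: int  # 1 = needs skill and luck ... 5 = default creds / public exploit


def impact(asset):
    """Business impact on a 1..10 scale. Weights are example assumptions."""
    score = 1 + 2 * asset.data_sensitivity  # 1..7 from data alone
    if asset.customer_facing:
        score += 2                           # breach is visible to customers
    if asset.third_party_access:
        score += 1                           # data also sits with a vendor
    return min(score, 10)


def attractiveness(vector):
    """Attacker's view: an unowned asset is assumed unpatched and unwatched."""
    ease = vector.ease
    if vector.asset.department == "unknown":
        ease = min(ease + 1, 5)
    return ease


def prioritize(vectors, top_n):
    """Rank by attractiveness x impact; ties broken by raw ease of exploitation."""
    ranked = sorted(vectors,
                    key=lambda v: (attractiveness(v) * impact(v.asset), v.ease),
                    reverse=True)
    return ranked[:top_n]


# Constructed findings for a fictional organisation (sample data, not real).
LEGACY = Asset("legacy-portal.example-labs.net", "unknown", True, 3)
WWW = Asset("www.example.com", "marketing", True, 0)
API = Asset("api.example.com", "engineering", True, 3)
FILES = Asset("files.example-labs.net", "unknown", False, 1)
CI = Asset("jenkins.example.com", "engineering", False, 2)
SUPPORT = Asset("support.example.com", "customer success", True, 3, True)
MAIL = Asset("mail.example.com", "it", False, 1)

FINDINGS = [
    AttackVector(LEGACY, "admin login accepts default credentials", 5),
    AttackVector(WWW, "TLS 1.0 still enabled", 1),
    AttackVector(API, "verbose stack traces in error responses", 2),
    AttackVector(FILES, "directory listing enabled", 4),
    AttackVector(CI, "unauthenticated Jenkins script console", 5),
    AttackVector(SUPPORT, "vendor SSO misconfiguration allows account enumeration", 2),
    AttackVector(MAIL, "no SPF record", 3),
]


def top_hosts(vectors, top_n):
    return [v.asset.host for v in prioritize(vectors, top_n)]


if __name__ == "__main__":
    for v in prioritize(FINDINGS, len(FINDINGS)):
        print(f"{attractiveness(v) * impact(v.asset):3}  {v.asset.host:32} {v.issue}")
```

The point of the ranking is not the particular weights but the inputs: the “TLS 1.0” finding on the marketing site is exactly what a scanner flags most loudly, yet with no sensitive data behind it and a hard path to exploitation it lands last, while the default credentials on an unowned legacy portal holding customer data lead by a wide margin. Any real model needs those business attributes populated (department, data classification, vendor access) before the scoring can mean anything, which is why the attribution step above is a prerequisite for prioritization rather than an afterthought.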

With IT ecosystems that span the internet, thwarting cyberattacks is a very large-scale problem, and it won’t be solved by narrow, inwardly focused legacy security solutions. Preemptively preventing attacks requires a perspective that begins outside the technology bubble, and outside the organization.