Interview: How To Find Out Where Your Vulnerabilities Lie In Practice, Not Just In Theory

Cale Black is a Senior Security Consultant at WithSecure, a provider of leading threat detection and response and cybersecurity consulting services. In his role at WithSecure, Black helps organizations augment their internal security teams and delve into their networks to discover what security challenges and threats they’re actually vulnerable to, versus what’s written on paper.

At RSAC 2022, we spoke to Black to discuss the use of adverserial AI in cybersecurity and how organizations can prepare themselves to combat it, as well as how business can test their own environments to discover where their vulnerabilities lie in actuality, not just in theory.

WithSecure is a leader in the endpoint security space. What differentiates your solutions from those of your competitors?

WithSecure definitely has more of a business focus, so we tend to do a lot more consulting and specific services that clients need, and a lot the differentiation comes from how bespoke some of our services can be. 

We tend to be very flexible with how we do things. We’ve got a really good talent pool of folks that just really want to dive into things, even if it’s things that they’re not familiar with. We’re also very research-driven—a lot of our consultants are hackers at heart and really like to dive into things and find new ways of looking at things. 

Our clients like the work we do, and we can oftentimes become pretty integrated into their processes and stuff like that as well. So, we’ve got quite a few clients that like to bring us in and have us integrate and do some staff augmentation-style work under certain conditions.

It may not sound like sound like a strong differentiator, but when you’re actually interacting with and seeing how a lot of consultancies deal with clients, you see that it’s very transactional. We try and move clients away from that kind of thinking, and to try and focus on how to build good systems and actually fix real problems.

Some of your recent research predicts that cybercrime groups will begin to utilize artificial intelligence and machine learning to automate their attacks in the near future. What could this look like, and how will it affect our current approach to cybersecurity?

There’s a little bit nebulousness around how attackers do things and everything’s in conjecture. If we understood their methods, we’d actually have a handle on these types of problems. But as AI becomes more usable and as ML becomes a more understood process that gets taught in schools, it will become more of a thing that’s actually utilized in real world attacks. 

How that exactly looks is a little hard to say, but I can give examples of how it’s actively being used now. A perfect example is CAPTCHAs; things that actually prevent users from bypassing a wall, they have to solve a little puzzle or something like that. Those are actually exactly the types of problems AI is really good at solving. So, we’ve seen situations where, in order to bypass CAPTCHA services, someone will actually use the machine learning services provided by the company to actually crack their own CAPTCHA systems and bypass those restrictions.

I’ve done similar types of things to model and build around those, to crack those, or even just find patterns and things, and those are definitely going to be used more.

Anytime there’s a situation where there’s something hard to model but easy to replicate, you’re going to quickly get good candidates for AI and ML injection into an attacker process and I think it’ll just become another tool set in general for attackers. If something is hard to predict but easy to humanly model, it tends to be a good target for that kind of stuff. So, I think that’s the reality of how the world is kind of going to shift a little bit.

I don’t know if it’s going to fully take over, but it’s definitely going to be a component of day-to-day operations.

How can businesses adapt their security to address this?

With AI and ML, I’m actually a little bit of a skeptic. I don’t believe in general AI. I think that the reality is that it’s going to be used in situational locations. So, if you supplement even some traditional mechanisms of logging and behavior analytics with detections, you can actually get some models to figure out what’s happening. Because in the end, if someone’s trying to do something that’s malicious, whether it’s done by AI or not doesn’t necessarily matter too much to someone defending the network. 

There is some research on adversarial AI, where you’re trying to detect if someone is using an AI and things like that, that are okay candidates and I think we might see it deployed in certain types of environments, but I don’t think it’d be necessarily hugely adopted. Generally, this involves tightening of the behavior analytics components that are already deployed, to make them more aggressive than they used to be. And tying that in with real-time device detection and things like that, which are imperfect too, but will help keep that ceiling a little bit higher.

How does WithSecure help protect people against some of the threats that you’re seeing today?

We always encourage a continuous analysis with clients. Don’t just do what something once, come back and do it multiple times to get an idea of metrics on how you’re actually performing with, say, penetration tests or even some of our other more bespoke services like red teaming, web app assessments, etc.

That continuous analysis, and sitting down with the clients and having them track those metrics internally too, is something we always advocate for as it really helps people to get a handle on what is actually going on in their network and how they’re improving over time, instead of potentially stagnating.

So, we use point in time assessments to build a continuous map of how you’re improving over time. 

At what stage in their journey do customers typically come to you? Are they generally already fairly established when it comes to cybersecurity, or are they just starting out and looking for that direction?

Our clients are very diverse in terms of their security maturity to be completely honest. People who work with us will oftentimes come explicitly to us for expertise in certain areas. Some of our work with ERP solutions and things like that have brought lots of people to us in the past. But we also definitely get lots of clients who don’t know where to start, and for them I always suggest we do a network penetration test to see what’s actually there, see what’s visible, and actually sit down and discuss everything in your network as a graph. That lets you look at your environment in reality, not just on paper.

That’s where consulting is super powerful. It lifts the veil of what is documented, versus what is reality. Because the reality is what attackers look at; they don’t care what you’ve written down in your playbooks. They don’t care what you have as a process. They’re going after what’s really there.

And so sometimes, especially for people who haven’t done these types of assessments before, it’s a really good eye-opening experience to get an understanding of what’s going on in their environment.

As well as securing their own endpoints directly, it’s important for businesses to protect themselves from threats that move laterally via their partners, stakeholders and supply chains. How do these attacks work, and how can businesses avoid them?

I think the industry trying to figure that out. One of the key themes of RSA this year is definitely supply chain management. And I think that there are tiers to this.

There are first party supply chain problems, where the software you build has dependencies that might be compromised and directly impact your things. But then there are layers where—now that the world is more cloud-oriented and using anything as-a-Service—software components have their own third-party dependencies that could potentially be compromised.

So, I think that it’s going to be a tiered approach. People will look at what they have in their network, to figure out what their approval process is for getting dependencies and how software is built, to mitigate the impact from supply chain attacks. Figuring out how to do that is a core part of the process.

I think the reason this has become such a big deal is partially due to how software ecosystems have developed over the last few years, in combination with the fact that how it developed was not predicted. It wasn’t seen as a way that we were going to build software, and some of those components got lost in building those baseline security components.

So, I think what’s going to happen is those baseline security components that were missed are going to slowly get built in, and it’s going to become more of an internal process. And the impact of those will slowly wither over time in comparison to what they are now, where it keeps impacting people because they’re just trying to go fast and they don’t have a process for any of these things, and developers are just building all the software locally. 

So, in the end, it’s kind of a good thing that people are focusing on this, even though it seems like a doomsaying situation right now. Eventually it’ll become an ecosystem where people will have dependency managed and secure their supply chains. And there will probably be people who will turn that into a product with secure supply chains and things like that.

What is your final piece of advice to organizations struggling to protect themselves against today’s sophisticated endpoint attacks?

I think a lot of it is back to the basics. I’ll say this in every interview I ever give; the basics are missed a lot. Thinking like an attacker is not something that defense people often have the knowledge or know-how to do. But if you can get people who know how to think like an attacker and they see how the real world is? Let your internal employees attack your network under stipulations, and use this to figure out how someone could actually impact the businesses. Encourage some of that adversarial thinking so the business can better react to real-world risks, and not just audit-oriented things.

The real-world risk is what attackers are actually going to do. So run phishing campaigns and network attacks, run third-party pen tests or internal ones if you can afford it and have the skills, and actually prioritize those to be the top of the list to get fixed, because those threats are what’s really there versus what’s theoretical.  And those are really basic things. Network segmentation is one of the most missed things that we oftentimes run into in real world. People have been saying to segment your network and yet it’s something that people still miss, because of business needs in a lot of cases. So, go back to the basics and look at them from the ground up.

Thank you to Cale Black for taking part in this interview. You can find out more about WithSecure’s threat detection and response solutions and cybersecurity consulting services via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.