Fighting invisible threats with behavioural intelligence
Patricia Titus, Field Chief Information Security Officer at Abnormal AI
As cyber adversaries evolve from fragmented groups into highly coordinated, professional operations, the rules of engagement are changing. Enterprises are no longer targeted based solely on who they are, but on who they are connected to. Patricia Titus, Field Chief Information Security Officer at Abnormal AI, talks through how a shift toward identity, behaviour and context-driven security is crucial in a landscape where attackers are already inside.
We are seeing state-aligned actors shift from fragmented hacktivism to highly coordinated, unified structures. How does this ‘professionalisation’ of regional conflict change the threat model for a standard enterprise that isn’t a direct target?
I don’t think anybody is out of scope. Most enterprises will be thinking I’m not a bank, I’m not a defence contractor, I’m not a target. However, that logic is so antiquated today because to be collateral damage, you just have to be in the path of it – part of the supply chain, shared infrastructure, trusted partner or even just a customer. Hacktivists are inside your environment quietly, not kicking the door down loudly like it’s been in the past. What we’re seeing now is more disciplined, centralised tasking and shared tooling. Threat models need to stop being built around what you are, and start being built around who you are connected to.
If an adversary’s attack infrastructure is pre-positioned globally and independent of their home country’s connectivity, how can defenders move beyond simple geographic blocking to stay ahead?
If you’re using geo-blocking as your primary defence, you’re essentially locking the front door, but leaving the back door wide open. Attribution by geography is already a bit of a relic, despite only starting out five years ago. These actors operate through their own infrastructure in our own regions and on our own platforms. Blocking a Russian IP range does nothing when the traffic is coming from Frankfurt.
We have to shift our mindset and start thinking about how traffic is behaving and where it is coming from. For example, anomalous authentication patterns, unusual access sequences and lateral movement that doesn’t match a human work pattern. We need to be profiling the behaviour of the session, not the flag on the packet.
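To make the contrast concrete, here is an added example (not code from the interview or from Abnormal AI) that scores constructed authentication events on session behaviour only: off-hours logins and a burst of distinct hosts in a short window. The event format, the working-hours range and the host threshold are assumptions for illustration; both users come from the same country, so an IP-range block could not separate them.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (hypothetical format, not from a real system).
# Fields: timestamp, user, source country, host accessed.
SAMPLE_EVENTS = [
    ("2024-05-06T09:02:11", "alice", "DE", "fileserver01"),
    ("2024-05-06T09:15:40", "alice", "DE", "fileserver01"),
    ("2024-05-06T10:01:05", "alice", "DE", "mail01"),
    ("2024-05-06T03:12:09", "bob", "DE", "fileserver01"),
    ("2024-05-06T03:12:31", "bob", "DE", "db02"),
    ("2024-05-06T03:12:55", "bob", "DE", "hr-app"),
    ("2024-05-06T03:13:20", "bob", "DE", "backup01"),
    ("2024-05-06T03:13:44", "bob", "DE", "dc01"),
]

WORK_HOURS = range(7, 20)   # assumed local working hours for this user population
MAX_HOSTS_PER_5MIN = 3      # assumed threshold for distinct hosts in a 5-minute window


def score_sessions(events):
    """Return {user: [reasons]} for users whose authentication behaviour looks non-human.

    Geography is deliberately ignored: the signal is how the session behaves,
    not which country or IP range it appears to come from.
    """
    by_user = defaultdict(list)
    for ts, user, _country, host in events:
        by_user[user].append((datetime.fromisoformat(ts), host))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        reasons = []
        # Authentications outside the expected human work pattern.
        off_hours = [t for t, _ in evs if t.hour not in WORK_HOURS]
        if off_hours:
            reasons.append(f"{len(off_hours)} logins outside working hours")
        # Many distinct hosts touched in a short window: an access sequence
        # that resembles lateral movement rather than a person at a desk.
        for i, (t0, _) in enumerate(evs):
            window = {h for t, h in evs[i:] if (t - t0).total_seconds() <= 300}
            if len(window) > MAX_HOSTS_PER_5MIN:
                reasons.append(f"{len(window)} distinct hosts within 5 minutes")
                break
        if reasons:
            findings[user] = reasons
    return findings
```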
Social engineering is a ‘long game’. Since technical controls can’t easily flag a legitimate-looking conversation, how do we effectively harden the human element against such patience?
Technical controls are brilliant at spotting malicious attachments. But unfortunately,
INTELLIGENT TECH CHANNELS