Intelligent Tech Channels Issue 99 | Page 17

that specialises in getting access and a completely separate group that specialises in burning everything down.
Phishing alerts used to mean someone clicked on something they shouldn’t have, and we rebooted their machine. Now, it might mean someone has established a beachhead that has access, and that access gets sold in about 48 hours. Every initial access event is a potential scene setter for something catastrophic. We have to stop measuring severity by current damage and start measuring it by potential trajectory. The fire alarm matters even before the building is on fire.
Standard MFA is clearly failing against real-time proxy kits. What is the most pragmatic architectural shift an organisation can make today to neutralise these session-hijacking techniques?
In the 90s, VPNs were the saviour, then standard MFA was the silver bullet for all of us until it wasn’t. Now, phishing resistant MFA, for example with passkeys, is the immediate answer. These break the proxy model because the credential is cryptographically bound to a legitimate origin.
But let’s be honest, most organisations can’t rip and replace their existing security structure overnight. So in the interim, layer on session level controls – short lived tokens, device binding and continuous reauthentication.
The deeper architecture shift is Zero Trust – as a genuine operating model, not a marketing aside. Assume the session is compromised and verify continuously, not just at login. A lot of us would love it if we could just log in once a day. However, we’ve moved to cloud and we’ve moved to SaaS. These are environments where you need to reauthenticate those sessions.
If there was one thing every organisation should do this week, it would be to audit what you’re protecting and get it off SMS. That is the lowest hanging, highest gross fruit in most environments. If you’re using SMS texting, that is going to be your downfall.
Speaker bio
Patricia Titus, Field CISO at Abnormal AI, has over 25 years of CISO experience, including leadership roles at Booking Holdings, Markel, Freddie Mac, Symantec, Unisys and the TSA. She has directed security strategies aligned with business goals and regulatory standards. Known for expertise in risk management, AI, cybersecurity operations and crisis management, she has optimised security, enhanced resilience and integrated AI into security programs. Titus serves on the boards of Black Kite, Black Cloak, The Cybersphere Group and Glasswing Ventures.
When attackers rotate domains every few minutes, legacy blacklists are useless. How does your behavioural AI distinguish a sophisticated, ‘never-seen-before’ domain from a legitimate business email?
Email blacklists are fundamentally reactive. By the time the domain makes it onto a list, the campaign is already over. The challenge with Artificial Intelligence is that it moves so quickly. We’re fighting yesterday’s threats with yesterday’s tools. This is where our behavioural AI model comes into play.
Behavioural AI doesn’t ask, “have I seen this domain before?” It asks, “does everything about this communication make sense in context?” It looks at the history, relationship, urgency, time of day and even the sentiment of the communication. If I’m in regular communication with someone who always starts their emails with ‘Hey Patti’, and one day it starts with ‘Good morning, Patricia’ – that’s suspicious.
Of course, humans can see some of these things in real time, however AI can operationalise it at scale. Our goal is shrinking your window of exposure from hours to seconds and getting the alert to the right person fast enough to matter. We want your SOC analysts to be looking at what’s really important – not all the noise. The noise is what can be operationalised by our AI.
Looking ahead, do you expect these actors to use Generative AI to automate the high-trust social engineering that currently requires manual effort?
It’s already happening. The capabilities that exist today are a result of attackers utilising AI. Messages are personalised, contextualised, have flawless grammar and are generated at huge scale.
The volume alone changes the economics of the attack. They’re no longer sending out email blasts, spray and pray, hoping someone will bite. They are able to send very narrowly curated information about you and make that fit the attack. A skilled social engineer can run maybe a handful of these high-quality long game operations simultaneously. With automation, that number becomes hundreds.
The defensive implication is that we can’t just rely on spotting poor grammar or dodgy domains anymore. We have to focus on the request, the context and the channel. Organisations that get ahead of this are the ones investing in AI assisted defences now, not waiting until it’s too late. Humans cannot move fast enough to defend against the speed of AI attacks.