Using AI to Scan an Attack Surface

Student Assignment: Document all attack vectors to your enterprise. Use MITRE ATT&CK as a guide, and include all meaningful permutations. List all assets, including every dependency. Multiply the two sets, starting with a Cartesian product, but extend the domain to include groups of assets. Analyze each result and develop a risk-based plan to prioritize desired security controls and actions.  

The above assignment should take about six months to complete. When you are done, repeat the process, because your results will be out-of-date the instant you turn them in. As your instructor, I’d advise that you cancel your other classes, because this assignment will take up more than 100% of your time. My office hours are from 5:00AM to 6:00AM every third Tuesday if you need any assistance. Good luck.

OK – I’ll admit to some exaggeration: Students know that my office hours are much closer to, uh, never. But this attack surface assignment, if you really tried to do it manually, would proceed roughly as described. It would take months to do, because the sets are so large, and you would have to start over once done. And manually scanning your attack surface for the purpose of analysis and security planning is a total dead end. Don’t bother.

This scaling issue came up front and center during a discussion this week with an old friend of mine – an expert in our field, and a successful cyber entrepreneur: Gaurav Banga. His company, Balbix, uses artificial intelligence (AI)-powered automation to scan an enterprise’s massive attack surface and provide sensible decision support for security teams. (By the way, to cheat on the manual assignment above, Balbix would be the way to go.)

“Our predictive breach risk platform is powered by AI to make an attack surface visible,” Banga explained. “This allows our enterprise customers to discover and analyze this attack surface to understand and gauge their risk. From this, the security team can use our recommendations to develop a suitable security mitigation plan. We’ve found in our work thus far that use of automation is essential to getting this task performed properly.”

The way the Balbix platform works is that sensors and collectors are first deployed across a network – and this can include connectors to existing security telemetry sources such as your SIEM. The platform then begins its monitoring and analysis task using a component called the Balbix Brain (such a Seventies retro name), which is where the AI-based algorithms use the attack surface information to predict breach scenarios.

Typical cyber security information collected into the Balbix Brain includes host sensor logs, cloud-based workload data, network and traffic sensor-based telemetry (obtained from both east-west and north-south collection points), host-based log information from servers, desktops, and other endpoints, and data derived from special connectors to firewall logs, Active Directory (AD) audit trails, and other sources of relevant security information.

Balbix’s sensors perform a first level of machine learning on the raw collected data. This task results in a set of higher-level data insights, which are then sent to the Balbix Brain for subsequent analysis. “This edge and brain computing model is essential to address massive data computation,” Banga said. “The processing model is inspired by the hierarchical structure of the human nervous system.”

The Balbix system integrates with existing enterprise ticketing or orchestration infrastructure components to maintain consistency with other cyber security processes and initiatives. “We believe that the continuous discovery of attack surface elements that we enable,” Banga said, “truly enables the right insights to prioritize and ultimately improve the overall security posture of our customers’ enterprise networks.”

From a TAG Cyber analysis perspective, this platform and solution are right on the money – and for the reasons illustrated by the mock assignment at the top of this article: This task cannot be done manually. This implies two options – namely, either not doing it at all, or employing suitable automation to guide the process toward accurate conclusions about the attack surface. Balbix seems well-suited to that task.

The challenge, obviously, is that this type of processing doesn’t fit neatly into existing funding categories or analyst quadrants (ugh). The Balbix team must therefore help its clients understand that, while adjacencies clearly exist to scanning solutions from companies such as Qualys or to more data-oriented platforms such as those from Varonis, this is a new capability with its own value proposition. This will require marketing and good messaging.

I’d recommend that you contact Gaurav Banga and his Balbix team to request an overview and demo. I will admit to some bias in recommending an old friend and colleague, but my guidance remains: This is a good use of automation on a platform that is likely to identify and help close vulnerabilities without running into the obvious scaling issues of trying to do this manually.