Autonomous Ethical Hacking for Accurate and Continuous Security Testing

I start with as everyone starts, right? Like we know that cybercrime is here. We know that is, is is getting bigger and bigger. We know that nowadays one in eight businesses are at with more than six digits per, per loss every year, okay? And everyone is talking about cybercrime and we are defending a lot against cybercrime, right? What I'm going to talk with you is like how to prevent cybercrime. Because if we put all the money that we spend in cybersecurity right now, which is billions in prevention, maybe we'll not have so much cyber cybercrime as we have, okay? And these are some examples.

You know, these more than me, okay? What I just wanted to tell you here is like, there are business that are going out of business because of hacking, okay? Or criminal hacking.

We call, we call them crackers, not hackers, okay? Because hackers for us, they are the the good guys. And what we are seeing right now is this transition where hacking is already going and is already affecting physical systems and even health. Okay? So you see here, attack in French, I can tell you like that three weeks ago there was a big attack in Portugal to an hospital that was three days without operating and doing surgeries. Okay?

So when we are starting doing that, like when hacking is starts like having interference also with our physical lives, I think we need to, to take a step back and we need to think what's going on, why we are not preventing it enough, okay? And the main reason that we see is that digital exposure is bigger than ever. Okay? So why is that happens? Because it's like, it's like a city, okay? Our organizations, we have built, we've been building buildings all over the city, but are we monitoring them?

And our work with enterprise have shown us that around 30% of external tax surface management is unknown to the organization itself. So if 30% is unknown, how can we really monitor and defend it if we don't know it? Okay? And this happens for several reasons.

We, we have digital transformation, we have cloud, we have remote work. Third, more, third party than ever. So the first problem is that is 30%, okay? In the past level. And that is from our experience and also some sources that we see that more or less, 30% of it is shadow. Okay? So they don't know it. So how to prevent cyber attacks, that's easy, right? So I like this, this figure here, okay? So this is basically how hack see cybersecurity. So if we see cybersecurity, we, it's goes down between two ways. Offensive and defensive, right?

We focus a lot on defensive, but if we look at it, everything starts at two things on the core. So vulnerabilities and patching. If we find vulnerabilities and patch, that is the core of cybersecurity, of course we have the, then the payloads, the infrastructure, the business model, wherever, but everything goes to the core of cybersecurity is still vulnerabilities. So it's easy, right? If this is the core, the way to prevent it is basically identifying vulnerabilities, right? That's quite easy. And patch them fast as well. But that is only possible throughout offensive security testing.

The only way for you to identify vulnerabilities is hacking. That's no other way. You just need to find them and then patch it, of course, right? The problem with hacking and testing, see offensive security testing today is that people put it in two buckets, okay? So you do manual testing for example, but bounty, for example, pen testing, wherever.

What, what is that problem? So how many of you do more than one pen test a year? Not so many, right?

Maybe two, three. But is that enough? Even bug bounty is very expensive. It's very timely and it's, it's not enough, right? If we just think about cvs, there are now 70 cvs, new cvs per day, okay? And statistics say that hackers with automation, they are taking 15 minutes to start, not exploit, but to start like attacking everyone with this Duke knowledge, okay? We have seen this happen with a client with log four J some years ago, some years ago when log four J appeared, four hours after flock four J was published, there was already attacks with log four J. Okay?

So basically we need more frequency, the manual testing, okay? And then you can say, okay, but there is scanners, there is dust, there is dust, whatever. Okay? We are more focused on, on the, the part of, of the external attacker face here. So dust and, and the external attacker, black box testing, right? And that the problem with scanners today, and I don't know how many seasons there is in this, in this room, but what people are telling me is no one trusting scanners anymore because you have hundreds of alerts per day. Most of them will be compliance issues.

So good practices and the other af there will be false positives. If an impact of vulnerability is coming from a scanner, there is no trust from them to go look at that and mitigate it because most of the way it'll be a false positive. Okay? So there is a vulnerability burnout problem right now at CSOs. So how can we basically put both of both worlds together, okay?

And the, we make security testing first proactive because it needs to be proactive, needs to be offensive, but then how we make it continuous, instant and accurate so that we really focus on the core of the industry and identify vulnerabilities and patch them, okay? And basically what we do at ATAC and how we believe it is that the best way to do it is to combine both approaches. Okay? So we develop, and that's why we call autonomous hacking. Autonomous is not automatic, okay? We have an automatic approach. We have artificial hackers that basically do in breath and continuous testing.

So they are 24 7 testing and they don't work like a scanner. We are going to see why in a bit. And then what we believe is that manual testing is still important because there is no creativity that you can pass to the machine. A i is here of course, but there will that, there is this part of the creativity. But the problem withers is that most hackers, they are creative and they don't want to focus on the pen testing and the checklist based list. So you just automate that part.

And this is like per to principle, you do 80% automatic with 20% of the impact, and then hackers come in and they can really focus on the logical bugs on the creativity part and they can do 20% of the impact, sorry, 80% of the impact with 10 20% of the, of the work. Okay? And what we are basically doing here is we are now using AI to basically flow knowledge from here to there. Okay?

So we have a pool of hackers that work with us first to build our more automatic modules and then to, if we are doing manual testing and we can ize that, we will pass that knowledge and we are using AI and LP to be more precise, to basically get the inputs of this vulnerability identification from manual testing and build a module with that. Okay? What we believe is that this should, this knowledge should all always power that one. Okay? This is the dashboard that we have, okay? So this is the, the ATAC Porwal.

Basically what you have and what you can see is that we have machine and human acting. Okay? So basically the idea is this, you have 24 7 testing with our machine, and then you can launch multiple events, several events per, per year with manual testing. When you define the scope, you go more in depth in that scope and you go way more in depth than the machine, okay? And basically that, so you can find here what we have, we do, first we do external attack, surface phase management. Why? Because recon is the first step as is important step for hacking.

If you don't, if you cannot, if you don't know what you have, you cannot test it. So it comes a little bit by, by force, right? Like we started doing more hacking modules and then we went a little bit in the external attack surface management. But what we have is vulnerability analysis and prioritization. That is what we basically focus more, okay? And every vulnerability that we find they will come with description will come with steps to reproduce the impact and mitigation.

And when I talk about accuracy, okay, what I'm telling you is that right now we have 99% of accuracy in our automated solution, okay? We have less than 0.5% of false positives. Why? Because we are, we are, we develop the technology that allow us to do a benign exploitation, okay? And identify a vulnerability with a high accurate of, of certainty, and that we call it proof of vulnerability. So how this, this machine works, it's not a scanner, usually scanner. What it does, it has a bunch of tests and it runs the tests on that, on that part.

So you run that, you run the scan and you have like, you overcharge your network, you overcharge your assets, there is a bunch of tests going on. What we do is we use machine learning and we use the attack surface first to identify what are the, the sub domains, what is the s port scanning fingers, service, finger printing. And then only then we'll start doing tests. So we first, our machine works like as, as an event approach, okay? Event approach test. So we are continuous monitoring your external attack attack, surface your infrastructure.

We know when you do changes in your infrastructure. So we know when you push code to production for example, and we run tests based on that. Okay? Then we have this accurate triaging. So we have automatic triaging. Right now we are doing mostly black box, but we are also doing some gray box testing automatically, okay? And what is interesting is this instant knowledge propagation that I told you.

So for example, if we have two clients and I'm testing, I'm doing manual testing in one client, and now I found a vulnerability that the machine didn't find, and I build a new module into the machine based on that knowledge and the machine is now running on another client, I'm protecting that client with the knowledge of the other one, okay? And that allow us to build a, a security collaboration environment. Okay? That is very interesting. And now it's with more client, it's, it's getting very interesting. Okay? Then we also do automatic retesting of patch vulnerability.

So if you market as fixed, we, we are able to retest it automatically. And we are doing compliance reports of course because our machine will be, does basically automated pen testing. So the idea is why most companies do pen testing mostly is because they want to be compliant, not mostly because they want to be secure, right? So we also provide compliance reports on that. Okay? So you can see here how, how iTWO, how it looks like the part of the machine hacking.

So you see the vulnerabilities to the scope and you see the external attack surface face here where you have the assets, you can prioritize, prioritize assets as well, and you can see what your external attacks are faced, okay? And here is the, really the value proposition in terms of our automated solution compared with the scanners is the accuracy of the solution. So what clients are saying to us is that they have scanners and they have atac, they know when vulnerability comes on atac, it should be, it's valid and we should look at it, okay?

And we are putting the compliance issues in another part of the, of the dashboard, okay? Then you have the human ethical hacking events, okay? So basically what this does is like we work with a vetted ethical hack pool, okay? So this is our ethical hack that work with us continuously. They are vetted by us. We have a 5% acceptance rate right now. We do very strict vetting on them, but the idea is the machine can only go so far, right? So you have this bank of hours, you define the scope, you, you launch these tests, and then there is this reporting, okay?

So how we are doing this and how we are making it really interesting is that we work as a mix between pen test and bug bounty. So for example, if you're an hacker, if you go to a bug bounty program, if you don't find anything, you will not earn anything, right? But if you, if you are going to a pen test, you earn by hourly rate, but even if you find critical or if you find compliance issues, right?

So what we are doing here is every act that works with us, they, they will earn at the hourly rate, but then we create a competition between them, between these in these two weeks of event and then the hourly rate will go up or will go down depending on the vulnerability that they find. So they can earn twice or three times what they should earn, or twice, two times or three times less, okay? Between them, the client always pays the same. Okay? So this gives us the impact driven results as well. Okay?

Basically that, so events are this, so you can launch different events and what we found is that these methodology gives you four times more impactful results. Then we are, we were having, when we're doing pen testing, because we already did pen testing services, right? So you can see it here. So in terms of numbers, what I can tell you is like we, we just started, okay, we have one year of existence working from it is is one year we already protected that is the wrong number. We're protecting right now, 30,000 these daily assets, okay?

So we are continuously testing 30,000 assets when I'm talking about assets, our ips, our sub domains, okay? For example, we identified more than 20 vulnerabilities, we had more than 200 hacking events in terms of humans. And what is very interesting is these 15 vulnerabilities learned by ai. So that's what I was telling you. So right now our hackers, when they find something that the machine couldn't find, they are inputting this information in a system. And now we are, and the machine is learning with that information based on NLP technology, NLP language. Okay?

So this is what we have been working mostly right now. Yeah, some clients, at least the ones that that allow us to, to, to say, okay that we work with them. We have been getting some, some prices. I don't want to be like very sales here, but it's what it is. And what why you should test with us is because what we, we really believe that test is the answer for cyber attacks. As you said, as as I showed you, vulnerabilities are the core of the industry.

The more you test, the more vulnerability identify, the more vulnerabilities you patch and the more secure you are, even if you don't do so much defense. The, the idea is how to find these vulnerabilities. They can be vulnerabilities in technology that we are focusing anymore, but can be also vulnerability in humans or in vulnerabilities in, in physical locations as we saw earlier, right? But the idea is this is our values, okay?

So how we work is we work with transparency, we work ethics, we work with synergy because security needs to be collaborative and we work with trust of course, which is the basis of the industry, okay? And that's it.

If I, I have some learnings from this, this presentation, I just want to give you like these six final points, okay? The first point is, guys, you need to focus on the core, right? You want to be secure, you need to identify vulnerabilities, and for that you need acting. Okay? So let's stop making actors the bad guys, and let's use them as our advantage because they are here as well to protect organizations and you need to bring them to the light side of the force. Okay? Then prevention starts with this ethical hacking. Okay? And ethical hacking shall be frequent and fast.

We need to identify vulnerabilities continuously, okay? Not by weekly, not monthly, not annually. And we need to patch them fast and it needs to be accurate because if you are focusing on the impact, on the compliance issues, on the good practices, we are not really focused on the core. The idea about this autonomous ethical hacking is what we believe is the future, okay? We believe that the future is combining both approaches, machine, human and AI learning with that, okay? And what we believe is that the future is symbiotic.

There will no, there will no be AI that replace humans, but humans and the real good actors, they need automation to do the bo boring job. Okay? So let's start, stop reacting and start preventing. And if you have questions, I'm here to say, and what I say is like, go, go and give us a change. Sign up for a free trial and you can see the difference between solutions that you have and solutions that we, we, we have here. Okay? So pass by tak boot or just ask some questions. Thank you so much for listening.