Throughout the past 20 years, enterprise security has been pretty much on a non-predictable beat. But threats gradually changed and a security team that had sufficient staff members could learn, prepare a defense to an attack pattern and maintain a lead for a reasonable amount of time. That beat has been disrupted! Today, generative and adaptive AI have given attackers tools that learn, iterate and personalize faster than humans could keep up with just a few years ago – and they are using them against those organizations that haven't caught up with security playbooks designed for a more traditional and slower past. This leads to a change in how defense is done, moving from periodic and predictable defense towards a more continuous and automated defense, where an attacker's tool arsenal is improved overnight and the defender's tool arsenal must be too, or else the gap just continues to grow. Those companies that are complacent about this future issue are already behind; this AI-era threat landscape isn't coming, it’s happening.
Elevating Attack Surface: Weaponizing AI
AI's impact on the threat landscape is the most tangible and quantifiable – namely in social engineering and in particular, how much friction it removes for the bad guys. Phishing used to be a real effort – performing some research on a particular target, drafting the email properly – and even then, there were some tell-tale signs that trained employees could notice such as the incorrect spelling, awkward phrasing, and even the generic email greetings. Generative AI virtually takes that work away. Now an attacker can take a model a piece of information that was leaked about an employee, for instance his job title, recent LinkedIn activity or a company press release, and receive back a fluent, contextually relevant, grammatically correct email in seconds. The standard "watch for spelling errors and unusual sentence structure" is no longer the case as the indicators of a phishing attack have been removed by the same technology used to create the phishing attack.
Scale is the 2nd large shift. A human social engineer could be able to make a few crafty and targeted attacks a day. That same play book can then be targeted against thousands of employees at once – each message a little different, but each believable enough to get past a tired employee during a hectic afternoon. This is no longer mass spam – it's mass-customized deception – and it alters the numbers when it comes to employee training. When staff are told to consider “suspicious emails” to be a good indicator, it becomes a bad indicator – more and more.
The third front is the malware itself is adaptive. The traditional malware were based on fixed signatures and with the help of a good endpoint detection system could be detected and quarantined over time against known variants. Self-learning malicious code alters that equation: It can test a target environment, see what causes a defensive response and change its behavior, all in near real time, to avoid detection. Threats are no longer a mystery to security teams, but are an entity actively learning the security team's defenses during the attack. Add to that the rise of shadow AI in the workplace, where employees are using unsanctioned AI tools to speed up their work, often without IT even knowing, and you've got a second, off-the-radar attack vector where data is being taken out of the organization's control – not to mention off the network. Throw in data poisoning: an attack in which malicious actors introduce intentional errors into the data used to train a company's own AI models, causing the AI model to generate inaccurate or fabricated results, and the threat surface no longer is at the network perimeter. Now it also has the integrity of business data and models it relies upon to make decisions.
As a Defense in securing the Digital Portal: Lightweight Architecture
Most of the AI-era threat conversation is about phishing and malware, but in a business, its blog, newsroom and knowledge hub can be an easily overlooked aspect of the same attack surface that needs the same attention as email security and endpoint security.- The amount of code is attack surface. All plugins, scripts and third party integrations on a website are possible access points, so a ‘full-featured CMS' with dozens of plugins provides more opportunities for an attacker to look for unpatched, outdated or poorly secured code than a lean, singular purpose-built theme does.
- The less that is dependent on the server, the less there are patching holes. You have to maintain the entire chain of server-side scripts and DB calls; with heavy platforms, there are many more of these to maintain, and this means that there are many more exploits possible if any of these scripts is not kept up-to-date.
- Piki Templates (pikitemplates.com) provides lightweight templates which help minimize — but not eradicate — this type of risk. Minimal code blogger themes like ‘Grid Mag’ and ‘Quick Spot' are more streamlined and have fewer injection points than other common CMS templates, and little custom script, reducing the scope of common front-end issues, such as old plugin exploits or unneeded injection points (although, it is important to note that these are only at the website level and not phishing or malware or even network-level threats).
- Faster pages load times help with quicker security monitoring – not just a better user experience. If the site itself doesn't have a lot of heavy components, security and monitoring scripts (uptime checks, intrusion detection widgets, SSL verification tools and more) load and execute quickly without having to wait for heavy site components to load first, which is important when teams require monitoring data to surface in a timely fashion.
- Consistent rendering of mobile-optimized layouts ensures there are fewer risks of inconsistent rendering. Mobile-optimised theme helps to minimise the type of ‘broken' or ‘inconsistent' page behaviour that can sometimes be used to exploit or that can obscure malicious overlays and fake inputs to forms on pages with poor responsiveness.
- The simpler, the quicker and more thoroughly an audit is done. Using a lightweight, clean and well documented theme can significantly reduce the amount of time spent on a security audit of a site, lessening the likelihood of vulnerabilities being discovered later and not being part of the original design.
- The benefit of reduced complexity is a team has more bandwidth to perform on higher value defense tasks. Each hour spent by a security or IT team on a basic vulnerability at the website level is one less hour spent tackling the more critical challenges in the AI era: AI-driven phishing detection, network segmentation and monitoring for data integrity.
What is the journey to create a Resilient Authority Hub in the Threat Landscape?
Often, a company's blog, technical wiki or news hub are viewed as marketing tools and not security tools, and that's where the problem lies—the lack of shared focus makes it a nice soft target. The hubs can often contain much more than just content for promotion — technical documentation, notes on internal processes made available to others, customer-facing knowledge bases — and if the hub isn't properly secured, it can be an easy gateway into a much broader network, or a place for a hacker to post fake content that undermines customer and partner trust.
Here, what looks good is more than just good, a stable, well structured framework is important. Using a theme such as ‘Wind Spot' or any other safe, minimalist blogger template provides an organization with a more central hub that has fewer moving components; meaning, less places for an attacker to try and inject a SQL attack, a cross-site scripting attack or exploit a forgotten plugin that nobody had the chance to update since the blog went live 2 years ago. While it certainly isn't a replacement for any of the other critical access control, patching discipline or web application firewall measures (those measures are also a must), it does make it easier to do all of that ongoing maintenance, as opposed to always having to overcome a hill of unnecessary complexity from day one.
The deeper strategic value is what this becomes a distraction from. Keeping up with phishing simulations, tracking for suspicious use of AI tools, and ensuring integrity of AI pipelines are already burdens enough for security teams in the AI era. If the communication hub is not continually weak with low-level vulnerabilities, there is one less area to defend, and the people responsible for security can spend time on the areas that pose the greatest risk to the organization—the areas from adaptive, automated and increasingly intelligent adversaries, not the company blog with a forgotten plugin.
In today's fast-changing landscape, agility has become a key strategic priority for security.
It won't be the business that has just one firewall and the most costly threat-intelligence subscription that will be the winner in this new threat landscape. It's the folks who know how to keep things simple at the bottom, while keeping them sharp at the top, and who know how to design network monitoring, employee training, and the structure of your website to work together, rather than to hinder each other. While AI has pushed the envelope on what an attacker can do, the core of good defense remains the same: Minimize unnecessary complexity as much as possible, be vigilant in areas where complexity cannot be avoided, and don't assume that yesterday's defenses are sufficient against today's attackers.
