Decoding Threat Actor Behavior, Analyzing Person-Based Profile, Training AI with Datastreams, and Creating Less Friction for More Adherence

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

TechNadu interacted with Kris Bondi, CEO and Co-Founder of Mimoto, to explore the nuances of person-based identity verification as opposed to credentials-based methods. Bondi elaborated on types of evidence, limiting false positives, and remote worker impersonation.

Human inputs on various devices, including the touchpad, could give away a lot about their identity, which could be used by researchers to find them. Bondi underscored the critical role of combining datastreams and training AI accordingly to improve efficiency and accuracy.

She highlighted the importance of a person-specific profile analysis and examining how someone usually interacts with devices, to create a contrast between an impersonator and an employee to prevent unauthorized access, escalated privileges, or stolen data.

Read on to find the details about detecting insider threats, digital footprints, and utilizing LLMs for intent-based analysis of a series of actions.

Vishwa: Please tell us about your journey to founding Mimoto. What drove you to cybersecurity? What is your advice for someone aspiring to found a cybersecurity company?

Kris: I’ve been fortunate that most of my career has been working with the most cutting-edge technologies. When you’re working with foundational technologies, security is always a significant consideration. 

My background is unique in that I also have many years of crisis management experience. This combined experience has made me very aware of the holes legacy cybersecurity solutions leave. 

For too long, cybersecurity vendors have focused on managing processes and adding friction for end-users. It’s a simple equation - more friction equals less adherence. Mimoto’s approach draws from building blocks of technology from our team’s past, coupled with additions that are only technically possible today.

My advice for someone who wants to found a technology company is to first look for a problem to solve. Next, conduct a thorough market analysis. Go beyond market sizing. Interview as many people as you can who fit the profile of who you assume will be your target customers. It’s important to include questions that help you ascertain if your solution is a must-have or a nice-to-have, and why.

Vishwa: Being a co-founder of an AI-powered cybersecurity company, do you envision a futuristic AI-based solution with the potential to prevent risks? What would be its features, and which cyber threat would it address?

Kris: While AI is a powerful addition to the cybersecurity arsenal, it will never be able to prevent risks. We must remember that cybercriminals are also utilizing AI. Threats created with AI continue to evolve.

Enterprises trying to protect themselves should look to AI to minimize risks, determine who did what after an incident occurred, and, in my opinion the biggest AI impact, catch and respond in real time to active malicious behavior. This enables responsive measures before it has been weaponized, for example, in the form of ransomware or stolen data.

Vishwa: Please share your observations of what you’ve seen when Mimoto has identified a user being impersonated, like the motive behind impersonation, selection of the target, origin of the threat actors, and so on.

Kris: In our experience, the driving force behind most impersonations has been to stealthily gather information or make changes that, if not caught, would have been exploited by adding backdoor access or ransomware.

A common target is high-value accounts that have both the veil of anonymity of a group account and extensive access authorization. For every person who says it is a bad security practice to use group accounts, there is an army of professionals ready to explain why it’s unrealistic to believe organizations can survive without operational accounts. 

If we accept the assumption that these accounts will exist and they’re likely to be targeted regularly by both external attackers and internal threats, it’s critical to identify and react to who is using these accounts.

We’ve also surfaced poor internal security practices in coding approaches or the use of root access. Because solutions like Mimoto can recognize users without credentials, these practices have been quickly addressed with anyone not following the organization’s security protocol.

Vishwa: What are the types of evidence that lead to discovering unauthorized access through remote worker impersonation? What are the common mistakes threat actors make that companies should look for to block them?

Kris: To detect and respond to unauthorized access with minimal false positives, it’s important not to rely on only one type of evidence. Evidence that a remote worker is being impersonated ranges from the obvious, such as being in the wrong location from a device that hasn’t been used before, to more sophisticated, including the way they type or use their mouse and quirks about how the person interacts with data or systems. 

This may be in the order of actions someone normally takes or what tools they use at what time of the day.

Companies should be looking at the combination of actions and interactions to identify their remote workers. Similarly, they should also make automated checks before kicking people out of systems. For example, if I’m an SRE who looks like me in every way, but I’m typing erratically, it would be a good idea to check the change management system to see if I’m responding to an outage before I’m kicked out.

Vishwa: Are there subtle differences in touchpad activities, typing style, and other interactions an imposter has after a corporate account takeover? Could you detail how cybersecurity solutions help spot them?

Kris: Human input of all kinds is unique to a person. Usage of a touchpad or mouse, or typing style can be measured and analyzed in multiple ways. While each is effective in identifying a person, these methods become much more effective when they are combined with each other or with other datastreams. 

This makes identification more effective and, conversely, makes spotting a fake easier. If the AI-powered solution adapts so that it isn’t reliant on a specific datastream or group of datastreams, the cybercriminal isn’t able to mimic the person-based profile. More simply said, if you don’t know what is being analyzed, you can’t train to duplicate it.

By analyzing person-specific profiles with how that person usually interacts with devices, systems, and applications, the bad actor appears as if they’re wearing neon. They are obviously not the person they pretend to be. Even the initial actions they take can reveal their intentions.

Vishwa: Can AI detect insider threats based on their digital footprint and online activities? What are some of the common giveaways that AI uses to offer timely notifications?

Kris: Some cybersecurity tools analyze what employees do in the digital world, whether they are related to work or not. These solutions assign a risk score as they attempt to determine high-risk individuals based on their online activities. This is a risk analysis approach.

My company, Mimoto, doesn’t take this approach because it may trigger privacy concerns in multiple regions. Second, by not collecting this information, we can’t have information exploited that we never had. 

Our belief is that insider threats can be detected and addressed in real-time by knowing when company-related activities are out of the ordinary. In addition, LLMs may be automatically queried to help determine intent based on a series of actions.

Vishwa: What steps would you recommend enterprises and individuals take if they have reasons to believe that their systems have been compromised by unauthorized access?

Kris: Anyone who suspects their systems may have been compromised should prioritize identifying if the unauthorized person or bot is still within their system. Shut down the access, then figure out how they were able to gain access. 

Removing bad actor access is critical as it could stop data from being stolen or a ransomware script from being launched.