AI is amplifying the risk of "toxic combinations", security leaders warn
"Individually, each risk is relatively minor, but combined, the danger increases considerably."
Security leaders fear that AI is intensifying the risk posed by "toxic combinations".
A study from Panaseer, a Continuous Controls Monitoring (CCM) vendor, has found that rising IT complexity is intersecting with a range of other interconnected risks to create new attack pathways.
"The term 'toxic combinations' originates from pharmacology, where mixing certain drugs can have deadly effects," explained Marc Möesse, Chief Product Officer at Panaseer. "In cybersecurity, it describes the compounded risks when multiple security weaknesses overlap, creating layer upon layer of risk."
Möesse argued that "almost all breaches" result from "some form of toxic combination".
"For example, a user who has failed multiple phishing tests might have access to critical systems and an exploitable vulnerability on their device," he continued. "Individually, each risk is relatively minor, but combined, the risk increases considerably. The whole is markedly greater than the sum of its parts.
"Now with AI, attackers can create more sophisticated attacks with minimal effort, so there is a greater chance that attackers will uncover and exploit toxic combinations."
Intersecting cybersecurity risks
Panaseer's research found 92% of leaders believe growing IT complexity is increasing the threat of toxic combinations, putting high-value assets at greater risk.
These intersecting risks span multiple security domains, so can be tricky to detect and prioritize. Security teams often lack the time and tools required to understand how different combinations of risk overlap within their environments and face challenges addressing areas of vulnerability or prioritising remediation effectively, Panaseer found.
“It’s very difficult for security teams to identify toxic combinations, as it requires piecing together information from multiple security tools, attack chain analysis, vulnerability scans," Möesse added. "Even then, you’re working blind because there’s no clear view of how different assets connect."
The security posture firm found that 82% of leaders fear AI will "amplify" challenges around toxic combinations, opening up opportunities for threat actors to compromise data, critical resources and high-value assets.
“Security incidents stem from a convergence of multiple control failures,” said Simon Goldsmith, CISO at OVO Energy.
“These failures have often been spotted before by security teams, either in security monitoring or controls testing, but it’s only when they interact in a toxic combination with the wrong threat actor as an accelerant that we see truly damaging consequences.
"This is why an information security management system needs to be wired to do much more than detect missing and misconfigured controls.”
Have you got a story to share? Get in touch and let us know.
