A week in Cyber Security
In late June Hexiosec had the pleasure of hosting Juliette as a work experience student. Fresh from finishing her GCSEs, Juliette was keen to find out about what goes on at a cyber security company. And we were keen to encourage her towards a future in engineering, which is the correct choice, in my correct opinion.
From the outset we wanted to make sure Juliette had an engaging technical challenge, which would give her a genuine experience of working at Hexiosec. We chose a research topic for Juliette, aiming to both challenge her technically and provide useful insight for Hexiosec. Alongside the research we also made sure she met people from across the company, to allow her to find out about all the different roles and opportunities at a company like ours, such as marketing, services, product management, etc.
Alongside the other Services work we provide at Hexiosec, we also introduced Juliette to our end-to-end encrypted secure file transfer product Hexiosec Transfer.
It’s always tricky to judge the work and expectations for a placement student, but long story short, Juliette really impressed us with what she achieved. Juliette went beyond what we’d planned and helped us to prepare for future updates to Hexiosec ASM, our attack surface management product.
My work experience week at Hexiosec
During my work experience week at Hexiosec, I was tasked with investigating how AI could be used in Hexiosec’s ASM product.
The work experience gave me the opportunity to discover real world coding tasks which helped bring computer science theory to life. I was excited to find out about how it is possible to use APIs to query websites within Python code and for this I used the tool Insomnia. I used this tool twice, first to get the company’s domain and then to get a response from AI.
I think AI is an incredible tool, however I learnt that it can be quite a challenge to get consistent and accurate results, so I enjoyed experimenting with different prompts to achieve the results I was looking for.
I very much enjoyed my work experience week at Hexiosec and learning about the world of work. I found it very rewarding and insightful to work with specialists in the industry and I am incredibly grateful to all the team for the amazing opportunity. My time at Hexiosec has helped confirm to me that I would like to pursue a career in engineering, IT or cyber security in the future.
Using AI to enrich ASM insights
What did we ask Juliette to do?
We wanted to better understand how consistently we could use Artificial Intelligence (AI) platforms to provide additional insights alongside our gathered Hexiosec ASM scan results and analytics.
When users create new Hexiosec ASM scans they only need to input minimal seed data, typically the main domain, e.g. for our own domain, hexiosec.com. Hexiosec ASM will use this to automatically discover and monitor assets used in the hosting of this domain and subdomains, and then perform checks on these assets to non-intrusively determine associated risks. This combines to an overall picture of an organisation’s public attack surface.
The idea to explore… can we use the same seed domain data, provided to an AI platform to present more general detail about the organisation and industry associated with the seed domains? The assumed short answer to this was yes, but how accurate and consistent would this data be, both for the same organisation over time, and for different organisations.
Answering this would help with:
- User perspective: Present AI generated insights for a user to understand the context of a scan and relevant organisation.
- System perspective: Track industry data for categorisation and comparison of scan results.
APIs, Python and AI, a week in Cyber work experience
From Juliette’s point of view, what did we actually want her to do? Roughly:
- Understand how Hexiosec ASM works, and the context of the challenge
- Learn about REST APIs and how to get seed domain data from Hexiosec ASM
- Learn to use dev tools to help, e.g. Insomnia for calling APIs
- Use Python in real world scenarios calling REST APIs
- Try AI platforms, ChatGPT and Google’s Vertex AI, to see how different prompts impact results, and to help us understand any technical challenges
- Use an AI’s REST API, tracking a conversation, and get that working in code
- Last but not least, bring it all together for the grand finale to be run together
And possibly most importantly, as Juliette was working on a Windows laptop with a basic setup… experience that as an engineer, installing and getting things running is often the greatest challenge. We definitely planned that bit.
Along the way we also introduced a few other common development concepts, such as source control, documentation and cynicism. Juliette worked with a number of us at Hexiosec during the week but, Lauren, Hexiosec’s Engineering Team Lead and general ASM guru, was on hand to mentor and help Juliette in the Cheltenham office.
Putting ASM and Vertex AI together
Actually, as hinted above, the reality was that it all went pretty much to plan. There were some challenges, getting Juliette’s laptop setup with Python was problematic (we’re a bit too used to MacOS these days).
We investigated using ChatGPT and Google’s Vertex AI for the solution. In the end we focussed Juliette’s efforts on one tool and chose Vertex AI, as this fit within our existing ecosystem and meant we had ready API access for her to use.
From the outset, Juliette quickly got to grips with Hexiosec ASM and its REST(ful) API. She scanned her own school, the further education institution (she is now attending!) and ourselves, Hexiosec. This helped her understand the context of the results we produce and how new AI insights could fit. Using Hexiosec’s API she then tried using the API tool Insomnia and then her own Python code to extract the seed data from these scans. Juliette noted that it was the first time she’d written code for a real world use case.
The next focus was on the AI side of the puzzle, querying Vertex’s API for details on the associated seed domains. Juliette initially started by directly querying Vertex in a browser to get used to chat responses, crafting good prompts and to help in producing consistent results. The “chat” nature of this also highlighted that doing the same programatically can require that the full chat history is passed in each time. She also learnt that the API would not automatically have access to use the internet to expand the query, something which was necessary to enable in our case.
Regarding the collection of industry data, Juliette quickly grasped that to answer the “What industry is this domain’s company associated with?”, needed more detail to categorise consistently. Juliette achieved better consistency in results by finding a suitable industry classification standard. There are various standards available, but for the purposes of this research she choose the UN’s International Standard Industrial Classification (ISIC).
On her final day with us Juliette was able to plug it all together, and created a single Python script which:
- Queried Hexiosec ASM’s API for seed domains from a given scan
- Queried the Vertex AI platform for details on these seed domains
- Produced and displayed the results as HTML to show in a browser
- This last step went beyond our initial plans!
What we learned: AI’s role in ASM
Can we use and trust AI to produce quality insight for a scan, alongside our own carefully curated results?
Yes absolutely, we think this could be a great addition to help our users, but it does highlight the nuance of AI prompt engineering.
Juliette certainly found that the results produced could be variable even for the same question or seed information, but providing more specific prompts reduced this variability. If we’d want to show these results in a controlled space within our ASM app, such as a widget on our Overview page, it’s likely we’d want to adjust the prompt further, but not so far we limit the response.
For the handling of the industry data, again achieving consistency is key. Using ourselves as an example, Hexiosec engages multiple areas:
- Services
- DTX
- Products
- Cyber security
To classify us alongside other similar organisations and or products needs both a decision made on what results we think are correct and how to ensure they are consistent across different organisations. Ultimately, how to make this feature useful for comparisons or other analytics.
At Hexiosec we pride ourselves on the accuracy and quality of Hexiosec ASM’s scan data, built by our experienced team of engineers, backed by Hexiosec’s wider cyber security experience and using our proven analytics. If we are to include any AI element to the results produced, we would only do this in a way, which:
- Adds genuine benefit to our users
- Is clear to the user when AI is used
- Does not negatively impact scan results
And finally, most importantly, we found hosting Juliette for the week an enjoyable and rewarding experience. Engaging in opportunities with students like this is something we shall continue to do at Hexiosec. We’d be very happy if in the not too distant future, we were able to give Juliette another opportunity at Hexiosec, and wish her luck in the meantime.
Related Posts
