Permission to intrude: hiring hackers to bolster cyber defences
It’s no news that data breaches and cyberattacks are on the rise, with hacks becoming increasingly sophisticated. Businesses are struggling to keep up with rapidly shifting cybercriminal motivations, tactics and appetites for destruction.
The problem is exacerbated further by emerging technologies such as IoT, which give attackers new entry points and new vehicles for attack. Organisations are also migrating to the cloud at pace, moving large volumes of data and applications across a range of deployment configurations, and misconfigured or forgotten assets left behind in that process are easy pickings for attackers. So, what steps can companies take to avoid disruption?
Insights from the enemy
To both understand and keep pace with the evolving cybercriminal mindset, many businesses are fighting fire with fire – in other words, hiring hackers to help. In fact, large corporations such as Airbnb, PayPal and Spotify recently revealed that they have willingly spent over £38M on ethical hackers to tighten their cyber defences and avoid crippling data breaches.
Ethical hackers can play a fundamental role in helping security teams consider every plausible attack vector when protecting applications. Whilst security architects have a wealth of knowledge of industry best practice, they often lack first-hand experience of how attackers perform reconnaissance, chain together multiple weaknesses or gain access to corporate networks.
Equipped with – one hopes – all the skills and cunning of their adversaries, the ethical hacker is authorised, within an agreed scope and rules of engagement, to attack the organisation's systems and networks so that the vulnerabilities found during testing can be fixed. They are also required to disclose every vulnerability they discover to the organisation rather than keep it for themselves.
According to the 2019 Hacker Report, the white hat hacker community has doubled year over year. Last year, US$19 million was paid out in bounties, nearly matching the total paid to hackers in the previous six years combined. Eye-catchingly, the report also estimates that the top-earning ethical hackers can make up to forty times the median annual wage of a software engineer in their home country.
Where to hunt down ethical hackers
The most common method is a "bug bounty" scheme operating under published terms and conditions that define what is in scope, what testing is permitted and how findings must be reported. This way, any member of the public can search for and submit discovered vulnerabilities for a chance to earn a bounty. It works well for publicly available services, such as websites or mobile apps. Rewards depend on the level of perceived risk once the affected organisation has confirmed the validity of the submission.
Using crowdsourcing and paying incentives has obvious benefits. Hackers get reputational kudos and/or hard currency, and a very public forum in which to showcase and test their skills. In exchange, the hiring organisation gains new security perspectives it would not have found on its own.
Some businesses choose to hire hackers directly. Hands-on experience is key here. While it may sound counter-intuitive to make use of external hackers – some of whom have a track record of criminal activity – the one thing they have in abundance is hands-on experience. At the end of the day, a hacker is a hacker. The only difference is what they do once a bug or vulnerability is found.
Ultimately, employing an ex-cybercriminal is a risky decision that should be made on a case-by-case basis. It is also worth noting that criminal background checks only identify previous offenders – they say nothing about how a person has changed since. For example, it is unlikely that someone charged with a denial-of-service attack at a young age has turned into an international career criminal. Indeed, some young offenders go on to become well-respected security consultants and industry thought-leaders.
Another fertile hunting ground for hackers could be closer to home. The best practitioners are curious, with a strong urge to deconstruct and reassemble. Businesses need to get better at harnessing the skills of those building their applications, code and network infrastructure. These people may already know about vulnerabilities but have yet to report them because it isn't part of their job description. This is a waste. Decision-makers need all the insight and help they can get, and there's more of it out there than you think. Over the years, I've met many people at security workshops or capture-the-flag events who have built products but say they enjoy the defensive, intelligence-gathering side of hacking even more.
Finally, ethical hacking is also becoming increasingly formalised. Notable qualifications include Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP) and the Global Information Assurance Certification (GIAC) family. Naturally, many seasoned hackers will balk at this drift towards formal training, but watch this space. Ethical hacking is set to become more mainstream as perceptions and security-first business imperatives change.
Keep your friends close…
Although it seems perverse to hire hackers and ex-cybercriminals, it's clear that they can bring invaluable, real-world knowledge to a range of security activities, including threat modelling and penetration testing. They may offer a perspective that others haven't considered, and they can show businesses how to adapt to threats by giving insight into attackers' tactics and motivations.
With more businesses taking this approach to cybersecurity, it's important to keep a close eye on what these hackers are doing: agree the scope and rules of engagement in writing, grant only the access the engagement needs, and log and review their activity, so that nobody slips back into their old malicious ways and puts your business at serious risk.