So how can organizations hope to fight them?
One way is to hire people just like them.
“I’ve always enjoyed thinking like a criminal,” said Casey Ellis, CEO of Bugcrowd, a company that crowd sources ethical, “white hat” hackers. “Certain types of ingenuity, creativity, even the entrepreneurial element, I’ve always found appealing. Though I’ve never had the desire to actually be one.”
Bugcrowd is among a growing wave of companies using hackers for good. While not replacing all traditional security strategies, these ethical attackers unleash “researchers” (aka hackers) to probe an organization’s defenses.
Some of these companies create their own elite red team of hackers. While others commandeer virtual armies of crowd-sourced hackers. The goal is the same: probe for weaknesses that may have escaped the internal security team’s best efforts.
“If you want to find out how secure you are, ask the hackers,” said Renee Chronister, chief executive of Parameter Security.
Parameter describes itself as “ethical hackers protecting you from unethical hackers.” The company has launched cyber-offensives against governments and companies in financial services, healthcare and retail, uncovering critical weaknesses along the way.
“We are coming in and hacking them and exposing vulnerabilities for their benefit,” Chronister said. “At the end of the day, we show them how we got in, what kind of data we accessed and how they can better defend themselves.”
Trust is an important element, she adds. “They trust that we will not use that information against them.” She stressed Parameter carefully vets each member of its red team hacker staff for skills and trustworthiness.
Separated by Ethics, not Talent
Black hat or white, their skills sets are similar.
“It’s the same knowledge base you would have if you were just interested in security,” said Justin Kennedy, a director at NTT Security, who participates in Bugcrowd’s crowd-sourced “bug bounties.” “It’s only when you cross that line that you would be considered a cybercriminal.”
Kennedy admits to having a mischievous side, and as a teenager played his share of cyberpranks on his friends. Today, he enjoys the competitive, gamified aspect of Bugcrowd’s hacking bounties.
“At the end of the month, if you are at the top of the leader board, you get a bonus,” he said.
In addition to its open-to-all bug bounties, Bugcrowd also drives private hacking efforts against more sensitive networks and organizations — creating another incentive for hackers.
“If you are good, you get invited to private programs,” said Kennedy. “And you get to meet a lot of people.”
Jay Kaplan, CEO of Synack, another ethical hacking organization, said that the diversity of his hackers is a key element to success.
“Our global researchers are so diverse — where they come from, and who they work for,” said Kaplan, who himself conducted state-sponsored hacking at the National Security Agency.
“Most are freelancing, but have full-time jobs. They are engineers in tech companies, people in the security space, people from government.”
After all, he adds, the cybercriminals are themselves diverse — and numerous. “We are trying to mimic the adversaries as much as possible. By having those diverse resources, we are ultimately closer to what the bad guys are doing.”
Another aspect of the bad guys? They never stop. “Advanced persistent threats are persistent,” said Kaplan. “They are constantly finding new ways to break into an organization.”
Kaplan, Chronister, and others recommend repeated white-hat attacks. “That testing window is a snapshot in time,” Chronister said. “After we are done there can be a change in the environment, a software update, new employees added and the testing can be out of date.”
As for the kind of public “bug bounties” that Bugcrowd organizes, Kennedy sees another positive side effect: drawing in hackers before they turn bad.
“A lot of these folks start out as teenagers,” he said. “They treat the internet as a playground. Some may not be meaning to do something malicious. But they would still technically be considered cybercriminals. If you give them the ability to use these bug bounties to legally play and learn, and even make some money, then you are reducing the number of cybercriminals.”
Tips from an Ethical Hacker
Jay Kaplan is the CEO of Synack, a firm that combines its automated security technology with a global talent pool of hackers to probe for weaknesses in a company’s defenses.
What are some core qualities of a secure organization? Kaplan recommends that decision-makers ensure that their strategy is:
- Persistent: “You can’t be looking at your security footprint in a singular point in time,” Kaplan said, “because infrastructure and apps are so dynamic and being updated regularly.” In short, cybercriminals never let up, so probing for weaknesses must be a continuous process.
- Diverse: “Bad guys come in all shapes, sizes and skill sets,” Kaplan said. He emphasizes that any ethical hacking effort should reflect that diversity, with a combination of backgrounds, specialties and nationalities. An organization’s overall security strategy should also be diverse. “Security is a multilayered thing,” he said, “you need a lot of different solutions.”
- Creative: The black hat guys think out of the box, and so should your organization. That means having top-down leadership that ensures a pervasive culture that is creative, daring and open to sharing ideas. To stay ahead of criminal hackers, Kaplan argues, an organization must be innovative and agile, ready to try new ideas to meet a constantly evolving threat landscape.