Knowing Your Enemy: Boom time for hackers

June 11, 2020 Claranet Limited

Let’s play a game. Imagine you’ve been told someone in your organisation is a hacker, and
everything depends on you making your best guess. Who would you pick?

Here’s a surprise: it probably isn’t the disgruntled Work Experience kid or the snarky IT
employee. (You know, that one who gave you a lecture last time you shared your login.) Very
often, the hacker in your business isn’t engaged in subterfuge.

In reality, he’s often a professional like you, using his skills to perform an essential business
process: testing your company’s defences so any holes can be plugged.

To understand this hacker’s mind, it’s necessary to understand the hacker’s market. That
market is changing fast. Increasingly, the most reliable route to riches isn’t blackmail and
ransomware, but earning “bug bounties”: rewards offered by companies paying cold, hard cash
to have their applications and networks tested.

According to white hat hackers Bugcrowd, today’s hacker isn’t necessarily a threat – he can be
your information infrastructure’s greatest friend. Let’s look inside the mind of today’s
professional IT infiltrator – and shatter some illusions about how they work.

Myth #1: Hackers are all criminals

Yes, there are still plenty of black hats out there, in criminal gangs and rogue regimes. But in the community of white hats, many have been good guys all their lives – the Bugcrowd community
of white hats is 383,000 strong1, and most are described as knowledge-seekers or fun-lovers, not
evildoers. They’re not interested in becoming criminals; they’re interested in stopping them.

(Think about it. The average policeman knows a lot about crime. But he’s unlikely to have ever
done time in the Big House.)

If you want solid statistics, look at education. The average criminal has very little; sadly, a lack
of education correlates directly with those serving at Her Majesty’s Pleasure. A survey by
BugCrowd2 shows over 50% of bug bounty hunters (those who deliberately infiltrate corporate
IT for profit) have either a Bachelor’s or Master’s, and over 8 out of 10 have spent at least some
time in college.

In fact, a substantial number of hackers are motivated by fun. Even the damaging Mirai botnet
of 2016 started as a gaming gambit in Minecraft3. They don’t seek to harm the networks and
applications they try to penetrate, although they do expect a reward for exposing
vulnerabilities. (And not just a t-shirt.)

Myth #2: The theory of the lone gunman

Conspiracy theories and Hollywood movies tend to go big or go small on their antagonists. It’s
either a vast secret power structure taking over the minds of millions—as with the moon-
landings and Illuminati stuff—or an evil genius working solo, as in tabloid headlines and most
thriller novels. The truth is out there—and it’s neither of the above.

2018’s biggest hacking story (so far) has been Meltdown and Spectre4. Not flaws in operating
systems, but in the hardware they run on: more fundamental, and harder to fix. Those flaws
have been there since the mid-90s. But when a small team of Austrian white hats discovered an
exploit and reported it to Intel, the news came back: they were just one of four teams who’d
found the bug in recent weeks.

Even a solo hacker in his darkened bedroom doesn’t work alone. He or she is constantly picking
up intelligence from web chats, news sources, rumours and gossip. Hackers are talkers. And
when the buzz gets louder, people start strategizing about it, forming new teams, swapping
ideas.

(Of course, this effect isn’t limited to hacking. Ever noticed how Hollywood often launches
several movies on the same subject around the same time? Screenwriters are a talkative bunch,
and you can bet that if a subject sounds interesting, multiple studios will get in on the action.)

In the same way, successful penetration testing or “pentesting”, probing your company’s IT
defences, involves much more than one consultant at a desk. Don’t be surprised if the hacker in
your office is that gregarious, funny gal downstairs who asks to borrow your password “just for
a moment”.

Myth #3: It’s all Russians and North Koreans

Again, national origins feature less in the hacking mindset than supposed. Over 112
nationalities5 are represented in Bugcrowd—with the two biggest being the USA and India.

This correlates with another change in the market for hacking services: the size of companies
running bug bounty programmes. It’s not small developers outsourcing their bug discovery any
more. Companies of 5,000 employees and up – the real giants of industry – are now the fastest-
growing segment offering bounties to hackers6.

And the countries where those giants operate correlate strongly with the top few countries
where hackers work: in addition to America and India, the UK, Australia and Germany are home
to substantial numbers.

Myth #4: It’s just about the code

The myth persists that hackers and hacking skills are limited to scrolling through source code
and unleashing warez attacks. Wrong! Today’s hacker is as much social scientist as computer
scientist. What’s a top tip for getting a headstart on finding that bug? LinkedIn!

Simply looking at the online resumes of the company’s security team – the applications they
know and the disciplines they’re trained in—can tell a hacker what technologies their network is
likely to be using … and therefore what vulnerabilities might be exploitable.

Similarly, plenty of hackers are into social climbing; it’s not the secret world many imagine it to
be. Every bug bounty you win increases your desirability to the market. A good bounty hunter
doesn’t have to select targets; he or she gets invited to pentest a company’s systems. As with
any area of employment, it’s about building a reputation and winning admirers.

Myth #5: A successful hack is a failure of your company

Of course, no company—particularly a listed company with sensitive shareholders—likes to
admit its systems have been compromised. But if your bug bounty programme exposes genuine
vulnerabilities in your IT infrastructure, that’s no failure: it’s a huge success. Because the cost of
paying a bounty is vastly lower than being held to ransom by evil actors later.

The majority of full-time bug hunters are in India, where low costs of living have allowed bug
bounty hunting to become a well-paid profession. A reasonable income of $50,000 translates
into a number of bounties, meaning a single bug discovery can cost a paying company mere
hundreds of dollars. Far less than the cost of compromise.

There are already bug hunters in North America and Europe who’ve turned bug bounties into
their principal source of income. And this proportion is likely to grow. The lesson for companies
is clear: don’t try to stop the hackers. Instead, invite them in.

That’s how the hacking market is changing for the better. And it’s led to another welcome
change—in language.

For many years, managers and journalists conflated the terms “hacker” and “evil”. Black hat or
white hat, all were seen as disreputable. This made security experts groan: to them, since at
least the 80s, an evildoer is a cracker, not a hacker. With the rise in bug bounty programmes,
the term “hacker” is losing its negative status.

Businesses are learning that a hacker can be a friend. And the more hackers that act in your
interest, the greater the benefit to your IT infrastructure.

1 Inside the mind of a Hacker, Bugcrowd

2 Inside the mind of a Hacker, Bugcrowd

3 3 US hackers took out key parts of the internet in 2016 because they wanted to make money on Minecraft, Business Insider

4 Triple Meltdown: How so many researchers found a 20-year-old chip flaw at the same time, Wired

5 2016 State of Bug Bounty Report, Bugcrowd

6 2016 State of Bug Bounty Report, Bugcrowd