The designation “white hat” refers to the ethical intent of the hack: Miller and Valasek had no intention of using their exploit to put anyone in danger but, because they found it, the manufacturers were able to fix it. Since 1995, when the first bug bounty program was created, some hackers have been using their skills to make money on the right side of the law.
One of the problems in defending against hacking is the range of tools available to the hackers, and adapting to a world in which the attackers may be professionals working for the state or the military.
The types of sophisticated attacks perpetrated by organized groups are known as “advanced persistent threats” (APTs). The point of an APT is to remain hidden inside the victim’s network for as long as possible, moving around the system and gradually establishing more “backdoors,” or ways in, while exfiltrating increasingly valuable data over a period of months or years.
“White-hat hackers will break into your network for you, and afterwards send you a report on how to stop others from stealing your data in the future.”
Therefore, in order to detect and defend against sophisticated APTs, white-hat hacking encompasses not just the task of finding bugs and selling the discoveries to security firms— with bounties occasionally reaching five figures—but also has created a flourishing hire-a-hacker industry, on the principle that it takes a thief to catch a thief.
Hacking the Hackers
Kevin Mitnick, arguably the world’s most notorious hacker, was once on the FBI’s Most Wanted list, and was imprisoned by the U.S. government between 1995 and 2000, eight months of which he served in solitary confinement. Today he helps to fill the security holes he once exploited. Mitnick is now the successful CEO of Mitnick Security, a Las Vegas-based consulting firm that offers penetration (“pen”) testing for a client list of Fortune 500 companies, global law firms and even government agencies. “I basically do the same thing as hackers do, but now I’m authorized to do it,” he explains.
If you pay for a test—fees for complex and high-value assignments may stretch to six figures—Mitnick’s employees will break into your network for you, and afterwards send you a report on how to stop others from stealing your data in future. “Some clients have been upset with us,” Mitnick jokes, “because we give them too much work to do.”
A pen test is a test you are almost certain to fail. Mitnick’s “Global Ghost Team,” members of which are handpicked for their reputation in the hacking community, succeeds in almost all of its engagements, provided they are restricted to technical means only. If they are authorized to use social engineering—for example, persuading unsuspecting employees to share confidential information over the phone, or as Mitnick’s team recently did, cloning entry cards and dressing as engineers from the alarm company—they are yet to fail at finding a weak spot.
If APTs demonstrate the weaponization of cyber attacks, then increasingly the defenders come from the military too. SafeBreach, a Silicon Valley start-up, builds its security test by literally trying everything that hackers have ever tried to see what works.
Having served in the Israeli army’s elite 8200 Intelligence unit, co-founder and the CTO Itzik Kotler has been on the front line of cyber warfare his entire career. The idea for SafeBreach came to Kotler after he left the army, and was working as a self-employed consultant. He wanted to simulate the resources that a government-sponsored or organized group of hackers could deploy, and so he wrote a programming language to do it automatically.
SafeBreach’s research team, based in Israel, uses this programming language to build a customized, automated red (attack) team war game for each client. “They’re coming up with original ideas, anything from exploits to malware to exfiltration techniques, and they’re implementing that too,” Mr. Kotler says.
Their results are no less impressive than Mr. Mitnick’s. “We have 100% success today. Every company that we approached [that] had an asset to protect, we showed them that it’s possible to exfiltrate it,” Mr. Kotler says.
By adopting the mindset of a sophisticated, methodical hacker, teams like Mr. Mitnick’s or Mr. Kotler’s are an effective tool to discover APTs and uncover sophisticated attacks, but still never a silver bullet. The goal isn’t to provide impenetrable security against a sophisticated, well-resourced, persistent threat, but to help organizations make priorities to optimize their security, Mr.Kotler says.
Often top of any pen test remediation list: configuring existing protection (for example, updating software to avoid the basic flaws that all hackers look for. In Mr. Mitnick’s experience, some returning clients have even failed to patch basic security flaws uncovered during the previous pen test.
But, in a world of APTs, it also means looking inwards: better monitoring of internal systems might reveal the telltale signs of an ongoing APT, as hackers covertly move around the network. It also may mean rebuilding the company’s systems to make an APT less likely – for example, segmenting the networks that a hacker can access from those that contain the data they want to exfiltrate.
Most important, it means having the management ability to counter continuously evolving threats immediately and consistently. Mr Kotler points out that the holes that security consultants discover are often left open for weeks or months, during which time the client’s network has changed and new threats have evolved. By the time changes are made, implementing a pen tester’s recommendations may only give a false sense of security. So treat a security audit like sushi, he says: “Best when it’s fresh. Store it for a week, it’s poisonous.”