Corporate infrastructures are becoming harder to manage. Hybrid setups consisting of cloud infrastructure, multiple global sites, and employees who log in from home or bring their own devices increase cyber security risk by expanding the organization's attack vectors and attack surface.
CIOs, CISOs and cyber security managers work constantly to reduce these risks: integrating leading cyber security solutions, setting up a multi-layered approach, implementing zero-trust solutions, integrating threat intelligence feeds, implementing DevOps and DevSecOps ticketing management, and investing in the technical team's training, all while staying within budget and not disturbing the firm's business operations too much.
But this is a war of attrition: a continuous 24/7 effort by malicious parties to compromise the company's infrastructure and gain access to its assets and information. Sometimes all they need is a small misconfiguration, a left-behind key, an unintentionally open directory, or a spoofed credential as the thread to pull on to get in and build an attack.
One of the best ways to find those hidden cyber security threats is to think not as a defender but as an attacker: a malicious hacker using their knowledge, tools, and methods to breach corporate security. More than that, you can hire a hacker to breach your systems and then tell you how they did it. This is called white hat hacking.
A white hat hacker, or ethical hacker, is an individual who uses various skills to identify cyber security vulnerabilities in network infrastructure, software applications, or physical hardware devices. Unlike black hat hackers, or malicious hackers, white hat hackers respect the rule of law as it applies to hacking. Many white hat hackers are former black hat hackers who now help organizations and individuals defend their digital assets from being breached.
Setting ground rules
Certain ground rules must be set when a white hat hacking service is requested and provided. The first, and probably the most important, is confidentiality: when a breach is found, the information about that breach and the exposed organization data will not be shared with any external third party that might offer a higher bid. The white hat hacker cannot disclose any information about the customer, the systems, the findings, or anything else about the hacking campaign unless written consent is given, and that consent is limited to a specific type of information. Such consent is usually given so the white hat hacker can promote their services, share a few of the findings with external vendors so they can address them, or submit those findings to a public disclosure service such as the Common Vulnerabilities and Exposures (CVE) database.
The second rule is the 'do no harm' rule: during a hacking attempt, the white hat hackers are not allowed to damage the systems, erase or manipulate any corporate or customer data, or take down any production environments and services. In short, they cannot harm the availability of business operations in any way.
On the white hat hacker's side, it is important to obtain written consent authorizing the white hat service provider to perform a hacking campaign, and that consent should specifically declare the campaign schedule, scope, liability, disclosure methods, and rights of disclosure to third parties before any engagement begins. This is mainly to prevent any breach of the law, but also to prevent legal prosecution in case the activity is detected by a government cyber intelligence service or law enforcement.
Do we keep the element of surprise?
One question some CEOs and CISOs ask themselves before setting up a white hat hacking campaign is whether to tell their teams that this activity is planned, or to keep the element of surprise and test them 'in battle', observing their performance during the attack.
There are two sides to this. The obvious one is that with the element of surprise you can see how the teams really react when they do not know they are being evaluated; but this is also the downside. In the case of a successful breach, the entire campaign can turn into a blaming session rather than a learning session, missing the point of making the organization more immune to cyber-attacks and leaving the teams less united and less motivated.
There is no right answer to this question, but sometimes a middle path can be found: telling the teams that a white hat campaign will take place during a certain period while keeping the exact schedule and scope confidential. The teams know it is happening and that their performance will be evaluated, while their management keeps communication with them open and honest.
Who do you call?
The benefits of setting up a white hat hacking campaign are clear, and so are the risks. It is therefore extremely important to choose the right vendors so that a comprehensive and thorough campaign takes place. Moreover, consultation and reports should be provided after the campaign, allowing the organization's cyber security defence capabilities to be upgraded on the basis of the findings.
Written by Moshe Karako, Chief Technology Officer (CTO) of NTT Innovation laboratory Israel
